![\"Rps20120524](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120524_160301_391.jpg\" "\\"rps20120524_160301_391.jpg\\"")
<\/p>\n
Roberto starts by apologizing about the fact that Scott was not able to join him at the conference.<\/p>\n
The agenda of the talk contains 3 major components:<\/p>\n
- \n
- Introduction<\/li>\n
- Window Shopping<\/li>\n
- Conclusions<\/li>\n<\/ul>\n
Introduction<\/h3>\n
Everybody uses browsers, Roberto states. \u00a0Browsers have become predominant desktop applications and we see a clear shift towards client-side applications and attacks. \u00a0It makes a lot of sense to take a look at the security of browsers.<\/p>\n
<\/p>\n
Window Shopping<\/h3>\n
Firefox Use After Free < 11 \u00a0(Fixed in FF11), found by Scott Bell.<\/h4>\n
This bug only works in Windows 7. Roberto mentions that it took the devs a long time to get fixed, indicating possible complexity involved with this bug. \u00a0A slightly modified version of cross_Fuzz was used to find this bug.<\/p>\n
![\"Rps20120524](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120524_161225_723.jpg\" "\\"rps20120524_161225_723.jpg\\"")
<\/p>\nTo make cross_fuzz produce the crash, they basically added more entropy, randomizing call parameter count, removed google_gc() and changed some other things. \u00a0 To create a different HTML file every time, they implemented \u00a0HTMLGen. \u00a0They also removed some phases in cross_fuzz to make things faster.<\/p>\n
After triggering the crash, they had to simplify the html page that caused the crash and remove unnecessary components. \u00a0Using the JSLOG Firefox extension, they logged DOM operations, allowing them to observe browser behavior around the time of the crash. \u00a0 FInally, they had to trace the browser behavior in a debugger\u2026 which took a fair bit of time (months). \u00a0In the end, they were able to pinpoint the exact code that causes the UAF condition.<\/p>\n
In terms of exploitability, they discovered that there's some kind of race condition involved, making timings particularly important to gain code execution. \u00a0The proof of concept code demonstrated on stage doesn't include DEP\/ASLR bypass either (it just sprays and ends up jumping into the spray).<\/p>\n
Maxthon - XCS and SOP Bypass, found by Roberto<\/h4>\n
Roberto found a couple of bugs in Maxthon and first explains what a Cross Zone Scripting is and the fact that it offers and intrinsic Same Origin Policy bypass. \u00a0If you have javascript running in a trusted zone (and each browser has a trusted zone), you can access the local system API's. \u00a0If you can do that, you can execute code, and it would be 100% reliable.<\/p>\n
Maxthon, a chinese web browser, supports Trident and Webkit layout engines, and is used, according to Maxthon, by 130 million users. \u00a0Roberto found 5 ways to get code execution in the Maxthon browser. \u00a0In addition to the Trusted Zone issues (and the fact that they could inject code into the about:history page),\u00a0they also discovered that i.maxthon.com appears to be a trusted domain, allowing access to privileged API's. \u00a0There's no control on domain name to IP resolution, and no SSL either. \u00a0MiTM anyone ? \u00a0 \u00a0The latest version of the browser is still vulnerable to some of the bugs they found. \u00a0 To demonstrate code execution, he used a few lines of javascript that creates a .bat file, adds some commands into the file and then runs it.<\/p>\n
Avant Browser XCS & SOP Bypass, found by Roberto<\/h4>\n
Yet another Chinese browser fell apart during their research. \u00a0Roberto drops 3 0day bugs during the talk (because the Avant devs didn't respond to any of his reports). \u00a0Avant is a custom web browser application, using IE (light version) or IE\/FF\/Chrome (Ultimate) in the background. \u00a0With 26 million downloads, the app seems to be used by a lot of people. \u00a0Some of the files in the res folder are rendered in special pages, allowing for the execution of a privileged function (ARFunCommand()). \u00a0They fuzzed the methods from this undocumented function and found some interesting results, returning information from the browser and browsing sessions. \u00a0 Using the 60003 value found during the fuzzing, they managed to perform a SOP bypass and XCS.<\/p>\n
Firefox, patched in 3.6.14 - CVE 2010-1585<\/h4>\n
Roberto discovered that the nslScriptableUnescapeHTML.parseFragment() function, which is used to filter and sanitize data. \u00a0Instead of using <script> (which gets removed by that function), \u00a0he used javascript:alert(window). \u00a0When the user clicks the scripts, it gets executed in the Chrome zone, allowing you to run privileged commands (such as downloading a file and running it).<\/p>\n
Opera Use-After-Free < 11.52<\/h4>\n
Labeled as low severity by Opera, because Roberto couldn't give them a proof of concept exploit. (???) \u00a0 It was recognized as a memory corruption bug, but not classified as a security issue. \u00a0At the same time, Opera mentioned that, if Roberto would deliver an exploit, they might revisit their position. \u00a0The researchers used their own custom fuzzer to find this bug.<\/p>\n
Firefox\/Opera - XCS via bookmarks<\/h4>\n
Ancient bug, reported in 2005 by M. Krax. \u00a0If the user is lured into bookmarking a malicious javascript: URI + payload and the user clicks on it, it might lead to a universal XSS (when used in a standard web page), or a XCS (when used in a privileged browser zone). \u00a0 Roberto explains that there are many ways to fool a user. \u00a0You can spoof URL and status bar. \u00a0Javascript can be compressed. \u00a0You can even hide code (@Agarri_FR found a bug in Opera, where you could use a null byte to hide code from the source view). \u00a0Of course, this type of exploit requires a couple of requirements or conditions to be met, but it works painfully well.<\/p>\n
The problem is even worse in Firefox, because you can't really see the javascript code from the \"Add Bookmark\" window. \u00a0This issue has been fixed in Firefox 11.<\/p>\n
<\/p>\n
Conclusions<\/h3>\n