Resident scripts and global cross-domain
In October of 2006, a vulnerability in IE7 known as the “mhtml:” Redirection Information Disclosure was discovered. RSnake wrote up a post about how nasty it was. The basics: it took over the entire browser experience.
Fortunately, the bug was patched quickly, it required access to the web server/application (or HTTP header injection), and it only affected IE7. There was also a lot of talk about the vulnerability, making it quite obvious to monitor, discover, and track if you do those sorts of things.
Nate McFeters wrote about his trip to BlueHat v7 on the ZDNet Zero-Day Security Blog. There, he links to a more in-depth writeup on the BlueHat blogs with a full recap of the conference. He spoke about a few things that interested and surprised him along the way.
One big, glaring highlight of the talks he spoke about, and I quote:
Manuel Caballero discussed something that originally didn’t catch my attention. It initially sounded like the same research that’s been put into cross-site scripting attack frameworks, which basically involved using XSS to create a bi-directional communication channel between victim and attacker for exploitation of XSS. Then I realized what Manuel was really talking about. Resident scripts have put the fear of God into me. Whereas a normal cross-site scripting attack vector is great for the site that was cross-site scripted, it stopped there; it couldn’t follow you off-domain. Manuel’s can. Scary.
Manuel’s talk, “A Resident in My Domain”, discussed using browser malware activated by what sounds like an iframe and a bit of Javascript magic. Manuel’s website gives a deeper look at the newly discussed concept:
Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after you have changed the URL 1000 times and are feeling completely safe. Now imagine that the ghost is able to see everything you do, including where (location) you are surfing, what you are typing (passwords included) and even guess your next move. No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross domain. Also, we go through a step by step approach on how to find cross domains and resident scripts.
So, there you have it, folks. Manuel appears to have discovered a cross-browser, multi-OS, unstoppable man-in-the-browser that can read any activity you do with your browser after it activates, including crossing any domain boundaries. Unlike the “mhtml:” Redirection Information Disclosure, this appears to be a vulnerability that will go unpatched in browsers for possibly as long as XSS, CSRF, and other same-origin policy violations.
I’m going to continue to explain to my mom that she should close her browser (exit completely), open the browser again, log into and use her banking web application, and then close her browser cleanly again after logging out of her bank’s website. Barring NoScript, I suggest you do the same.
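Closing the browser is the user's side of the defence. The site owner's side, assuming (as the talk's wording suggests) that the resident script keeps running in a top-level document while the victim navigates inside a frame, is to refuse to render when framed by a foreign origin. The following is an added example, not code from this post or from Manuel's talk; the window-like `win` parameter is passed in so the logic can be exercised outside a browser.

```javascript
// Added example: page-side check a site can run on load to learn whether it
// is being rendered inside another document's frame (the assumed hosting
// technique for a "resident" script). `win` is a window-like object.
function classifyFraming(win) {
  if (win.top === win.self) {
    return "top-level";            // nothing above us, no resident frame
  }
  try {
    // Reading a cross-origin parent's location throws under the same-origin
    // policy; if the read succeeds, the framer is our own origin.
    const parentHost = win.parent.location.hostname;
    return parentHost === win.location.hostname
      ? "same-origin-frame"
      : "cross-origin-frame";
  } catch (e) {
    return "cross-origin-frame";   // access denied, so the framer is foreign
  }
}

// Policy for a banking-style page: render at top level or inside our own
// frames only. Returns the decision rather than acting, so it can be logged.
function framingAction(win) {
  const where = classifyFraming(win);
  return where === "cross-origin-frame" ? "refuse" : "render";
}

// Browser entry point: blank the document (leave nothing for a framing script
// to read) and navigate the top window to ourselves. Returns true if refused.
function enforceFraming(win, doc) {
  if (framingAction(win) !== "refuse") {
    return false;
  }
  doc.body.innerHTML = "";
  win.top.location = win.location.href;  // classic frame-busting move
  return true;
}

// Only runs when loaded in a real browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  enforceFraming(window, document);
}
```

Script-only frame busting can be suppressed by a hostile parent, so treat it as a detection signal and pair it with the server-sent `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers, which the browser enforces before any script runs.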
Update (Wed May 7 14:28 MST): It appears that Michal Zalewski busted Firefox in a unique way that sounds almost similar to the above attack vector. The Mozilla bug is titled “iframes from other sites can be changed while pointing at about:blank”, and Zalewski’s PoC is available from your browser as ifsnatch.

I’m just going to tell my mom to stop using the Internet.
Do any additional details, caveats, remediations etc exist? This sounds pretty bad, smart people need to be getting on a fix asap.
I think that’s the best idea. “Stop using the internet”
That about:blank iframe bug was in Mozilla dev builds last year, it seems, not this year. In contrast, though, Manuel sure does seem to have an unpatched IE7 attack. Word on the streets of Washington state is to make sure the sidebar isn’t running either.
@ morphene: Thanks! Are you saying the bug is IE7 only? I thought it would be cross-browser. Are you also saying that Manuel’s bug has something to do with the IE7 sidebar, or is this a separate issue?
@ Mark: No, but we’ll update with a new post once we get more information.
Smart people are already at work on trying to fix XSS, CSRF, and other SOP problems in browsers and Flash, etc. Unfortunately, the problem/fix doesn’t always seem to be on their side of the equation. The problem is really a problem with the initial designs inherent in HTML, HTTP, Web Services, and the code that is produced to create applications that use these technologies.
@ morphene, dre: It’s my understanding the vulnerability was patched in IE7. Manuel works for Microsoft, and I doubt they would let Manuel release an 0day at BlueHat. They wouldn’t even let Kuza present a Flash 0day.
However, whether or not the issue is entirely fixed in IE7 is another story.
I was not at BlueHat and don’t know anything for sure; sorry if I misrepresented that. However, I did ask directly one who should know whether that described an unpatched, non-public issue for IE7, and the response was not that it was patched, which I would have expected if it was, though it didn’t confirm it to be unpatched either.
I’m not trying to spread FUD at all, I’m more clueless than clued in. But I was under the impression that the explicit attack vector was not discussed. Honestly interested if anyone can confirm or deny that.
I do understand that Manuel works there and I agree that if the initial attack was described they must have already patched it. But I also know that undisclosed internally known attacks do at times remain open.
I asked about slides and was told there were none, but that audio of the talk should be available somehow, but I didn’t get a follow-up about it. If that’s true, does anyone know how to get a recording of the talk?
Hi!
There’s a writeup of this kind of attack at gnucitizen by sirdarckcat, with code samples.
Link: http://www.gnucitizen.org/blog/ghost-busters/