Sunday, August 19, 2007
Say Cheeeeeese!
This particular issue involves Google’s Picasa. As you probably know, Picasa is used to organize and touch up photos by adding various effects. What you probably didn’t know is… Picasa registers a URI (picasa://) in the Windows registry. This URI is used to extend the functionality of Picasa in many ways and it’s this functionality that we are abusing. By abusing the registered URI, it is possible to steal the images that have been loaded into Picasa. For some this may not be a big deal… but for others, this may represent a HUGE privacy risk. From a security researcher standpoint, this vulnerability is unique in that it doesn’t require ANY restricted characters to be passed in the URI. This makes it virtually impossible for a browser to filter the URI to prevent this attack. In fact, if the browser did somehow stop this attack, it would probably break this particular piece of functionality offered by Picasa (albeit it is really insecure functionality and should probably be removed anyway)!
Nate and I have become extremely interested in what we call “Functionality based URI exploitation”, which involves abusing the functionality intentionally placed within software that is made remotely accessible through registered URIs. These vulnerabilities are nearly impossible to detect through automated tools and typically require an experienced blackbox effort, as most of the functionality offered by registered URIs is poorly documented and the software is typically closed source. We’re ALWAYS up for the challenge though…
If functionality based URI exploitation isn’t your cup of tea… you’ll probably be happy to know that Picasa also has some overflow and “cross application scripting” issues as well… These issues are VERY serious as well, but we found the functionality abuse especially interesting.
On a final note, I wanted to personally thank Rob Carter for all his work on this issue. While Nate and I put the attack together from a conceptual standpoint and provided the foundation for the attack, Rob was the guy who basically wrote the code to make this vulnerability “real”. The attack is fairly complicated but Rob has a solid understand of each step and it shows in the PoC! THANKS ROB!
Thursday, August 16, 2007
Dude... where's my passport?!?!
We've had an interesting couple of weeks recovering from DEFCON, including some discouraging feedback about our "disclosure policy"... perhaps we should actually get one of those someday. Surprisingly enough, it wasn't from the folks at Mozilla, who were actually quite cool and just asked us to work with them in the future (which we will).
We've just been featured on /. which has linked to an interview we did with Robert from IDG. Article was pretty nice, however, it's received some /. criticism for lack of technical content... We also leaked a little pre-release information about a new piece of URI Use and Abuse we are playing with... this one allows us to steal data from a user's computer thru an XSS exposure and a URI abuse. Interestingly enough, we've been blasted a bit on /. because we haven’t released the details of the flaw. Sometimes you can’t win the disclosure game (as I’m sure other security researchers have encountered). We’ve gone through vendor disclosure, third party disclosure, and full disclosure, and we’ve been criticized each and every time…. We’ve got the FULL PoC ready and we'll release when we’re ready (shoutz to ROB CARTER for all his actionscript and sever side skillz!). I’m sure we’re not alone with our experiences; shoot me an email if you have an interesting disclosure story…
Finally….. I’m sad to say that Mark Hinge and Mark Anderson of Whitedust have hung their hats up! I’ve been a fan of Whitedust over the last few years....you'll be missed…. If you're ever in the Seattle area, look me up...
-BK and Nate
Monday, August 6, 2007
I Survived BLACKHAT and DEFCON (Barely...)
Blackhat and Defcon are now officially in history books! Nate and I had the opportunity to catch up with lots of old friends, as well as make a few new friends in the security world. Nate and I were lucky enough to get a speaking spot at DEFCON (which was AWESOME) and I’ll be posting the slides and demos on the site within the next few days.
I had a lot of questions about the specifics of the Flash demo I finished with during my DEFCON talk. I’ll be putting up some PoCs on how to force well known web mail servers to take ownership of a custom Crossdomain.xml file, which could allow for crossdomain requests through flash applets (as demonstrated in the DEFCON demo).
We also had a lot of questions about URI exploitation. Nate and I should have some more examples coming soon… but in the meantime, any questions we didn’t get a chance to answer in Vegas can be sent to our email accounts.
I’ll be in and out for the next few days as I wrap up some forensics training, so my response may be a little slow. If anyone is interested in talking about forensics, shoot me an email.
Next up on the list for me is HITB Malaysia! It should be interesting as I’ll be showing how to pull off Anti-DNS Pinning in full blown Java Applets (JVM, not LiveConnect). It works with IE and no proxy is required!