Sunday, February 17, 2008

Browser Hacking 1: Testing Your Code.

Today I'll let you in on a trick I developed.

One problem for many researchers is that when they found a browser issue or vulnerability, they must test it on different platforms, and different setups to guarantee that the vulnerability works in most cases. From an attackers standpoint this is way more crucial, because it is important to know that your exploit can work on different systems and browsers. Problem is, how do you arrange that? You could buy yourself a nice Beowulf cluster, but a cheap alternative is to let web based services do it for you. This can be done fairly simple by abusing the web applications that allow you to make screenshots. We create proof of concept code and place it on one of our own servers. We then feed the link to the screenshot service to see how each browser on each platform responds. One service that allows you to do this, is

Yesterday I found a vulnerability in Firefox that triggers a out-of-memory heap corruption. This is a serious vulnerability because under some conditions it allows remote code execution. Surely enough, I wanted to test this against 42 browsers on 42 different setups. This is where the browsershot service came into good use. It let me select the browsers I want, if Javascript or Java must be enabled and a lot of different other settings. They also provide very early builds from MSIE, Firefox or any other browser. I waited for 30 minutes to let the system work for me and I could determine which versions are vulnerable and which are not. It gave me detailed information about the used system like processor and memory use, plus a screenshot of what was happening to see if our code got executed or not.

These services run mostly on VMware and they can be abused. If I launch a page with an old vulnerability against Firefox 1.5 or any kind of vulnerable browser which I can select upon, I could possibly crash their service, or execute code. Of course this could turn out very badly, and you can imagine what we could do. Like setting up a shell on that box for instance. But more important we can also abuse these service to attack other websites through their virtual machine. SQL injection comes to mind, CSRF or simply launching worms from their system. You get the point: it shows that everything has a flip-side.

I might crashed a couple of browsers here and there with my latest Firefox test case.

My apologies, it's all in the name of a safer browser. :)

Try it yourself:

No comments:

Post a Comment