Abusing browsers user interfaces (for fun & profit)

Q: "Abusing browsers user interfaces"... looks like an old-fashioned topic - I mean - dealing with phishing attacks, fake iframes, fake chrome windows and stuff like that. What is it really about?
A: Let's start with a simple consideration: in a web environment like the one we are "living" in nowadays, where you cannot actually trust anything or anyone, and where even the safest website can turn into a weapon threatening your privacy & security, your browser represents your last line of defense. Browsers are becoming increasingly complex and secure, and average users have a good degree of confidence in these pieces of software. If even the last bulwark falls, then we are completely exposed. From this point of view the browser "chrome" is by far the most critical component...

Q: Chrome? What exactly do you mean when talking about "chrome"? And why is it so important?
A: The "chrome" component of a browser includes the whole set of user controls, menus, dialogs and notification bars that "surround" the actual web content whenever you are browsing the web. The chrome, among other things, acts as a communication medium between the user and the browser, so it is generally trusted. As an example, you generally trust the notifications provided by your browser, e.g. when you try to download some malicious software or visit some phishing domain, right?

Q: Right.
A: So...imagine if these "notification mechanisms" could, in some way, be controlled by an attacker: you could not distinguish good from bad anymore, you wouldn't be alerted in dangerous situations...in a word, you would be highly vulnerable.

Q: So you're telling me that there are ways for an attacker to "control" these browser notification mechanisms?
A: Exactly, and it is also ridiculously simple. I can show you how to run an executable file (potentially dangerous) directly from a web page, without any notification or user confirmation. All you need is to type ONE KEY on Internet Explorer or make ONE CLICK on Google Chrome.

Q: Are you kidding? Browser vendors are investing a lot of money in building increasingly complex security mechanisms...and you are telling me it is possible to run a file with ONE KEY or ONE CLICK?
A: Correct. Let's start the explanation: all modern browsers use modeless notification mechanisms to notify users about some sensitive events (file downloading, plugin installation, HTML5 privileged APIs, etc.); these notification bars are non-invasive, they are designed to inform users without interrupting navigation...but they suffer from some serious design problems:
  1. notification bars are bound to the navigation window, so if you are able to "hide" the navigation window, you can also hide the notification. This means you can (for example) download a file onto your computer and get no notification at all from your browser.
  2. there are some keyboard shortcuts that browsers provide to interact with the user controls displayed in notification bars, e.g. ALT+R (to run a file), ALT+S (to save a file), and so on.
  3. you can use the TAB key to switch among the several user controls displayed in a notification bar.

Q: Ok, so you can "hide" a notification bar if you are able to "hide" the navigation window...but how can you hide a navigation window?
A: Using popunder windows. Basically, open a new window, resize and pin it to some coordinates, then move it to the background. This requires some JS magic, but if you search GitHub for Jspopunder you will find a bunch of projects that enable popunder control in a cross-browser environment.

Q: But...even if it is a popunder, there should be some new browser window displayed somewhere...
A: In modern browsers, multi-tabbing is enabled by default and all the navigation windows are grouped very closely in the application taskbar, so there is practically no evidence of the popunder window for the average user, especially if many windows are open.

Q: So you can download a file and hide the notification bar using a popunder window: but how can you actually execute the file?
A: Here comes the bug...on IE9/10 running on Win7, you can open the popunder window and give it the focus, even if it is hidden: this means that every keyboard input provided by the user will be directed to the popunder and not to the foreground window. Now remember issue #2 about notification bars, the keyboard shortcuts...once the file has been downloaded and the notification bar has appeared, you only need to press a single key to trigger file execution: the key is "R" for English-language OSes. So all you need is to trick a victim into typing the key "R".

Q: Why "R"?
A: "R" is the shortcut for Run, but the key changes according to the OS language: for instance on Italian OSes the key is "E" (Esegui).

Q: So let me sum up....you visit an attacker's malicious website, a popunder is automatically created and a download initiated; at the end of the download no notification is shown, and if you are able to trick the victim into typing the "R" key you can run the downloaded file. But how can you trick someone into typing a particular key?
A: Well, there are plenty of ways: a game, a typing lesson...but my favourite one is a captcha. Just take a fake captcha whose text starts with the proper letter ("r" or "e") and you'll trick 100% of users. You can test the online demo just to get an idea of how simple it is (at the captcha page type "R" or "E" depending on your language).

Q: It seems deadly. Does this also work on Win8?
A: Yes, but it requires a slightly more complex key combo: "TAB" + "R", so you should use a different PoC...for instance a typing test.

Q: So you are able to run files on IE by just typing a key; what about Chrome?
A: For Chrome there is a different technique: you open a popunder window at some specific screen coordinates and put it under the foreground window, then start the download of an executable file; after that you need to trick the victim into clicking on some link/button on the foreground window. The attacker, using some JS, is able to track the mouse pointer coordinates, so as soon as the mouse is hovering over the button, the attacker can close the foreground window; if the timing is right there is a good chance that the victim will click on the underlying popunder's notification bar, thus actually launching the executable file themselves.

Q: It doesn't look like a brand new technique to me...
A: Actually it is not: an approach like that has already been discussed by M. Zalewski and C. Jackson. Jackson actually tested this kind of approach for clickjacking attacks on a sample of 2000 people using Amazon Mechanical Turk, and found that the success rate is over 90%. But up to Win7 it was not possible to use this technique for launching executable files. On Win7, whenever you download a file from the web using Chrome, the OS writes a file on the file system called the "Zone Information file": this file is an ADS (alternate data stream) that carries information about the security zone you downloaded the file from. If you open an unsigned file downloaded from the Internet zone, the OS will raise a security warning that cannot be bypassed; so the one-click attack will not work...
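
The Zone Information stream just mentioned is something a defender can inspect directly. The following PowerShell script is an added example (not from the original page or the author's PoCs): it walks a downloads folder, reads the Zone.Identifier alternate data stream of each executable-type file, and reports the recorded zone, flagging executables that carry no mark at all (and would therefore get no Internet-zone warning) as well as Internet-origin ones. The folder, the extension list and the zone-name table are assumptions; the ReferrerUrl/HostUrl fields are parsed only when a browser wrote them.

```powershell
# Added example (not from the original page): audit downloaded files for the
# Zone.Identifier alternate data stream ("Mark of the Web") that Windows uses
# to decide whether to warn before running a file from the Internet zone.
# Assumes Windows with PowerShell 3.0+ (Get-Content -Stream support).
param(
    # Assumption: the user's default Downloads folder
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
    # Assumption: extensions worth checking for a mark
    [string[]]$Extensions = @('.exe', '.msi', '.scr', '.bat', '.cmd', '.ps1', '.js', '.vbs', '.hta')
)

# URL Security Zone ids as stored in the ZoneId= line of the stream
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $info = [ordered]@{
        Path = $Path; HasMotw = $false; ZoneId = $null; Zone = 'none'
        ReferrerUrl = $null; HostUrl = $null
    }
    try {
        # Reading a missing stream raises an error: treat that as "no mark"
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        $ads = $null
    }
    if ($ads) {
        $info.HasMotw = $true
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') {
                $info.ZoneId = [int]$Matches[1]
                $info.Zone = $zoneNames[$info.ZoneId]
            } elseif ($line -match '^\s*ReferrerUrl\s*=\s*(.+)$') {
                $info.ReferrerUrl = $Matches[1].Trim()
            } elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') {
                $info.HostUrl = $Matches[1].Trim()
            }
        }
    }
    [pscustomobject]$info
}

Get-ChildItem -LiteralPath $Folder -File |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    ForEach-Object {
        # No mark means the Internet-zone warning described above never fires
        if (-not $_.HasMotw) { $finding = 'NO MARK-OF-THE-WEB' }
        elseif ($_.ZoneId -ge 3) { $finding = 'Internet-origin executable' }
        else { $finding = 'ok' }
        $_ | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    } |
    Format-Table Path, Zone, Finding, HostUrl -AutoSize
```

Run it as `.\Check-Motw.ps1` (or with `-Folder` pointing at another directory); a mark can be added to a file by hand with `Set-Content -Stream Zone.Identifier` if you want to see the Internet-zone warning return on a test binary.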

Q: What is different on Win8?
A: On Win8 this security warning has been dropped and a SmartScreen check is performed instead. But there are a lot of ways to circumvent SmartScreen, which means you can execute code with just one click. If you don't believe it you can test the online demo. The same technique can also be used for abusing HTML5 API notifications and anti-framing technologies. You can test the whole set of PoCs here.

Q: So at the end of the day, you are telling me you can run any executable file from a browser with just a little bit of social engineering, like typing a key or clicking a button. Right?
A: Well, not any file...There are a couple of limitations:
  1. SmartScreen filter
  2. User Access Control
SmartScreen filter is a Microsoft security technology for limiting access to malicious websites and malicious files. It works quite well but it is not unbreakable:
  1. The SmartScreen reputation check (it checks whether a file is malicious or not) is not 100% reliable. If you browse this website you will find a huge list of exetweets: an exetweet is basically a shortened URL linking to some malicious executable, spread all over Twitter. I found that almost 20% of those exetweets will bypass SmartScreen and many of them are actually classified as malware on VirusTotal.
  2. SmartScreen needs some response time in order to analyze and assign a reputation to new malware samples. So if you publish a new malware sample you have a good chance of bypassing SmartScreen in the first days after publishing.
  3. When checking signed applications (.exe) SmartScreen only looks at the signing certificate's reputation and not at the exe binary. This means that if you are able to get your hands on a "trusted" signing certificate (already used for signing benign applications), you can use it to sign your malware and it will bypass SmartScreen. Alternatively, you can buy an Extended Validation signing certificate from Symantec or DigiCert: this kind of certificate grants your executable an immediate good reputation, even if no prior reputation exists. Of course these AV companies will double check their customers' identities, but I'm quite sure that cybercriminals can deal with that ;-)
  4. The last way to bypass SmartScreen relies on network control: in a MITM scenario, an attacker can drop any request to the SmartScreen server. In this scenario the SmartScreen agent raises a new notification bar, complaining that the SmartScreen server is unreachable. The notification bar on the popunder will still show the Run button enabled, so if you trick your victim into typing "TAB" and "R" once again you get arbitrary code execution: I demoed this attack during the conferences and I showed how to open calc.exe on the victim's machine.

Q: What about User Access Control?
A: In the default configuration, UAC enforces a warning whenever an application requires administrative privileges, and it's not bypassable. But the real question is: "do you really need administrative privileges to cause serious damage to your victims"?
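
As a defender's counterpart to the two limitations discussed above (the SmartScreen bypasses and the UAC prompt), here is an added PowerShell example, not from the original page or the author's PoCs, that reads the registry values controlling SmartScreen and UAC on a Windows 8-or-later machine and flags settings under which a click-through or prompt-less launch would succeed: SmartScreen set to a user-dismissable level or off, UAC disabled, admin elevation without consent, or the consent prompt not shown on the secure desktop. The registry paths and value names are the standard ones; treating the "Warn" and "Block" strings as the Windows 10 equivalents of "Prompt" and "RequireAdmin" is an assumption for older builds.

```powershell
# Added example (not from the original page): report the SmartScreen and UAC
# settings that bound the one-key / one-click launch attacks described above.
# Assumes Windows 8+ with PowerShell 3.0+; HKLM read access is enough.
function Get-SmartScreenUacPosture {
    $explorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $policySys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # SmartScreenEnabled: "RequireAdmin" (standard user cannot override),
    # "Prompt" (user may click through), "Off"; Windows 10 uses "Block"/"Warn"/"Off"
    $ss            = (Get-ItemProperty -Path $explorer  -Name SmartScreenEnabled         -ErrorAction SilentlyContinue).SmartScreenEnabled
    $lua           = (Get-ItemProperty -Path $policySys -Name EnableLUA                  -ErrorAction SilentlyContinue).EnableLUA
    $consent       = (Get-ItemProperty -Path $policySys -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
    $secureDesktop = (Get-ItemProperty -Path $policySys -Name PromptOnSecureDesktop      -ErrorAction SilentlyContinue).PromptOnSecureDesktop

    $findings = @()
    switch ($ss) {
        'RequireAdmin' { }                      # warning cannot be dismissed by a standard user
        'Block'        { }                      # Windows 10 equivalent (assumption, see lead-in)
        'Prompt'       { $findings += 'SmartScreen warning can be clicked through by a standard user' }
        'Warn'         { $findings += 'SmartScreen warning can be clicked through by a standard user' }
        'Off'          { $findings += 'SmartScreen disabled' }
        default        { $findings += "SmartScreenEnabled unexpected or absent: '$ss'" }
    }
    # EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0 elevates silently;
    # PromptOnSecureDesktop=0 renders the consent dialog among ordinary windows
    if ($lua -ne 1)           { $findings += 'UAC disabled (EnableLUA != 1)' }
    if ($consent -eq 0)       { $findings += 'UAC elevates without prompting (ConsentPromptBehaviorAdmin = 0)' }
    if ($secureDesktop -ne 1) { $findings += 'UAC prompt not shown on the secure desktop' }

    [pscustomobject]@{
        SmartScreenEnabled         = $ss
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesktop
        Findings                   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

Get-SmartScreenUacPosture | Format-List
```

On a default Windows 8 install the function should report `RequireAdmin`, `EnableLUA = 1`, `ConsentPromptBehaviorAdmin = 5` and `PromptOnSecureDesktop = 1` with `Findings = ok`; anything else is worth a look, because the SmartScreen-unreachable and one-click scenarios above assume the user is allowed to proceed past the warning.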

Q: ...and the answer is?
A: No. A lot of (in)famous malware families (e.g. Carberp) were able to do HTML content injection, keylogging and autostart at user logon...all using userland APIs. So, at the end of the day, practically no limitations exist for this couple of attacks.

Q: Are vendors aware of these problems?
A: Yes, I presented these techniques at the Hack In The Box, PHDays and Nuit Du Hack conferences this year, so they have been "public" for a couple of months. I'm not aware of any vendor plans for patching these bugs. Below you can download the slides with all the attack details.

Rosario Valotta - 27/6/2013
Rosario Valotta,
May 28, 2014, 4:49 AM