Exploiting Unicode-enabled Software - Paper · 32nd Internationalization & Unicode Conference

Exploiting Unicode-enabled Software

Chris Weber

Casaba Security

www.casabasecurity.com


Overview

• Attacks and Exploits

• Root Causes

• Case Studies

• TR #36 highlight

• TR #39 highlight

• Demos

• Areas for further testing


Attacks and Exploits

• Visual Security

▫ Homograph attacks, bidi-spoofing, syntax-spoofing

• Bypassing security logic

▫ Decoding or converting a Unicode string after a security gate

▫ Sometimes before

• Directory traversal

▫ Breaking out of a file system sandbox


Attacks and Exploits (cont.)

• Controlling syntax

▫ E.g. HTML parsers and JavaScript interpreters

• Filter evasion

▫ Exploit delivery techniques

E.g., Cross-site scripting (buffer overflow of the Web)

• Code execution

▫ Game over, you're owned


Root Causes

• Canonicalization

▫ Interpreting non-shortest form (e.g. UTF-8 encoding trickery)

▫ Other decoding issues

• Absorption (over-consumption)

▫ Over-consuming invalid byte sequences, or correcting rather than failing

When <41 C2 C3 B1 42> becomes <41 42>

• Character deletion and swallowing

▫ "deletion of noncharacters" (UTR-36)

▫ <scr[U+FEFF]ipt> becomes <script>

▫ Use replacement characters instead!


Root Causes (cont.)

• Interpreting syntax replacements

▫ White space and line feeds, e.g. when U+180E acts like U+0020

• Best-fit mappings

▫ When σ becomes s

▫ When ′ becomes '

• Buffer overruns

▫ Incorrect assumptions about string sizes (chars vs. bytes)

▫ Improper width calculations

• Timing issues

▫ Handling Unicode after security gates

▫ Sometimes handling Unicode before a gate can be a problem too! E.g. BOM handling


Root Causes (high level)

1) Issues with specification implementations.

2) Issues with specification designs?

▫ Specs are carefully designed but not always perfect. This could be a problem (and is): "When designing a markup language or data protocol, the use of U+FEFF can be restricted to that of Byte Order Mark. In that case, any U+FEFF occurring in the middle of the file can be ignored, or treated as an error."

▫ HTML 4.01 defines four whitespace characters and explicitly leaves handling of other characters up to the implementer.


TR 36 Highlight

• Covers many of the root causes we discussed

• Highlights:

▫ Unicode 5.1 updated for preventing over-consumption of ill-formed UTF-8

An ill-formed code unit subsequence cannot overlap with a minimal well-formed subsequence

▫ UTF-8 non-shortest form – never generate these, and be careful when interpreting them

▫ Deletion of Noncharacters defined

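As an added example (not from the talk's slides and not Casaba's code), here is a strict UTF-8 decoder in Python that applies the Unicode 5.1 / TR 36 rules from the Root Causes and TR 36 slides: overlong forms, surrogates and values above U+10FFFF are rejected, each maximal ill-formed subpart becomes one U+FFFD instead of being absorbed or deleted, and the byte that breaks a sequence is never swallowed. The byte ranges are those of Unicode Table 3-7; the test vectors are constructed.

```python
# Strict UTF-8 decoder (added example, not the talk's code). Standard library only.
REPLACEMENT = "\ufffd"

def _lead_info(b: int):
    """Continuation bytes needed and allowed 2nd-byte range, per Unicode Table 3-7."""
    if 0xC2 <= b <= 0xDF:
        return 1, (0x80, 0xBF)
    if b == 0xE0:
        return 2, (0xA0, 0xBF)  # E0 80..9F would be an overlong 3-byte form
    if 0xE1 <= b <= 0xEC or b in (0xEE, 0xEF):
        return 2, (0x80, 0xBF)
    if b == 0xED:
        return 2, (0x80, 0x9F)  # ED A0..BF would encode a UTF-16 surrogate
    if b == 0xF0:
        return 3, (0x90, 0xBF)  # F0 80..8F would be an overlong 4-byte form
    if 0xF1 <= b <= 0xF3:
        return 3, (0x80, 0xBF)
    if b == 0xF4:
        return 3, (0x80, 0x8F)  # F4 90.. would exceed U+10FFFF
    return None  # 80..BF, C0, C1, F5..FF can never start a sequence

def decode_utf8_strict(data: bytes) -> str:
    """Decode with maximal-subpart replacement: no absorption, no deletion."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        info = _lead_info(b)
        if info is None:  # stray continuation byte, or C0/C1/F5..FF
            out.append(REPLACEMENT)
            i += 1
            continue
        need, (lo, hi) = info
        cp = b & (0x3F >> need)  # payload bits of the lead byte
        j = i + 1
        while j < n and j - i <= need:
            c = data[j]
            ok = lo <= c <= hi if j == i + 1 else 0x80 <= c <= 0xBF
            if not ok:
                break
            cp = (cp << 6) | (c & 0x3F)
            j += 1
        if j - i - 1 == need:
            out.append(chr(cp))
        else:
            # Maximal-subpart rule: the truncated prefix is one U+FFFD and the byte
            # that broke it is re-examined as the start of the next unit, so
            # <41 C2 C3 B1 42> yields A, U+FFFD, U+00F1, B rather than <41 42>.
            out.append(REPLACEMENT)
        i = j
    return "".join(out)
```

CPython's own errors="replace" handler follows the same rule, so the two can be compared on any vector when testing a product's decoder.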

TR 39 Highlight

• Convenient guidance for:

▫ General identifier

▫ IDN identifier acceptance

▫ Detecting the “confusables”

▫ Mixed-script detection


Case Studies

• Who's up?

▫ Microsoft

▫ PostgreSQL

▫ Python

▫ Adobe

▫ Trolltech

▫ VMware

▫ PostgreSQL and MySQL

▫ Cisco

▫ ICU

▫ Apple and Mozilla

▫ Opera

▫ Web Ad network

▫ Social Networking


Case Study: Microsoft IIS

• In 2000 and 2001 the infamous IIS Unicode path traversal bug hit the Web

• CVE-2000-0884

▫ Damage: Directory traversal

▫ Exploit: Run commands and code on the server

▫ Root Cause: Canonicalization, Timing

• Attackers could run cmd.exe on the IIS server using their web browser!

http://lookout.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

• Then came double-decode

http://lookout.net/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\


Case Study: PostgreSQL and PHP/MySQL

• In 2006, PostgreSQL and MySQL SQL injection

▫ Example of the delicate ecosystem

• CVE-2006-2314

▫ Not Unicode specifically, but internationalization

▫ Damage: Code execution

▫ Exploit: Run commands and code on the server

▫ Root Cause: Absorption (over-consumption)

• For SQL injection to work, I need a tick (single quote) 0x27 to control the statement.

▫ I send a 0xbf27 (invalid multi-byte) and PHP's addslashes() gives me a 0xbf5c27. The 0xbf5c is now a valid multi-byte, and my 0x27 gets through!


Case Study: Python

• In 2006, a repr() function buffer overrun

• CVE-2006-4980

▫ Damage: Code execution

▫ Exploit: Leverage a flaw in UCS-4 handling to execute code on the box

▫ Root Cause: Buffer overrun

• Only affected a minority of *nix Unicode UTF-32 Python builds (the majority would be UTF-16)

▫ Trying to stuff 10 bytes into a 6-byte buffer

▫ Expecting \uffff but getting \u0010ffff


Case Study: Adobe Flash

• Heap overrun in the Perl-Compatible Regular Expression (PCRE) library

▫ Affected many products, not just Adobe

• CVE-2007-4768

▫ Damage: Code execution

▫ Exploit: Leverage a heap overrun to run arbitrary code on a client's computer.

▫ Root Cause: Buffer overrun

• Vulnerabilities could be exploited through content from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player.


Case Study: Trolltech Qt

• In 2007, a QUtf8Decoder::toUnicode() off-by-one error

• CVE-2007-4137

▫ Damage: Code execution

▫ Exploit: Leverage a flaw in the QUtf8Decoder::toUnicode() function to execute code on the box

▫ Root Cause: Buffer overrun

• Qt 3, a popular cross-platform application framework, was exploitable.


Case Study: VMware

• In 2007, a VMware issue identified by CORE Security

• CVE-2007-1744

▫ Damage: Directory traversal

▫ Exploit: Traverse out of the sandbox of the guest OS into the host OS

▫ Root Cause: Canonicalization, Timing

• MultiByteToWideChar() choices

▫ Ill-formed UTF-8: %c0%2e%c0%2e

▫ When the MB_ERR_INVALID_CHARS flag is not set, you wind up with %2e%2e, or ..


Case Study: Cisco

• In 2007 Cisco IPS evasion

• CVE-2007-2688

▫ Damage: Filter evasion

▫ Exploit: Bypass the intrusion prevention system's protection by leveraging full-width character forms

▫ Root Cause: Canonicalization

• Not the first time encodings have been used to bypass filters!

▫ Step back to 2001, when \uNNNN and %uNNNN notation was used to bypass filters


Case Study: ICU Library

• In 2008, ICU Library

▫ Not a flaw in ICU specifically, but a problem for consumers!

• CVE-2008-1036

▫ Damage: Filter evasion

▫ Exploit: Character decoding issues can compromise content-filtering logic

▫ Root Cause: Character deletion

• The ICU Library is leveraged by many software vendors including Google, Apple, IBM, and more

• Dropping invalid character sequences can lead to problems!

• Answer: Replace with a fallback character (refer to TR 36)


Case Study: Apple and Mozilla

• In 2008, Safari and Firefox BOM consumption

▫ Damage: Filter evasion, code execution

▫ Exploit: Bypass filtering logic with specially crafted strings to leverage cross-site scripting

▫ Root Cause: Character swallowing

<a href="java[U+FEFF]script:alert('XSS')">

• Even nastier:

<a h[U+FEFF]ref="java[U+FEFF]script:al[U+FEFF]ert('XSS')">


Case Study: Opera

• Opera browser

• In 2008, Opera white-space interpretation

▫ Damage: Filter evasion, controlling syntax, code execution

▫ Exploit: Bypass filtering logic with specially crafted strings to leverage cross-site scripting

▫ Root Cause: Interpreting syntax replacements

▫ A problem with the HTML 4.0 spec?

<a href=#[U+180E]onclick=alert()>

• This list includes many of the Unicode characters with the White_Space property:

▫ U+2002 to U+200A

▫ U+205F

▫ U+3000

▫ U+180E Mongolian Vowel Separator

▫ U+1680 Ogham Space Mark


Case Study: Web Ad network

• A popular advertising network in 2008

▫ Damage: Visual security, filter evasion

▫ Exploit: Fooling a system that tried to prevent certain words from being used, such as trademarks and profanity.

▫ Root Cause: Best-fit mappings

• If the word "Unicode" were considered a protected trademark which should be restricted in ads: try "Uniсode"

Where "с" = Cyrillic small letter ES (U+0441). Result: you bypass the filter, and the glyphs look identical.


Case Study: Social Networking

• A popular social networking site in 2008

• Implemented pretty complex filtering logic to prevent XSS

▫ Damage: Filter evasion, code execution

▫ Exploit: Bypass filtering logic with best-fit mappings to leverage cross-site scripting

▫ Root Cause: Best-fit mappings

• -moz-binding() was not allowed, but...

▫ [U+ff4d]oz-binding() would best-fit map!


Demo – Windows best-fit p/Invoke

• The .NET runtime will marshal a string as LPStr to a P/Invoke function

• How can we best-fit the < character?

▫ 0x2329 → 0x3c ; Left-Pointing Angle Bracket

▫ 0x3008 → 0x3c ; Left Angle Bracket

▫ 0xff1c → 0x3c ; Fullwidth Less-Than Sign

• How can we best-fit the s character?

▫ 0x015b → 0x73 ; Latin Small Letter S With Acute

▫ 0x015d → 0x73 ; Latin Small Letter S With Circumflex

• To deal with this, specify an LPWStr type instead of LPStr:

[MarshalAs(UnmanagedType.LPWStr)]


Demo: Microsoft IIS Unicode exploit

• Get a directory listing of the IIS server through your browser

http://lookout.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

• Run any command remotely on the server

• Game over, owned


Demo: MultiByteToWideChar() buffer overrun and code injection

• Call it a vulnerable Web server product, MyHTTP

• An attacker exploits the buffer overrun to run shellcode on the server

// sizeof() returns the number of bytes in the buffer, and we end up
// accepting twice as many chars as we should: the last argument,
// cchWideChar, is a count of WCHARs, so the safe value is
// sizeof(mBuff) / sizeof(mBuff[0]).
MultiByteToWideChar(CP_UTF8, 0, buff, result, mBuff, sizeof(mBuff));

• Game over


Demo: Safari BOM injection for XSS

• Cross-site scripting is the buffer overrun of the Web

• Many applications and WAFs implement filters to block dangerous user input:

▫ <script>alert('xss')</script>

▫ javascript:alert('xss')

▫ onclick=alert('xss')

• Vulnerability looks like this:

▫ <sc[U+FEFF]ript>

▫ java[U+FEFF]script:

▫ on[U+FEFF]click


Demo: Opera white_space formatter characters for XSS

• Vulnerability looks like this: <a href=#[U+180E]onclick=alert()>

• The HTML 4.01 spec defines four whitespace characters and explicitly leaves handling of other characters up to you!

• HTML 5 explicitly defines five whitespace characters and no others.
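As an added example that is not part of the talk (and not any vendor's filter), the following Python shows the defender side of the ICU, Safari/Firefox, Opera, ad-network and social-network cases and of the two XSS demos above: canonicalize untrusted text before the security gate looks at it, replace ignorable and noncharacter code points with U+FFFD instead of deleting them, and flag non-HTML whitespace and mixed scripts (TR 39 style). NFKC is assumed as a portable stand-in for a platform's best-fit tables (a different mapping), and the BLOCKED tuple is a constructed miniature of a WAF signature list.

```python
import unicodedata

# HTML 5's five whitespace characters; every other space-like code point the
# slides list (U+180E, U+2002..U+200A, U+205F, U+3000, U+1680) is suspicious.
HTML5_WHITESPACE = {"\t", "\n", "\f", "\r", " "}
# Constructed blocklist standing in for a WAF's XSS signatures (assumption).
BLOCKED = ("javascript:", "onclick", "-moz-binding", "<script")

def replace_ignorables(text: str) -> str:
    """Map format characters (BOM U+FEFF, U+180E, ...) and noncharacters to
    U+FFFD. Replacing rather than deleting means 'java<BOM>script' can never
    re-join into 'javascript' in a lenient downstream parser (TR 36)."""
    out = []
    for ch in text:
        cp = ord(ch)
        noncharacter = 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE
        out.append("\ufffd" if unicodedata.category(ch) == "Cf" or noncharacter else ch)
    return "".join(out)

def canonicalize(text: str) -> str:
    """NFKC folds compatibility forms (fullwidth U+FF4D -> 'm', U+FF1C -> '<'),
    used here as a portable stand-in for the platform's best-fit tables."""
    return unicodedata.normalize("NFKC", replace_ignorables(text))

def odd_whitespace(text: str) -> list:
    """Space separators outside the HTML 5 set. U+180E is listed explicitly
    because Unicode 6.3 moved it from Zs to Cf."""
    return [ch for ch in text if ch not in HTML5_WHITESPACE and
            (unicodedata.category(ch) in ("Zs", "Zl", "Zp") or ch == "\u180e")]

def scripts_used(word: str) -> set:
    """Coarse script of each letter, taken from its character name (TR 39
    mixed-script detection in miniature): 'Uni\u0441ode' -> {LATIN, CYRILLIC}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in word if ch.isalpha()}

def findings(text: str) -> list:
    """Every reason this input must not reach an HTML/CSS/JS consumer as-is.
    The keyword check runs on the canonical form, so the gate sees the same
    text the browser will (the 'timing' root cause)."""
    found = []
    replaced = replace_ignorables(text)
    canon = unicodedata.normalize("NFKC", replaced)
    if replaced != text:
        found.append("ignorable-character")
    if odd_whitespace(text):
        found.append("suspicious-whitespace")
    if any(len(scripts_used(w)) > 1 for w in canon.split()):
        found.append("mixed-script")
    if any(tok in canon.lower() for tok in BLOCKED):
        found.append("blocked-keyword")
    return found
```

Forward canonicalize(text) downstream, never the raw input, so that whatever the gate judged is also what the consumer parses.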


Further Testing

• Products

▫ Browsers (IE, Firefox, Opera, Safari, and Chrome)

▫ Libraries (ICU, etc.)

▫ Servers (Web, email, etc.)

• Test cases

▫ Buffer overruns

▫ Canonicalization

▫ Over-consumption

▫ Deletion / swallowing

▫ Best-fit mappings

▫ Absorption

▫ Timing


Questions?

Chris Weber

Casaba Security

www.casabasecurity.com

www.lookout.net