Saturday, August 15, 2015

I saw Natalie Silvanovich give a talk titled "Attacking ECMAScript Engines with Redefinition" at Black Hat.

So what is redefinition? Let's say we wanted to redefine, per Natalie's example, this...

alert("hello");

...which manifests like this...

[screenshot: the browser's alert dialog showing "hello"]

Well, an eye-opener that I've had this summer is that any of the built-in functions ECMAScript exposes as globals (alert here, which is a property of the global object rather than a reserved keyword) may be assigned to like a variable and thereby set to something else. In Natalie's example a function and an assignment were added upstream of the alert like so:

// replacement that writes its argument into the page instead of popping a dialog
function f(mystring) {
   document.write(mystring);
}
// overwrite the global: every later call to alert() now runs f
alert = f;
alert("hello");

...giving:

[screenshot: "hello" written into the page body instead of an alert dialog]

...for me in Google Chrome. Do you see how alert now writes something instead of throwing up an alert? If you could slip in the function and the assignment in an XSS attack you could make this fairly mundane change occur at a web site and, thus, write to the page all alerts downstream of your injection point. Natalie was quick to caution that the effect I describe above is what mostly happens in the JavaScript space. In some browsers the alert will still be an alert, and in others neither the alert nor the document.write will be tripped. In this latter scenario, nothing happens at all. Anyways, beyond this silly example, if you use your imagination/creativity you can probably come up with some ways to do some real harm.

I put my hand up and asked about the effects on JavaScript frameworks such as AngularJS, and Natalie in response suggested that her personal testing and research in advance of the talk had really focused instead on the ActionScript of Adobe Flash. Apparently there are plenty-o-vulnerabilities of this shape in ActionScript 2.0 and she had numerous slides with numerous examples. __resolve apparently may be run when a property or method is undefined. If you can overpower __resolve with your own madness, well... yikes! Another way to hack is to subclass an existing object. Properties on a "class" can sometimes be overwritten by extending the class. When I close my eyes and try to picture the hack, I suppose this would allow some internal mechanics of the thing being tampered with to continue to behave while others get redefined.

ActionScript 3.0 has a lot of the pitfalls filled in to prevent you from falling down a hole and hurting yourself, but Natalie suggested there were still problems with ActionScript 3.0 too. I don't know what injection attacks look like in the Flash space. Does one enter stuff into a form in a Flash app only to have something interpreted as a string get reinterpreted as ActionScript? I don't know, and Natalie didn't delve into how to push attacks in. She did suggest that one thing that could be done to make redefinitions harder to obtain was to put wrappers around functions, as suggested here. Using a fuzzer to bombard your engine to find weaknesses (should they exist) was also recommended. IDA in particular was mentioned by name.
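As an added example (not code from the talk or from this post), here is the redefinition from above next to the captured-reference wrapper and property-locking defenses Natalie's "wrappers around functions" advice points at, plus two checks for whether a built-in has already been swapped; the stand-in window object and the helper names are this example's own assumptions.

```javascript
// Constructed stand-in for the browser's window object; a real page would
// use window itself. The helper names below are this example's own.
function makeWindow() {
  const win = {};
  win.alert = function alert(msg) { return "ALERT:" + msg; };
  return win;
}

// The attack shape from the post: assign a replacement to the global name,
// so every later caller of alert() runs the replacement instead.
function redefineAlert(win) {
  try {
    win.alert = function f(mystring) { return "WRITE:" + mystring; };
  } catch (e) {
    // Strict-mode code throws a TypeError when the property is non-writable.
  }
  return win.alert("hello");
}

// Mitigation 1: capture a private reference before any injected script can
// run, and always call through that reference (a "wrapper" around alert).
function makeSafeAlert(win) {
  const original = win.alert;
  return (msg) => original.call(win, msg);
}

// Mitigation 2: make the property non-writable and non-configurable so a
// later assignment is ignored (sloppy mode) or throws (strict mode).
function lockAlert(win) {
  Object.defineProperty(win, "alert", {
    value: win.alert, writable: false, configurable: false, enumerable: true,
  });
  return win;
}

// Detection A: compare the live global with the reference captured at load.
function isRedefined(win, original) {
  return win.alert !== original;
}

// Detection B: native built-ins stringify to "[native code]"; a script
// function does not. Weaker than A, since toString can itself be redefined.
function looksNative(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}
```

Both mitigations only help if the capturing or locking script runs before the injected one, which is why the post's "upstream of the alert" ordering matters.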
