Man-in-the-browser to retrieve content of SSL connections

Man-in-the-browser • IMT4122 Software Security Trends • Spring 2013

André Nordbø
IMT4122 Software Security Trends
Gjøvik University College (12HMISA)
[email protected]

Abstract

In this paper we dive into the attack known as "Man-in-the-browser", where malicious code runs inside the victim's computer and tags along on already authenticated sessions. The goal is to demonstrate that content is available even if SSL/TLS is being used. The demonstration code uses the Microsoft Detours API and targets primarily Internet Explorer running on Windows XP, although the method in general also works for other browsers and Windows versions.

1. Introduction

Former Secure Socket Layer (SSL), now Transport Layer Security (TLS), is used to ensure confidence in the identity of web applications and to protect the information being transmitted. A lot of effort has been put into protecting this end-to-end communication to fend off "man in the middle" attacks. A related attack is called "man in the browser" and can be considered a subcategory of the former [3]. The idea is to move closer to the interaction between the human user and the machine. One major reason why this is important is pointed out in the assignment description:

"E-business and browser banking allows companies to transfer parts of their activity to their customers, using customers' computers. A tacit assumption in the process is that the system the user uses is free from malicious software." [7]

The implied but false assumption that customers' computers are free from malware is of the essence. E-banking has evolved to include one-time passwords delivered via different channels. This protects against stolen credentials being reused across sessions, and can also be used to authenticate subtasks with finer granularity while the user is logged in. The goal of this project is to demonstrate with code that malicious applications can eavesdrop on secure TLS connections before the data is sent out on the Internet. This is done by attacking web browsers and their dependencies, ultimately fooling the human user. In the following chapters we look at the requirements given in this assignment, a bit on methodology, the theory behind this technique, an implementation and lastly some preventive thoughts, further work and a conclusion.

2. Requirements

• Compilable source code is to be handed in together with a verifiable explanation of the steps necessary for compilation on a clean install of an operating system.
• The source code is to be accompanied by Doxygen-generated source code documentation.
• The presentation needs to demonstrate the techniques employed, ideally including a live demonstration.
• Source code must generate zero warnings when compiling and give zero true positives in a static analysis tool for source code vulnerabilities in the chosen programming language.
• The expected result is a working demonstrator that is compatible with Internet Explorer, Firefox, Chrome, or Opera on Microsoft Windows. Preferably it should work reliably with more than a single web browser.
3. Methodology

The assignment text introduces three methods as examples of how a man in the browser solution can be achieved:

• Write a browser plug-in
• Use a (browser) helper object (DLL module for the IE browser, basically a browser plug-in with high privileges)
• Inject a new thread into the browser process, and then hook into the socket API calls [5]

Since one of the requirements is a solution working for several Internet browsers, there are at least two options: write custom code for each browser, or try to discover whether all browsers use common libraries for performing TLS encryption. TLS/SSL operates in the transport layer of the TCP/IP protocol suite, and without in-depth knowledge it would be natural to assume browsers rely on functionality in the operating system. This rules out the first two methods listed above. One additional resource [1], a presentation from Black Hat 2008 by Kenji Aiko, was also given. Kenji also mentions the Microsoft Detours API¹ [5], which came out of Microsoft Research.

Because the author of this paper does not have much experience with low-level programming, the main methodology will be trial and error, actively using tutorials on the Internet for guidance, as learning parts of C++ will be a major part of this assignment.

A note on the requirements: this project is not going to use Doxygen documentation, mostly because it is demonstration code and does not export any API for usage. Code will be documented in the header of source files and in-line. The demonstration code is meant for demonstration and learning purposes only, so there is no reason for the requirement of "no true positives using static analysis". Usage of safer methods is preferred but not the main goal of this endeavour.

4. Theory

The main reason for attacking interfaces closer to the human operator is to avoid having to deal with encryption and authentication, and instead utilize the fact that a human somewhere in the chain has to be able to perform sensitive tasks like the banking previously mentioned. Figure 1 shows this concept.

Figure 1: Principle illustration of man in the browser

The main questions in this section deal with what methods are known for performing man in the browser attacks, and with finding a doable method within the scope of this project. Let's start by addressing the big picture. The authors of [2] talk of the general concepts. They talk of typical capabilities found in banking Trojans, including screen shot, video, keyboard and mouse capture, redirection of web pages and manipulation of HTTP POST/GET/PUT² requests and the DOM³ in browsers. They also explain how to become one with the user's authenticated session in 5 steps.

1. Infection by Trojan
2. Activation upon user initiation of legitimate transaction
3. The user passes all authentication
4. Trojan manipulates outgoing transaction details, replacing a mule⁴ as the recipient.
5. Trojan manipulates receipts and handles additional transaction authentication by making the user re-authenticate.

¹ Application Programming Interface, often libraries of code that can be reused
² Used for requesting pages, transmitting what you search for and transmitting online forms
³ The DOM (Document Object Model) can be thought of as the "live" page source of HTML. The source HTML is parsed by browsers in memory, placed in a DOM and rendered. Modifications to this DOM allow for adding and removing elements like pictures, forms and text
⁴ In order to hide the true identity of the miscreants behind the attack

Figure 2: Example of how detouring and trampolining works (based on an illustration in the cited paper)
Typical infection vectors are social engineering, sending e-mail with malicious PDF files (phishing), and exploiting vulnerable plug-ins like Java on popular web pages (pharming and watering hole). As mentioned later in the paper, these banking Trojans typically have a command and control infrastructure allowing for a back channel and for updating the Trojan with new functionality and configurations containing specific target details. The need for customization is nicely summarized in this quote:

"For instance, is clearly not of use to perform html injection attacks ... without knowing what to inject and where to do so. Attackers cannot expect inserting a 'Please enter password/email/D.O.B.' field at random into every page to be very successful" [3]

Continuing with [2], they discuss the reasons for targeting the browsers: it is easy to infect computers, detection is hard, traditional strong authentication is inadequate and anti-fraud mechanisms are not effective. As they say:

"However, they [MitB attacks] are especially prevalent in areas where two-factor authentication is densely deployed" [2]

It is an interesting observation, and reasonable because without two-factor authentication⁵ simply using keystroke and/or mouse loggers is sufficient. Dynamic authentication using Transaction Authentication Numbers (TAN), and the mobile TAN becoming popular, even raises a new kind of middleman known as the Man-in-the-Mobile.

Three points of attack are mentioned, basically the same as in the assignment description:

1. Browser Helper Objects: dynamically loaded DLLs loaded by Internet Explorer on startup, which have full access to the DOM tree. Said to be very easy.
2. Extensions: Said to be very easy. The paper [11] compares extensions in Firefox, Internet Explorer, Safari and Opera.
3. API-Hooking: Man in the middle between executables and DLLs, claimed to be difficult. They mention a method "InternetConnect()" in "wininet.dll" for Windows Internet Explorer and the methods "CFReadStreamOpen()", "CFReadStreamRead()" and "CFReadStreamWrite()" for Safari on Mac.

In the Black Hat presentation [1] from 2008, Kenji Aiko talks of API hooking, which is diverting functions that call external library code. He mentions an API for performing this on Windows named Microsoft Detours and a technique on Unix using LD_PRELOAD [6]. He claims SSL communication in Windows often uses the CryptoAPI provided by ADVAPI32.dll for internal functionality, specifically the "CryptEncrypt" and "CryptDecrypt" functions. During initial testing with "API monitor" (described in the implementation section), I was not able to find anything from Chrome, Firefox or Opera using these two APIs. Internet Explorer used them, but only header information was visible. The presentation was written 5 years ago, and this can be explained by changes since then; browser implementations might have changed. Another explanation could be the tool used and the knowledge required to hook these methods. MS Detours still looks like an interesting path ahead.

The Microsoft Detours API, as described in this paper [5], works by modifying binary code in memory, as opposed to changing the image on disk. It can intercept arbitrary Windows binary functions for 32-bit as described in the paper, and now also 64-bit in the latest commercial version 3. It does so by overwriting the start of the target function with a jump instruction to an alternative function (the detour function), and it keeps track of the original target in order to call it while detouring (the trampoline function). Figure 2 tries to illustrate this method.

A short look at browser implementations. Windows has its SChannel/CryptoAPI, MacOS has "Secure Transport"⁶.

• Firefox uses an open API called NSS⁷.
• Chrome/Chromium was according to [9] using operating system provided libraries until 2010, but seems to be moving to NSS. Interesting APIs are "PR_Write" and "PR_Read" (NSPR4.dll).
• Internet Explorer is primarily only available on Windows and uses the Windows API. Interesting APIs found (using "API monitor") are "InternetReadFile" for raw content, "HttpOpenRequestW" for GET/POST requests and "InternetConnectW" for domain name lookup.

⁵ Implying usage of dynamic authentication tokens changing all the time, compared to being static
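To make the detour/trampoline mechanism of Figure 2 concrete, and to show the check a defender can run against it, here is an added example (not code from this paper, nor from the Detours distribution) that simulates the patch on a bytearray standing in for code memory rather than on a real process. The x86 prologue bytes, the load address, the module range and the detour address are all constructed; `is_inline_hooked` flags an exported function whose first instruction is a `jmp rel32` that leaves its own module, which is the trace a Detours-style inline hook leaves at the entry point.

```python
"""Simulation of a Detours-style inline hook and an integrity check that detects it.
Added example operating on a bytearray standing in for code memory, not on a real
process; the prologue bytes and all addresses are constructed."""
import struct

JMP_REL32 = 0xE9  # opcode of the 5-byte x86 "jmp rel32" written at the target entry
NOP = 0x90

# Constructed x86 prologue of the target function, split into whole instructions:
# push ebp / mov ebp,esp / sub esp,0x10 / push ebx / push esi
PROLOGUE_INSNS = [b"\x55", b"\x8B\xEC", b"\x83\xEC\x10", b"\x53", b"\x56"]


def rel32(at, dest):
    """Little-endian displacement for a jmp rel32 whose opcode byte sits at `at`."""
    return struct.pack("<i", dest - (at + 5))


def read_jmp_target(memory, base, at):
    """Return the destination of a jmp rel32 at address `at`, or None if there is no jmp."""
    off = at - base
    if memory[off] != JMP_REL32:
        return None
    (disp,) = struct.unpack("<i", bytes(memory[off + 1:off + 5]))
    return at + 5 + disp


def displaced_length(insns):
    """Whole instructions are moved until at least 5 bytes are freed for the jmp."""
    n = 0
    for insn in insns:
        n += len(insn)
        if n >= 5:
            return n
    raise ValueError("function too short to hook")


def install_detour(memory, base, target, detour, trampoline, insns):
    """Simulate the attach step: copy the displaced prologue into the trampoline, append a
    jmp back to the rest of the target, then overwrite the target entry with jmp detour."""
    n = displaced_length(insns)
    t, tr = target - base, trampoline - base
    memory[tr:tr + n] = memory[t:t + n]
    memory[tr + n:tr + n + 5] = bytes([JMP_REL32]) + rel32(trampoline + n, target + n)
    memory[t:t + 5] = bytes([JMP_REL32]) + rel32(target, detour)
    memory[t + 5:t + n] = bytes([NOP]) * (n - 5)  # padding choice of this simulation
    return n


def is_inline_hooked(memory, base, func, module_lo, module_hi):
    """Defender-side check: the entry point starts with an unconditional jump whose
    destination lies outside the module that exports the function."""
    dest = read_jmp_target(memory, base, func)
    return dest is not None and not (module_lo <= dest < module_hi)


def demo():
    base = 0x10000000            # constructed load address of the "module"
    memory = bytearray(0x1000)   # constructed code region of that module
    target = base + 0x100        # entry point of the function being hooked
    trampoline = base + 0x800    # where the displaced prologue is parked
    detour = 0x7C000000          # constructed address of the hook in an injected DLL
    code = b"".join(PROLOGUE_INSNS)
    memory[0x100:0x100 + len(code)] = code
    module = (base, base + len(memory))
    before = is_inline_hooked(memory, base, target, *module)
    n = install_detour(memory, base, target, detour, trampoline, PROLOGUE_INSNS)
    after = is_inline_hooked(memory, base, target, *module)
    return {
        "hooked_before": before,
        "hooked_after": after,
        "entry_jumps_to": read_jmp_target(memory, base, target),
        "trampoline_prologue": bytes(memory[0x800:0x800 + n]),
        "trampoline_returns_to": read_jmp_target(memory, base, trampoline + n),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Applied to the real entry points of "InternetReadFile", "HttpOpenRequestW" and "InternetConnectW" in wininet.dll, from inside the browser process or from a scanner reading its memory, this is the check that would catch hooks installed with Detours' in-memory patch. It does not catch a hook whose jump stays within the module or one placed deeper than the first instruction, so a byte-for-byte comparison of the loaded code against the on-disk image is the stronger variant.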
5. Implementation

The implemented demonstration code, based on tutorials, consists of an executable "injector.exe" responsible for looking through the running processes on the machine and injecting the Internet Explorer and Firefox DLLs into the correct processes. The Firefox DLL simply inverts text on all visited pages, while the Internet Explorer DLL sniffs HTTP/HTTPS traffic and appends the content to files on the Desktop. The Windows XP platform selected was running version 8 of Internet Explorer. The techniques used depend on which function calls the browser makes. The Firefox API detoured is very general, while the three APIs used for Internet Explorer only apply to it, and a very simple test on Windows 7 indicates changes.
5.1 Setup

In order to control the demonstration, virtual machines were set up using VirtualBox from Oracle. Initial trials were performed on 64-bit Windows 7 using Visual Studio 2012. MS Detours, version 3.0 as of now, can be downloaded from Microsoft⁸, but is only available for 32-bit architectures for free non-commercial use. This should not in itself be a huge disadvantage, because many user processes on 64-bit systems still run in 32-bit mode⁹. Initial trouble compiling Detours, even when telling it to compile for 32-bit, led to migration to a 32-bit Windows XP SP3 system using the freely available Microsoft Visual C++ 2010 Express package.

Microsoft Detours installs source files to a folder under "Program Files". In order to compile it, use a "Visual Studio Command Prompt" found in the start menu, execute "vcvarsall.bat" in order to set up the compiler environment, move to the Detours installation folder, force 32-bit with the "set Detours_TARGET_PROCESSOR=x86" command (not necessary on 32-bit) and then run "nmake". Detours comes with a lot of examples in a "samples" directory and a helper file with documentation.

In order to get a feeling for how API hooking works, and for verifying what different APIs give access to, a tool called "API monitor"¹⁰ was downloaded. It supports 32- and 64-bit processes and has a huge list of predefined hooks available for discovery. They have a tutorial on monitoring SSL in Internet Explorer¹¹. Another great tool called "Task Explorer", part of the "Explorer Suite"¹², displays running processes and lists all imported modules. Good for verifying injection of DLLs.

⁶ https://developer.apple.com/library/mac/#documentation/security/Reference/secureTransportRef/Reference/reference.html
⁷ http://www.mozilla.org/projects/security/pki/nss/
⁸ http://research.microsoft.com/en-us/projects/Detours/
⁹ In task manager, look for *32 after the image name (Windows 7)
¹⁰ http://www.rohitab.com/apimonitor
5.2 Compiling the code

A compressed folder accompanies this report. It contains:

• Compiled code folder
• A readme.txt file
• Two required files from the compiled Detours folder (detours.lib and detours.h)
• Three C++ source files: source_injector.cpp, source_mitb_ff.cpp and source_mitb_ie.cpp

5.2.1 Internet Explorer DLL

Prerequisites are Microsoft Visual C++ 2010 Express and MS Detours compiled.

1. Create a project named "mitb_ie", select the "Win32 Console Application" template and select application type "DLL" under Application Settings.
2. In the "Solution Explorer" window find the "Source Files" folder and beneath it the file "dllmain.cpp". Insert the code from "source_mitb_ie.cpp" here.
3. Add the header file "Detours.h" and "Detours.lib" from the MS Detours compiled folder to the "mitb_ie" folder inside your project (available in the compressed folder).
4. Compile as normal. This DLL will append POST/GET, domain and HTML content to text files on the desktop. "dbgview"¹³ can be used to view the debug messages it creates using the "OutputDebugString" call.

5.2.2 Firefox DLL

Prerequisites are the same as for the Internet Explorer DLL. Use the same procedure as for the Internet Explorer DLL, using the code from "source_mitb_ff.cpp". In theory MS Detours is fully able to detour this browser, but the main difference in the specific implementation is that during experimenting with Firefox, no Windows APIs were found allowing the same access to unencrypted content. Firefox (and the same goes for Chrome and Opera) uses a custom implementation. Still, a funny "invert text" code is inserted to show that content is available for manipulation. Detouring internal functions is a way to go, but it requires knowledge of them and access to the structure definitions used to construct the detouring function.

5.2.3 Injector executable

Prerequisites: Nothing except Microsoft Visual C++ 2010 Express or equivalent.

1. Create a project named "injector".
2. Select the "Win32 Console Application" template and select application type "console application" under Application Settings. Many files will be created (37.9 MiB!).
3. In the "Solution Explorer" window find the "Source Files" folder and beneath it the file "injector.cpp". Insert the code from "source_injector.cpp" here.
4. Go to the properties of the project: "Configuration properties": General: Change Character set to "multi byte" (replacing unicode).
5. Compile under "Debug": "Build Solution (F7)". Find the executable under the first /Debug folder.

5.3 Running the code

The injector.exe file will look for the DLL files in the current path, so make sure injector.exe is run with the DLLs in the same directory. The injector will look for Internet Explorer and Firefox processes, so one of these must be running. The hook is removed when all instances of that browser are terminated. In Windows XP, running both as the default administrative account and as a limited account results in the code successfully injecting without any privilege escalation. For Windows 7, injector.exe does not work at all, even when run with administrator privileges, most likely due to the particular method used to inject the code.

¹¹ http://www.rohitab.com/api-monitor-tutorial-sniffing-internet-explorer-ssl-data
¹² http://www.ntcore.com/exsuite.php
¹³ http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
6. Prevention

The assignment asks:

"What are the recommended countermeasures that application developers or system administrators should apply to counter this attack?"

For application developers, for example browser vendors, this demonstration has shown that it is more difficult to perform man in the browser detouring when the browser does not use the default OS API for communicating, so mitigation could involve having tighter control of critical functions like encryption, for example through static compilation and using own libraries. For OS developers, locking down the permissions to inject code into other processes should be done, but miscreants are still able to poke holes in the defense [12].

System administrators in the context of organizations, and users in general, can avoid getting infected by limiting permissions (not running as administrator), using sandbox technology and updating vulnerable software. Nothing new here. The problem is caused by modern operating systems being such open platforms, used for all purposes ranging from surfing YouTube to financial transactions. In the short term, dedicating a computer to financial and serious tasks, separate from private fun, or even using live CD/DVD operating systems to ensure a clean system, are possible but not very practical solutions [4].

Both Almeida et al. [2] and Dougan et al. [3] have their own chapters on how to mitigate man in the browser attacks. Dougan [3] highlights the problem of keeping up the cat and mouse game, avoiding the "arms race", and suggests out-of-band confirmations as the only viable solution, in addition to the unlikely scenario that users stop getting infected with malware. As they say:

"Practice good computer hygiene"

Almeida [2] enumerates a lot of methods and why they don't protect against these attacks. My thoughts on reading it are that the main problem related to banking is that banks only authenticate the user, not the transaction details. One-time pass codes, even when out of band like SMS, tokens or code cards, only verify that you are you. The amount and receiver must also be part of the "signature" the user verifies with. Professor Stephen Wolthusen, during Applied Information Security, demonstrated such a simple device reading an encrypted message from the screen and displaying the contents of the transaction to the user, which can be followed by the generation of a verification code that only applies to the decoded transaction. This method assumes the computer cannot be fully trusted.
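As an added illustration of the argument in the last paragraph (not code from this paper, nor from the device demonstrated in the course), the following compares a one-time code that only authenticates the user with a code bound to the transaction details the user confirmed on a separate device. The shared secret, the nonce, the account numbers and the 8-digit truncation of the HMAC are all constructed for the example; a man in the browser that rewrites amount and recipient in the outgoing request is modelled simply as the bank receiving different details than the user confirmed.

```python
"""Transaction-bound verification codes versus user-only one-time codes.
Added example; the secret, nonce, account numbers and code length are constructed."""
import hashlib
import hmac

DIGITS = 8  # length of the code the user types back; a constructed choice


def derive_code(secret: bytes, message: bytes) -> str:
    """Truncate HMAC-SHA256(secret, message) to a DIGITS-digit decimal code."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def login_otp(secret: bytes, nonce: bytes) -> str:
    """Classic one-time code: proves possession of the token, says nothing about what is sent."""
    return derive_code(secret, b"login|" + nonce)


def transaction_code(secret: bytes, nonce: bytes, amount: int, recipient: str) -> str:
    """Code bound to the amount and recipient shown on the device's own display."""
    message = b"txn|" + nonce + b"|" + str(amount).encode() + b"|" + recipient.encode()
    return derive_code(secret, message)


def device_display(amount: int, recipient: str) -> str:
    """What the separate device shows before it releases a code; the user compares this
    against their intention, not against what the (possibly hooked) browser shows."""
    return f"Pay {amount} to {recipient}?"


class Bank:
    """Server side: recomputes the code over the details it actually received."""

    def __init__(self, secret: bytes, nonce: bytes):
        self.secret, self.nonce = secret, nonce

    def accept_login_otp(self, code: str) -> bool:
        return hmac.compare_digest(login_otp(self.secret, self.nonce), code)

    def accept_transaction(self, amount: int, recipient: str, code: str) -> bool:
        expected = transaction_code(self.secret, self.nonce, amount, recipient)
        return hmac.compare_digest(expected, code)


def demo():
    secret = b"constructed-shared-token-secret"
    nonce = b"nonce-0001"  # constructed; in practice a fresh random challenge per transaction
    bank = Bank(secret, nonce)
    intended = (100, "NO12 3456 7890 123")   # what the user sees on the device and confirms
    tampered = (5000, "NO98 7654 3210 987")  # what a man in the browser rewrites in the request
    otp = login_otp(secret, nonce)
    code = transaction_code(secret, nonce, *intended)
    return {
        "display": device_display(*intended),
        # user-only OTP: the bank cannot tell that the details were altered in the browser
        "otp_accepts_tampered": bank.accept_login_otp(otp),
        # transaction-bound code: valid only for the details the user actually confirmed
        "txn_code_accepts_intended": bank.accept_transaction(*intended, code),
        "txn_code_accepts_tampered": bank.accept_transaction(*tampered, code),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The user-only OTP is accepted regardless of what the browser submitted, which is exactly the gap the step-4 manipulation in the Trojan life cycle exploits; the transaction-bound code fails for the rewritten amount and recipient because the bank recomputes it over the details it received. The nonce must be fresh per transaction so a captured code cannot be replayed against a later request with the same details.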
7. Further work

While searching for solutions to several problems arising during development, several alternative tools were discovered, most of them supporting 64-bit processes. This question [10] has a good summary of frameworks like

• "Deviare API Hook"¹⁴
• "MHOOK"¹⁵
• "EasyHook"¹⁶
• API for Python¹⁷

Another interesting perspective could be to look at what real Trojans/botnets use in order to perform man in the browser. The paper [3] compares three botnets, "urlzone (bebloh)", "torpig (sinowal)" and "Zeus (zbot, kneber)", and there are many more to choose from:

• Spyeye
• Carberp
• Feodo
• Tatanga
• Silent Banker
• Gataka¹⁸

Interesting things would be what DLLs they hook, what functions inside the DLLs and what hooking techniques are being used. Other ways to inject DLLs are using registry keys, replacing DLLs, targeting the Import Address Table and the System Service Dispatch Table, all described briefly in [1]. Another interesting attack is subverting Ajax [8].

¹⁴ http://www.nektra.com/products/deviare-api-hook-windows/
¹⁵ http://codefromthe70s.org/
¹⁶ http://easyhook.codeplex.com/
¹⁷ http://www.rohitab.com/discuss/topic/37018-api-hooking-in-python/

8. Conclusion

The main result of this paper is demonstration code showing parts of the Detours API. As for protecting against man in the browser, avoiding being infected with malware is a short term solution, involving dedicating systems to critical tasks like banking, separate from everyday fun like games and YouTube. Avoiding being the lowest hanging fruit by choosing alternative operating systems and browsers also helps, but with targeted attacks¹⁹ on the rise this is no guarantee. In the long term we must realize modern computers are probably too complex and not trustworthy. Authentication using out-of-band communication including transaction details is a possible future.
¹⁸ http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/
¹⁹ http://en.wikipedia.org/wiki/Advanced_persistent_threat

References

[1] Aiko, K. New reverse engineering technique using API hooking and sysenter hooking, and capturing of cash card access. http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Aiko/bh-jp-08-Aiko-EN.pdf.
[2] Almeida, M., and Buyuksahin, U. Man-in-the-browser attacks. http://www.slideshare.net/aknahs/meninthebrowser.
[3] Dougan, T., and Curran, K. Man in the browser attacks. http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf.
[4] Gibson, S. Security Now! episode 321 (search for "no single approach"). https://www.grc.com/sn/sn-321.txt.
[5] Hunt, G., and Brubacher, D. Detours: binary interception of Win32 functions. In Proceedings of the 3rd conference on USENIX Windows NT Symposium - Volume 3 (Berkeley, CA, USA, 1999), WINSYM'99, USENIX Association, pp. 14–14.
[6] Krumins, P. A simple LD_PRELOAD tutorial (visited May 2013). http://www.catonmat.net/blog/simple-ld-preload-tutorial/.
[7] Langweg, H. IMT4122 Software Security Trends – project topics.
[8] Paola, S. D., and Fedon, G. Subverting Ajax. http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf.
[9] The Chromium Project. SSL stack (visited May 2013). http://www.chromium.org/developers/design-documents/network-stack/ssl-stack.
[10] StackOverflow. How does Microsoft Detours work and how do I use it to get a stack trace? (visited April 2013). http://stackoverflow.com/questions/4507581/how-does-microsoft-detours-work-and-how-do-i-use-it-to-get-a-stack-trace.
[11] Ter Louw, M., Lim, J., and Venkatakrishnan, V. Enhancing web browser security against malware extensions. Journal in Computer Virology 4, 3 (2008), 179–195.
[12] Zheng, L. Windows 7 UAC code-injection vulnerability: video demonstration, source code released (visited May 2013). http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/.