Web Browser File Stealing Vulnerabilities Are Important

File stealing vulnerabilities have long held a special place in web browser exploitation. Web browsers carefully sandbox web content to keep it away from the local file system, but INPUT elements with TYPE=FILE are the deliberate exception: they reach through the sandbox so that users can select local files for upload. For miscreants, this provides an opportunity to steal files from unsuspecting users. By exploiting web browser vulnerabilities, a malicious web page may be able to steal confidential information by manipulating the FILE input element and causing arbitrary files to be uploaded. These types of attacks are old and well known.

There are a few main modes of attack.

  • Purely technical attacks: The purely technical attack involves exploiting a vulnerability to directly set the file input's VALUE field to a chosen, arbitrary value. For example, create an input element of type TEXT, set the value, and then change the type to FILE:
    <script>
        // On a vulnerable browser the value survives the type change, so the
        // file input now names /etc/passwd without the user choosing anything.
        var input0 = document.createElement("input");
        input0.type = "text";
        input0.value = "/etc/passwd";
        input0.type = "file";
    </script>
    
    Other attacks have involved direct DOM manipulation. These vulnerabilities are now extremely rare, because file inputs enjoy additional protections in most modern web browsers: script cannot set a file input's value to anything but the empty string, and changing an input's type to FILE discards whatever value it held.
  • Social engineering attacks: The social engineering attack usually involves getting the user to type the complete path to the file into the input element. To increase the chance of success, Cascading Style Sheets (CSS) are used to style the file input so that it looks like a text input or textarea, or to overlay it with some other element.
  • Hybrid attacks: The hybrid attack combines aspects of the technical attack with elements of the social engineering attack. These attacks are typically performed by selectively capturing keystrokes in the file input's text entry field. Two methods have been used to facilitate this. The first silently redirects keystrokes from another input element into the file input. The second sets the focus on the file input element while simulating keystrokes into another input element. In both methods, CSS can be used to hide the fact that the user's keystrokes are landing in the file input element.

Depending on the attacker's goals, well-known files may be targeted. For example, on Linux or Mac OS X some security-related files are juicy targets:

  • ~/.gnupg/secring.gpg
  • ~/.ssh/id_rsa

Or, maybe one of the history files:

  • ~/.bash_history
  • ~/.lesshst
  • ~/.mysql_history
  • ~/.scapy_history
  • ~/.viminfo

Even mundane files like "C:\boot.ini", "/etc/passwd" or "/etc/hosts" can reveal information about the system that the owner may not want disclosed. For example, acquiring one or more of these files from a Tor user could be used to fingerprint the machine or reveal the user's actual identity.

The way that people use their web browsers on the Internet has changed over the last several years. The level of web browser interaction has drastically increased. Ordinary people are writing blog entries, posting comments on their friends' sites and composing business documents using online services. This is a huge shift from the "punch the monkey" mouse clicking of the early years. That increased level of interaction is what makes the hybrid attacks so significant. Users are accustomed to typing into web forms and responding to CAPTCHAs, so a few redirected keystrokes do not look out of place. Vulnerabilities that allow the focus to be redirected to the file input field should be taken seriously.

File stealing through manipulation of the file input can be extremely insidious. Users truly depend on their web browser to protect them. So, among the major browsers, what can users expect?

Mozilla's efforts with Firefox are finally beginning to pay off. Firefox 3 completely removes the text entry portion of the file input and replaces it with a graphic file picker. The last several Firefox 2 releases are slowly addressing the ability to selectively set the focus on the text portion of the file input element.

Safari has used a file picker for a long time and avoided the whole focus and captured keystroke problem.

Microsoft Internet Explorer has lagged behind in these fixes. It isn't entirely clear what changes IE8 will bring, but both IE6 and IE7 continue to exhibit some of the classic focus vulnerabilities. Even though these vulnerabilities have been repeatedly and publicly disclosed over the last couple of years, IE has not been updated to address any of them.

To close out the year, I'll post some demonstrations of how these IE file stealing vulnerabilities can be exploited. Stay tuned.

Posted by gfleischer on 2007/12/20 at 21:33 in Security
