File stealing vulnerabilities have long held a
special place in web browser exploitation. Web browsers attempt to
carefully sandbox content to avoid interaction with the local
file-system. But INPUT elements with TYPE=FILE are specifically
designed to bypass the sandbox to allow users to select files for
upload. For miscreants, this provides the opportunity to steal
files from unsuspecting users. By exploiting web browser
vulnerabilities, malicious web pages may be able to steal
confidential information by manipulating the FILE input element
and causing arbitrary files to be uploaded. These types of
attacks are old and well known.

There are a few main modes of attack.
Depending on the attacker's goals, well-known files may
be targeted. For example, on Linux or Mac OS X some security-related
files are juicy targets:
- ~/.gnupg/secring.gpg
- ~/.ssh/id_rsa
Or, maybe one of the history files:
- ~/.bash_history
- ~/.lesshst
- ~/.mysql_history
- ~/.scapy_history
- ~/.viminfo
Even simple files like "C:\boot.ini", "/etc/passwd" or
"/etc/hosts" can show information about the system that the
owner may not want revealed. For example, acquiring one or more of these
files from a Tor user could be used to fingerprint the machine or
reveal the user's actual identity.

The way that people use their web browsers with the Internet has changed over
the last several years. The level of web browser interaction has
drastically increased. Normal people are writing blog entries,
posting comments on their friends' sites and composing business
documents using online services. This is a huge shift from the
"punch the monkey" mouse clicking of the early years. That increased
level of interaction is what makes the hybrid attacks so
significant. Users are accustomed to typing into web forms and
responding to captchas. Vulnerabilities that allow an attacker to
redirect focus to the file input field should be taken seriously.
File stealing through manipulation of the file input can
be extremely insidious. Users truly depend on their web browser
to protect them. So, among the major browsers, what can users expect?

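One way a reviewer can triage a page for the pattern described above, as an added example that is not code from the original post: it parses the markup with Python's standard-library html.parser and reports every file input together with the form it belongs to, flagging inputs that are visually hidden (display:none, visibility:hidden, zero opacity, pushed off-screen, or sized to a pixel or two) or given an autofocus or explicit tab stop, the usual signs of a file field that is meant to receive keystrokes the user intended for something else. The sample markup, the style heuristics and the hypothetical form actions are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the original post): one ordinary upload
# form, then a form whose file inputs are hidden or pre-focused.
SAMPLE_HTML = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <label>Attach a file: <input type="file" name="attachment"></label>
</form>
<form action="https://other.example/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="f" style="opacity:0; position:absolute; left:-9999px">
  <input type="FILE" name="g" style="width:1px;height:1px" tabindex="1">
  <input type="text" name="comment">
</form>
"""

# Inline-style fragments that make a control invisible to the user while it
# can still receive focus and keystrokes. Heuristic, not exhaustive.
HIDDEN_STYLE_PATTERNS = [
    ("display:none", re.compile(r"display\s*:\s*none")),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden")),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![.\d])")),
    ("off-screen", re.compile(r"(?:left|top)\s*:\s*-\d{3,}px")),
    ("tiny-size", re.compile(r"(?:width|height)\s*:\s*[0-2]px")),
]


class FileInputAuditor(HTMLParser):
    """Collects every <input type=file> along with its enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.current_form = None   # attributes of the open <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag names; bare attributes arrive as None.
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.current_form = attrs
        elif tag == "input" and attrs.get("type", "").lower() == "file":
            self.findings.append(self.assess(attrs))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None

    def assess(self, attrs):
        style = attrs.get("style", "").lower()
        reasons = [name for name, pat in HIDDEN_STYLE_PATTERNS if pat.search(style)]
        if "autofocus" in attrs:
            reasons.append("autofocus")
        if attrs.get("tabindex") not in (None, ""):
            reasons.append("explicit tabindex")
        action = (self.current_form or {}).get("action", "")
        return {
            "name": attrs.get("name", ""),
            "action": action,
            "reasons": reasons,
            "suspicious": bool(reasons),
        }


def audit_file_inputs(html):
    """Return one finding dict per file input found in the markup."""
    parser = FileInputAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_file_inputs(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} name={f['name']!r} action={f['action']!r} reasons={f['reasons']}")
```

The audit only sees inline styles; a real review should also resolve stylesheet rules and script that calls focus() on the element, which this stdlib parser cannot do. The reported form action is informational, so a reviewer can see where a stolen file would be posted.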
Mozilla's efforts with Firefox are finally
beginning to pay off. Firefox 3 completely removes the text entry
portion of the file input and replaces it with a graphic file
picker. The last several Firefox 2 releases are slowly addressing
the ability to selectively set the focus on the text portion of
the file input element.

Safari has used a file picker for a long time and avoided the
whole focus and captured-keystroke problem.

Microsoft Internet Explorer has lagged
behind in these fixes. Although it isn't entirely clear what
changes IE8 will bring, both IE6 and IE7 continue to exhibit some
of the classic focus vulnerabilities. These
vulnerabilities have been repeatedly and publicly disclosed over
the last couple of years, yet IE has not been updated to address any of them.

To close out the year, I'll post some demonstrations of how
these IE file stealing vulnerabilities can be exploited. Stay tuned.