Thursday, November 15, 2007

IE Trust Zones

This week is the joint OWASP/WASC conference in San Jose. Two days of web app nerds getting together and exchanging ideas about CSRF protections, web services, the Samy worm, etc. It's loads of fun! I'm a big OWASP supporter and push their information wherever possible. I'm always shocked when I hear "I've never heard of them" from a developer.

Rsnake gave a presentation/rant about the sorry state of web security. Not that it's something that was created out of malice, just that we're seeing issues today that were never part of the original concept of the web. Just like spam was never on the minds of Ray and Dick when they created electronic mail.

He briefly mentioned one of my favorite topics - Windows hashes. Then I read his blog entry describing Natron's ideas for using DNS Pinning to affect the IE Trust Zone. It's an area I was thinking of but hadn't worked on yet because I was focused on the insider attack space. Awesome!

Of course there are a few complications with the theory that have to be considered:
  1. If the attacker doesn't send, in the NTLM Type 2 challenge message, the domain name that the victim's computer is a member of, a dialog box will appear. People may still put their passwords in, but the idea of mass transparent authentication capture isn't there.
  2. IE Trust Zones are pretty awkward in design. What constitutes an Intranet Zone site? Microsoft KB174360 says: By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone.
  3. If a company is using a proxy server and you DNS Pin a name that isn't a FQDN (no dots in it), that address may never be reached, because IE won't use the defined proxy for it and will attempt to connect directly to the attacker's IP address.
Another option I was thinking of would be somehow creating a Java or Flash proxy server, but unfortunately their sandboxes have locked down any bind requests (unless someone has some mojo that gets around this): Flash doesn't support it and Java doesn't permit binds in applets.

In any event the patch to Metasploit adding NTLM type message parsing was submitted back in October. I have some updates to send in but it's still functional. The pre-defined nonce hash catcher (pokehashball.rb) script is fairly complete and the HTTP-to-POP3 tool (psyduck-pop3.rb) is fun to play with. None of these attacks have been incorporated into Metasploit modules yet but that's still on the radar (smb_relay via HTTP).
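As an added illustration of the Type message parsing mentioned above and of complication 1 (this is not the pokehashball code or the Metasploit patch), here is a small Ruby parser for an NTLM Type 2 challenge as it appears in a `WWW-Authenticate` header, plus a defender-side check that flags a challenge naming the organisation's own domain but coming from a host that is not a known intranet server. The field layout follows the public NTLMSSP description; the sample message, the domain `CORP` and the host names are constructed for the example.

```ruby
require 'base64'

# NTLMSSP constants used below (from the public protocol description).
NTLM_SIGNATURE          = "NTLMSSP\0".b
FLAG_UNICODE            = 0x00000001
FLAG_TARGET_TYPE_DOMAIN = 0x00010000

# Parse "NTLM <base64>" (a Type 2 challenge) into its interesting fields.
def parse_type2(header_value)
  scheme, b64 = header_value.strip.split(/\s+/, 2)
  raise ArgumentError, 'not an NTLM challenge' unless scheme.to_s.casecmp?('NTLM') && b64
  msg = Base64.strict_decode64(b64)                           # binary string
  raise ArgumentError, 'bad NTLMSSP signature' unless msg[0, 8] == NTLM_SIGNATURE
  type = msg[8, 4].unpack1('V')
  raise ArgumentError, "expected Type 2, got Type #{type}" unless type == 2
  name_len, _name_max, name_off = msg[12, 8].unpack('vvV')    # TargetName security buffer
  flags     = msg[20, 4].unpack1('V')
  challenge = msg[24, 8]                                       # 8-byte server nonce
  raise ArgumentError, 'TargetName out of bounds' if name_off + name_len > msg.bytesize
  raw  = msg[name_off, name_len]
  name = if (flags & FLAG_UNICODE) != 0
           raw.force_encoding('UTF-16LE').encode('UTF-8')
         else
           raw.force_encoding('ISO-8859-1').encode('UTF-8')    # OEM charset approximated
         end
  { target_name: name, target_is_domain: (flags & FLAG_TARGET_TYPE_DOMAIN) != 0,
    flags: flags, challenge: challenge.unpack1('H*') }
end

# Detection rule for complication 1: a challenge that names our own domain
# but is served by a host outside the known intranet set is the shape of a
# transparent hash-capture attempt and deserves an alert.
def rogue_challenge?(parsed, expected_domain:, trusted_hosts:, origin_host:)
  parsed[:target_name].casecmp?(expected_domain) &&
    !trusted_hosts.map(&:downcase).include?(origin_host.downcase)
end

# Constructed sample (not captured traffic): Unicode TargetName, domain type,
# fixed nonce, empty TargetInfo and a zeroed Version block (56-byte header).
def build_type2_sample(target = 'CORP')
  name  = target.encode('UTF-16LE').b
  flags = FLAG_UNICODE | FLAG_TARGET_TYPE_DOMAIN
  fixed = NTLM_SIGNATURE + [2].pack('V') +
          [name.bytesize, name.bytesize, 56].pack('vvV') + [flags].pack('V') +
          "\x01\x23\x45\x67\x89\xab\xcd\xef".b + ("\0" * 8).b +
          [0, 0, 56 + name.bytesize].pack('vvV') + ("\0" * 8).b
  'NTLM ' + Base64.strict_encode64(fixed + name)
end
```

Run it against the `WWW-Authenticate` values in proxy logs: the parser needs only the header, and the origin host comes from the log line itself.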

Visit http://grutz.jingojango.net/exploits/pokehashball.html for the code.

Full Disclosure: This attack was first documented by Jesse Burns at iSec Partners using jCIFS. Where's your code, Jesse? :)