How Microsoft Accidentally Backdoored 270 MILLION Users

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
May 18th 2022 was the day that masato kinugawa a renowned Bug Hunter hacked the world's most valuable company Microsoft the service that he hacked was the social networking giant Microsoft teams the severity of this bug was critical as this was a remote code execution where attackers could escape the context of teams and gain access to the underlying operating system without requiring so much as a single click from any of team's 270 million daily active users Microsoft paid out an astronomical $150,000 Bounty placing this among the highest publicly reported payouts globally and the largest Bounty covered on this channel this is also going to be the first exploit chain covered on this channel which is in contrast to the previous single bug exploits before we can lay out the architecture of the exploit chain we first need to understand electron the technology behind the team's desktop application electron is a popular open source framework developed by GitHub that is designed for creating desktop applications using traditional web Technologies such as HTML CSS and JavaScript among the most well-known electron desktop applications are Discord slack vs code WhatsApp and of course teams electron has two different types of processes Main and render each electron app has a single main process running no. JS which is logically equivalent to what the backend is in a traditional web app with this comes any number of renderer processes which are logically equivalent to front-end Windows which render HTML CSS and JavaScript using a version of the Chromium browser engine each visible window you see is running as a renderer process the last thing that we need to understand are process models electron inherits its multi-process architecture from chromium which makes the framework architecturally very similar to a modern web browser in the early days of the internet browsers used a single process that was shared across all browser tabs this means that the rendering of web pages execution of JavaScript and the overarching browser UI were all running within the same process this had unwanted side effects as a single website crashing or hanging would affect the entire browser even worse were the potential security risks as web content had Direct access to the entire browser process to solve this problem the Chrome team introduced the multi-process model where each tab would render within its own process with the overarching main process managing everything this limits the harm that buggy or malicious code on a web page could cause to the browser as a whole this is how electron operates with its main and render processes being analogous to crumbs now that we're familiar with electron at a high level let's unve the first exploit in the chain which takes advantage of the chat feature within Microsoft teams the chat feature runs within a renderer process mimicking the front end of a web app which opens the door to cross-site scripting attacks through an elegantly crafted chat message attackers enable themselves to execute arbitrary code within the chat window without requiring any clicks from the user while a fully remote zero click arbitrary code execution seems bad the injected code is merely front-end JavaScript contained within the scope of the isolated and low privileged renderer process in order to cause any real harm we would First Need to Escape out of the renderer process into the highly privileged main process which is access to the incredibly powerful node.js apis these include among others the API to execute operating system commands which is how we could break out of the team's application in its entirety and gain full system access the second and third exploits in the chain accomplish this but before we get ahead of ourselves let's begin with stage one cross-site scripting if you're not familiar cross-site scripting is a type of attack where malicious JavaScript is injected into trusted websites the most basic example would be if someone wrote JavaScript within script tags on a video comment and due to improper sanitization everyone else viewing the comment would have their browser execute the malicious JavaScript of course it's not going to be this easy as Team sanitizes all HTML content within chat messages this sanitization is done at both server side and client side with the client side using an open source Library called sanitize HTML here we find an allow list that defines all the permitted class attributes for HTML sent within chat messages any other ones would be stripped out and discarded something interesting to note here is that the asterisks within the class attributes represent wild cards this shouldn't be any cause for concern as we still can't inject arbitrary elements or class names but it does warrant further investigation it turns out that any characters besides the class attribute separator itself ox20 are allowed within this wild card this may seem like a dead end however this is where angularjs comes in angular is a client side JavaScript framework that is used in some pages across teams including the chat page angular actually tends to be quite useful when it comes to cross-site scripting attacks because arbitrary JavaScript can be executed within double curly brace template tags without the need for HTML script tags you might be thinking that we could just place our JavaScript within a template tag for execution however this is protected against and won't work something interesting to note is that a group of other sec security researchers in the past have actually achieved cross-site scripting attacks within teams by using a template string filter bypass by inserting a null character between the curly braces of course this has been patched but the fact that this was done in a single page app gives us hope that team's dynamically compiles user input as angularjs but I digress we need to be more creative so let's go deeper this is where the NG and nit directive comes in the ngan NIT attribute enables you to write JavaScript code within the attribute value itself in the case that you wanted to initialize Data before the template tags are evaluated as we can see here of course the NG and nit attribute is not allow listed meaning that we can't actually use it seems like another dead end but we can go deeper it turns out that in addition to using NG and knit via regular attributes it can be used as a class attribute as well this increases our attack surface since angularjs is open source so we can see exactly how it parses these classes which is with this piece of Rex it turns out that there's actually no need for the NG andit class to be at the beginning of the string all of these cases are valid and would be recognized by angular if you've been paying attention you might be piecing together how we can pull off this attack let's take one of the allow listed classes such as Swift D wild card and for the Wild Card let's insert our random character delimit and begin a new class with a semicolon Define our NG and nich class and then insert whatever malicious JavaScript code we want to be executed this will pass right through San ization as it conforms to the allow listed class while still being recognized parsed and executed by angular at this point we've achieved a successful cross-site scripting attack with arbitrary JavaScript being executed within the render process through a chat message with zero clicks from the user let's move on to the next exploit in the chain to see how we can escape the context of the renderer process and gain access to node's powerful apis each renderer process window is created with an instance of the browse window class these classes have three important security Flags to consider being node integration sandbox and context isolation node integration controls whether the render process has direct access to node apis if enabled arbitrary JavaScript could directly call these apis causing a systemwide RC needless to say this was set to false before we get to the other two let's take a quick digression to introduce preload scripts as we know the electron main process runs a no. JS environment with full operating system access the renderer processes on the other hand are fairly isolated and do not run no. JS to bridge the gap and to enable interprocess communication or IPC we use preload scripts preload scripts are injected in Ran within a renderer process before the web page itself loads in preload scripts have a higher privilege level than the render process and have access to node.js apis even if node integration is enabled the preload script will still have access to node apis as it is a privileged script sandboxing can be enabled in addition to node integration further enhancing security by enforcing a set of restrictions on the render process in a similar manner to chromium sandboxes sandboxing will disable most of the powerful node apis within the preload script however it will still have a subset of node.js apis available predominantly for the purpose of interprocess communication within a Sandbox all privileged tasks such as accessing the file system cannot be done by the preload script anymore and must be delegated to the main process via IPC sandboxing in this case was set to True context isolation is a feature that ensures that both your preload scripts and electron's internal logic run in a separate context from the web content this is important as it helps prevent websites accessing the powerful apis that the preload script has access to this was actually turned off which is the crack and the dam that we needed despite the other two settings working against us this was just enough to access the powerful node apis with an exploit called prototype pollution prototypes are the mechanism by which JavaScript objects inherit features from one another for instance we can define a function called ocean that prints this is a clean ocean and we can call it with its call method we can now pollute the function prototypes call method by overwriting it with this is a polluted ocean the next time we call this function or any other function within the same context it will call the polluted version because context isolation is turned off the JavaScript we injected into the renderer process with cross site scripting shares the same context as its preload script meaning the pollution will be Global we can go ahead and overwrite the call method with our injected code and the next time a function is called with an object containing a node API from the preload script we can steal the reference to this object which contains a node.js API that we shouldn't have access to at this point once we have the API reference we can do whatever we want with it you might be thinking that we're done as we could use this API to run operating system command SS causing our rce right we were so close but the issue here is that sandboxing is enabled meaning that all of the powerful apis that the preload script should have access to including the ability to execute OS commands is disabled we're only left with weaker apis meant for IPC in the course of testing which node objects would come up through the polluted function call The Bug Hunter was able to steal a reference to the IPC renderer module this is actually pretty useful as the IPC renderer module is what's Ed for inter process communication between the main and render processes as we can see here we can use it to send arbitrary code from the render process to the main process the main process then receives it with an IPC Handler while we can't control what the main process does with the information we send it we can hope that there's a Handler on the main process with weak or improper validation that we can abuse as the main process isn't affected by sandboxing and has full access to all of the node.js apis which is how we could achieve our RC C at this point we injected JavaScript via cross site scripting that was able to steal a reference to the IPC renderer enabling us to send messages to the main process or other render processes which is where the third exploit comes into play it turns out that within teams there's an invisible renderer process called plug-in host running in the background within the plug-in host process sandbox is set to false meaning that its preload script has full unrestricted access to all nodejs apis unlike the chat Windows preload script apparently there is a node module called slim core loaded in being operated from the main process via IPC if you put a microscope under these IPC handlers there's going to be three of them of interest to us the IPC reference that we stole in stage two can also be used to send messages to other renderer processes including the invisible plug-in host process the messages that we send will be handled by these IPC handlers which run within the privileged unrestricted preload script let's see what we can do electron remote server require calls require with the string specified in the payload we have no other choice but to make this slim core as validation allows only allow listed modules but this won't stop us so easily electron remote server member get performs property access using the strings specified in the payload here we can chain the two string and the dot Constructor methods together in order to get the Constructor for the two string method which is the function Constructor within JavaScript electron remote server function call performs a function call with the string specified in the payload up until this point we have the JavaScript function Constructor we can go ahead and create a new function dynamically with whatever arbitrary JavaScript code that we want to execute we can then use the same Handler again but with an empty string as the payload to immediately call the function that we just defined now that we can execute arbitrary code within plug-in host's preload script we can use its privileged API access as our entry point to escape teams as a whole achieving our systemwide rce in aso's proof of concept he would send the following HTML as a chat message which would navigate to an attacker's website where the JavaScript to both steal and use the IPC reference would be waiting opening the calculator in this case representative of an rce all of these exploits have been patched only a limited subset of characters are now allowed within the Wild Card part of the allow listed classes context isolation is now enabled within the chat window and CSP has been applied to preload scripts if you want to stay protected from malware and other cyber threats you might be interested in square X's newest addition to their free- to you Suite of privacy and security driven tools malicious document detector when it comes to email attachments it's common for services like Gmail to scan incoming files which may instill a sense of security among users however the effectiveness of these measures has not been explicitly guaranteed by the providers themselves for instance we can embed a malicious macro into a Microsoft Office file opening aexe and get a passing result Square X's new scan for malicious documents featur is an industry first preemptive defense mechanism against office attachments all detection happens locally within your own browser before you download the file it provides a detailed list of the suspicious indicators as well as the options to either strip out the malware convert it into a secure PDF or view it in their cloud-based disposable file viewer maintaining the functionality of the macros within a controlled environment this overcomes the limitations of conventional antivirus software which often rely on heuristic rather than deterministic models if if you're interested in enhancing your security and anonymity online click the link in the description to download the extension and start using squarex for free today if you're interested in more vulnerability breakdowns check out these videos and subscribe to the channel for more content thanks for watching
Info
Channel: Daniel Boctor
Views: 248,859
Rating: undefined out of 5
Keywords: programming, software, softwareengineering, computerscience, code, programminglanguage, softwaredevelopment, hacking, hack, cybersecurity, exploit, tracking, softwareengineer, vulnerability, pentesting, privacy, spyware, malware, cyber, cyberattack, bugbounties, ethicalhacking, encoding, lowlevelsecurity, zeroday, zero-day, bugbounty, security, cyber security, breaches, data breaches, bug, bug bounty, pen testing, penetration testing, backdoor, javascript, XSS, cross site scripting, web, webdev, electron, HTML, hacked
Id: K5WOkLaGS-E
Channel Id: undefined
Length: 14min 44sec (884 seconds)
Published: Sat Feb 17 2024
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.