
G1234! - The Chrome Crusader - Lily Chalupowski

BSides Las Vegas · 54:44 · Published 2018-09
About this talk
The Chrome Crusader - Lily Chalupowski Ground1234! BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018
Transcript [en]

All right, so as you heard, I'm Lily. My presentation today is called The Chrome Crusader. I thought it'd be a cool title, as you can see here in the picture on the slide, and I'm not taking credit for this artwork, but you can see Firefox is duking it out with Chrome. Chrome's trying to get the stranglehold on Firefox, and if you can tell, there's Internet Explorer over there eating glue. Have we any Internet Explorer users in the crowd today? One. Awesome, one willing to admit it. Yeah, it's almost as good as me getting an email from a compliance manager saying that their Internet Explorer 11 will not work on our dashboard. So yeah, another funny thing about Internet Explorer: you know, my grandmother, she never got to experience the Internet, not because she didn't know how to use computers, but because she uses Internet Explorer.

So yeah, this is sort of my whois profile. So obviously, over the sea carry, I work in cyber intelligence: data aggregation of public threat intelligence, submitting that data to a customized sandbox which I had developed, and then getting indicators off of that, making rules, reverse-engineering malware, and all that good stuff. So what are we going to cover today? Basically a disclaimer, and there is code with this talk. I've done this talk at the Atlantic Security Conference previously, off in Nova Scotia, Canada, where you guys get your lobster from. I'll talk about the manifesto, and I'll get more into that, also the Chrome extension ecosystem. We'll go into command and control, the definition of hooking and how to code this in practice, credential stealing, we'll talk about security headers for a bit, and then we're gonna essentially do a demo, and then I'm gonna take your lovely questions and repeat them as best as I can. So, skills needed: how many here are front-end developers? One, two, three, four, or five. And a lot of Node.js and JavaScript, right? Tends to be your favorite. So you're just gonna need some JavaScript, some Python, and yeah, anybody can really do this if they just know how to be a front-end developer.

The reason I looked into this ecosystem for malware was for the sheer fact that I started looking into it and I found it was so easy that it scared me a little bit, so I thought it'd be a good idea to make a talk about it. So the code in this does steal credentials, does keylogging, amongst other nasty things, so, you know, don't use my tool unless it's, you know, in an engagement, or you want to send a pull request. You know, just be smart. So we're gonna make Chrome great again. That's not really Chrome's official mascot, but we're just gonna burn the world with it, and it's going to be fine.

So, a manifesto. So I don't know if you guys recognize this, but it's literally the very first Hacker's Manifesto from 1986. Anyone read Phrack articles and stuff like that? Yeah, old stuff. But for Chrome extensions, when we talk about manifests, we talk about JSON files, essentially, and inside this JSON file you have sets of permissions and things that you set for your application, as well as, you know, where each individual file goes, if it runs in the background or if it runs on specific pages, etc. So this is kind of an example of what a manifest JSON document would look like. This goes into your main folder hierarchy, the main folder. You can see we're calling ours Chrome Optimizer, and it gives you a faster browser. All lies, by the way. Also you can see, since this is proof-of-concept stuff, um, I just put in like cnc.js, like you wouldn't necessarily see this in the real world. Yeah, so you can also hide the icon and not hide the icon, with "converted from user scripts". I found this kind of buggy with some of the code I went through, for one reason or another. I had some CORS limitations when I did not show that icon, not sure why that is, but if you want, certainly send me a pull request on GitHub.

So when I talk about CORS, Americans probably think about this, right? Watered-down beer. You're right, I'm Canadian, so I don't drink beer, though. So CORS, cross-origin resource sharing, so it's the mechanism that uses additional HTTP headers to let a user agent gain permission or access to selected resources from a server from a different origin. So you can set your CORS policy, right? Say you own example.com, right, and you don't want the JavaScript on your site to be able to make AJAX calls or requests to alternate domains, right? You would set up a CORS policy to not be, you know, asterisk, star, everything, right? So there's a couple ways you can go about making a botnet. You could go to the Chrome extension ecosystem, but this is without an extension. So the pro here is there's nothing to install, right? The cons is it's a lot of work. You've got to go out there, you've got to compromise a whole ton of sites, right, inject your code onto them, in hopes their CORS policy is garbage. So yeah, that can be a bit irritating, and also potentially get you caught faster. Then here with an extension, right, we can see that it's a good botnet infrastructure, you get more compromised data out of it, right? Takes a little bit more programming, a longer time to build, right? So you can see all your URLs, right, go through the malicious extension, the malicious script is executed, and it gets all siphoned out to the malicious site.

This guy did a talk. Forgetting his name, believe it or not, but one of his famous quotes was "you are infected". He's Spanish. He did a talk about making JavaScript botnets with Squid proxy and things like that, for free proxy services. He put a disclaimer up there saying if you connect you're infected, and people still connected, and what are you to do? He told them that they are participating, and they did it anyway. He did, I think, mention briefly in that talk a little bit about Chrome extensions, or extensions in general, but he said he was from Spain so he didn't want to dive that deep. So here is a look at a command and control, what that kind of looks like here. So obviously this is an example, so we have the config: the server is just us, right, port 80, and you can obviously set this to HTTPS if you wish. I mean, Let's Encrypt is free, right? Um, yeah, and so basically it takes the data and has a callback, and it posts the data to the C&C server, right, as JSON. It's really quite simple.

So here, when we talk about hooking, right, we're not talking about, you know, I don't want to go into it, um, there's a different kind. So essentially this here runs an asynchronous function in the background, right, and it's running constantly, having a delay of 10 seconds. It executes the command sent back from the C&C server with just simply eval, right? So you can literally, with your bots, have them make like whatever requests or do whatever you want, right? You could lay your phishing over top of what they have on their current page, you can collect financials, you can get them to make AJAX requests like infinitely to some domain that you don't like. I mean, the list goes on. And so for the manifest for this, essentially we want all URLs, right, for hook, so it will implement this on every single page or tab or whatever you open.

So we got them hooked. So, definitely, I could fit the C&C server, like the most basic thing, on like one slide. If there's going to be any implication of like how easy it is to write Chrome extension malware, this should be one of them. This is simply Flask. I have used Flask in a lot more complicated projects than obviously this, but it's a very basic example, right, of how to get a command sent to these bots. So when you see return console.log "leet botnet dude", we're just sending that to the browser of the victim, right? So essentially the extension calls out, right, to the C&C server, and the C&C server goes, oh, if you're a bot, send this command back, and then the victim browser will go ahead and execute that command. So you guys are probably like half disappointed already in this talk, because, you know, where are the classic malware features, right? Like, okay, you can send a little command, and like, you want some feature that isn't here, that would be certainly cool. So you can write a keylogger in one slide too. So literally, it doesn't matter what page you're on, if it's HTTP, HTTPS, if you're on your banking website, if you're talking to your friends on Facebook, this is on your machine. It can get all of it, encrypted or not, which is quite awesome.

Right now it's currently just sending each individual key, but you can obviously set a delay, or you can set it to after a certain amount of keys and fire off the data if you like. And obviously when writing this you kind of want to fail silently, because if you leave like "keylogger failed" in your logs, your user's gonna be like, alert: keylogger fail. Just like, oh, guess this wasn't a Chrome optimizer. So again, horror hit rates, no user cares about their permissions. Site has accept and go, that's it. You can incorporate this kind of stuff into your own other malware that actually uses legitimate exploits, and then what you make becomes literally a banker Trojan malware, right?

So you can actually install these in the backend, right, with the user permission that you have, into the browser, and then try to hide it as best you can to make it a little less obvious. Google does have quite a few extensions of their own that are sometimes, I believe, installed by default, so you could in theory kick one of those out, kick your own in, and no one ever looks at that stuff. Credential stealing: really, really simple, subject to change, right? Basically just add a listener, right, and go ahead and just grab the username and password. I did this with different events, like auth event, a key of keylog event, things like that. So this one here just simply grabs Facebook credentials and fires them out to the C&C server for my viewing.

Um, I'm not in Canada, so you can do a Canada Revenue Agency too. So if there's no limitation, um, there's some things that sites could do to prevent like some of these things from happening to their users, like sometimes messing around with randomizing classes and ID fields, form names and things like that could prevent potentially some of this.

And obviously Twitter. So I know I'll get to these through the demo as well. So you're probably wondering, like, okay, well, if you own a website and you have users and your users get these things, like, why is this possible, right? What if you have like a really secure CORS policy, right? What if you have really secure header policies on your site and you really lock it down, why is this so possible? So for that we kind of have to get into the Chrome extension architecture. It's kind of boring, but we'll dive through it. So Chrome extensions have access to the complete DOM, which is the document object model. Like I said, this allows you to grab stuff in HTTPS as well as HTTP, right? Because we're directly conversing with the DOM, we can send out sensitive data, depending on the security headers, so we'll get into that. So the main feature of Chrome extensions, Firefox extensions, all these extensions, is injection. So we're talking about injection as a feature. So some people had asked me about this talk and said, well, why didn't you get in touch with Google or Firefox and be like, you know, vulnerability? And well, they stick it in their documentation. It's a feature, right? It's not a vulnerability. So this is a level that we're stupid too. So what about security headers? Like, you guys are probably saying, probably not good enough, not cool enough. I put it up a little bit here: I can only access what's in the browser, can't access the file system, they're not as fully featured as one would hope for. So it's like I'll try to impress you guys. So you're like, well, what about CSP, right? What about that? Not much I can do about it, right, eh? What about HSTS, you know, Strict Transport Security? Do you think I'll be able to meddle with that? Maybe. X-Frame-Options? I'll be able to meddle with that too. A lot of like half sort of serious nods. XSS protection? I think I'll be able to meddle with that too. Yeah, what about X-Content-Type-Options? Yeah, okay. What about CORS, and not the beer?

So Google's security considerations, quote, this is directly from Google's documentation. It states: when writing a content script, you should be aware of two security issues. First, be careful not to introduce security vulnerabilities into the website your content script is injected into. For example, if your content script receives content from another website (for example, by use of XMLHttpRequest), be careful to filter that content for cross-site scripting attacks before injecting the content into the current page. So what are their concerns? Their main concerns are not that things are able to be injected directly, right? Their main concern is that, you know, your AJAX request is essentially going to be perhaps man-in-the-middled, modified, and then sent back, and then crummy stuff is going to be injected into the user's web browser. Google keeping you safe, a message from Concerned Children's Advertisers. If you're from Canada and you grew up in the 90s, you would probably have seen this, but otherwise all you Americans are in the dark, so I apologize. So do you have a little bit of insecurity and self-doubt so far? It's coming.

I call them insecurity headers. Again, a lot of this fit on one slide. So inside of Chrome extensions, the JavaScript API directly with the Chrome extension ecosystem, as you can see, has chrome.webRequest.onHeadersReceived.addListener. So every time a header is received from the server, your website, for example, your said user with this said malware, right, on all URLs, right, matching HTTP, not only, it's just yes, any path, collect the response headers. And essentially what we're doing here is we're matching the headers based on a regex, and then based on that regex we are removing that header. So removing XSS protection, CORS, the whole nine yards, right? So here we can see a function for removing matching headers. So this here is removing CORS, but what else is it doing, right? It not only removes it, it adds it back, gives it the star. So when I first started making this malware, it's like a just perfect concept practice, I had issues with certain sites. I was like, what is going on here, right? Some sites would work and I would get everything back, and yes, their CORS policy was not super strict. I found that sites that had a lot of advertisers tend to have less strict CORS policies; those ones I could normally get user credentials back out of. But deviantART, of all places: Brooksie and Facebook worked, deviantART wouldn't. So yeah, this was my solution to that, and it's just literally removing and replacing with what you like. And you can probably guess that chrome.webRequest.onHeadersReceived is a, what is it? It's a feature, right? This is "vulnerability"; it's literally a feature. There are some extensions out there like uBlock Origin, any uBlock Origin users out there? This does the exact opposite. So when you install this extension, right, and you install uBlock Origin, they'll actually duke it out with headers like hard, and it's quite funny. So the same features that are protecting you are sort of not doing you good either. The thing is, it's hard to meet the middle ground there, but being able to remove them completely, right, that's of some concern. So this here is going to run in the background, all tabs, all URLs, right? So this is kind of how I imagined a board meeting to go. So the chair is like, preventing Chrome security header manipulation, solutions, go: blacklisting, disable the feature, you only care about man-in-the-middle, just chucks them out the window.

So Chrome, before I did this talk last time, about two weeks before, started coming out with trying to enable Google Chrome site isolation by default. I was like, you're not trolling my GitHub. So it's essentially a security feature that would go live with Chrome 66. So it's been available for a long time, apparently, but it's not enabled by default. As you can imagine, security features like this can either make or break your entire web browsing experience.

Thank you. So websites typically cannot access each other's data inside the browser, thanks to code that enforces the same-origin policy, of course, which is exactly what I was talking about, right? So it says that sometimes websites try to bypass these rules and attack other websites, so they aim to fix these bugs as quickly as possible. And I believe I have tried this in the new Chrome and it still works, so that's cool. And again, like, it's a big challenge. It's not a small thing, but as a development team, certainly, it comes down to literally rules, blacklisting, whitelisting, and a whole lot of other complexities. So I was kind of scared, like I said earlier, wondering if they saw my talk coming up. So it was like two weeks before my other talk, I was like super frustrated, just, oh no, is it just gonna stop working in my demo? But I was good. So I'm gonna do a proof of concept here now to essentially showcase, you know, how easy this is, how, like, even, you know, front-end developers, you don't have to jump down to the C level or assembly or nothing like that. You can just literally write some JavaScript, take a little bit of time, and you can be straight away making your own malware. For a fun time, mind you. So they gave me a work laptop and they literally installed Windows on it, so this is Gentoo, by the way, I'm over top.

All right, um, it's hard to get this mic in the right position here. I'm gonna do my best. Can you hear me okay? It's kind of hard to position this microphone and type at the same time. So as you can see here on the left-hand pane, I have Chrome Optimizer: optimizes browser performance, as in it makes performance worse, because it's doing stuff that doesn't help that. So I did show a class of kids this page here, right here, but with both of them enabled. Obviously I was like, which one of these is bad, right? It's like, well.

I can do this for a minute now. I want to come back. All right, I apologize. So you can see Chrome Optimizer up there, and down there it says Hacker's Browser. So I was assuming that the children would obviously pick up and say, you know, oh, the one on the bottom with the word "hacker" in it, right, is bad. They didn't, actually. They actually got the top one correct. That's probably because they don't believe anything that I would tell them anyway, but yeah, it was certainly a fun experience. So I'm going to go ahead and enable that now. In theory, if the demo gods prevail, if I can get to Google, if I have an internet connection.

Looks like the demo gods are not in my favor today.

There we go. Oh gosh, I was so damn scared. So essentially on the right here, obviously the Wi-Fi here is kind of shoddy, but we can see I got a public IP. But do you notice a private one? If you enable WebRTC, you can get internal IPs. So not only with your victims here could you get the external IP of the corporation, you also get where they are on the internal network, which is also pretty cool. So I got it from here. I don't need to collect much more. So here we can see the URL that I went to. Navigator, if you're familiar with JavaScript, it's simply, you know, basically user information, so it knows I'm on Linux, my favorite operating system, obviously. User agent, it grabs that also. There's a site logger module added in there, so it just simply grabs out cookies. So it grabs all the cookies as well, which is quite fun. So some of these sites may not work, but I think Twitter might still work, because, you know, sites change a lot.

I just want to see if we can get an auth event in here, if the Wi-Fi is not poor.

It looks like our Wi-Fi is poor. So what I'm gonna do, for the benefit of you guys, is I'm not gonna use the Wi-Fi, I'm gonna tether to myself. Get ready for data roaming charges.

Oh man, computer.

There we go.

You might have to take my word for it, because my internet is just gone.

I think we're seeing, I think, received there. So I'm gonna just type in fake details here, and cancel that, quit that, hit login.

So here we can see, I see the auth one up here. So we were able to capture username, password, it tells you what website, what the timestamp was in integer format as well. We can see that the lock's up there too, right, for HTTPS, verified secure, my butt. So another cool thing about this, since I'm not using the Wi-Fi here now, here's why I type on here: "hello Las Vegas", you see each key, right? So like literally if you were in Facebook chat talking to somebody or entering something on some site I don't have authorization, or sorry, auth event set up for, you can still capture usernames and passwords that way as well.

So yeah, that's pretty much it. It's been a quite fun little project for me to look into. I usually dive into some low-level things, but I thought I'd jump into some higher-level stuff to see what the ecosystem is like, and as you can see, it's pretty much a dumpster fire. I was wondering if you guys had any questions for me in regards to, you know, either how I've done this or, you know, whatever. So I'm gonna pass the audience mic out and then I'm gonna come back here with this one as well. So who wants to go first? You, of course.

Thank you, that was really very interesting. I am wondering what did you have to go through to install your optimizer, and more particularly, what would that look like for an ordinary victim?

Yeah, sure. So there's many different methods you can do to spread stuff like this. A friend of mine, he was able to write a bot which essentially sends messages to a whole bunch of people, like in Facebook. You don't have to be logged in, you can send a message to anybody, right? So he just scripted that. So you can literally make a phishing script, essentially, to go through and be like, hey, check out this extension, it makes my Chrome browser faster, like all over Facebook. And you could actually embed modules like this into this Chrome extension which would continue messaging that person's Facebook friends the same exact thing, which would make it more legitimate, right, and then just completely wreak havoc on the Internet. I don't condone that, but if I was a criminal, that's what I would do as well. And in regards to exploits and things, if you do have an exploit kit or something like that, or your own malware, you can have your own custom malware install this on its own in the background, nuking out other extensions, looking like default extensions. You can certainly do that and have it be a banker, perhaps. But you know, in regards to it getting on a user's machine, that's how I would see that happening, and once something is installed, let's be honest, it's game over. But the sheer fact that I can still do these things kind of is of some concern.

So Chrome has mitigations to prevent third-party installation of extensions unless you're in developer mode, so definitely I get what you're saying about if you own the machine then you can circumvent that, but how would you circumvent that in Google's Play Store? And then the second part of the question would be, can you take this code and turn it into a post-installation exploitation, using, you know, standard imports across the wire, and bring that code in?

So I didn't look into this fully, but there is a way to install Chrome extensions from the command line in Linux. I didn't jump too much into Windows myself. I should probably be repeating your question, so I do apologize for that. Yeah, so you're essentially just wondering, like, how is it going to get on there and be up in there in the first place, right?

Yes.

Yes, yeah, it is, right? He's basically wondering if there's ways to get this into the Chrome Web App Store. There has been previous malware in the Chrome Web App Store. I've looked at some of these before. I developed a rule for its C&C itself. I don't believe they were using evals in particular; I believe they were simply using AJAX requests. But yeah, so putting an eval in there and then putting it on the Chrome Web App Store, that's probably gonna get red-flagged 100%. I agree with you there. Now it's hard to make ways around that, right, when you're talking about JavaScript in general, right? But in regards to getting it on the machine, enabling developer mode, things like that, there are certainly possibilities in that when you already have access to that user's system anyway, right? I'm hoping that probably addressed your questions a little bit. Yeah, I haven't looked into enabling developer mode myself, automated, but I'm sure there's probably a way somewhere to figure that out.

I did, yeah, and you can access all of it on there. Yeah, oh, github.com/lillypad, and you'll see it in there, Chrome Crusader. That's my GitHub, and if you want to talk to me after as well, I'm certainly more than willing.

A quick question about HSTS: is this the kind of thing where you have to catch the first HSTS header, or is there a way, after the browser has already registered an HSTS site, to deal with that?

Okay, so the question is, HSTS, is this able to mess with that in any way? So the answer to that is, a server sends the HSTS header, right, and it's up to the browser to enforce that, right, once it receives it. Now to my knowledge, yes, I can remove the header, right, because it's in the headers. I haven't completely tested out different man-in-the-middle stuff whilst that is going, with SSL, injecting like malicious certificates and things of that nature. So my speculation is, since the header is not there, my thoughts are Chrome may not enforce it still, because it's not there and it had been removed, but it also may be a timing thing too, like whether Chrome may receive it and then keep it. But for the aspect of CORS and stuff, I know for sure that those ones, when they're removed, aren't enabled anymore. So best guess is yes, and if you want to, you're free to test it out, let me know. It's all about getting a discussion about this kind of thing and this kind of behavior and seeing what can happen, so if you're willing to definitely contribute to testing that, that's awesome.

Is your extension able to see the HttpOnly cookies, or do you see the Set-Cookie headers in the headers collection, and are you able to strip the HttpOnly flag?

So if anything's a header, I can get it. If anything is a cookie in general, like, I can get that as well. So literally any cookies, any headers, we can pull out. It doesn't matter if it's HTTP, yes. Hopefully that answers your question.

Sorry if you answered this already, but it wasn't really clear on the response. I think someone asked earlier if it's possible to submit a malware-free version of the extension to the Play Store that, once installed, can modify its own code with the malicious code that you want.

So the question is, if we submit something to the Play Store, you're asking if it can modify itself?

Yeah, or just fetch the actual malicious code for its operation later, after you've installed it.

That's, is that the question that you actually meant? I apologize if I misunderstood that. If you're gonna do that, you mostly need evals in order to accomplish such a thing, because you're executing code that you pull, and when you execute code that you pull, you're probably gonna run an eval. In the Google Chrome Play Store, if anyone's here from Google, they're not gonna like that very much.

So like injecting into the DOM and then executing a different remote...

Yes, you can modify the DOM and insert other remote JavaScript elements. In that instance, yes, it may be possible to definitely bypass things in the Chrome store without using eval. Yet again, you would have to have your own server hosting your malicious stuff, so you know.

And a second question. I think that Chrome, sorry, did interact, but there is an extension part of the Browser Exploitation Framework that does that exact same thing that he's mentioning.

Go ahead, sorry.

So I'm not sure if this would actually be possible, because I think Chrome sandboxes things, but would it be possible to use an extension like this to actually gain access to the local machine?

No. There are some things in their APIs that allow you to do stuff with files, but only within their ecosystem, like really sandboxed down. I haven't played around with those things too much. You could try path traversals with that, and that might be an interesting thing to muck around with. I haven't mucked around with path traversals and things like that within Chrome extensions, to see how far the limitations of their sandbox go, but certainly if I get more time I'll certainly look into it, and if you want to look into it yourself and add it to the repo, then that's cool too.

You have five minutes.

We got any more questions here? I've got one in the back and one in the front.

Hi, I was wondering if you had your GitHub or the sources online. I might have missed the first part of that.

Sure, um, the sources are at github.com/lillypad/chrome-crusader, so l-i-l-l-y-p-a-d is my GitHub. I have all kinds of things on there, including my Emacs config and some other stuff you may like. Cool.

I had another question, I think down here.

Hi, first I want to thank you so much for your presentation. It was lovely, and thank you for the time and energy in it. I'm sure everything that you do I appreciate, especially people who work in this. Usually when I ask questions I like to ask non-technical questions, which tends to annoy people, but I do it anyway. So I just want to, as you've finished everything that you've done, and in this particular program of course you're the expert, so I just want to propose that I am a 15-year-old girl on Facebook, and my whole life is on there, selfie after selfie, and, you know, a group decides to come along and get me to click a link. What would you tell that girl that's out there that's being harassed? What would you tell her? Don't install any extensions? Would you tell her don't click any links? What would be your, what would you tell her?

So what essentially would I tell my own daughter if she received something like this in her Facebook messages or something like that, and it appears to be from really close friends? I would definitely say to her that I try to teach her about, you know, installing stuff without knowing what it is, right, and educate her that, you know, if you're installing something, make sure you install it from the Google Play Store. There has been stuff that has made it in there that's not good, but the probability that it's going to be better than external sources definitely is a lot better. This is coming from a parent who keylogs her child's computer and caught her giving her name out, and school too, to a stranger. So yes, maybe I'm a little bit more technical as a parent, but our mother, but you know, that's exactly what I would say to her. Is there any other questions for me here today? And I really like the actual input about injecting a remote script into the DOM, pretty darn cool, and yes, that would more than likely work, so yeah, send me a pull request with that, maybe there'll be something super cool. I like it. And yes, you can be very creative with malware if you want to be, and that's definitely a very creative solution to the Google Play Store, is that, uh...

All right, I want to thank you guys very, very much. If you are too shy to pass me a question today, you can come and find me. I will talk to you one-on-one if you wish. And I want to thank you all for coming. My first time in Las Vegas, and it's a wonderful place to be.
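The header-stripping listener described in the talk (a `chrome.webRequest.onHeadersReceived` handler that regex-matches response headers, drops the matches, and puts `Access-Control-Allow-Origin: *` back), modelled as an added example. This is not code from the talk or from the chrome-crusader repository; the header list, the regex patterns, the constructed sample response and the `lostProtections` diff helper are this editor's assumptions. The blocking `webRequest` registration is the Manifest V2 API as it existed at the time of the talk and is only wired up when a `chrome` object is present, so the rest runs offline under Node as a check of what such a listener removes from a response.

```javascript
// Added example (editor's code, not the talk's or the repository's).
// Models an onHeadersReceived listener that strips response security headers
// and replaces the CORS origin with a wildcard, plus a defensive diff that
// shows what protections a page lost. Patterns and sample data are assumptions.

// Header names the talk lists as removable: CSP, HSTS, X-Frame-Options,
// X-XSS-Protection, X-Content-Type-Options and the CORS allow-origin header.
const STRIPPED_HEADER_PATTERNS = [
  /^content-security-policy(-report-only)?$/i,
  /^strict-transport-security$/i,
  /^x-frame-options$/i,
  /^x-xss-protection$/i,
  /^x-content-type-options$/i,
  /^access-control-allow-origin$/i,
];

// `responseHeaders` has the webRequest shape: an array of { name, value }.
function stripSecurityHeaders(responseHeaders) {
  const kept = responseHeaders.filter(
    (h) => !STRIPPED_HEADER_PATTERNS.some((re) => re.test(h.name))
  );
  // Removing the CORS header alone was not enough on some sites (per the talk),
  // so the listener re-adds it with a wildcard origin.
  kept.push({ name: 'Access-Control-Allow-Origin', value: '*' });
  return kept;
}

// Return value shape expected by a blocking onHeadersReceived listener.
function onHeadersReceived(details) {
  return { responseHeaders: stripSecurityHeaders(details.responseHeaders) };
}

// Case-insensitive lookup of one header's value.
function headerValue(headers, name) {
  const hit = headers.find((h) => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : undefined;
}

// Defensive counterpart: compare what the server sent with what the page
// actually saw, and list every header that was removed or rewritten.
function lostProtections(serverHeaders, pageHeaders) {
  const lost = [];
  for (const h of serverHeaders) {
    const after = headerValue(pageHeaders, h.name);
    if (after !== h.value) {
      lost.push(`${h.name}: ${h.value} -> ${after === undefined ? '(removed)' : after}`);
    }
  }
  return lost;
}

// Constructed sample response (not a real capture).
const SAMPLE_RESPONSE = {
  url: 'https://example.com/login',
  responseHeaders: [
    { name: 'Content-Type', value: 'text/html; charset=utf-8' },
    { name: 'Content-Security-Policy', value: "default-src 'self'" },
    { name: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    { name: 'X-Frame-Options', value: 'DENY' },
    { name: 'X-Content-Type-Options', value: 'nosniff' },
    { name: 'Access-Control-Allow-Origin', value: 'https://app.example.com' },
    { name: 'Set-Cookie', value: 'session=abc123; Secure; HttpOnly' },
  ],
};

// Runs the listener over the sample and reports the damage.
function demo() {
  const page = onHeadersReceived(SAMPLE_RESPONSE).responseHeaders;
  return lostProtections(SAMPLE_RESPONSE.responseHeaders, page);
}

// Only inside an extension background page: register for every URL, blocking,
// with access to response headers (Manifest V2 webRequest API).
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    onHeadersReceived,
    { urls: ['<all_urls>'] },
    ['blocking', 'responseHeaders']
  );
} else if (typeof require !== 'undefined' && require.main === module) {
  for (const line of demo()) console.log(line);
}
```

Run under Node, `demo()` lists the five headers the listener removed or rewrote from the constructed response; `Content-Type` and `Set-Cookie` pass through untouched, which matches the talk's point that cookies and remaining headers stay visible to the extension. One caveat for anyone reproducing the CORS part: browsers reject `Access-Control-Allow-Origin: *` on responses to credentialed requests, so the wildcard does not help where the site also sends `Access-Control-Allow-Credentials: true`.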