This week during the SANS London 2010 conference I presented the second part of the web browser exploitation series, "Browser Exploitation for Fun and Profit Reloaded". This presentation is a follow-up to last month's "Browser Exploitation for Fun and Profit", and builds on top of the penetration testing setup previously described, based on Samurai WTF v0.9 plus BeEF v0.4.0.3 and Metasploit v3.5.x.
This second part provides penetration testers with new tools, ideas, and techniques to demonstrate the impact of XSS vulnerabilities on the client side (and beyond), with a specific focus on the top vulnerable client-side applications during the first three quarters of 2010: web browsers and their associated plug-ins.
The core of the session covers Java and Adobe Reader exploitation, including the availability of related exploits in multiple criminal sploit packs, and several demonstrations of different complexity levels for these two vulnerable plug-ins. In some scenarios, extra steps on the pen-tester side are required. On the one hand, the MSF Java exploit for CVE-2010-0886 requires a few tweaks to avoid binding conflicts on the web-based ports between Apache (used by Samurai & BeEF) and Metasploit; see the details in part one of the series. On the other hand, the proposed pen-testing setup provides the capability to turn file format exploits, such as the MSF CVE-2010-0188 exploit, into web application exploits. To be more realistic and succeed in real-world environments, this attack makes use of (a slightly modified version of) the MSF meterpreter reverse_https module, which again requires a few tweaks to avoid port binding conflicts between Apache & BeEF and MSF. Both modifications have been made available through the "misc" directory of the SVN repository for the Samurai WTF project.
The presentation additionally introduces how to update Samurai v0.9 to the latest BeEF Ruby-based version, v0.4.2-alpha, as this is the direction in which the main XSS browser exploitation framework project is leading the industry. Although the project is still in alpha state, the new features are very promising, and definitely open the door for future presentations in this series ("To be continued...").
The third and final section of the presentation introduces web browsing best practices, their pros and cons, extra countermeasures, and new industry moves toward plug-in checking services and sandboxed client applications.
Thanks to all the people that showed up, and for the interesting debate afterward. Enjoy the PDF file of the presentation (no, it is not malicious... ;-) and try to put all this info into practice within your pen-tests... of course... with authorization!