Now, I hope that you have a good time at DefCon. So this talk is called "Hack Any Website". This is a very sexy title. This explains why there are so many people in the room. Actually, it's more about the man in the middle attack. So first, I will give you an overview of this attack. Then I've prepared a few demos to show you what it's possible to do with this attack. After that, I will give you some general analysis, and I will explain to you how it works. Then I follow up with some technical analysis, and I will show you the code to be able to reproduce this attack. Then I will give you some defense mechanisms, and then I will conclude.

So what is the man in the middle attack? The problem is that today, servers are better protected, but the clients are not. So the idea is the following. You have a client, you have a server, and between them, you have the man in the middle. You have a communication between the client and the server. Let's say that the client sends a request to the server. The man in the middle will intercept this request. It's possible to modify this request. The server will respond, and once again, the man in the middle will intercept this response. And once again, it's possible to modify the response. So this is a very generic man in the middle attack, and I will show you how it's possible to do it with Internet Explorer.

So I've prepared a few demos for you. As the wireless connection does not work very well, I did it yesterday in my hotel room, and I will be able to show you what I did. So first, I will start with iNotes. So you probably know iNotes. This is a webmail interface to access mail when you're running Lotus Domino. So I will launch the demo. So this is a very basic computer running Windows 2000 with Internet Explorer. I've started Internet Explorer. I will type in the address bar the URL to access the webmail interface. So I access the login page. I type the username. I type my password. I will log in.
So, very standard, the homepage of the iNotes web access. I will click on the mail menu. I will choose inbox. And once again, this is very standard. I have the list view with all my emails in my list box. I will right click on one of these emails. And as you can see, you have a very nice pop-up menu. And actually, this is, it's too fast. I will just go back a little. So you have a nice DHTML pop-up menu. And in this DHTML menu, you have some features like open. So you can open an email. You can move the email to another folder. You can remove an email from the folder. So this is very standard. I choose the open feature. And the email is opened. So everything is fine. No problem at this moment.

So now let's try the second demo, which is the same except that there is somebody between the client and the server who will attack the communication and modify what happens. So let me show you with a graph. So you have the client which sends a request to the corporate server. The corporate server sends back the response. And it will modify the response. And actually, I will switch the open and the remove features. So the open and remove features that you have in the pop-up menu will be switched. So what will happen? When the user tries to open his email, he will send the request "I want to remove the email". So definitely the email will be deleted on the server. And then the corporate server will send back the list view, obviously, without the email.

So let me show you how it works. Very easy. I launch once again the demo. So same stuff. I launch Internet Explorer. I type the URL. The user experience is exactly the same except that somebody is intercepting what happens between the client and the server. So I type my username and my password. I log in through this page. Okay, I reach the homepage of the iNotes web access. I choose the inbox from the mail menu. Once again, I right click on one of the emails. And then take a look. I choose open.
But actually, it removes the email from the inbox. Once again, I do it for another one. I choose open. Same stuff. It will delete the email. So it's pretty funny to change those features.

Okay, so I have a second demo. And I think that it is even better than the first one. It's about the CNN webpage. So let's do it again. I will start the demo. This time, the computer is free of the attack. So I just want to type www.cnn.com in the address bar of Internet Explorer. And I will reach the CNN homepage. I did this yesterday night. So let me explain what I will do. Once again, you have a request between the client and the media website, which is CNN. CNN will send back the HTML page. And this HTML page will be intercepted by the man in the middle. So what the man in the middle will get, this is the standard source of this HTML page. And the man in the middle will search for a specific tag. It's a little bit up here. This tag, actually, if you take a look at the source of the HTML page of the homepage of CNN, this is a tag to see that you are in the middle of the page with the main title. And as you remember, it was a title about the dovetail of Saddam Hussein. So you can see it there.

So what will happen? The man in the middle will request something from a malicious server, because I want to change the content of the homepage. So I do a request to the malicious web server. Obviously, I get a response from this server, and then I send back to the client the answer that has been modified. So let me show you what you will get. So I launch my second CNN demo. So this time, the man in the middle will intercept the communication. I will type the CNN URL in the address bar. And as you can see, this is a little bit different. So if you have any information about DefCon, I think that you have to report to the DefCon website. Okay, so let me explain to you how it works and how it's possible to do this.
And you will see that this is very, very easy to be able to intercept the content from a website. So is it new? No. Actually, I have to go back in the past, and it was a war between Internet Explorer and Netscape. And if you remember, there was the release of version four in the same week of both Internet Explorer and Netscape. By the way, I have some PC cards, and I'm supposed to give them away right now. So I will ask a question. And the first one who answers the question will win the PC card. In which year was version four of Internet Explorer released? That is '97. Okay, actually there is a second one, but this is for the end. There will be another question.

So, big competition between Internet Explorer and Netscape in 1997. And Internet Explorer introduced a concept which is the BHO, the Browser Helper Object. And actually it was a very good initiative from Microsoft. This is a way to open the browser structure, and you can access the browser structure through a DLL. So this is the purpose of the BHO. And it's a great feature, and for instance, when you download a PDF file through Internet Explorer, the PDF file is displayed with a BHO. And it's also the same with the Google toolbar. The Google toolbar is using a BHO. The problem of the BHO is that you can change the structure of the HTML page inside Internet Explorer, but you have absolutely no security around this feature. I mean, Microsoft probably considered that Windows was secure enough, and so the BHO is totally silent. So you can fully modify the structure of the HTML page without any warning for the user. And basically this is what I did for both the iNotes and the CNN web pages. So definitely it requires Internet Explorer 4.0 or later. But if you take a look at the Google Zeitgeist, which shows you all the Google requests on the web, it's more than 90% of the market. So definitely it's not a big deal. And definitely what you have to do, you have to create a DLL.
You have to execute some code to push this DLL into the Internet Explorer process. The good point is that this is a very generic attack that leads to a lot of malicious scenarios, as I just showed you. So the good point is that you do not need any hardware. It's just software. You have to develop this DLL and to run this DLL on the client. Another good point is that you do not have to modify the server. So this is what is very, very good, because if I had to change the CNN server, it would have been probably very, very difficult. Moreover, this attack uses a feature developed by Internet Explorer. It's developed by Microsoft. So definitely Microsoft gave you all the tools to develop such an attack. And last, this DLL actually cannot be detected by anti-virus. So this is a very standard DLL with no specific signature, nothing very specific. So it's very easy to push this DLL, and it will not be detected by anti-virus. Last, you can personalize this attack, and this is what I did for the CNN web page. I established another connection with the malicious server to get the new content, and I reproduced the content for the client.

So let me give you some technical analysis to show you how you can develop this BHO, this attack. So actually a BHO, this is a COM in-process DLL. And once you have registered this DLL, it will be automatically loaded by Internet Explorer. So it means that the next time you start Internet Explorer, the DLL will be loaded in the process. And then at this moment, Internet Explorer will check all the DLLs, and it will pass an IUnknown pointer to your DLL. So this is the way you will be able to modify all the structure of the HTML page. So how can you do that? So this is pretty obvious. You have just to define a SetSite function, and in this function, you have to call the managed connection where you will advise Internet Explorer that you want to get back the HTML structure.
So we will pass actually an advise flag to tell Internet Explorer that you are interested to get everything. Once you have done this, you have to connect your BHO to the structure, to the browser. So you can do this with the FindConnectionPoint function, and you will get a COM pointer, and then you have just to call the Advise function with, as you can see, this parameter, and you will be able to get all the events of the container. So any event that will be fired in Internet Explorer will be caught by your DLL. So you have many events that you can intercept. So the first event is DISPID_DOCUMENTCOMPLETE. So it means that when the page is downloaded and will be displayed in Internet Explorer, this event will be fired. So you will be able to get the full content of the HTML page and to modify any tag you want, and then to ask Internet Explorer to render the page. So this is what I use for the CNN web page. I capture this event, I modify the page, and then Internet Explorer displays the new content. You have some other pretty interesting events like the NavigateComplete event, the BeforeNavigate and the NewWindow. The BeforeNavigate is pretty interesting because it's fired before you send a request to the server. So I mean, when you type a URL or when you want to click on a hyperlink, this event will be fired. So you will be able to get the full URL with all the arguments that have been sent by the client before it reaches the server. So you can get the full URL. You have more than 20 events that you can intercept, and if you want to take a look, you have to go to the exdisp.h header file, which you can find in the SDK.

So let me give you an example with the document complete. So once you intercept this event, you will be able to get the document structure of the HTML page. So this is the function get_Document. So this is the document, and from this document, you will be able to get the body. So it means the body that you can see in the HTML page.
So I mean, from this tag basically to the end will be reflected in this structure. And then you can parse all the structure and modify any tag you want. And once you have done this modification, this new page will be displayed by Internet Explorer. The same way, if you want to get the location, I mean the URL, you can do it through the get_LocationURL function. So what you have to do to install your component, actually this is very easy. You have just to register the DLL, and you have to create a key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects with the GUID of your DLL. And that's all. Once you have done this, the next time Internet Explorer is launched, it will automatically load your BHO.

So how to defend? First, do not use Internet Explorer. If you want to still use Internet Explorer, you have many, many options. The first one is to disable all or some of the BHOs. So you can do it very simply. Just go through the registry to the key that I've just shown you before, this key, and just remove all the keys, and then all the BHOs will not be loaded the next time. The problem is that it's pretty painful, because sometimes the BHOs are pretty useful, and this is the case for the Acrobat plugin or for the Google toolbar. Another solution would be for Microsoft to improve, in the coming release of Internet Explorer, the support of BHOs. First, I'm very, very surprised that there is no warning that a BHO has modified the webpage. So when I modified the CNN webpage, I got absolutely no warning that something had modified what I downloaded from the website. And I hope that in the next release, they can add a kind of warning to let the users know that something happened inside Internet Explorer. Otherwise, they can also create a tag, something like disable BHO. So for a given webpage, you are sure to disable all the BHOs of the page.
Okay, so before the conclusion, I will give the second PC card. So to your mind, which privilege is required to install a BHO? Power user, power user. So definitely what I just wanted to show you is that using a very standard feature of Microsoft Internet Explorer, it was possible to develop an attack, and this is a very flexible attack. It's fully selective and fully personalizable. So definitely you should not trust what you see. Another point is that if you take a look at Google, you have a lot of BHO watchers, and these are small executables to be able to list all the BHOs that are installed on your computer. So definitely I recommend that you use such a tool to know all the BHOs that are installed on your PC, and I'm pretty sure that you will be amazed by what you will discover. So this presentation and the code can be downloaded from the DefCon website. You have a clear BHO, and you can do whatever you want to do with it. And definitely if you have any question, you can contact me by email. So definitely have fun with BHOs. Thank you.
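The speaker's closing advice is to run a "BHO watcher" and look at what is registered on your PC. The script below is an added example, not the speaker's code and not the BHO offered on the DefCon site: it lists the GUIDs under the key he gave, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and resolves each one through its CLSID registration to the friendly name and the InprocServer32 DLL path, which is the DLL Internet Explorer will load. It works from a text export of the registry (regedit's "Export" or `reg export`) so it runs anywhere offline; the embedded export, its GUIDs and its paths are constructed sample data, and the list of "expected" DLL directories is an assumption to adapt to your own build. On a live Windows machine you would read the same keys with the standard `winreg` module instead of parsing an export.

```python
"""Inventory Browser Helper Objects from a registry text export (.reg)."""
import re
from typing import Dict, List

# The key the talk names; every subkey GUID is a BHO that IE will load.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid"
# Assumption: directories where a legitimately installed plugin DLL normally lives.
TRUSTED_DIR_PREFIXES = (r"c:\program files", r"c:\windows\system32")

# Constructed sample export (not real registry data): two ordinary BHOs and
# one that is registered but unnamed, with its DLL in a user's Temp folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000003}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\pdfhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}]
@="Example Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\helper.dll"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _normalize_key(path: str) -> str:
    """Lower-case the key and fold HKEY_CLASSES_ROOT onto its HKLM backing key."""
    p = path.strip().lower()
    if p.startswith("hkey_classes_root\\"):
        p = "hkey_local_machine\\software\\classes\\" + p[len("hkey_classes_root\\"):]
    return p


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.
    The default value is stored under the name ""; non-string values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = _normalize_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def inventory_bhos(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Resolve every registered BHO GUID to its CLSID name and DLL, with flags."""
    bho_root = BHO_KEY.lower() + "\\"
    guids = sorted({k[len(bho_root):].split("\\")[0] for k in keys if k.startswith(bho_root)})
    findings = []
    for guid in guids:
        name = keys.get(f"{CLSID_ROOT}\\{guid}", {}).get("", "")
        dll = keys.get(f"{CLSID_ROOT}\\{guid}\\inprocserver32", {}).get("", "")
        flags = []
        if not dll:
            flags.append("no InprocServer32 (CLSID not registered here)")
        elif not dll.lower().startswith(TRUSTED_DIR_PREFIXES):
            flags.append("DLL outside Program Files / System32")
        if not name:
            flags.append("no friendly name")
        findings.append({"guid": guid, "name": name, "dll": dll, "flags": flags})
    return findings


def suspicious_bhos(reg_text: str) -> List[str]:
    """GUIDs of the BHOs that raised at least one flag."""
    return [f["guid"] for f in inventory_bhos(parse_reg_export(reg_text)) if f["flags"]]


if __name__ == "__main__":
    for f in inventory_bhos(parse_reg_export(SAMPLE_REG)):
        status = "; ".join(f["flags"]) or "ok"
        print(f'{f["guid"]}  {f["name"] or "<unnamed>"}  {f["dll"] or "<no DLL>"}  [{status}]')
```

To use it on a real machine, run `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`, concatenate the two files and pass the text to `suspicious_bhos`; on 64-bit Windows the Wow6432Node copies of both keys also need exporting. A BHO with no CLSID entry, no name, or a DLL in a temp or profile directory is exactly the kind of silently loaded component the talk warns about, and the remedy is the one the speaker gives: delete its GUID subkey and restart Internet Explorer.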