My name is Toby. This is Mickey. We're glad you could make it this morning. We're going to talk to you about Windows Gadgets. First, our standard disclaimer. None of this has anything to do with anyone that we've ever worked for, or do work for, or might ever work for in the future. We have our own opinions. They have no opinions about anything, and the two aren't connected in absolutely any way, shape or form; they have no knowledge of anything we do, ever, and they're not even sure we exist. Well, aside from not being sure that I exist, my name is Toby. I'm a senior InfoSec geek for a Fortune 50 company. I do all sorts of things that mostly involve telling people their ideas are bad and then trying to keep their ideas from being compromised once they insist on doing them anyways. And an opinionated loudmouth. That too, you forgot to say that. My name is Mickey. I used to work for a Fortune 50 company. I used to break software, firmware and hardware in my spare time. And well, that's it, basically. We're going to keep do-si-do-ing because we don't have wireless mics. Excuse us for being a bit rough this morning. Today we're going to go through a bunch of different things. First, we're going to spend a little time. We've already talked about who we are. We're going to talk about what gadgets are. By the way, you all know we're talking about Windows Gadgets, right? Yeah, we're good? Okay. We're going to tell you a little bit about what Windows Gadgets are: history, little details about them. Then we're going to go into what's wrong with them. We're going to talk about first attacking with gadgets, and then we're going to talk about how you can attack gadgets. Then we'll spend a little bit of time talking about, once it's all done, what you can do about it and what the solutions are. Long-term, short-term solutions that Microsoft chose and otherwise. I understand.
A couple of thank yous, because this talk is based on several things made by other people and the support of other people. So I'd like to thank Itzy, Gaffix, Ian, Jason Street, SoftSec folks, Wim, Aviv, Raph, Gal Diskin, and Suzuki Sao and Mitsuki. Mitku, I don't think I pronounced that, but they helped us a lot with their work. Try this one. Also, CG, I guess we'll use that. We apologize, clearly technology is complex and we're not very good at it. Also, CG from the Carnal0wnage blog for his work on PowerShell bypass, PowerShell Metasploit, and just being a lot of fun to read. So for those of you who don't own Windows systems, what are gadgets? They're those tiny little applications you have on your desktop when you do a right click and then you're like, gadgets. You can use gadgets that range from a simple clock up to GPU performance handlers. They're very simple to use. A couple of examples on screen. Those are the default Microsoft gadgets: the CPU clock, the RSS feed and the weather. A little history about gadgets. The first references we've actually seen documented were to show the Active Desktop in Windows XP. Over the course of the last week or so, we've had a couple of people mention that they remember seeing similar things, that there was actually an Active Desktop in 98 as well, but we weren't able to find any traces of it or any documentation on it. So the first thing that we've seen is from Windows XP, the concept of the Active Desktop. We just basically run little tiny things on the desktop and get dynamic updates. It was fairly simple. In Vista, they started moving around, moving to the concept of actually having something called a gadget. They had the sidebar. It was fairly simple. We'll show you in half a second. It looked like this. Literally, it was just a sidebar. All of the things ran along it and were very tightly tied to it, but they were referred to as gadgets. In Windows 7, they actually did a significant number of improvements to the capabilities.
First, they combined it to a single process. They made it much easier to manage them. They could be placed all over the desktop. They also added a number of new capabilities to make it easier to develop, and they added a bunch of enterprise security features. The development points are obviously irrelevant at this point. Windows Vista; this is what it looked like in Windows 7. We're actually both quite fond of the Pandora gadget. It's a fairly handy thing to have, and it's literally just a way to listen to Pandora on the system. I think I was listening to Ween at that time. These are some other examples besides the ones that you saw previously. The question is, why does this matter? To be quite honest, Mickey came to me and said, we should do this, and I said, why would anyone care? It took him about three weeks to convince me. It felt like an eternity. Yeah, you're telling me. About three weeks to convince me to do the research, and frankly, it's not news. If you write bad code, you're going to get compromised, right? If you run somebody else's code on your system, they're going to compromise you, right? This isn't novel. Turns out, though, the same issues that made this an actually interesting target and a problem are being moved forward consistently as a clear and enthusiastic business model. We're seeing everything being done by vendors to try and make it easier and easier for people who have less and less experience and knowledge about development to actually do development. So the sorts of mistakes that we found, and that we were able to exploit and take advantage of on these systems, are going to continue being common as long as you can do something as silly as write an entire application in JavaScript and HTML. So, a little bit of what is a gadget? A gadget is a zip file. Technically, it's a zip file renamed to be .gadget. If you didn't get that, that's cat.zip. A gadget has several screens on it.
The main one, which you see when you use a gadget; there is an about, a flyout, and a settings screen. As you can see, they have corresponding HTML files. This is, by the way, the simplest directory structure for a gadget. You've got a CSS folder, images folder, JavaScript folder. A couple of HTML files. Sorry. This is the Neon Cat gadget, which you'll see soon enough. The part that is not standard is the gadget.xml, which is the gadget manifest. It holds the information on a gadget: manufacturer, copyright, URLs, permission level, which is always set to Full and is expected to be Full by Microsoft for some reason. Forget anything? It can get simpler. Yeah. This is the template. Yes, this is the HTML template. But you can also develop gadgets with Silverlight. So it's even more simpler if you... It's simpler, sorry. English is not my first language, I apologize. WPF and Silverlight will make it easier to code malicious code into your gadget. So, a little bit about the security model. Microsoft actually provides a very detailed explanation. We were surprised by how much effort Microsoft has put in to documenting the security model and to documenting good security practices for writing gadgets, especially considering the general lack of security quality we found in the development of gadgets. It wasn't for lack of trying; we didn't see quality, but not for lack of Microsoft trying to do it right. What we're going to do, though, is we're going to call out some of the highlights of the security model, and if you want to see more, you can still find the documentation on a modern Microsoft site. There's a URL in the background. First, code signing is actually possible. It's not standard. It's not common. It isn't required, but it is absolutely possible. We saw, out of 60 or 70 gadgets that we were able to pull down, one or two, maybe three. One vendor. One single vendor, and not very many gadgets from any vendor, that were actually signed.
The prompt looks pretty similar to the actual installation for any standard application. The action behind it is much less complex, in that it's just dropping everything into a directory but making a couple of configuration changes, very small stuff. But as you can see, it looks pretty standard. Show of hands, who's familiar with an HTML application? HTAs? Show of hands? Who can give me the square root of 1,563? Just checking that there was actually a difference in response. So, they're fairly similar to HTAs, HTML applications. There are some differences, in that they still run in the local machine zone but they have some additional privileges that you wouldn't otherwise be able to take advantage of, and they have some limitations that aren't always in place. First, one of the advantages, and something we found tremendously useful, is you can instantiate any ActiveX object on the system. Doesn't matter what it's for. Doesn't matter whether it's a reasonable or sane thing to be able to do from an HTML function, you can do it from here. However, you can't actually kick off a UAC prompt. Doesn't matter what privilege you're actually running as for the user, this is always going to run as a standard user even if you're in the admin group. On the other hand, any process that's been exec'd from the gadget can then itself raise a UAC prompt, and since you can use the ActiveX Shell.Run function or Shell.Exec function, you can still pretty much do what you want from here. Parental controls do apply, as you would expect for any HTML-based thing. It's running in an IE container; it's just a modified set of permissions to do so. Anything? You want to add anything? Some of the enterprise features that were added in Windows 7: there are a couple of basic things that you can use, you do via GPO, you can manage them in different ways. One, you can turn off the sidebar completely as a function.
Two, you can set policies to control unpacking and installing of Windows gadgets that aren't signed. Unfortunately, this doesn't actually prevent somebody from installing them manually, and it doesn't remove gadgets that have already been installed; it just prevents new ones from being automatically installed when they double click and want to run them. You can disable user-installed gadgets, which is basically just locking down the permissions for a specific directory, and finally you can actually override the "get more gadgets online" link, which is now dead anyways. At this point, normally I know the standard is to ask questions at the end. Feel free, though: does anyone have any questions about anything we've covered on the development side of it that you want to ask now? The question was, is there any concept of this moving to Windows 8? Do you mean, is there anything being done in Windows 8 that has a similar sort of idea behind it? Okay. As far as I know, I guess since neither of us work for Microsoft we can speculate wildly, but as far as we know you've got the Metro app store sort of thing that is similar, but it's wrapped in the AppContainer capability, which locks it down much, much more tightly, and I haven't looked at the development for the Metro apps, so I don't know anything about Metro apps. Any other questions? Yeah. I think the question was, is Microsoft really going to remove gadgets from Windows 8 or are they going to make it optional? Our understanding is they removed the feature. Other questions? Attack surface. We're going to now go into a little bit of the attacking, actually, through gadgets and with gadgets. We're going to start off with attacking with gadgets. One of the fundamental problems here is that it's just another piece of code somebody is running. We've all known for 20 years that if you download and run someone's code, it's just this little tiny container thing. Unfortunately, people don't actually think of gadgets, for some reason, as code.
We weren't quite sure why. Mickey speculated that it was because they're cute and small and run around with little hats and pants on all the time, so he took a picture of them. Honestly, they are just as dangerous as any other piece of software. So the question is, what can you do with this? Well, is it really just another piece of ability that you would expect? Here are some of the things that you're actually able to do from a gadget. I can't do everything I might want. Well, oh yes, wait a minute, I can. I can exec code. Do I need to say anything? Well, just in case anyone is curious, you can also open URLs. So if you didn't want to carry something with you in the HTML that you're downloading with the gadget, you can go get more. If you want to change what you downloaded, you can do that too. You want to update, no problem. You want to create files with arbitrary content, binary or otherwise, on the system. We can do that. You want to be able to read files, anything that the user has permission to, you're good for. And if you want to get past that permission, obviously you can just spawn something and raise the UAC prompt and do so. Make your computer speak. Sure, you can do that too. All right. So let's just make sure this works. Proxy setup is going to be one. It's going to be another one. No, I think that was the... never mind. Let's stop with the Gmail. We're going to show you a little demonstration of what you can do with a malicious gadget. I'm just going to make sure I'm connected. Okay, so this is a PoC of a gadget that will self-spread to all your contacts. It is not fully weaponized, it's just a PoC and a little explanation. The gadget opens Gmail, assuming, well, quick question: how many of you use Gmail? Okay. How many of you make sure you log out after you stop using Gmail? Every single time? Every single time. How many of you are lying? That's not good. What the? Okay. Can we get sound from... okay. I apologize in advance. You should be so ashamed.
Open your contacts. Select them all. Create a new email, add a subject, add a link and we'll send it. When it's done, it will close the window. Now, just to clarify how it is. First of all, I would like to stress that there is no security vulnerability in Gmail. It's kind of a workaround for a setting. Gmail allows users to use keyboard shortcuts. And to enable that, usually what you do is go into settings and select an option saying enable keyboard shortcuts. However, if you open a URL with kbd=1 in the query string, you will get that feature enabled. And gadgets very easily send keystrokes to the screen. This is the code that sends the Gmail. 16 lines. That's how simple this is. So, simple example; you saw what can be done, very standard malicious sort of gadget activity. The key is that it's got all of the access it needs to all of your cookies and all of the information in your browser. Which means it also has your proxy configurations. It can manipulate anything else it wants on the system. It's got all of that state that you're giving it at any point in time. Another condition. We discovered also that gadgets can also read mapped network drives, delete mapped network drives, handle mapped network drives. Everything that Windows supports, it can do, basically. We actually ran out of time to find out all the things; we kept finding, we'd try something and say, oh, that's possible. How about... oh, that's possible. So you've seen something we've talked about, attacking with gadgets, simple demo. Hopefully you understand it is just a PoC. The question is now, what can you do in terms of attacking gadgets? Well, unfortunately, they're just code. And in many cases they're written by people who don't have a lot of experience writing code. It was fairly interesting as we went through the collection of gadgets, and we found about... is that a question? No, it had all of them in an attack? Okay. We found about 65-70 gadgets that were floating around that people were actually using.
And it was very easy to distinguish between the gadgets that were written by people who are used to doing development, and they'd break it down as you'd expect with any developer, in terms of having separate files for different function families and all sorts of clean object-oriented design, and people who are used to doing web development, in which case you'd see one big HTML file that contained everything in the JavaScript, and you can do this. It's really just a web page, to some extent, that's running locally with a lot of extra privileges. So you'd see a lot of different styles, and of course that leaves you with a lot of vulnerable systems, so you end up with a fairly basic strategy, which is just: find some gadgets, analyze them, pwn and profit. So what did we find? Well, when we went around, we found a lot of sites offering malware that were claiming to be gadgets. We found a fair number of gadgets, but we found more in terms of total number of sites that were offering it; there was more malware out there than there were actual gadgets. We found really limited use of SSL; in fact, the only consistent cases that we found SSL being used were in the cases where the websites that were being connected to required it, otherwise they didn't use it. And we actually found all interesting educations. You want to give them the rundown?
Yeah, we saw one good use of SSL in a gadget, but the funny thing was that the website hosting the file that was being accessed through SSL also hosted it at normal HTTP, so all you've got to do is sslstrip and you win. And this is the sort of behavior that we saw that was actually some of the more well-intentioned behavior we saw; most of the time we didn't even see that used. So, a lot of connections to ad servers that seemed to have no purpose for the gadget. They never notified the user that they were being connected to; they never prompted the user for any permission or activity around it. It was just generically run. We also found that there were a small number of producers that produced all the gadgets, which meant that there was a lot of shared code. At one point Mickey got this random text from me saying there's something really strange going on: I've got gadgets that are coming from different sources that have the exact same update patterns in their fully qualified domains. Literally, the paths are... he said, no, I can't be right, the paths are exactly the same. We start looking into the domains a little bit, and they have not listed that there's anything compared. We find out they're owned by the same company and that the developers are the same; at that minute, all of a sudden, it makes sense. They're using the exact same code base; there's just no reference. The question is, was there any warning for self-signed certs or anything like that? And certainly you would hope to see that, and we did not. We also didn't see any prompting for cookies. Now, that may have been the configuration, but I don't think so, because we tried it with about half a dozen configurations and it just didn't seem to prompt the way you would expect. So the interesting thing is that if you find something in one gadget, you're probably going to find it in other ones as well. This comes up a lot in a framework, and if you're building a framework, and a lot of these are built from simple frameworks, you're going to end up with shared flaws.
This is just another instance of shared code giving you underlying problems. How many remember the ASN.1 bug? One, two, really? Okay. ASN.1 is an underlying parsing protocol that the US government defined. They offered a reference implementation of it that nobody bothered to use as a reference and just took and implemented directly into everything: baseband for satellites, ISDN, SNMP, everything uses ASN.1. And so there was this really pernicious flaw that showed up everywhere because of the shared code problem. It was a long-lasting flaw. So, like we said, we found a bunch of actual really poor practices, which led us to plenty of options for how to inject code. Your default permissions were Full. We could easily sniff traffic. I think he really likes this one. Yeah, this is a funny one. As we're looking through traffic, seeing what the gadgets send through HTTP requests on 64-bit platforms, we noticed that gadgets will send a request, every request will be sent with an HTTP header, UA-CPU. Does anyone know what that header is?
Show of hands. That header is to indicate the kind of platform you're using. As far as I know, I can tell from the large-scope searches I did online and Wikipedia, which is not really accurate most of the time, UA-CPU has been used in IE 3 and 4 and has not been used since, except here. The only use that we've seen is in gadgets on 64-bit platforms; 32-bit are unimportant. The more interesting thing is, most of the systems that I have been in contact with through all my corporate life experience have been Windows 64-bit machines. We have no official numbers, but we assume that most of the Windows 7 machines are 64-bit based. So I got to do a sniff of traffic, and you'll see it's easy to spot.

So SSL: we all know it's really complex. It's not like there's good references for it. It's not like it's well documented. There certainly aren't libraries that are available for everyone to use, and it certainly hasn't been explained again and again and again and again how to do it right. So why would you expect anyone to do it properly? And since you can't expect someone to do it properly, what you end up with is this strange habit where gadgets want to update themselves. It's reasonable; auto-update is a reasonable thing. But what we found was you have cleartext downloads of updates, and since gadgets are written in JavaScript and HTML, what you've got is cleartext download of JavaScript and HTML, which is then fully updating the entire cache of the gadget itself, which means you've just replaced all of the code for the gadget, which unfortunately means that whatever you looked at at the beginning may have absolutely no reference or relevance to what is actually going on, to what's actually executed. This is sort of like what Charlie Miller demonstrated, except nowhere near as complex or challenging and not quite as cool. Well, nowhere near as cool, frankly. But the same sort of consequence: you think you get one thing and you get something completely different as a result. It makes it really simple to perform a man in the middle attack. As Mickey pointed out, there's a really simple HTML header that you can check for; you can use something as simple as your phone. To be clear, the demos we're showing you and the demos that we've done were actually doing full man in the middle; we configured a proxy. This isn't because it's required, it's because the demo gods are capricious and fickle and really, really nasty, and we just don't want to have any more variability in it than we absolutely have to. There's no reason, though, you couldn't just do a race attack and do an injection without actually having to use a proxy for this.

Okay, yeah, so what we have here is a proxy running in this window, bottom right window, a proxy set to listen to gadget traffic and intercept it and replace the response with something interesting. I'm going to display this using it. Yeah, no, that was just the port that we set up for the proxy. The question was, does all gadget traffic hit 8181? No, that was just the proxy port that we chose because it was a nice number. No meaning, no meaning otherwise. Um, the question is, is it typically using any... gadget traffic is just running an IE process, so it's going to use whatever ports IE is configured to use by default. It'll use 443/80; if you've got a proxy that's on an off-numbered port, it'll use whatever is on the off-numbered port. Yeah, so this is the normal screen in Windows, the default gadgets. The only two different ones are the Neon Cat, which you've already seen, and the piano. The piano gadget, this one, is exactly the one that was in the Microsoft gallery, the Live Gallery, before they killed it. No modifications have been done to it. Reminder: this computer is running through a proxy right now. "Hello, this is your computer. I'm tired of the way you have been treating me. I am going to self-destruct in five seconds. Goodbye." The gadget isn't supposed to do that. That's, by the way, three lines of code. The hardest part of that was actually... well, no, there wasn't really a hard part of that one; that was an easy one. To be fair, your computer does complain at you a lot. Imagine hearing that when you least expect it.

So the simple example we gave you of running just injection, making your computer say something, this is kind of cute, trite, a little silly; we've seen it before. The question is, of course, can we get a shell? That's always the real interesting question. And the interesting thing is, as we said, since you've just got the ability to write anything you want to the system, and you've got the updates in many cases, or not even the updates, you've got the request for HTML and JavaScript running in cleartext, and it's going to then go execute your JavaScript and parse your HTML, you've got a tremendous amount of power in the process. You can write any scripting language you want, execute anything you want. In our case, we started playing with PowerShell.

So at this point, okay, so what you've got now is three windows. Top left is a simple HTML web server that we set up. It's serving a shell; it's serving a file. In this case the file it's serving is a very simple Metasploit Meterpreter reverse TCP shell. We didn't do any modifications; by itself, this shell would be detected by any decent antivirus. That's purely for PoC, because we're lazy. The fact is, obviously, that you could download any binary that you want and you could write anything you want. In the upper right corner you've got Metasploit waiting for a reverse connection, and as Mickey already showed you, you've got a proxy in this corner. We're going to do one small change to the payload that's delivered. Because it is a gadget, just like... because it runs in the IE process, you've basically still got to clear the cache; it'll store things. There were a number of times where one of us or the other would forget and try to figure out why something suddenly stopped working. It was more than a little frustrating, but it's pretty straightforward. So what you're going to see from this side is not particularly exciting, fairly intentionally. From this side, all you get is... all you see is a file written to the desktop. Now, this is for a PoC; we chose to write to the desktop. You can write anywhere you want; there's no reason you have to write to the desktop. You can write to the startup folder, you can write anywhere the user has permissions to. But notice that there is no prompt that you're running an unsigned binary. Notice that there is no prompt that you were kicking off anything from a script or running a script. All you saw... and one last thing: the gadget's functionality still works. In contrast, what you see when you've got back here is that you see the request was detected and injected. You see a request here for the URL and for the file that it downloaded, and over here what do we have but actually a Windows shell. So you can, in fact... now, the interesting thing about this is that if you run the exec function from JavaScript, it will warn the user that you are trying to execute something that's not signed, that was downloaded from an untrusted zone. It tries to do the right thing. However, if you run a binary from PowerShell, it doesn't warn you at all. Now, of course, the default policy for PowerShell is you can't run scripts on the system. Luckily, CG and some of the other folks out there have been looking around and talking about PowerShell attacks and documented some really nice PowerShell policy bypasses. So what we're actually doing in this attack is we are using JavaScript to write, first, to pull down to the system, then it writes a PowerShell script, which is meant to execute the binary, and then it writes a batch file, which is used to bypass the PowerShell policy, so that you've got a batch script running PowerShell exec'ing the shell, the result of which is the user sees nothing and it bypasses all of the basic controls on the system to do so. It was actually mostly the pain in the neck of getting all of that escaping properly set up between multiple languages and getting it to write to the desktop.

So at this point you can see we feel pretty comfortable that you've got complete compromise of the system. We've owned it; you've got shell. We can do this with anything that you're asking for JavaScript from; any time you ask for JavaScript with a gadget, we can do this. What do you do about this? It's fun to find flaws, but you've got to find something that you can do about this. Well, at a basic level, if you're going to write applications, it's going to be vulnerable. If you're going to download and execute stuff, don't take candy from strangers. Think about what you're downloading; think about what you're executing. If you're someone involved in writing an application framework, and this is an open request to anyone writing application frameworks: if it matters that something be done properly, don't leave it to chance. The easier you make it for people to write code, the less experience they're going to have writing code. Finally, there's always the Microsoft solution, which is they removed the feature completely and they moved over to the Windows 8 model, which has the AppContainer instead, which has much, much tighter controls over it completely. They're moving into the Windows Store; they've updated all the documentation for developers and everything else.

This research could not have been done without the help of others. Interesting history: the three CVEs you see are remote code execution in default Windows gadgets in Vista, reported by Aviv Raff in 2007. That's five years ago. It has been probably worked by Ian and Aviv on DEF CON 15, and it's Ike Yonatan for the Jinx malware. For a lot of reference, even though it's not listed under the references, the fact is that all of the functions we found, the PowerShell policy bypass, all of those things we borrowed proudly and stole enthusiastically from people who did and published and were good enough to share the original research that they found. We couldn't have done it without them. So if you've got any interest, there's additional references here. If you've got questions, we're happy to take them. We've got only a couple of minutes; after that we're going to be in the Q&A room number four, I guess. Maybe we'll move to the Q&A room and take questions there. Thank you.
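The package layout and manifest the talk describes (a zip renamed .gadget, a gadget.xml whose permission level is Full, and HTML/JavaScript that may fetch updates over cleartext HTTP and instantiate any ActiveX object) lend themselves to a quick static triage before a gadget is allowed onto a machine. The following is an added example written for this page, not code from the talk or its presenters; the sample package, the updates.example.invalid host and the ActiveX watch-list are constructed assumptions.

```python
"""Static triage of a Windows .gadget package (a zip renamed .gadget).

Added example for this page, not code from the talk. It builds a constructed
sample package in memory and reports what the talk calls out: the manifest's
permission level, cleartext http:// fetches, and risky ActiveX ProgIDs.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# ActiveX ProgIDs that hand gadget script process or file-system access.
# This watch-list is an assumption for the example; extend as needed.
RISKY_PROGIDS = {"Shell.Application", "WScript.Shell", "Scripting.FileSystemObject"}

HTTP_URL_RE = re.compile(r"""\bhttp://[^\s"'<>]+""", re.IGNORECASE)
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\(\s*["']([^"']+)["']""")
TEXT_EXTS = (".html", ".htm", ".js", ".xml")


def parse_manifest(xml_bytes):
    """Return (name, permissions) from gadget.xml; missing elements give None."""
    root = ET.fromstring(xml_bytes)
    permissions = None
    for host in root.iterfind("./hosts/host"):
        text = host.findtext("permissions")
        if text:
            permissions = text.strip()
    return root.findtext("name"), permissions


def triage_gadget(package_bytes):
    """Walk the package; return {'name', 'permissions', 'http_urls', 'activex'}."""
    findings = {"name": None, "permissions": None, "http_urls": [], "activex": []}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower == "gadget.xml":
                findings["name"], findings["permissions"] = parse_manifest(zf.read(info))
            if lower.endswith(TEXT_EXTS):
                text = zf.read(info).decode("utf-8", errors="replace")
                findings["http_urls"].extend(HTTP_URL_RE.findall(text))
                findings["activex"].extend(
                    p for p in ACTIVEX_RE.findall(text) if p in RISKY_PROGIDS)
    return findings


def risk_notes(findings):
    """Reviewer-style notes; an empty list means nothing was flagged."""
    notes = []
    if (findings["permissions"] or "").lower() == "full":
        notes.append("manifest requests Full permissions: local-machine zone, any ActiveX")
    if findings["http_urls"]:
        notes.append("%d cleartext http:// fetch(es): code can be swapped in transit"
                     % len(findings["http_urls"]))
    for prog in sorted(set(findings["activex"])):
        notes.append("instantiates %s: process/file access from script" % prog)
    return notes


def build_sample_gadget():
    """Constructed sample mimicking the minimal layout shown in the talk."""
    manifest = b"""<gadget>
  <name>Neon Cat (constructed sample)</name>
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="main.html" />
      <permissions>Full</permissions>
    </host>
  </hosts>
</gadget>"""
    main_html = b'<html><head><script src="js/main.js"></script></head><body></body></html>'
    main_js = b"""// Self-update over cleartext HTTP, as the talk describes (constructed).
var UPDATE_URL = "http://updates.example.invalid/neoncat/main.js";
var sh = new ActiveXObject("WScript.Shell");
var req = new ActiveXObject("Microsoft.XMLHTTP");
req.open("GET", UPDATE_URL, false);
req.send();"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gadget.xml", manifest)
        zf.writestr("main.html", main_html)
        zf.writestr("js/main.js", main_js)
    return buf.getvalue()


if __name__ == "__main__":
    found = triage_gadget(build_sample_gadget())
    print(found["name"], found["permissions"])
    for note in risk_notes(found):
        print(" -", note)
```

Run against a real package by passing the file's bytes to `triage_gadget`; Authenticode signature checking is outside what this script does.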