 Hello everyone. Today I will talk about how to tag desktop uh desktop applications use web security skills. Uh this may sound weird but of this talk, you can see how we can pop up a calculator without reversing our binary explorer team's knowledge. Uh I'm sort, I'm from Tencent's security show lab and I'm a member of the CDF team and I have spoken at zero nice and hit B. And my friend here man, he also from show lab and he's a speaker of Asia's Quest. And another friend uh he's from Tencent's show lab too. He's a member of C clover security and he's spoken at zero nice and hit B too. And fortunately these two guys doesn't come here. Okay uh when people are talking about attacking desktop applications, you may think about Pongtong. Yeah. Hacker said Pongtong may uh may use memory corruption box to get a calculator. I dream about that one day I can pop up calculators just like them. But there's some difference between me and them. I know just know something about web security. I can do little reversing. I know nothing about punning. Can I pop up a calculator like people in the Pongtong? Hmm that sounds a good question. Yeah. And we notice more and more applications use hybrid technologies. Uh uh people write applications use their, use frameworks like Electron or NW.js. So their applications can run at all the platforms. And web techniques are used in these frameworks and they may use web techniques to develop their applications. So that's a good news for our web security researchers. Yeah. We can use web security tricks to pun them reliably. Oh let's see how to pop up a calculator. Use web security knowledge. Let's keep web security great. So let's start off from the attack surfaces. So today in this talk we all talk about three sections. One is open pause. The second one is UR schemes. And the third one is some features of the applications. Yeah. So we start from uh when uh application opens up port. So why do they open a port? Maybe they open a port for a web server because they want to expose some API calls. And maybe they use the port for debugging and not many other purposes. And the application may bind the port on all the interfaces or on the local host. Yeah. On all the interfaces you can access them really remotely. But how to, how do we access the ports on local host? And the browser is our good friend. If the port, the service running on the port accepts HTTP protocol or it has a tolerance of illegal commands and then we can use browser to attack this local host port. And before we come to the exploding uh let's see some basics. The same origin policy. Yeah. We say that two pages have the same protocol host and port and these two pages are in the same origin. So for pages in the same origin they can send simple HTTP requests or send requests with custom headers and get the response. If they are not in the same origin they can only send the HTTP requests and cannot get the response. So how this uh, this is a basic restriction in the process. There is there a way to bypass this. There comes DNS rebinding. So uh the process is as follows. Uh we first access the rebinder.com. It will resolve to uh attack this IP and pull all the pillows from the attack server. And uh in the browser just you just wait with a few uh with a uh with a few minutes and you request rebinder.com again. And then this domain will resolve to the target IP uh such as local host. And in the uh and uh uh the port, the protocol and the host are not changed in this process. So the browser believes they are in the same origin. So we can attack it just uh bypass the IP. Yeah. So we need the uh there are some prerequisites. The swap service should not check the host name. Because we need the, we need a domain name that we control. And the weak team should wait until the DNS has changed. Because there is a catch in the browser. And there is a uh another attack method called CFRF. And there is some difference about uh CFRF and DNS rebinding. We can use DNS rebinding to bypass, bypass that OP. But if there is a host name check, it will field. And if the client cannot wait uh with a few seconds and this may be not work. But for CFRF uh it is restricted by SOP. But uh it doesn't uh the host check doesn't matter. And it will be effective immediately. Yeah. So let's just go to a key. And it is uh popular for popular third party plugin for WeChat. Uh it is uh popular chat software in China. Yeah. And it is called this WeChat plugin uh Michael S. Uh using this third party plugin, we can keep the record message. We can auto reply a message. And it has many users. You see many stars and many folks. But it just stopped maintenance months ago. And it has it finds a port, a fixed port on local host. And expose some APIs. For these APIs you can get all the, all the user's friends, all the chat logs. And you can send any message to any user. And we can use DNS rebinding to attack this plugin. So we reported this issue to the author and the author fixed with checking the host. Yeah. The host cannot be uh local host. Because of this host check we cannot use DNS rebinding to attack them. But it is still affected by a CFRF attack. If, if we know a user name we can then use CFRF to send a message to that user. Yeah. So it is not enough to just check the host. Because check the host it just can just uh keep DNS rebinding away. You should also use some unpret, unpredictable data or path to prevent CFRF attack. Also most importantly, you should avoid using third party plugins. And there's another case called Xdebug. Xdebug is for PHP debugging. It's a PHP extension. So how does it work? First you should send a request with uh this um in parameters Xdebug session start. Just like that URL in the bot uh the URL below. And then the Xdebug will connect to a server. And the server can interact with Xdebug. So which server to connect? Xdebug will check the following things in a full back order. The first one in uh in the Xdebug's configuration file. The Xdebug remote host. If not set, then it will check X44 header in the HTTP request. And if not uh Xdebug will use remote address. So if we have these three configurations in the Xdebug, Xdebug remote connect back set to true. Uh Xdebug remote enable set to true. And the remote host is not set. And this is always met for most of the PHP developers. Then we can attack it using DL3 bind. We can set up a URL server waiting for Xdebug to connect. And then use DL3 binding to send a custom X44 header. And points to the URL server. So the event server will connect uh will uh interact with Xdebug. And finally we can get a real real shell. And I have reported this to the PHP. So if you are a PHP developer, if you use Xdebug and you stays on the on a URL page for 40 or 50 seconds and then you may be hacked. So how do the Xdebug officially think about this attack? And its response with, it thinks this is just a rumor. And for developers, himself should take care of this. Yeah. So anyway. And for Node.js debugging port or Java debugging port uh or Java RMI port, they may also be affected by death rebinding attack or set up attack. So if you find a port opened by an application, you can check it by some or interfaces or by some local host. So you can choose to attack them remotely or using a death rebinding or set up to attack them. And next part, your schemes. This is a short part. Yeah. Uh people use URL schemes to launch applications. Or send some messages inside an application. Uh we can see the following picture. We can use web code URL schemes to launch web code. Yes. And on Windows, in Windows, uh it is registered in the registry and has an item for the UI protocol name and the command it will exude. Windows will use shell exude W, this API to call that command. So call the web code command and launch it. But there is a well known bug in this API. We can use a code to close the former code. And we can inject other parameters. So there comes a famous exploit last year for Electron. We can use a chromium parameter injection to exude any command. Just like that. And we found all frameworks based on chromium may have the same issue. So the nw.jf framework. We found a famous application for not taking uh use nw.jf and it has two hundred millions of users. So we can just inject chromium parameters to exude uh any command. So we can just inject the nw.jf framework. Just like the Electron bug. So here comes the demo. Uh we set our web server local on the local host. And this is a explore page. Yeah. If we clicked that we all get a calculator. Okay. This is the first calculator. And this bug is fixed. Already fixed. And uh in this years, in this May, uh Microsoft released a patch called kb4497935. If you applied this patch, you will find the UI scheme is now URL encoded. So in this case we cannot inject parameters. Because the code, our URL encoded, we cannot close the former code. So maybe your scheme is dead. Or there is some bypass. Who knows? Yeah. So if you found, if you want to find your game box, you should check the your schemes that the application has. Also the framework has. Don't forget the framework. Yes. And the main part, we attack the features of the application. And this section we have three parts. First one is cross-site scraping in the desktop applications. And the second part, section is for pre-privileged APIs. And the last one is for improper protocol handler. And the cross-site scraping story begins from McDonn editors. And in the year 2016, we found many McDonn editors just renders the JavaScript in the preview window. Such as MOU, McDonn, or even Weth code. So um many of the McDonn editors just uh previews the page in the file domain. So we can use the JavaScript excuse on the file domain to steal files on the local disk. And we can steal some credentials from the local code and we may clone his account and lock it in another machine. And also if it's used, uh it has some pre-privileged APIs or it has a, it uses a outdated browser. We can, we maybe get remote code execution. Yeah, let's see a case for McDonn. It has thousands of stars and manifolds. And this is also uh this exploit can also be used in the latest version. So we can see the location is uh in a file domain. And we can use XML HTTP request to get the ETC password. And we can also send that uh the response uh uh that the container of the ETC password to the remote server. So we can steal local files. Yeah. I reported this in the year 2016 and it is still not fixed. Um but things are always getting harder. There's little cross-site scripting in McDonn editors nowadays. And some editors use content side, content security policy to limit JavaScript execution. And some editors use sandbox to run the JavaScript in the in a uh isolated context and there without node modules. So the pro uh the issues are harder to find and harder to exploit. But we should think that we can use the uh about the libraries that used by McDonn editors. Um the first one, mermaid. Uh it is used for charts or diagrams. It has uh it on the on the GitHub. It has thousands of used products. And many stars and many folks. Uh we have found three cross-site scriptings. In the latest word when I uh make this slice. But now in the latest latest word it has fixed. Okay. Uh latest word here is when I make this slice. It is fixed days ago. Just days ago. Yeah. Uh we can see the type row uh the HACMD, the error nodes and GitLab. And we can see the use mermaid. And there is the cross-site scripting. And the first two just renders the HTML. And the last one need a click. It is yeah it is click cross-site scripting. And here is demo page. The official demo page we can alert. And next to catax and magics. Uh these two libraries for math type setting. And uh in their old versions it has a click click cross-site scripting too. And these two is reported by other guys. Okay. And the last library, flow test.js. It has a click cross-site scripting too. In the latest version. And the last this has not fixed yet. So if you use mermaid please upgrade it to the latest word. Yeah. And the older version of math jacks and catax has cross-site scripting issues. And the latest word of flowchart has a click cross-site scripting. As these issues lies in the library so these issues may affect more applications than we can find. So here comes a keys for hack comedy. Uh it uses mermaid. It is a online macdown editor. And it has many many users. Uh we just used the payload before for mermaid. But the payload is blocked by csp. Yeah we cannot see the a large box here. Because the csp just blocks it. And then we check the csp. We found an interesting site. There. The Google analytics. There is no way for using Google analytics to bypass csp by cata. Yeah. So we can use Google tech manager. And then set a set a variable there. And set a malicious function. We can define or a malicious code there. And the code will be shown in the Google analytics. And we you can check the details in the following link. So then we can get a large box. Yeah. And we found there is also a desktop application for hack comedy. It uses uh there are two different types of uh two elements. One is a script element for renderer.js in uh uh excuse in a privileged context. And uh WebView tag renders the user page. There is no no integration. So how to turn our cross-out scripting in the WebView tag to RCE in the desktop application. So let's check the renderer.js first. We can see from the code. It's uh even listener for DOM ready. And when DOM ready, it will get the title from the WebView and set it to the inner HTML. To the privileged context. So if we can control the title, we can exude any JavaScript code in a privileged context. So we can use our Crizzat scripting to redirect the page to our email page. Which can trigger the DOM ready event. And then our page have a special header, a special title. And we can use this to uh to call the node modules uh process and uh the chart process and exude any command. And then we can see the calculator. Just click the malicious markdown and pop up the calculator. Okay. I have reported this to the hack handy and it has already fixed. So um there's uh some in some cases, we may not exude JavaScript. We can only inject some HTML code. So we can also use this, uh use HTML code for phishing or just advertising. Yeah. Uh anyway. So the next section, the next part, uh for privileged APIs. Uh privileged APIs comes from uh about to with, why is the node modules another maybe some uh from the custom APIs. The program just added these APIs. Uh programs usually use a JS bridge with some weapon to provide custom APIs. And these usually has a public documentation. So let's see a case. It is a case for a popular chat application. It has billions of users. In this application, it has a, has an embedded browser with some custom APIs. So if you render a, when you render your page on the embedded browser, you can call the custom APIs because there is no domain restriction. And these APIs are well documented for developers. And how to open UILs in the embedded browsers? There are two ways. One is send a spiral type message which is called feed card message. Just like uh that. And also we can use a in, in the app application UIL scheme. We can use a spiral scheme to open a, open the embedded browser. And in the custom APIs, there's two interesting APIs. Why is download a file? If you call this a API, you can uh you can pass a UIL to it. And it will download a file from that UIL. But uh it will pop up uh box for the user to choose a location to save that file. Yeah, this needs some user interactions. And another API called open local file. It just opens the file you just downloaded without confirmation. Yeah, this API is without user interaction. But only works on macOS. Uh so we can think, we can make it download uh ELF to exit but field because it has no X mode of downloaded. Yeah, we can, we may, we think we can use a bash or a pattern script but it is usually open, open by a text editor. Hmm. So how to exploit this? Java is a good friend. Yeah. We can just make it download a JAR file and use that API just open the JAR. It will exude our Java code. So if you have Java and you click a feed card message, from a hacker, and a dialog will ask you to seal a file. Ah, seal a file. You are harmless so you click seal and then you are hacked. So let's see the demo. Yeah, maybe some conversations for surrounding nearing. And come the feed card message. Just click it in the embedded, yeah, you should click seal and the, the kill kill it. And this is already fixed in the latest word, yeah. And it is fixed by, oh, just open the folder instead of the file. And the last part, uh, let's go to the part for protocol handler. Uh, when developing desktop, desktop allocations, you should pay pretend to these three protocols. HTTP, JavaScript, or file protocol. For HTTP protocol, you should avoid you render pages in a, in an untrusted context. Because if you have a outdated browser call, you may be affected by the browser one day. Or if you exude JavaScript, you, the JavaScript may exude in a file domain, you can steal files. And for the file protocol, you can use it to launch programs in, in your, in your computer. Or the file protocol may leak anti-M credentials. So just be care, be careful of ATAC. So, uh, we find a library and it is used in Chinese applications and it is widely used. It has, uh, many stars and many folks. And uh, it supports HTML like tags. If you set show HTML to true. And there are some tags for, such as ATAC for hyperlink, an ITAC for image, and a C-Tag for a text color, change the text color. And in a chat application, it's show, it, it says show HTML to true. And it renders the tags in the chat group name or your personal status. We can use C-Tag here to change the text colors. Yeah, we change it to the red. And change the color may be harmful. We can use ITAC to do some anti-M relay attacks. So we can use ITAC to insert a file protocol. Uh, an SMB protocol. And it will, uh, in Windows, it will send the Windows credentials automatically once the tags are rendered. And usually, and these tags are in the status, personal status on a group name. So usually this can be done without user interaction. And the attacker can get the credentials. They can just do some offline brute force works. Or the attacker can relay the credentials to other services, such as to the exchange server. So we can log in into the exchange server on behalf of the victim and get all the emails. Or if the victim have another machine, have the same, share the same password, we can relay to that machine. And get remote code execution. And there is another case for Gidra. And Gidra is developed based on Java. And it use HTML to describe a project. So there is a XSE in the Gidra project description file. It is found by this guy. Yeah, we can use XSE to steal files or use XSE to send HTTP request. But can we turn the XSE to RCE? Uh, based on our previous research, this can be done. Uh, we found that Java will send credentials when it encounters a NTL, NTLM based for O1 HTTP response. Not the basic authentication. It is a, it is a NTLM based for O1 HTTP response. Yeah. The attacker can set up a malicious HTTP server to response, uh, that. And the Java will send the credentials to the attacker. And the attacker can just reflect the credentials to the C machine, just the C machine. So if you just opens a malicious project and you have opened your FNB service and then you may be hacked. So here's demo. Uh, we set up a malicious server. And here is our Gidra. And we are, and it will open some malicious project. And then the XSE triggers. We can dump the hushies. Just get the hushies out of that machine. And then we can use the pass, pass the hush to execute any commands on the victim. We just use that hush. There's a mistake. Uh, there's a mistake. And we fix the command. Yeah. We can see the calculator. So there's many features in desktop applications. So we can find cross art scripting. And we can find if there are some privileged APIs. We can find how it handles the protocol. We can find that and check how, how we can attack these applications. So here's come to the end. If you are a developer, just be careful while debugging PHP, Node.js or some older version of Java. You may be, you may be, be popular of a calculator on your desktop. And also you are a developer, you should be careful while using these libraries. Uh, some older version of Mermaid. And older version of MathJax, Cortex. And the latest version of FlowChess. And if you use dual-lib, you should not set the show HTML to true. And if you're, if you use nw, nw.js, you'll be careful while doing this. You'll be careful while registering a UIL scheme. And thanks for these guys. And thank you all. So maybe any questions? Oh, yeah. Okay. Thank you guys.