OVERTAKING GOOGLE DESKTOP
A SECURITY ANALYSIS
YAIR AMIT
DANNY ALLAN
ADI SHARABANI
A whitepaper from Watchfire
TABLE OF CONTENTS
ABSTRACT
INTRODUCTION TO GOOGLE DESKTOP
GOOGLE DESKTOP AND PUBLIC GOOGLE.COM INTEGRATION
PROTECTION MECHANISMS
    Connection filtering
    Signatures protection mechanism
STICKY XSS VULNERABILITY IN GOOGLE DESKTOP
ATTACK DESCRIPTION
    1. Exploit Google.com XSS vulnerability
    2. Send standard search to Google.com in background
    3. Acquire signature for Google Desktop search page
    4. Infect the victim’s browser
ATTACK CHARACTERISTICS
    Remote Control
    Persistent Control
    Virus-like behavior
    Almost Undetectable Attack
IMPACT
    Search for anything you want
    Enable disabled features of Google Desktop
    Search across computers
    Full System Control
FIX RECOMMENDATIONS
CONCLUSIONS
ABOUT WATCHFIRE
REFERENCES
Copyright © 2007 Watchfire Corporation. All Rights Reserved. Watchfire, WebXM, Bobby,
AppScan, PowerTools, the Bobby Logo and the Flame Logo are trademarks or registered
trademarks of Watchfire Corporation. All other products, company names and logos are
trademarks or registered trademarks of their respective owners.
Except as expressly agreed by Watchfire in writing, Watchfire makes no representation about the
suitability and/or accuracy of the information published in this whitepaper. In no event shall
Watchfire be liable for any direct, indirect, incidental, special or consequential damages, or
damages for loss of profits, revenue, data or use, incurred by you or any third party, arising from
your access to, or use of, the information published in this whitepaper, for a particular purpose.
www.watchfire.com
ABSTRACT
This paper describes an innovative attack methodology against Google Desktop which enables a
malicious individual to achieve not only remote, persistent access to sensitive data, but full system
control as well. This outcome is the result both of the integration between the Google.com Web site and
Google Desktop, and Google Desktop's failure to properly encode output containing malicious or
unexpected characters.
This represents a significant real world example of a new generation of computer attacks. These attacks
take advantage of Web application vulnerabilities and the increasing power of the Web browser. Their
purpose is to remotely access private information. Unlike traditional computer penetration attacks, there
is no need for binary code to be injected.
In the attack described in this whitepaper, the malicious logic acts as a parasite, using JavaScript code to
control Google Desktop functionality. The attacker covertly hijacks confidential information from the
system, while evading current information protection systems, such as anti-virus software and firewalls.
The attack also emphasizes the danger of the integration between desktop applications and Web based
applications, as this opens an aperture for a malicious attacker to escalate his/her privileges by crossing
from the Web environment to the desktop application environment.
In this paper we describe the methodology of attack and provide a valid use case. We include a
description of the basic technique and some theoretical outcomes. Finally, we provide fix
recommendations that are appropriate for Google Desktop, as well as for other Web based applications.
INTRODUCTION TO GOOGLE DESKTOP
Google Desktop is a popular freeware desktop search tool offered by Google. It has a simple Web
interface—similar to the Google.com search interface—that makes it possible to use one’s browser to
search for information on the local computer.
Google Desktop can index and manage a large variety of resources including Office documents, media
files, zipped archives, email, Web history cache, and chat sessions. While it is possible to index and
manage password protected documents and encrypted Web pages, these features are disabled by default
for security purposes.
Google Desktop also tracks the user's activity while viewing and editing files, reading and writing email,
and surfing the Web. It creates cached copies of the tracked information, allowing the user to access it
afterwards. For this reason, it is possible to search and access data, from the cache, even after the
original email or file no longer exists on the system.
The Google Desktop application runs a local Web server which is bound to port 4664 on the localhost
network interface. For security purposes, it responds only to requests originating from the local
computer.
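The loopback-only filtering described above, as an added example (not code from the whitepaper or from Google Desktop): a server bound to 127.0.0.1 that accepts only loopback peers still answers a request the local browser sends on behalf of a page from another site, because the socket peer is local either way. The `strict` Origin check, the origin `https://search.example` and all names here are assumptions made for illustration.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REMOTE_ORIGIN = "https://search.example"  # constructed remote page origin

class LocalOnlyHandler(BaseHTTPRequestHandler):
    strict = False  # False: peer-address filter only; True: also check Origin

    def do_GET(self):
        # Connection filtering: accept only peers on the loopback interface.
        allowed = ipaddress.ip_address(self.client_address[0]).is_loopback
        origin = self.headers.get("Origin")
        if allowed and self.strict and origin is not None:
            # Assumed hardening: the initiating page must be the service itself.
            port = self.server.server_port
            allowed = origin in (f"http://127.0.0.1:{port}", f"http://localhost:{port}")
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def status_for(origin, strict):
    """Serve one request on a loopback-only server and return its HTTP status."""
    handler = type("Handler", (LocalOnlyHandler,), {"strict": strict})
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/", headers={"Origin": origin} if origin else {})
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for origin in (None, REMOTE_ORIGIN):
        for strict in (False, True):
            print(f"origin={origin!r} strict={strict} -> {status_for(origin, strict)}")
```

Requests that carry no Origin header are still accepted in strict mode, so this check narrows the exposure rather than replacing output encoding or per-request authorization.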
GOOGLE DESKTOP AND PUBLIC GOOGLE.COM INTEGRATION
A striking feature of Google Desktop is its similarity to the Google.com Website. When searching for
information via Google.com, desktop search result snippets (30-60 characters) are presented along with
the Web search results. The local search results aren't served by the Google.com Web server, but are
injected into the response by Google Desktop.
While this feature is very useful, it poses an obvious security threat. If a Cross Site Scripting (XSS)
vulnerability in Google.com is exploited against a Google Desktop user, a malicious attacker can access a
portion of the local computer's data.
This threat is mitigated somewhat in current Google Desktop versions since:
1. The integration of Google Desktop results via Google.com is optional. It can easily be disabled via
the Display option under the Desktop Preferences link in Google Desktop.
2. The integrated search results are partial: only a snippet of each result is displayed to the user. The
full contents of a result can only be accessed by entering the Google Desktop localhost Web
interface.
The integration between Google Desktop and the Google.com Website has another useful feature which
cannot be disabled at the time of writing this paper. This is a Desktop link that is added to the links line
above the search box.
Within the main Google.com Web page, this link points to the main Web page of Google Desktop's Web
interface. Within Google.com search results, the Desktop link points to the corresponding search URL in
Google Desktop.
For example, when searching for “Watchfire” at Google.com, the injected Desktop link points to a
corresponding “Watchfire” search URL in Google Desktop (as can be seen in the status bar of the image
below, this is a 127.0.0.1:4664 link).