During the 2012 edition of the Hack in the Box (HITB) security conference in Amsterdam, we had the pleasure of speaking to Roberto Suggi Liverani, a researcher who focused his efforts on finding vulnerabilities in some of the most popular web browsers.
Security holes in web browsers are nothing new, but part of his research is based on finding flaws in Chinese web browsers, an area that hasn’t been targeted by many experts.
Take a look at what he discovered and the difficulties he came across while trying to report his findings to various vendors.
Softpedia:
Please introduce yourself for our readers.
Roberto Suggi Liverani:
My name is Roberto Suggi Liverani and I work for Security-Assessment.com. We are based in New Zealand, and we also have an office in Singapore. The research was done together with Scott Bell.
Softpedia:
You’ve found a lot of security holes in popular web browsers. Did you find any one of them to be more vulnerable than the others?
Roberto Suggi Liverani:
We didn't test all of them, we targeted Firefox, Opera, and Chinese browsers. One is Maxthon and the other one is Avant Browser.
The most critical vulnerabilities are in the Chinese browsers, especially in Maxthon. The other browsers seem to be of an average standard, Firefox especially, but our research still proves that you can find interesting bugs despite all the efforts made by the vendors to secure their browsers.
If I have to think about the number of bugs, Maxthon is the one that I found most bugs in. I found five bugs and if you chain the bugs together you can get code execution, in five different ways.
In the Avant browser, I have found fewer bugs, whose impact is a little less severe, but it is still possible to change the browser configuration or read the history of what was browsed by the user.
Regarding Firefox, Scott Bell and Blair Strang found that bug (a use-after-free) and they spent a lot of time in exploitation. It was a memory corruption bug and it's not that easy to exploit these bugs because there are multiple factors involved. It’s an interesting bug as it involves a race condition between different operations.
Then, after you have that condition, you need to find a way to exploit it and then you have to face challenges in terms of memory protection into the operating system, such as DEP and ASLR.
So, we are still doing some research from that point of view, but what will be shown in the presentation is a Proof-of-Concept (PoC) with no DEP/ASLR bypass which demonstrates code execution in Firefox.
Softpedia:
So, certain conditions have to be met in order for the bug to be exploited.
Roberto Suggi Liverani:
Yes. The reproducibility is there. Mozilla acknowledged that this is critical and they have to fix it. The funny thing with this particular bug is that it took so long for them to fix it because it's very difficult to reproduce.
If you read the thread of the security report you see all the different developers, some of them even struggled to reproduce the bug in the first place.
Other people were commenting on the fact that they were not sure about the patch, they were not sure that it was fixed. So, it took them a long time to fix, which demonstrates the bug’s complexity. But then, again, you face other challenges if you want to exploit the bug.
We’re still doing work on that, so probably in the next few months we will have a more stable exploit.
Softpedia:
How do Chinese vendors handle reports on vulnerabilities?
Roberto Suggi Liverani:
I sent them the reports with all the bugs and I tried to be as responsible as I could. I did that with both Maxthon and the Avant Browser, but there was no response.
Actually, the first difficult thing was to find a security contact. These companies and these vendors are not used to this process. For me, it was a struggle to find someone to send the report to.
Once I found that, with Maxthon, I sent the report and then there was no response. So then I had to chase them and ask "Did you receive the report?" and they said "Yes, we received the report". This was two weeks after I sent the report.
I said "OK, that's cool, but do you confirm the bugs I found?" No response. "Do you have an estimated time for patching the bugs?" No response.
And it is the same story with the Avant Browser. The exact same story, but it is even more fun with the Avant Browser because they have a forum where you have to get in to report the bug. My first question was “how do I report security vulnerabilities?” I had to write 10 posts before contacting one of the admins, and only then did I get the contact to send the report.
Once the report was sent they said "Oh, yeah, thanks for your report. We will get back to you". But I am still waiting for them to get back to me.
Softpedia:
When exactly did you find these bugs?
Roberto Suggi Liverani:
Approximately 3 months ago.
Softpedia:
And have you seen any improvements since you reported the vulnerabilities?
Roberto Suggi Liverani:
At the time of this interview, with Maxthon there have been eleven new releases after I sent the report, and there's no fix. There’s only one bug, out of five, that has been fixed silently. So, that means they didn't tell me about it. I just found out testing the latest version.
At the time of this interview, with Avant, there were two new releases, but no fix. All three bugs are still there.
Softpedia:
How many users are impacted by these vulnerabilities?
Roberto Suggi Liverani:
That’s interesting. If you go to download.com, they display the number of downloads, and the Avant browser has more than Chrome, IE and Opera. That's an indication to me that a lot of people use it. Avant doesn’t release official numbers, that’s why I had to go to a third-party website.
With Maxthon it is different. They do press releases and they say that in 2010 they had 500 million downloads, and that's two years ago. They also say there are another 120 million users that use the browser each month.
I found from other websites, not confirmed sources, but it seems that Maxthon is the second most used browser in China, after IE, so I assume a lot of people are using it.
Softpedia:
How about the other vendors? How did you communicate with them?
Roberto Suggi Liverani:
Mozilla was good. At the end of the day they responded and confirmed our findings and that can actually be seen on the website because communication is transparent. It's now public because they fixed the bug.
With the other vendors I struggled a little bit, especially with Opera. I found a bug similar to the one Scott found in Firefox, but it was in Opera, a memory corruption bug. The problem I had with Opera is that I couldn't find the exploit.
It is very difficult because it requires a different skillset. Scott and I, we’re more like bug hunters. Sometimes we can exploit the bugs, but sometimes we cannot; we are not exploit developers.
So with Opera, I sent the report, I made an analysis of the bug, but they said that this is not a security issue because there is no exploit. I explained to them that this is a memory corruption, a use-after-free and asked them to confirm it.
They confirmed it and I told them that even without the exploit it should be classified as a security issue and it should be fixed.
They kept insisting that it’s not a security issue without the exploit, so that was a discussion I didn't like because I have spent 7 months to find the bug. If I had sent the same type of bug to Google Chrome for instance, they would have said "thank you, that's excellent" and they would even reward you and they would take that more seriously than Opera.
Opera is trying to devalue your work. They think you are trying to get fame or something, but at the end of the day I am not asking for money. It's just a security issue. The fact that I can't find the exploits is a different story.
Someone else, with more time, skills and knowledge might find the exploit in the future and that’s the point of having a proactive approach in fixing such bugs.
Then, the funny thing with Opera was when I asked them to help me. I told them “I can actually try to find the exploit, give me the debugging symbols”, but because it’s proprietary, it’s closed source, they refused.
Then I told them “OK, why don't you analyze the bug and you tell me if it’s exploitable, from your point of view”.
They said it’s not exploitable, but the funny thing about this is that they kept asking me if I could find an exploit, so it’s kind of conflicting a little bit. I said “no”, I am not going to find the exploits because if you say that it’s not exploitable then my research ends right there.
So when you take a look at the bug in the changelog, it doesn’t appear in the security section. It’s mentioned as a stability issue.
Softpedia:
But did they fix it?
Roberto Suggi Liverani:
It was fixed because they said that it was a “serious” crash, but they didn't define that as a security issue; they were very cautious in doing that. That’s kind of showing how Opera really doesn't get it, so that's a complaint, a rant from my side.
Softpedia:
Do you believe that Google and Mozilla’s way of handing out large rewards for bugs is the most effective way to make sure that a product is safe?
Roberto Suggi Liverani:
Not sure if this is the best way. I think there are pros and cons in everything, but at the end of the day if I have to make a comparison with the other browsers, then yes, I think this is the best approach to attract people, attract security researchers into reporting directly to them, so they can then reward the researcher.
I noticed that with Google Chrome they do that often and I see that the same researchers keep sending bugs to them, so that means it’s actually working.
I mean, it’s not easy to find bugs. That's why they understand the process and they value the process. And it’s the same with Mozilla and that works, I think it actually does.
For me, personally, even if I don't get the money, it's more about recognizing the work. Google and Mozilla went beyond that because they know that the method works.
Softpedia:
With each new version of a web browser users are presented with a number of new features. In many cases, each of these features brings with it a number of security holes.
From your point of view, should browser vendors slow down with the innovations and focus more on security before releasing a new version, or is this pace good as long as users make sure that their applications are constantly updated?
Roberto Suggi Liverani:
It's about the market and the competition, the browser wars. Of course, each browser vendor will try to get more share of the market and the only way you can do that is to offer new features, new support, new protocols, and new formats. There's a lot of push into supporting new technologies, such as HTML5 for instance.
If we have to talk about the Chinese browsers, they are very aggressive; they try to offer a lot more features. They try to focus a lot on performance and, quite interestingly, with the Maxthon browser, if there is a website to test the performance of the browser, they are gonna do different checks, different things to try to make the browser perform well.
At the time of this interview, Maxthon scores more than all the other browsers (tested on http://html5test.com/).
That's an indication that Chinese performance is the best. With Maxthon it is interesting that it's kind of a hybrid browser because it tries to take the best of the two worlds. It has got the same layout engine as IE, but it also supports WebKit.
It's got this thing called retro and ultra mode where if there's a website which is not compatible with the new format, then Maxthon is trying to adapt using the Trident layout engine, and then if it's something new, it is trying to use the WebKit rendering engine.
It’s always based on the performance and features. Maxthon has crazy features which no other browsers have.
I could totally say, in the context of the Chinese browsers, they are compromising functionality and performance for security. It's just trying to get the market share of the browser, try getting more users by giving more features and performance.
Google and Mozilla are trying to work a lot on sandboxing, security in depth, so you have different layers of security, which is quite interesting and it works for certain scenarios. But I think that Google and Mozilla are spending a lot on security.
The fact that they reward researchers, they give a lot of attention to bugs, and they have their own security teams is an indication that they are taking security more seriously than the Chinese competition.
Softpedia:
Do you plan on searching for vulnerabilities in other browsers besides the ones you’ve already analyzed?
Roberto Suggi Liverani:
When I was trying to find bugs in Opera I had to understand what's going on at the crash but could not get a clear understanding because of the lack of debugging symbols.
With other platforms which are open source, like Firefox, you have all the debugging symbols so if you have a crash you know at least “where” it is occurring.
You also have the source code which you can use with the debugger and once you have the crash you understand the functions and what’s happening.
And the same with Google Chrome (Chromium), so probably the next one we are going to focus on is Google Chrome since it's got all the symbols and all the source code, but I'm not sure about Opera. It's quite a tough one.
Softpedia:
Of the bugs you’ve found, which one would you name as being the most dangerous?
Roberto Suggi Liverani:
I think that the ones found in the Chinese browser Maxthon. I say that because in terms of exploitability it's 100% reliable. All the exploits will always work because there's no memory corruption bug involved, so you don't need to handle any memory corruption, any memory security controls or protections.
And the way it works is quite interesting. It’s basically an injection which occurs from a page of the Internet into a zone in the browser which is trusted, which is privileged and that's where the problems are.
Because the injection works in there and it can call all the privileged APIs, and those APIs allow the browser to interface with the file system, with the operating system, with browser settings, with bookmarks, with storage, and with other things which normally a page on the internet should never be able to have access to directly.
So if you go to a web page, you are totally compromised, just need the users to go to the malicious page and it's done. In terms of exploitation, the user is totally unaware of what is happening and the process of the browser doesn't have any part.
With the memory corruption bugs, since you are messing with the memory which is managed by the software and the OS, sometimes you have the exploit but then you might crash the browser and the users might actually see or realize that.
But with the bugs found in Maxthon there’s nothing like that, so the user is totally unaware. So, from that point of view I would say Maxthon is the most problematic one, both in terms of quantity of bugs and their impact.
Softpedia:
Can you explain in a few words the technique you use to find vulnerabilities in browsers?
Roberto Suggi Liverani:
For the memory corruption bugs we took the fuzzing approach and there was a lot of work behind that because we had to create like a framework to fuzz.
In a few words, the framework was based on a lot of virtualized agents or virtualized operating systems for each test case and each test case is trying to do something in the context of the document object model (DOM) of the page.
To do that we are using existing tools, we are modifying existing tools, and we also brought our fuzzer to fuzz browsers, so we created a framework which holds all this together.
We have a web interface which would list all the crashes. Once you see the details of each crash you can actually try to reproduce it.
If you can reproduce it you have to minimize the test case and see if it’s exploitable. It’s a lot of work behind it. This is for the memory corruption bugs.
For the other bugs I found, it’s more about looking at the browser, how it works, seeing what kind of features are there, and then taking the same approach as when you’re trying to find a cross-site scripting vulnerability in a website, but instead of the website you try to find it in the context of the browser and its privileged zones.
You try to identify the trusted zone to see if there’s any way you can inject a malicious payload there. If you can, then it’s game over because you can then leverage them to call APIs that can allow you to write on the file system or execute stuff. That’s pretty much the two approaches we took.
Softpedia:
Can you share your future plans? What are you currently working on?
Roberto Suggi Liverani:
This research is awesome because you have a lot of targets and it’s quite challenging because you need to change your approach quite often if you don’t see results. And yeah, I’ll keep doing this with Scott and we’ll try to find more bugs.
We will try to focus on Chrome as well, and we’ll try to find bugs in there, and we’ll see if we can improve our fuzzing capabilities, see if we can get more crashes.
Probably in the future we will try to find bugs in mobile browsers, not just for desktop, as they are normally not as secure as the desktop version.
Softpedia:
Have you already looked at mobile browsers or is this only a plan for the future?
Roberto Suggi Liverani:
I haven’t looked yet, but for example, Maxthon has got a mobile version and I’m sure it contains the same bugs or some of them. I’m not 100% sure so I need to test it.
Softpedia:
Is there anything else you would like to add?
Roberto Suggi Liverani:
Yes, actually, one thing that might be interesting is that these Chinese browsers are based on existing technology. For instance, for Maxthon you need to have IE installed to have Maxthon running, because Maxthon is based on an IE layout engine but it adds other stuff on top of that.
Avant Browser is the same. It comes with two versions, one is Light, and the other one is Ultimate. The difference between the two is that the Light only supports IE and for the other one you need to have IE, Firefox and Chrome as well.
In the FAQ of Avant Browser I found a question that read “Is the Avant Browser secure?” And the answer is “Yes, because it’s as secure as Internet Explorer.”
It’s kind of delegating security on the browser which they are based on and that’s kind of providing a false sense of security to the end user, to the consumer.
But in reality their statement is not correct for two reasons: one is that they are putting other stuff on top which might be vulnerable, and two is the fact that I found the bugs in their part of the code. This last point proves that the concept of “delegated” security is just a way to gain the user’s trust.
Roberto Suggi Liverani's presentation from HITB 2012 Amsterdam is available here.