FullScreen Attack #702

Open
n0x00 opened this Issue · 18 comments

John
n0x00 commented

I have been trying to code this but I'm terrible with ActionScript; consider this:

The full screen executes, the user is told to hit Escape to exit fullscreen, and as that message fades a Blue Screen of Death flickers and you're logged out. You should log back in. BSoD! Crap! Is my work safe?!

What just happened was the SWF (and BeEF?) made an educated guess on your OS and loaded the images for an identical login screen for your operating system. The username and password are POSTed back to the attacker/BeEF.

I'm not sure if it could go as far as getting the username, but that would be great too.

If the attack is successful you will obtain the current user's credentials to further your attack - and the AV doesn't need to know about any of this as it's just asking you to submit your user and password.

As I said before, I'm terrible at ActionScript, but I know that SWF will do a nice fullscreen. It might be nice to deploy as an exe too (or .app, depending on how good the fingerprinting can get) - and using educated guesses on default user icons etc.

I'd love to see this, would you?

John

Brendan Coles
Collaborator
bcoles commented

I like this idea.

The Windows logon page probably won't have to be too accurate if the users want to save their work.

We might have to use something generic on the login page, like "Administrator" or "System Recovery" for the username. A "Restore your work" message might help.

It may be possible to get the username if Flash can read environment variables or local file system paths (either directly or indirectly by catching error messages)?

John
n0x00 commented

I have been having a look at retrieving the username via environment variables, but I think your idea of catching an error message is a great one.

It would be nice if there were an ActionScript ninja among us. I can only help with... the initial idea and creating the supporting graphics (unless you could have local file access via Flash, then you could load most default backgrounds and icons up via that).

But the error catching sounds great, I can't wait to see how this pans out :)

John
n0x00 commented

Just had an interesting chat with a colleague, and this attack could dip into application-layer credential stealing too... modular perhaps.

such as http://4.bp.blogspot.com/-hBANnl3V4Pc/Tce_z7OHScI/AAAAAAAAAEM/Hp-GOVrcAnM/s1600/auth-failed.PNG

or http://image.vpvps.com/1_1.jpg

exciting stuff.

Brendan Coles
Collaborator
bcoles commented

From the Security Considerations section of https://www.adobe.com/devnet/flashplayer/articles/full_screen_mode.html:

An overlay dialog box will appear when the movie enters full-screen mode, instructing the user how to exit and return to normal mode. The dialog box appears for a few seconds and then fades out.

Users cannot enter text in text input fields while in full-screen mode. All keyboard input and key-related ActionScript is disabled while in full-screen mode, with the exception of the keyboard shortcuts that take the viewer out of full-screen mode.

I'm not sure if it's possible to get around this. Maybe we could use Java or HTML5?

John
n0x00 commented

https://github.com/robnyman/robnyman.github.com/tree/master/fullscreen this looks pretty good, chaps. I'm playing, but I'm not so much the JavaScript ninja.

Nbblrr
Collaborator

Firefox 15 authorizes fullscreen but it shows a big error message to inform the user that the fullscreen is made by the website. So I don't know if it's really exploitable.
Any tests with Chrome/Safari?

Michele Orru
Collaborator

I saw that ;) thanks.
Anyone want to have a look at it and port it eventually to BeEF?

Brendan Coles
Collaborator

Issue #702 is now assigned to you xntrik. Milestone: 0.4.3.9-alpha

Nbblrr
Collaborator

Firefox shows a big notification while the Chrome notification is really discreet. I've taken screenshots here and here.

The point is that you will have to detect the browser and OS of the user and create a relevant picture, and many details can't be adapted (bookmarks, user name...). So I doubt it will be effective in most cases. But it would be good to have a first version in BeEF :)

Christian Frichot
Collaborator

Okies, this issue has gone through a number of iterations and now we seem to be happy with http://feross.org/html5-fullscreen-api-attack/

The problem though, as rightly pointed out by Nbblrr, is that this requires an image of the spoofed site to be created in advance (although I don't understand why the spoofed content can't just be actual content instead of an image?).

I can see, potentially, that this module might be more useful as a POC, but actually using it, at least in its current state, would be pretty darn difficult.

Christian Frichot
Collaborator

OH! you want to spoof the login page... right...

Christian Frichot
Collaborator

Mental note to self, to capture a screenshot of my lock screen I need to http://apple.stackexchange.com/questions/21094/lock-screen-screenshots and http://superuser.com/questions/103310/screen-capture-in-mac-is-all-black

I can then cut it up and recreate a 'phish' of that with a 'password' dialog.

Brendan Coles
Collaborator

Most browsers implement a "Now entering fullscreen mode" warning. It might be useful to add a 'wait time' option, similar to tabnabbing. Does this 'attack' have a name yet? I nominate 'screen nabbing'.

Brendan Coles
Collaborator

Nah, you can't send fullscreen behind. I think fullscreen will fail silently if the current tab is not active.
