OK, this post has been lingering in my “to do” folder for a few weeks now. So here goes…
This year I had contemplated submitting a presentation for DefCon. I’ve been a big fan of this conference since I first attend DefCon 8. Seems so long ago now. Well, I have been seeing all of these great conferences and I felt it was time to give back. However, one thing in short supply these days is time. So, I figured I would float my idea out there.
One thing that has been concerning me this year is the growing fascination with widgets (gadgets, grapple grommits, etc.) This is a growing trend that offers itself up as another attack surface. This is not a new concept to be sure. Now, what I’m pondering is the weaponization of the widget.
This idea first struck me when I was asked to review the security implications for the Yahoo! Widget engine. I was surprised to find the extent to which the underlying framework extends the power of the widgets. The functionality for supporting numerous Unix style commands in Windows has been removed from current version 4.
Over time, it was discovered that not that many Widgets took advantage of these utilities, or at best
only took advantage of a small number of them. Also, the utilities took up 4.7MB of hard disk space. As a result, they are no longer a part of the engine’s base install package in version 4.0 and newer. However, they are still available as a separate download.
(ref. Page 274, Widgets Refernce 4.0)
OK, so that sill limit the distribution of those commands but, what of the framework itself? Well, it allows for function calls to the COM in Windows.
The COM object is an interface to enable your Widgets to call a COM interface in the system. For
example, you could use it to talk to iTunes (if you didn’t use our built-in support), MSN Messenger, Outlook, etc.You can connect to any COM object using COM.createObject( progID|CLSID ). The COM interface does need to have sufficient type info supplied. At present we cannot support lazy binding to methods, etc., so all type information needs to be provided up front (i.e., the ITypeInfo interface needs to return the appropriate info so we can perform our introspection to obtain info about things such as the number of parameters and their types).
(Ref. Page 160, Widget Reference 4.0)
Hmm, that causes me some concern. The cute graphic of a fuzzy bunny widget could access my MSN or Email? Here is an example of just what a widget could do.
OK, so this thing has access to the COM…so, now what? Well, a widget needs to be crafted that would, I don’t know, display the online status of your Facebook, MySpace and Twitter “friends”. This should ensure a liberal distribution. Now, within the code the author would need to embed an update function (updateNow) that will silently update (suppress) the widget for the user. The key here is to provide the user with a bona fide update that would operate as advertised.
The principle point here is to provide here is that this would not be a quick assault. This would require patience.
There are function calls such as XMLHttpRequest.open() that the widget uses to dynamically update. Much in the same vein as Google Maps uses to update. One such function would be to phone home. This is the point where we see integration with Google Analytics or NetCat. This would allow the author to view the distribution of the WMD.
OK, now you have an idea of your distribution. You know the systems that are available. You have built your wee beastie. Now, you can pick your time.
Having been patient you have had the “front” widget pimping itself out to the world. As a result of this you have managed to build the requisite statistical data to glean the best time to roll out the widget of mass destruction. This could encompass any number of forms. It could be a DDoS agent, a botnet or sorts, eavesdropper et cetera. Bearing in mind the XSS work that has been published by Grossman, Hansen, and others, it is readily apparent that you are limited merely by imagination.
I have not and most likely will not write a demo widget like the ones I have been ruminating on. My greater concern is the average Joe User and their fascination with things that are “cute”. If you can get users to give up their passwords for chocolate then something like this would be quite plausible.
Rambling thoughts for the day.
[tags]Widgets of Mass Destruction, WMD, Widgets[/tags]
Comments