“On Windows, I believe version 5.0 or 5.1 is the default version. The out-of-the-box use of the script is additionally limited by the fact that it requires PowerShell 6.0 to work. Releasing the PoC script to the public might not seem a good idea to many but, as Prefer told Help Net Security, there are a lot more powerful attack tools and scripts out there provided by the community, and a script like Brugglemark can be trivially built based on the information provided in his research paper.
The data can then be reconstructed from those bookmarks when they have been synced to a remote system. He then used that information to create Brugglemark (the name is a portmanteau of “browser” + “smuggle” + “bookmarks”), a script that base64 encodes the provided text, splits it into smaller strings, and creates Chrome bookmarks by inserting them into the local Bookmarks file in a JSON format (with dummy text in the other requisite bookmark fields). He also figured out the maximum number of characters bookmarks’ name and url fields can contain in order to be synced, as well as the maximum number of bookmarks that can be synced in one go. He confirmed that synchronization is triggered by different actions related to bookmarks (creation, deletion, etc.) and that remoted devices usually receieve synced bookmarks in a matter of seconds. Prefer’s research and testing was focused on Chromium-based browsers (Chrome, Edge, Brave and Opera), collectively used by a great majority of users. Automated encoding and decoding of the data He discovered that they can, and he created a basic PoC PowerShell script to make the process of data exfiltration via synced bookmarks easy. Some attackers have also recently managed to exploit Chrome’s syncing feature and use an extension to connect their computer directly to a targeted workstation, creating a covert channel for remote data manipulation, but also (concievably) for data exfiltration and C&C communication.īut the use of browser extensions can be restricted in enterprise environments, blocking that particular access path, so SANS Technology Institute student David Prefer decided to investigate whether bookmarks could be exploited in a similar way. Malicious browser extensions are a known and widespread threat, used by attackers to perform actions such as stealing passwords, exfitrating email data or delivering additional malware. Two universal and seemingly innocuous browser features – the ability to create bookmarks (aka “favorites”) and browser synchronization – make users’ lives easier, but may also allow hackers to establish a covert data exfiltration channel.
0 kommentar(er)
