
I'm Nan. I'm going to be presenting one of the pieces of research which me and my colleague did as part of an assessment we did for a client, and it's about one of the technologies which we encountered, which is RBI, or remote browser isolation. I'm working as a security consultant with mdac and I've been doing pen testing for the last 7 to 8 years now, majorly focused on Windows, AD, network infrastructure and so on.

So why are we talking about RBI, and what is RBI about? Like I said, this was part of a security assessment which we did for a client, and the main goal for this assessment was that the client wanted to understand, in an environment where there is RBI, which they had, if it was possible to deliver malware or deliver payloads that get executed, and how that would get detected, or if it would get detected, and so on.

So what's RBI? RBI is basically a technology, remote browser isolation, and RBI follows this thing called the zero trust security model. Basically it assumes that the user, along with the user's workstation, is compromised. For example, the user's laptop or the PC that's being used: the zero trust security model says assume that it's compromised and take actions based on the fact that it's already compromised.

How does it work, and does it even work? In short, RBI or remote browser isolation is just a browser on a cloud, but if you want to discuss it in more detail, RBI uses different techniques. Different vendors use different techniques, but according to the specification there are at least three ways in which browsers can perform browser isolation. The first one is basically pixel pushing, which is basically an interactive image or a video sent from the local browser to the remote browser. The second one is DOM, or document object model, reconstruction: it's basically when the user visits a website and the response of the website gets rewritten by the browser and it gets redirected. The third one is using vector rendering, or NVR, and it uses this language or tech called Skia, which is by far the most secure and fastest way of isolating content from a local browser.

So imagine this. This is a normal scenario where typically a user is trying to access Google or access any website. What happens is, from the endpoint there is a browser, and when they go to the browser search bar and search google.com, they go directly to google.com. So the client browser makes a request, does all the DNS, and goes to google.com, and Google's homepage or the web search page gets displayed. What's the problem here? Since the client or the browser directly executes the JavaScript or downloads files from google.com (I'm just saying google.com as an example; it could be any website, any malicious website serving malicious documents and so on), the problem is that in this scenario where there is no browser isolation, the user is prone to get infected by malware or web application style attacks and so on. That's the problem browser isolation is trying to solve.

How does RBI or browser isolation work? In overview, your computer or the endpoint would have a local binary or a service installed that will make sure all the requests which are sent by the browser are passed through the RBI. So basically what would happen in this scenario is that the specific agent or service that's installed on the system would redirect or route all the traffic that is generated from the browser, and that would get sent to a remote browser which is there on, say, the cloud, and all the actions would get executed there: the JavaScript would get executed there, the file downloads would get downloaded there, in the remote browser instead of the local browser. Once that's done, the RBI agent or the backend would determine if it is a legitimate or malicious website, if it is a legitimate or malicious download, and allow or deny it based on the intent of the web activity. And like I said, all the RBI vendors don't follow the same approach towards browser isolation; they have different ways of doing it, and with different ways of doing it there are different configurations which you can enable from the backend, and that's what we are going to talk about.

What threats in general does RBI prevent? Downloads, like preventing malicious downloads in an enterprise; malvertising, where malware is being distributed through ad networks; redirection style attacks, where you get sent a phishing mail of a legitimate looking website but it is actually a malware or a malicious website; and also cross-site scripting, where you could steal a session token by exploiting an XSS attack on a web application. So these are some of the attacks, or some of the scenarios, that browser isolation is trying to prevent. Now that we have talked
about enough of what browser isolation is, we are going to talk about some of the bypasses which we found for what was configured in the environment.

In this screenshot we can see that I'm trying to access lastpass.com, and below, in the network tab of the developer tools, we can see that there is a request that's made to lastpass.com which is a 200 on the first request, and the rest, whatever is hidden, is basically the requests that were sent to the RBI browser. Again, if we look, there is a request to lastpass.com after the hidden section ends, and again the data is sent to the RBI browser. So this is a normal scenario in which I try to access lastpass.com: my browser does not request or send a GET request to lastpass.com directly, but it sends it through the RBI browser. It tells it that okay, this user wants to access lastpass.com, these are the cookies, these are the headers, this is what they want to do, this is what they want to download, and that would get executed in the remote browser and come back to you if it is legitimate.

So while we were checking the source code or the JavaScript for the remote browser website which gets redirected to, we noticed a service worker file which had loads and loads of user agents hardcoded, and we just thought, what's the reasoning behind user agents being hardcoded in the RBI browser's website? Could it be the reason that only these user agents are sent through RBI? And it was the case actually. So if we send a request that has a user agent that's not part of the service worker JavaScript which is there in the RBI website's JavaScript, what happens is that specific request goes directly to the web server instead of going through the RBI isolation proxy.

And what about browser extensions? We know that all of the browser's traffic goes through the isolation proxy, but what about extensions? Extensions didn't go through the RBI as well. So this way it would be easy for an adversary to smuggle in or deliver a malicious payload by using an extension, since all the traffic is not monitored or not routed through the RBI platform. And Tor Browser, like we thought, Tor Browser did not respect the isolation proxy that was in place. So whatever request was sent using Tor Browser, or even Brave's VPN mode, it didn't go through the isolation proxy but directly went to the website.

Also, we were just wondering what happens when a user who has the RBI product installed visits a website: does the RBI product in itself add any additional headers, additional cookies or user identifiable information that can be used for fingerprinting? And it did. What was happening was, literally to every website that's being accessed by a user that has the RBI product installed, the original IP information, the RBI-specific tenant information, where their server is located, the tenant number (basically that's the organization number) and so on, all of these were sent to any website the user visits.

The next thing which we're going to look into is how you bypass download protections. In a normal scenario, what was happening is the link which is there on the second point, the Metasploit installer file; in the client environment, when we tried to visit this specific link, what happened was we got blocked, and there was a message that said that this binary or this download has malware, you can't download it. So to bypass that, we figured out: instead of downloading the malicious executable directly from, say, Metasploit's website, what happens if we host it on our server and redirect the download to download the Metasploit or malicious software from our server instead of the Metasploit server? In the link on point 4 we can see that we are still downloading the Metasploit executable, but the way we are doing it is using the server we control as a proxy, and that server is going to make a call to the Metasploit server to get the executable and download it that way, and this evaded the protection that was enforced by the RBI.

Also, with the documents that were being opened or downloaded, what was happening was, if I tried to download and open a document from the browser, it did not get downloaded to my local browser, but it got embedded in the RBI browser's website and the document got displayed there. So this way there is no way to deliver a malicious document. But the more we tested, we found out only certain extensions were being supported by the browser's backend. So if we sent a .doc document file, that was getting inspected, but if we sent .docm or other extensions, the RBI browser just lets it through and that gets downloaded directly to your local machine.

This is the code which Adam wrote to replicate the same scenario which we saw, on how we were able to bypass the download protection to download a malicious executable. All it does is, we run this specific script on our server and this downloads Metasploit or whatever binary we want and serves that specific malicious binary using the server as a proxy. Initially this specific website, Exploit-DB, was blocked, but since we are proxying it using our web server we were able to evade the protection and still get through to the Exploit-DB website.

Other ways of bypassing which we found were: if a download was being served with the anchor HTML tag or the iframe HTML tag, that wasn't getting inspected properly. So any website that embeds malware in an iframe tag or uses an a tag to deliver a download, that gets unnoticed by the product as well. These two code snippets are examples of how we were able to use this specific JavaScript in our websites to embed malware and download it without the protection getting kicked in on the client side. In the first screenshot we are just using an a href tag, and in the second screenshot we are using an iframe, and instead of directly downloading the malware from the website, we iframe the malware and the malware gets downloaded from the iframe and gets executed or downloaded.

Also, one other interesting bypass which we found was, if a website was hosted on standard ports like 80, 443, 8080, 8443 and so on, and it is serving a malicious executable, we were obviously getting blocked by the vendor saying this is a malicious executable, but the same malware, if it was served on a
non-standard port like 1337 or, I don't know, 2222, that was not getting inspected by the product and the bypass gets through. Also, at the recent Black Hat there's a really good talk on how to bypass secure web gateways by SquareX. I attached the talk's link in my references; I recommend checking that out.

The next one we're going to look at is how an attacker would still be able to attack a user by XSS, since the vendor is blocking XSS attacks. What happens in this scenario is, say we have a web application and there is an XSS and someone is trying to exploit the XSS by sending a mail or sending a link to click. Even though the web application has an XSS, the RBI understands that there is an XSS and someone is trying to embed an arbitrary script into the web application, and it detects that and blocks it. So how do we bypass that? In terms of XSS, instead of just using the script tag for popping up your alert box or popping up your XSS payload, if you just give <script>alert(document.cookie)</script>, that gets blocked, but if we embed that specific script alert inside other tags like div or frame or SVG, like how it's shown in the screenshot, there is an SVG tag and there is the script XSS payload basically inside that. So this way, since we are embedding our XSS payload inside the SVG payload, that gets bypassed as well. Additionally, SVG files were not being monitored properly, were not getting inspected properly, and there's also an interesting way in which, using an SVG file, you can execute JavaScript. So we just wrote a simple POC of an SVG file which would eventually execute JavaScript, and that gets through the solution as well.

The last bypass regarding XSS is using JSONP. JSONP is basically a technology that was used, and that's still being used, to allow cross-web communications; basically it's like XMLHttpRequest but with lesser restrictions. So we found out that the vendor that we are testing was supporting JSONP endpoints, so we just crafted an XSS payload. We had the option to write a web application which would eventually support JSONP, or just use an existing web application where there is JSONP support, and Google, the main web search page, has JSONP support by default, so we just used that Google search query URL to smuggle our XSS payload into the environment. So basically the script which is on point 4, the code which is there, is what we embed in the malicious website, and what would eventually happen is this would make a call to Google using JSONP and that would eventually have base64 encoded data of the XSS payload we want to execute, and that gets executed without the solution noticing it.

The next thing which we are going to see is how we go about attacking the agent binary itself. During the start of the talk we discussed how the workstation routes all the browser traffic through the isolation product: it installs a binary on your local system and that binary starts a service, and that service is always enabled. So initially we thought, what if we query the service and see what permissions the service has? But unfortunately only administrators or system level users were able to start and stop and do basically all the critical operations with the agent, and there were no service level misconfigurations where you could side load a binary or there is a different type of misconfiguration; nothing like that was present.

But if we looked into the Windows tray, that specific agent had an icon, and when we clicked on that there was an option called disable. Initially, when we saw that, we thought it wouldn't disable the protection altogether; it would be too simple as a low privileged user. So we tried clicking on disable. It did disable the RBI protection which is installed, but automatically what happens in the background is the service gets restarted again, responds, and all the traffic goes through the isolation product as intended. But what if we click on disable multiple times and spam it? It got disabled, which was really surprising, and when we did mention it to the client during the remediation they were really surprised with this scenario as well. The most interesting part is you don't need to be an administrator to basically disable it from the system tray, and what happened was, if there are five different users logged into the server or the workstation and all of the traffic is going through the isolation proxy, even if a low privileged user disables it, the solution gets disabled for all the users.
Next, insecure cloud segregation. One of the test cases which we wanted to focus on later during the project was: we knew that this specific product was not installed but deployed on zcp, so we were assuming it's a tenant subscription, like each client would get a different subscription, so there would be VPC rules, network filtering rules in place to prevent tenant A from accessing tenant B's data, right? That was the assumption, but in the end what happened was it was possible for tenant A to access tenant B's data, documents, cookies and so on, just because all of the resources or all of the products were installed in the same tenant and they didn't have any proper firewall rules, no VPC segregation in place, and literally everything was in the same place. That allowed one tenant to access a different tenant's data, which should not be possible in enterprise deployments.

Future research and conclusion: I think it's still a very fascinating and new technology, and I think, at least from my perspective, future research in this area would involve more testing on this service binary for the agent in itself, testing more for privilege escalation flaws and service level flaws in all the possible agents. Also, basically the whole crux of RBI is they try to solve a really tough problem, because since the user has access to the client side code, he can modify client side data, he has access to the browser in itself, he could tamper with the browser and so on. It's really a hard problem to solve, but maybe in the future this solution becomes more robust. Also, each environment would have different protections because of different configurations or different policies enforced by administrators, so there should be uniform documentation saying yeah, if you disable this it's bad, and so on.

That's pretty much it, that was my talk, and I want to thank... [Applause] Yeah, I want to thank Rio and Paulina and also the organizers of BSides for conducting this conference. This is my second conference, my second BSides, and hopefully I come to the next conference as well. If you have any questions, please feel free to ask me now.
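As an added example, not the speaker's code or the vendor's: a defender-side log check in Python that flags the three routing and inspection gaps the talk describes (requests that never traversed the isolation proxy because of an unlisted user agent or a client that ignored the proxy, executable downloads on non-standard ports, and document types the backend lets straight through). The user agent list, inspected ports and extension sets are assumed tenant policy values, and the egress records are constructed.

```python
import os
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed tenant policy values (not the vendor's real lists): the user agents the
# isolation service worker routes, the ports the product inspects, and the
# document types the backend renders remotely versus lets straight through.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
ISOLATED_USER_AGENTS = {CHROME_UA}
INSPECTED_PORTS = {80, 443, 8080, 8443}
DOWNLOAD_EXTENSIONS = {".exe", ".msi", ".zip", ".doc", ".docx", ".pdf",
                       ".docm", ".xlsm", ".pptm"}
UNINSPECTED_DOC_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

@dataclass
class EgressRecord:
    """One browser egress event as a network sensor might log it (constructed)."""
    user_agent: str
    url: str
    via_isolation: bool  # True when the request traversed the RBI proxy

def port_of(url):
    """Explicit port if present, else the scheme default."""
    p = urlparse(url)
    return p.port or (443 if p.scheme == "https" else 80)

def findings_for(rec):
    """Return the bypass patterns one record matches (empty list means clean)."""
    found = []
    ext = os.path.splitext(urlparse(rec.url).path)[1].lower()
    if not rec.via_isolation:
        # Never reached the isolation proxy: either the UA is not in the routed
        # list, or an isolated browser's extension or alternate client went direct.
        if rec.user_agent not in ISOLATED_USER_AGENTS:
            found.append("user-agent-not-isolated")
        else:
            found.append("direct-egress-from-isolated-ua")
    if ext in DOWNLOAD_EXTENSIONS and port_of(rec.url) not in INSPECTED_PORTS:
        found.append("download-on-non-standard-port")
    if ext in UNINSPECTED_DOC_EXTENSIONS:
        found.append("uninspected-document-type")
    return found

def scan(records):
    """Map each flagged URL to its findings; clean records are omitted."""
    report = {}
    for rec in records:
        flags = findings_for(rec)
        if flags:
            report[rec.url] = flags
    return report

# Constructed sample log, not captured from any real environment.
SAMPLE_LOG = [
    EgressRecord(CHROME_UA, "https://example.test/report.pdf", True),
    EgressRecord("curl/8.0", "https://example.test/tool.exe", False),
    EgressRecord(CHROME_UA, "http://example.test:1337/payload.exe", True),
    EgressRecord(CHROME_UA, "https://example.test/invoice.docm", True),
    EgressRecord(CHROME_UA, "https://example.test/ext-update.zip", False),
]
```

Running scan(SAMPLE_LOG) flags four of the five constructed records; only the PDF fetched through the proxy on port 443 is clean.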