Presented at Black Hat USA 2014, Aug. 6, 2014, 3:30 p.m. (60 minutes).
Graphical user interfaces (GUIs) contain a number of common visual elements, or widgets, such as labels, text fields, buttons, and lists. GUIs typically provide the ability to set attributes on these widgets to control their visibility, their enabled status, and whether they are writable. While these attributes are extremely useful for providing visual cues that guide users through an application's GUI, they can also be misused for purposes for which they were not intended. In particular, in GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.
In this session, we introduce GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. We present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. We then present GEM Miner, an implementation of our GEM analysis for the Windows platform. We evaluate GEM Miner using real-world GUI-based applications that target the small business and enterprise markets, and demonstrate the efficacy of our analysis by finding numerous previously unknown access control vulnerabilities in these applications.
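To make the two ideas above concrete, here is a small model, added to this page and not code from the talk or from GEM Miner: an application whose only protection on a privileged action is the widget's enabled/visible/writable attribute, a hardened variant whose action checks the caller's privilege level itself, and a check in the spirit of the confirmation step described in the abstract that re-enables restricted widgets for the low-privilege role and reports those whose action still succeeds. All class, role and widget names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ADMIN, USER = "admin", "user"  # constructed privilege levels


@dataclass
class Widget:
    """A GUI element carrying the attributes the abstract singles out."""
    name: str
    enabled: bool = True
    visible: bool = True
    writable: bool = True
    handler: Optional[Callable[[], bool]] = None  # action the widget fires


class App:
    """Stand-in for a GUI-based application with two privilege levels."""

    def __init__(self, role: str):
        self.role = role
        self.accounts = ["alice", "bob"]  # constructed sample state
        self.log = ["login ok"]
        privileged = role == ADMIN
        self._widgets = {
            "username_field": Widget("username_field"),
            # Button hidden and disabled for non-admins.
            "delete_accounts": Widget("delete_accounts", enabled=privileged,
                                      visible=privileged,
                                      handler=self.delete_accounts),
            # Text area made read-only for non-admins.
            "audit_log": Widget("audit_log", writable=privileged,
                                handler=self.clear_log),
        }

    def widgets(self) -> Dict[str, Widget]:
        return self._widgets

    def delete_accounts(self) -> bool:
        raise NotImplementedError

    def clear_log(self) -> bool:
        raise NotImplementedError


class VulnerableApp(App):
    """GEM pattern: the widget attribute is the only access control."""

    def delete_accounts(self) -> bool:
        self.accounts.clear()
        return True

    def clear_log(self) -> bool:
        self.log.clear()
        return True


class HardenedApp(App):
    """Fix: the action enforces the policy; the attribute is a visual cue only."""

    def _require_admin(self) -> None:
        if self.role != ADMIN:
            raise PermissionError("action requires the admin privilege level")

    def delete_accounts(self) -> bool:
        self._require_admin()
        self.accounts.clear()
        return True

    def clear_log(self) -> bool:
        self._require_admin()
        self.log.clear()
        return True


def find_gems(app_factory: Callable[[str], App]) -> List[str]:
    """Return widget names whose restriction for USER is enforced only by
    a widget attribute (the action still succeeds once the attribute is
    flipped). Widgets that look the same at both privilege levels are
    not candidates."""
    admin_app, user_app = app_factory(ADMIN), app_factory(USER)
    gems = []
    for name, ref in admin_app.widgets().items():
        w = user_app.widgets()[name]
        restricted = ((w.enabled, w.visible, w.writable)
                      != (ref.enabled, ref.visible, ref.writable))
        if not restricted or w.handler is None:
            continue
        # Confirmation step: undo the attribute-based restriction and fire
        # the action as the low-privilege user; a success means the policy
        # lived only in the widget attribute.
        w.enabled = w.visible = w.writable = True
        try:
            if w.handler():
                gems.append(name)
        except PermissionError:
            pass  # the action checks privilege itself: not a GEM
    return gems


if __name__ == "__main__":
    print("vulnerable:", find_gems(VulnerableApp))  # both restricted widgets
    print("hardened:", find_gems(HardenedApp))      # none
```

The defensive takeaway is in `HardenedApp`: every privileged action re-checks the caller's role at the point where the work is done, so disabling or hiding a widget can only ever be a usability aid, never the control. The same check also gives a developer a regression test for their own application: any widget that `find_gems` reports is one whose backing action lacks its own authorization check.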
Presenters:
- Collin Mulliner, Northeastern University
Collin Mulliner is a postdoc researcher at SECLAB at Northeastern University. Collin's main interest is in the area of security and privacy of mobile and embedded devices, with an emphasis on mobile and smart phones. Since 1997, Collin has developed software and done security work for Palm OS, J2ME, Linux, Symbian OS, Windows Mobile, Android, and the iPhone. In 2006, he published the first remote code execution exploit based on the multimedia messaging service (MMS). Collin's most recent projects are in the area of vulnerability analysis and offensive security.