Crippling HTTPS with Unholy PAC

Presented at Black Hat USA 2016, Aug. 3, 2016, 4:20 p.m. (50 minutes)

You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a "Force TLS/SSL" browser extension). All your traffic is protected from the first byte. Or is it? We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of "PAC Malware" (a malware which is implemented only as Javascript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URI's. We present a comprehensive browser PAC feature matrix and elaborate more about this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.

Presenters:

• Amit Klein - SafeBreach
  Amit Klein is a world renowned information security expert, with 24 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM security division) for 7 years. Amit has a B.Sc. from the Hebrew University (magna cum laude, Talpiot program), recognized by InfoWorld as a CTO of the year 2010 , and has presented at RSA, OWASP, CertConf, BlueHat, CyberTech, APWG and AusCERT.
• Itzik Kotler - SafeBreach
  Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEFCON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware. (NASDQ: RDWR).

Links:

• https://www.blackhat.com/us-16/briefings.html#crippling-https-with-unholy-pac
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/Crippling HTTPs With Unholy PAC.mp4
• https://www.youtube.com/watch?v=7q40RLilXKw
• https://www.blackhat.com/docs/us-16/materials/us-16-Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf

Similar Presentations:

• Black Hat Europe 2015 / Watching the Watchdog: Protecting Kerberos Authentication with Network Monitoring
• Black Hat USA 2020 Virtual / iOS Kernel PAC, One Year Later
• DEF CON 30 (2022) / The PACMAN Attack: Breaking PAC on the Apple M1 with Hardware Attacks