Internal Affairs: Hacking File System Access from the Web

Presented at Black Hat USA 2021, Aug. 5, 2021, 2:30 p.m. (30 minutes).

The File System Access API deployed to browsers this year is the current version of a W3C draft to give websites, with user approval, the ability to read, write, and edit files and folders the user selects on their devices, an outgrowth of an earlier proposal called Native File System. It has been released and deployed in many Chromium-based browsers. Despite a number of security features implemented in the API, this presentation will show several ways in which a hostile website may gain arbitrary code execution and slip malicious code past operating system and security product scans, or even detailed, manual inspection.

Presenters:

• Matthew Weeks - Technology Fellow, Deloitte
  Matt Weeks is a Technology Fellow at Deloitte. He led root9B's research and development arm and has uncovered a number of major software and cryptographic vulnerabilities. He has contributed to the Metasploit framework, runs the site http://www.scriptjunkie.us/ and red teams the national CCDC. Previously he led the USAF's intrusion forensics and reverse engineering lab and the creation of their enterprise hunt teams.

Links:

• https://www.blackhat.com/us-21/briefings/schedule/#internal-affairs-hacking-file-system-access-from-the-web-23811
• https://www.blackhat.com/us-21/briefings/schedule/#internal-affairs-hacking-file-system-access-from-the-web-238111625062367

Similar Presentations:

• Black Hat USA 2012 / File disinfection framework: Striking back at polymorphic viruses
• Black Hat USA 2019 / Battle of Windows Service: A Silver Bullet to Discover File Privilege Escalation Bugs Automatically