Developers are creating countless information disclosure and privilege escalation vulnerabilities by misusing elements of various graphical user interfaces as mechanisms for access control, according to a new research paper from the Northeastern University College of Computer and Information Science.
The paper – coauthored by Collin Mulliner, William Robertson, and Engin Kirda – explores GUI element misuse (GEM). Essentially, the researchers assert that GUIs are the primary conduit through which users interact with computer programs. Each contains a unique list of visual elements – referred to in the paper as widgets. As the paper puts it, “GUIs typically provide the ability to set attributes in these widgets to control their visibility, enabled status, and whether they are writable.”
While these attributes are helpful for users, in the context of GUI-based applications with multiple levels of privilege they are very often misused to control who has access to which information under what circumstances. The researchers claim that fairly unsophisticated attackers can use easily accessible programming utilities such as WinSpy++ or Spy++ to select, view, and modify any window in a system, including the hierarchy of widgets within those windows.
“For example, a developer might disable a text field if a user is not authorized to enter any input into the back-end database via the user interface,” the researchers wrote in their paper. “Generally speaking, developers might start to rely on user interface element attributes to enforce privilege levels within the application. Unfortunately, these user interface attributes are not suitable as an access control mechanism.”
In other words, attackers could potentially modify widgets in order to achieve deeper access to information stored by or made accessible to the application deploying that widget. Problematically, such attacks can be simultaneously easy to perform but difficult to detect.
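The pattern the paper describes, as an added illustration that is not code from the paper or from any application it studied: a delete button is disabled for unprivileged users, and the only question is whether the action behind it is authorized anywhere else. `Widget`, `Session`, `InventoryDB` and the two form classes are hypothetical stand-ins for a GUI toolkit and its back end; the widget carries the three attributes the paper names, and the attribute change that the article attributes to point-and-click tools is simulated by a plain assignment inside the same process.

```python
# Added example (not code from the paper or from any application it studied):
# disabling a widget for unprivileged users versus authorizing the action the
# widget triggers. Widget is a hypothetical stand-in for a GUI toolkit control.
from dataclasses import dataclass, field


@dataclass
class Widget:
    name: str
    visible: bool = True
    enabled: bool = True
    writable: bool = True


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


class InventoryDB:
    """Constructed sample back end: one table of stock counts."""
    def __init__(self):
        self.rows = {"sku-1": 10, "sku-2": 4}

    def delete(self, sku):
        self.rows.pop(sku)


def can_delete(session):
    return "admin" in session.roles


class VulnerableForm:
    """GEM pattern: privilege is 'enforced' only by disabling the button."""
    def __init__(self, session, db):
        self.session, self.db = session, db
        self.delete_button = Widget("btnDelete", enabled=can_delete(session))

    def on_delete_clicked(self, sku):
        # Nothing here re-checks who the user is; the button state is trusted.
        self.db.delete(sku)


def delete_entry(session, db, sku):
    """Business-layer operation: the authoritative check lives here, not in the UI."""
    if not can_delete(session):
        raise PermissionDenied(f"{session.user} may not delete {sku}")
    db.delete(sku)


class HardenedForm:
    """Same UI hint, but the handler calls an operation that authorizes itself."""
    def __init__(self, session, db):
        self.session, self.db = session, db
        self.delete_button = Widget("btnDelete", enabled=can_delete(session))

    def on_delete_clicked(self, sku):
        delete_entry(self.session, self.db, sku)


def click(form, sku):
    """Toolkit behaviour: a disabled widget delivers no click event."""
    if form.delete_button.enabled:
        form.on_delete_clicked(sku)


def run_scenario(form_cls):
    """Returns (rows left before the attribute change, rows left after it)."""
    db = InventoryDB()
    form = form_cls(Session("alice", {"viewer"}), db)
    click(form, "sku-1")               # button disabled: nothing happens
    before = len(db.rows)
    form.delete_button.enabled = True  # attribute changed from outside, as the article describes
    try:
        click(form, "sku-1")
    except PermissionDenied:
        pass
    return before, len(db.rows)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableForm))  # (2, 1): row deleted
    print("hardened:  ", run_scenario(HardenedForm))    # (2, 2): denied
```

The disabled button is kept in the hardened form because it is a useful hint for legitimate users; what changes is that every path to the database goes through an operation that checks the session itself, so the widget attribute no longer decides anything.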
“We see this class of bugs likely to appear in custom applications within (big) organizations (enterprises),” Mulliner told Threatpost in an email interview. “GEM bugs only exist in applications that provide multiple privilege levels within the application; these types of enterprise applications most likely handle sensitive data.”
The key point of this class of bugs, Mulliner continued, is that it requires only minimal skill to exploit them. An attack, he claims, is reduced to manipulating one or multiple user interface widgets, which is easier than reverse engineering an application’s binary, database format, or network protocol.
“Manipulating a widget is easily carried out by using one of many point and click tools that are freely available on the Internet,” Mulliner said. “Therefore, allowing an average user to bypass access controls to gain access to sensitive data and even the ability to modify it.”
The researchers also developed what they are calling a GEM mining tool that automatically detects insecurely configured GUIs. This specific tool works only on Windows systems (though they believe that this type of vulnerability is in no way limited to Windows) and the trio identified a number of previously unknown GEM bugs in Windows-platform software, which they have reported to the appropriate vendors.
In order to be considered for analysis by their GEM miner, an application has to offer at least two levels of privilege, because an attacker obviously cannot escalate his or her position if there is only one level of privilege; multiple privilege levels are a prerequisite for GEM bugs.
Specifically, the researchers used this tool to root out an assortment of different bugs of varying degrees of severity in three separate applications, two of which remain unnamed. The first, an inventory management tool, is vulnerable in such a way that an unauthorized user could create new entries and delete existing ones within the application’s database. Worse yet, the researchers say, the application’s account management window, which is created at start-up and merely hidden from view, is totally accessible to an attacker. Without much difficulty, an attacker can modify the visibility attribute of this window (again, using readily available tools) and directly access user credentials. Similarly, a related attack could be launched against the admin login window, after which point the attacker would merely need to convince the admin to log in or simply wait for that to happen.
In the second app, used for employee and project management, an attacker could modify the visibility of a certain hidden window, achieving access to an entire employee database consisting of work schedules, business trips, and vacation days. Leveraging a separate callback GEM bug, the attacker would also have the capacity to change this information.
The third app tested in their experiment – named Proffix – is one that provides client management, order processing, and financial accounting functions. In this case, the vendor has acknowledged the bug and admitted it was not aware of GEM issues. The GEM vulnerabilities discovered by the researchers in this application could give an attacker the ability to modify data stored in the application’s database that normal users are not authorized to modify, completely bypassing the application’s intended access control scheme.
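The hidden-window findings in the first two applications share one root cause: privileged data is already inside the process, held by a widget whose only protection is `visible = False`. The following is an added illustration, not code from the paper or from any of the applications it studied. `Window`, `Session` and `AccountService` are hypothetical stand-ins, the account table is constructed sample data, and `readable_by_unhiding` is the audit question a defender should ask of a window tree: if every window were made visible, what could a non-admin read?

```python
# Added example (not the paper's code, nor that of any application it studied):
# a privileged window built and populated at start-up and merely hidden, beside
# a version that creates the window only after an authorized data fetch.
from dataclasses import dataclass, field


@dataclass
class Window:
    title: str
    visible: bool = False
    rows: list = field(default_factory=list)  # whatever the widget currently holds


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


# Constructed sample data: what the account store holds server-side.
ACCOUNTS = {
    "admin": "pbkdf2$constructed-sample-hash-1",
    "bob": "pbkdf2$constructed-sample-hash-2",
}


class AccountService:
    """Business layer: authorizes every request and never hands out secrets."""
    def list_accounts(self, session):
        if "admin" not in session.roles:
            raise PermissionDenied(f"{session.user} may not list accounts")
        return [{"user": name} for name in ACCOUNTS]


class VulnerableApp:
    """GEM pattern: privileged window built and filled up front, then hidden."""
    def __init__(self, session):
        self.session = session
        self.account_window = Window("Account Management", visible=False,
                                     rows=[(u, h) for u, h in ACCOUNTS.items()])

    def open_account_management(self):
        # The role check only decides whether the window is shown; the data
        # it holds has been in memory since start-up regardless.
        if "admin" in self.session.roles:
            self.account_window.visible = True


class HardenedApp:
    """Nothing privileged exists in the window tree until the fetch is authorized."""
    def __init__(self, session, service):
        self.session, self.service = session, service
        self.account_window = None

    def open_account_management(self):
        rows = self.service.list_accounts(self.session)  # raises for non-admins
        self.account_window = Window("Account Management", visible=True, rows=rows)


def readable_by_unhiding(app):
    """Audit question: with every window made visible, what would the
    current (non-admin) user be able to read from this process?"""
    w = app.account_window
    if w is None:
        return []
    w.visible = True
    return w.rows


if __name__ == "__main__":
    viewer = Session("alice", {"viewer"})
    print(readable_by_unhiding(VulnerableApp(viewer)))                  # every account and hash
    print(readable_by_unhiding(HardenedApp(viewer, AccountService())))  # []
```

Two decisions do the work here: the window is not instantiated until the business layer has authorized the request, and the business layer returns only what the screen needs (user names, not stored credentials), so there is nothing sensitive for a visibility change to reveal.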
Mulliner, Robertson, and Kirda will discuss their findings next month at the IEEE Security and Privacy conference in San Jose, California.