lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 14 Nov 2009 01:41:16 +0100
From: Rosario Valotta <valotta.rosario@...il.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Matteo Carli <matteo@...teocarli.com>
Subject: Twitter "swine flu" worm

Hi, up to some days ago Twitter was affected by a vulnerability that allowed
the propagation of a worm what we like to call "twitter swine flu".
The vulnerability exploited by the worm was a simple Xss injected in an
error page, but what is worth noticing here is that the error page was not a
specific one, but was (and still currently is) raised when some unmanaged
Unicode chars were included in the URL.

When you try to call a specific URL and set the path or a querystring
parameter to string containing an unsupported Unicode value (for a complete
list see: http://unicode.org/charts/PDF/U0080.pdf) the webapp raised an
error page.

E.g.
http://twitter.com/%A2  -->  Invalid Unicode value in parameter user

http://twitter.com/testxss/%A2 --> Invalid Unicode value in parameter id

http://twitter.com/testxss/whatever/%A2 --> Invalid Unicode value in
parameter params

http://twitter.com/testxss?a=%A2 --> Invalid Unicode value in parameter a

No control was performed on valid path/parameter names.

Moreover, in the last example, the error page echoed the parameter name
without any sanitazion/encoding. This lead to XSS.

E.g.
If the url http://twitter.com/testxss?<script>alert('xss')</script>=%A2<http://twitter.com/testxss?%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E=%A2>was
called the error page was raised and, as no validation on parameter
name
is performed, the script was executed and an alert was raised.

The worm we developed is just a PoC that exploited this vulnerability and:

   - made the victim post arbitrary tweets
   - added followers to an attacker controlled account

A video of the PoC is available at:
http://sites.google.com/site/tentacoloviola/twitterhorror
and
http://www.matteocarli.com/2009/11/twitter-horror.html

The XSS issue in the error page has been patched by Twitter few days after
our disclosure.
The Unicode issue is still there.

Regards
Rosario Valotta + Matteo Carlo

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ