| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <OF9A650644.F2DDFF8E-ONC22577D7.005BB124@il.ibm.com> Date: Wed, 10 Nov 2010 18:41:28 +0200 From: Roee Hay <ROEEH@...ibm.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Babylon Cross-Application Scripting Code Execution Introduction ============ Babylon is a single-click computer online dictionary and translation software which is also capable of translating whole documents and web pages. The translation and dictionary results are presented to the user via the Trident layout engine (an in-app/embedded Internet-Explorer rendering engine). Vulnerability ============= Babylon fails to sanitize user input before rendering it on the Trident control, effectively leading to a Cross-Application Scripting vulnerability. The user's input can originate from the following sources: 1. Babylon's main translation interface: When searching for a non-existent term Babylon pushes the string "No matches were found for 'non-existent term'. Search the web for non-existent-term". Unfortunately, 'non-existent term' is not HTML encoded or validated before it is written on the embedded browser (the translation process transparently validates translatable input). 2. Document translation: Documents (such as PDF files) may contain text which cannot be translated (e,g. JavaScript code), in such case it is rendered without HTML encoding or validation. 3. Web site translation: Same as the document translation case. Text which is not translated is simply rendered on the Trident control. In order to trigger an attack, the victim has to be lured into translating malicious text, either in a document or on a web page. Although the scenarios require some social-engineering, some of them are feasible and realistic. Impact ====== The Trident control runs in Local Machine Zone (LMZ) which is not Locked down. This allows a malicious script to perform the following actions: 1. Interact with other websites in the background while using persistent cookies to impersonate the victim: This can be done using XHR. The payload can leak the response's body which may contain sensitive information in case the victim has been authenticated on the site prior to the attack. The payload can also perform actions on the site on behalf of the victim. 2. Collect information from local files: This can be done using XHR or by a hidden iframe with the filename's as the source. Since the payload runs in a non-Locked-down LMZ, the XHR response or iframe's body can be inspected and sent back to the attacker. 3. Code execution: System commands can be executed by using the Wscript.Shell ActiveX object to practically take over the whole system. Vulnerable versions =================== Versions prior to 8.0.7 are susceptible to this vulnerability. Credit ====== Yair Amit <amityair@...ibm.com> Roee Hay <roeeh@...ibm.com> Acknowledgments =============== We would like to thank the Babylon team for their quick responses and the efficient way in which they handled this security issue. References ========== 1. Original advisory: http://blog.watchfire.com/files/babylon_cas_advisory.pdf 2. Blog post: http://blog.watchfire.com/wfblog/2010/11/babylon-cross-application-scripting.html 3. Demo: http://www.youtube.com/watch?v=51ypgI1lqzE 4. Babylon's homepage: http://www.babylon.com/ 5. Enhanced Browsing Security: http://technet.microsoft.com/en-us/library/bb457150.aspx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists