lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 2 Jan 2011 21:32:26 -0600
From: Kevin Killgore <kvkillgore@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Chatango Group Chat Web-Application Cross-Site
	Request Forgery Vulnerability

<?KvK~

############################################################################
Chatango Group Chat Web-Application Cross-Site Request Forgery Vulnerability
############################################################################

++++++++++++++++++++++++
~Application Description
++++++++++++++++++++++++
Chatango is an organization that freely provides chat box services named
"Chatango groups". These groups can be accessed through either a direct
connection to the Chatango group's address location or through a web page or
blog that has chosen to embed the group chat application within its own HTML
source. Chatango's group chat web-application is a Flex based flash
application. This web-application is commonly compared to other services
such as “meebly” and “xat”. Chatango groups have been created with a focus
on a large variety of topics, and each group may contain hundreds of active
visitors.

++++++++++++++++++++++++++
~Vulnerability Description
++++++++++++++++++++++++++
Most Chatango groups implement the automatic embedding of images such that
if one were to post "http://www.example.com/image.png" as a message, the
image located at this address would result as the messages body. However,
the application doesn't actually verify that the specified location actually
contains an image or that it even exists. Due to the fact that the
application is only able to differentiate a common hyperlink from an image
to be embedded based upon the presence of a valid image file extension, it
becomes possible to deceive the image loading script into believing that the
link provided contains the of a valid image file simply by ensuring that the
provided link is appended by a valid image file extension. By doing this,
the application attempts to load the provided address as an image whether or
not it actually contains an image. Due to this characteristic, the Chatango
group web-application can be used as a vector for a variety of Cross-Site
Request Forgery attacks.

This vulnerability was originally discovered using Mozilla Firefox as a web
browser. However, as the vulnerable application is flash based, this
vulnerability should be applicable within any browser that is configured to
allow the execution of flash applications. It should be noted that though
this vulnerability may be used as an URI injection vector, URI injection is
limited by specific browser and operating system URI handler configuration
settings.

There are primarily two parts included within a malformed "image" location
used to exploit this vulnerability. The first part, as in most CSRF
exploits, is the address to be referenced by the browser. The second, is the
file extension appendage scheme. The success of the scheme chosen depends
primarily upon the preceding address, but the last few characters included
in the scheme MUST consist of a period followed by a valid image file
extension. Valid image file extensions include common web image file
extensions such as png, gif, jpg, jpeg, etc. Examples of possible malformed
"image" locations along with a brief description of each example will
follow. File extension appendage schemes will be enclosed in brackets to
make them easier to identify, however they would not be included in the case
of actual exploitation.


==Example 1:
http://www.QuickUniqueVisits.org/[?x=.png]

In this example, www.QuickUniqueVisits.com would include this location in
the message body of a post on a Chatango group, which would result in a
seemingly blank post. However, this address would be loaded within the
browser of each active visitor of the Chatango group, resulting in
www.QuickUniqueVisits.com obtaining an amount of unique visits equal to the
amount of the group’s current active visitors as well as any visitor who
views the page within the next 35 posts, or even any user who chooses to
view previous posts including this message.


==Example 2:
http://bank.com/transfer.do?acct=BOB&amount=100000[&junk=.jpg]

This example would be implemented in the same manner as the previous
example. However instead of simply generating quick unique visits, this
address would transfer $100000 from the account of any user currently logged
in at "bank.com" to BOB's account. The same rules in terms of persistence
apply to this example, as they would in most cases.


==Example 3:
http://smallurl.com/a1b2c3[/.gif] (http://smallurl.com/a1b2c3 =
URIscheme:do(something);)

This final example demonstrates the use of URL shortening services to
obfuscate URI locators other than HTTP so that the application may attempt
to load third party applications through the visitor's browser. An example
of such a case would include the obfuscation of the "mailto" URI in attempt
to access "Outlook Express" on a visitor's Windows computer, which may then
lead to the exploitation of "Outlook Express" which may include a method of
obtaining remote code execution. As this vulnerability may be used as an
attack vector for such exploits and there at does exist a (undisclosed)
method of obtaining remote code execution via Outlook Express, this
vulnerability as whole should be considered fairly dangerous, as the most
user's I've witness in one group exceeded 2000. Also, there exists many more
powerful URI schemes than "mailto" such as "telnet" which may establish a
connection a remote machine, Skype’s "callto" which may initiate a Skype
call to the specified number, and "javascript" which may be used to execute
JavaScript functions within a visitor's browser. Luckily, URI schemes are
filtered by most URL shortening services. Also, this sort of attack can be
stopped in its tracks if the browser's URI handling rules are properly set.
They can be configured in "about:config" for Mozilla Firefox as well as in
Window's Registry Editor for other browsers.

+++++++++++
~Conclusion
+++++++++++
There exists the possibility of using this exploit as the basis for a Flash
based DDoS script which uses Chatango groups as a zombification medium,
among many other automated exploitation purposes. I've contacted Chatango in
regards to this vulnerability some time ago; I've not received an responsive
email. As far as I'm aware, all versions of the group chat application are
vulnerable.

Original Document Location: http://xkvk.zzl.org/KvK-1.txt

~KvK?>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ