lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <009701cd50a4$c082f940$9b7a6fd5@ml>
Date: Fri, 22 Jun 2012 21:26:13 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS and Charset Remembering via charsets in different browsers

Hello list!

I want to warn you about XSS and Charset Remembering vulnerabilities via 
multiple charsets in different browsers.

----------
Details:
----------

XSS and Charset Remembering (WASC-08):

At the beginning of 2009 I wrote about the Charset Remembering vulnerability 
in Mozilla Firefox via UTF-7 (http://websecurity.com.ua/2848/) and via the 
EUC-JP and SHIFT_JIS charsets (http://websecurity.com.ua/2928/). The Charset 
Remembering attack can be used to make persistent attacks via different 
charsets which are affected by XSS. With this attack it's possible to 
conduct XSS attacks via an affected charset not only on pages with the same 
charset, but on any suitable page with any charset.

Last week, on the last Patch Tuesday, Microsoft fixed vulnerabilities in 
Internet Explorer, and among them was the vulnerability CVE-2012-1872 
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872).

This vulnerability surprised me, because information about XSS via EUC-JP in 
IE6 was already known in 2006 - Cheng Peng Su wrote about it (he checked a few 
charsets in the browsers Internet Explorer 6, Firefox 1.5.0.6 and Opera 9.0.1). 
Also, my exploit 
(http://websecurity.com.ua/uploads/2009/Firefox_XSS_Charset_Remembering.html) 
for XSS via the EUC-JP and SHIFT_JIS charsets in Mozilla Firefox was also 
suitable for IE (only one char needed to be added to it). The attack via 
EUC-JP, though, works in IE 6 and 7, but in IE 8 it was fixed. It looks like new 
chars of the EUC-JP charset were found via which it's possible to conduct the 
attack.

Note that in MFSA 2011-47 Mozilla fixed the possibility of XSS attacks via the 
Shift-JIS charset, about which I had informed them in March 2009 (but they still 
have not fixed the same issue with the EUC-JP charset). So first Mozilla ignored 
my letter and publication of 03.03.2009, and only after 2.5 years, on 
08.11.2011, did they fix one of the few vulnerabilities I had informed them about.

So I made a new exploit (to work in different browsers) and tested XSS 
attacks via different charsets in different browsers. As a result I found 
that many browsers are vulnerable to attacks via the EUC-JP, SHIFT_JIS and 
Chinese Simplified (HZ) charsets. And some browsers are also vulnerable to 
attacks via other charsets. And I'll note that the Charset Remembering attack, 
described by me three years ago, besides Mozilla and Firefox (all browsers 
on the Gecko engine) also works in Internet Explorer and Opera.

PoC:

http://websecurity.com.ua/uploads/2012/XSS_charsets_in_browsers.html

The code will execute upon setting the appropriate character encoding in the 
browser (the PoC is designed for the Charset Remembering attack).

This attack via the EUC-JP, SHIFT_JIS and Chinese Simplified (HZ) charsets works 
in Mozilla Firefox 3, 4 and previous versions (and must work in later 
versions), in Internet Explorer 6, 7, 8 (and must work in other versions), 
and in Opera 10.62 (and must work in other versions).

Also, I found some other affected charsets from the East Asian group. In IE 6, 
7 and 8 the attack will work via the Chinese Simplified charsets (GB2312 and 
Big5), and in IE 6 and 7 the attack will work via the Korean charset (named 
EUC-KR in other browsers). In IE8 (and obviously in IE9) the attack does not 
work via the EUC-JP and Korean charsets. And in Opera 10.62 it also works in 
Chinese Simplified (GB2312, GB18030 and Big5-HKSCS), but doesn't work in Big5 
and HZ.

------------
Timeline:
------------ 

2009.02.03 - published on my site about the UTF-7 charset in Mozilla.
2009.02.05 - informed developers. The UTF-7 attack vector was fixed by Mozilla.
2009.03.03 - published on my site about the EUC-JP and SHIFT_JIS charsets in 
Mozilla.
2009.03.04 - informed developers. Mozilla ignored these vulnerabilities and did 
not fix them.
2011.11.08 - Mozilla fixed a vulnerability in Firefox related to SHIFT_JIS 
(MFSA 2011-47 / CVE-2011-3648).
2012.06.12 - Microsoft fixed a vulnerability in Internet Explorer related to 
EUC-JP (CVE-2012-1872).
2012.06.06 - published on my site about multiple charsets in different 
browsers (http://websecurity.com.ua/5902/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
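The post above turns on one mechanism: the same bytes mean different things under different character encodings, so a server-side filter that reasons about ASCII delimiters sees one string while a browser set to an East Asian charset sees another. The block below is an added example, not the author's PoC and not code from any browser vendor; it shows that discrepancy on a constructed two-byte sample and then the defensive pattern (decode strictly under one declared charset, escape in the Unicode domain, emit UTF-8 with an explicit charset). All function names and the sample bytes are this example's own.

```python
"""Charset-dependent decoding and the defensive fix.

Added example (not from the original post). SAMPLE is a constructed
two-byte string chosen because it decodes to one kanji under Shift_JIS
but to a control character followed by an ASCII backslash when read as
single-byte text.
"""
import html
import re

# Constructed sample input: 0x95 0x5C.
SAMPLE = b"\x95\x5c"

# Characters that matter for HTML/JS context breaking.
ASCII_DELIMS = '<>"\'\\'


def decode_views(data: bytes) -> dict:
    """Return how the same bytes are interpreted under several charsets.

    Invalid sequences are reported as None rather than silently replaced,
    which is also how a strict server-side decoder should behave.
    """
    views = {}
    for enc in ("latin-1", "shift_jis", "euc_jp"):
        try:
            views[enc] = data.decode(enc, errors="strict")
        except UnicodeDecodeError:
            views[enc] = None
    return views


def contains_ascii_delims(text: str) -> bool:
    """The kind of check a naive filter applies to decoded text."""
    return any(c in text for c in ASCII_DELIMS)


def decodes_strictly(data: bytes, charset: str) -> bool:
    """True if the bytes are valid under the charset the page declares."""
    try:
        data.decode(charset, errors="strict")
        return True
    except (UnicodeDecodeError, LookupError):
        return False


def has_explicit_charset(content_type: str) -> bool:
    """Check that a Content-Type header pins the charset (hypothetical helper)."""
    return re.search(r";\s*charset\s*=\s*[\w-]+", content_type, re.I) is not None


def render_safe(user_bytes: bytes, declared_charset: str) -> tuple:
    """Decode under exactly the declared charset (strict), escape in the
    Unicode domain, re-encode as UTF-8, and return (headers, body).

    Raises UnicodeDecodeError on bytes that are not valid in the declared
    charset instead of guessing, so encoding confusion cannot reach the
    browser. The header and the <meta> tag both pin the charset so a
    remembered user override has no ambiguity to exploit.
    """
    text = user_bytes.decode(declared_charset, errors="strict")
    escaped = html.escape(text, quote=True)
    body = (
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
        "<body><p>" + escaped + "</p></body></html>"
    )
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body.encode("utf-8")


if __name__ == "__main__":
    for enc, view in decode_views(SAMPLE).items():
        print(f"{enc:10} -> {view!r}  delimiters seen: "
              f"{contains_ascii_delims(view) if view is not None else 'n/a'}")
    print("valid UTF-8?", decodes_strictly(SAMPLE, "utf-8"))
    hdrs, out = render_safe(b"<b>hi</b>", "utf-8")
    print(hdrs, out.decode("utf-8"), sep="\n")
```

Run as a script, the first loop shows the Latin-1 view carrying a backslash that the Shift_JIS view does not, while EUC-JP rejects the bytes outright; that gap between what a filter sees and what a browser renders is the whole problem. The defensive half never interprets user bytes under more than one charset and never lets the browser choose.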
