lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003c01d0411c$5e408200$1ac18600$@obrela.com>
Date: Thu, 5 Feb 2015 10:18:46 +0200
From: "Dimitris Strevinas" <d.strevinas@...ela.com>
To: "'Ben Lincoln \(F7EFC8C9 - FD\)'" <F7EFC8C9@...eaththewaves.net>,
	<fulldisclosure@...lists.org>
Cc: bugs@...uritytracker.com, bugtraq@...urityfocus.com, cve-assign@...re.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Ben, we have reproduced the vulnerability in many occasion.
First of all, at least to steal the session it is no matter if
X-Frame-Option is set to deny/same-origin.
Secondly, we were able to easily bypass the alert popup. It is not needed if
you implement the "waiting" logic with a synchronous AJAX call or a looped
wait (there is no sleep is JS).

The most important part is that the "1.php" in the original POC, should
implement a sleep itself. This seems to do the trick to allow setTimeout to
be assigned in the iframe prior to be redirected to the target site.

It has nothing to do with Cloudflare.

Nevertheless, it is particularly difficult in my opinion to serve one HTML
page to target multiple web sites at once in a phising/session-stealing
attack. This is because, alert/synchronous AJAX/custom sleep, lock the
browser resources so other iframe-based (independent) attacks cannot be
executed. Using asynchronous AJAX with onreadystate does not seem to work. 
But, of course, alert dialog can still be easily bypassed so web users can't
do anything to avoid a signle exploitation.

Regards,

Dimitris Strevinas
Chief Security Engineer / Obrela Security Industries


-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
Of Ben Lincoln (F7EFC8C9 - FD)
Sent: Wednesday, February 04, 2015 9:29 PM
To: fulldisclosure@...lists.org
Cc: bugs@...uritytracker.com; bugtraq@...urityfocus.com;
cve-assign@...re.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

So here's a possibly stupid question: is this entirely an IE flaw, or is it
tied to the use of Cloudflare by the targeted site as well as the attacking
site?

I ask because:

1 - I tried to reproduce the attack in a number of ways without using
CloudFlare, and was unsuccessful.
2 - Since I don't have access to a CloudFlare account, I used Burp to do a
find/replace for proxied response headers and bodies on
"www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which
does not use Cloudflare, then accessed the Deusen demo page. The injection
attempt failed.
3 - I then used Burp in the same way, but replaced
"www.dailymail.co.uk"/"dailymail.co.uk" with a target domain which
*does* use CloudFlare, and the injection attempt succeeded.

If this is true, am I correct in thinking that while this definitely
involves a vulnerability in IE, it also depends at least on targeting
website owners who use JavaScript hosted on shared domains (CloudFlare, in
this case), which is inherently riskier than hosting it all on one's own
domain due to the way cross-domain security works in modern browsers?

I don't have time to to a teardown on CloudFlare.JS, but does this also
depend on some sort of code vulnerability in that file?

Even if one or both of those caveats are true, it's a very impressive
exploit, but I'd like to make sure the label "universal" is actually
justified.

Sorry if this has already been discussed elsewhere. I couldn't find anything
when I looked.

- Ben

On 2015-02-02 12:53, Joey Fowler wrote:
> Hi David,
>
> "nice" is an understatement here.
>
> I've done some testing with this one and, while there *are* quirks, it 
> most definitely works. It even bypasses standard HTTP-to-HTTPS
restrictions.
>
> As long as the page(s) being framed don't contain X-Frame-Options 
> headers (with `deny` or `same-origin` values), it executes 
> successfully. Pending the payload being injected, most Content 
> Security Policies are also bypassed (by injecting HTML instead of
JavaScript, that is).
>
> It looks like, through this method, all viable XSS tactics are open!
>
> Nice find!
>
> Has this been reported to Microsoft outside (or within) this thread?
>
> --
> Joey Fowler
> Senior Security Engineer, Tumblr
>
>
>
> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@...sen.co.uk> wrote:
>
>> Deusen just published code and description here:
>> http://www.deusen.co.uk/items/insider3show.3362009741042107/
>> which demonstrates the serious security issue.
>>
>> Summary
>> An Internet Explorer vulnerability is shown here:
>> Content of dailymail.co.uk can be changed by external domain.
>>
>> How To Use
>> 1. Close the popup window("confirm" dialog) after three seconds.
>> 2. Click "Go".
>> 3. After 7 seconds, "Hacked by Deusen" is actively injected into 
>> dailymail.co.uk.
>>
>> Technical Details
>> Vulnerability: Universal Cross Site Scripting(XSS)
>> Impact: Same Origin Policy(SOP) is completely bypassed
>> Attack: Attackers can steal anything from another domain, and inject 
>> anything into another domain
>> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>>
>> If you like it, please reply "nice".
>>
>> Kind Regards,
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list 
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ