| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <54D43956.7010800@deusen.co.uk>
Date: Fri, 06 Feb 2015 11:47:34 +0800
From: David Leo <david.leo@...sen.co.uk>
To: "Barkley, Peter" <peter.barkley@....com>,
'Zaakiy Siddiqui' <zaakiy@...con.com.au>, Joey Fowler <joey@...blr.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"bugs@...uritytracker.com" <bugs@...uritytracker.com>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
'could you share the contents of "1.php"?'
Sure:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
"I'm assuming it is a delayed re-direct to the target's domain?"
Exactly. :-)
"the cloudflare scripts"
It's been tested without them.
Kind Regards,
On 2015/2/6 2:31, Barkley, Peter wrote:
> Thanks Zaakiy,
>
> I'm able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in the exploit html page.
>
> David, could you share the contents of "1.php"? I'm assuming it is a delayed re-direct to the target's domain? I am unable to reproduce the exploit locally with the same code (assuming my 1.php is correct), though without the cloudflare scripts.
>
> Thanks,
> Peter
>
>
> Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada
>
>
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Zaakiy Siddiqui
> Sent: 2015, February, 04 6:46 PM
> To: David Leo; Joey Fowler
> Cc: fulldisclosure@...lists.org; bugs@...uritytracker.com; bugtraq@...urityfocus.com; cve-assign@...re.org
> Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
>
> Hi David,
>
> Nice one…great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.
>
> I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11).
>
> I can also confirm that IE 10 is affected.
>
> IE 9 appears to not be vulnerable. Screenshots below.
>
> Regards,
> Zaakiy Siddiqui
>
>
> IE 11 Spartan - vulnerable (Windows 10)
>
> [cid:Image1466.png@...56f08dd75bb]
>
> [cid:Image1487.png@...56f6487b5d0]
>
>
> IE 10 - vulnerable (Windows 7)
> [cid:Image1485.jpg@...56f5f5025ce]
>
> IE 9 - not vulnerable (Windows 7)
>
> [cid:Image1503.jpg@...56fa3c785e0]
>
>
> From: David Leo<mailto:david.leo@...sen.co.uk>
> Sent: Wednesday, 4 February 2015 11:13 PM
> To: Joey Fowler<mailto:joey@...blr.com>
> Cc: bugtraq@...urityfocus.com<mailto:bugtraq@...urityfocus.com>, fulldisclosure@...lists.org<mailto:fulldisclosure@...lists.org>, bugs@...uritytracker.com<mailto:bugs@...uritytracker.com>, cve-assign@...re.org<mailto:cve-assign@...re.org>
>
> Microsoft was notified on Oct 13, 2014.
>
> Joey thank you very much for your words.
>
> Kind Regards,
>
> On 2015/2/3 4:53, Joey Fowler wrote:
>> Hi David,
>>
>> "nice" is an understatement here.
>>
>> I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>>
>> As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).
>>
>> It looks like, through this method, all viable XSS tactics are open!
>>
>> Nice find!
>>
>> Has this been reported to Microsoft outside (or within) this thread?
>>
>> --
>> Joey Fowler
>> Senior Security Engineer, Tumblr
>>
>>
>>
>> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@...sen.co.uk <mailto:david.leo@...sen.co.uk>> wrote:
>>
>> Deusen just published code and description here:
>> http://www.deusen.co.uk/items/__insider3show.3362009741042107/ <http://www.deusen.co.uk/items/insider3show.3362009741042107/>
>> which demonstrates the serious security issue.
>>
>> Summary
>> An Internet Explorer vulnerability is shown here:
>> Content of dailymail.co.uk <http://dailymail.co.uk> can be changed by external domain.
>>
>> How To Use
>> 1. Close the popup window("confirm" dialog) after three seconds.
>> 2. Click "Go".
>> 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk <http://dailymail.co.uk>.
>>
>> Technical Details
>> Vulnerability: Universal Cross Site Scripting(XSS)
>> Impact: Same Origin Policy(SOP) is completely bypassed
>> Attack: Attackers can steal anything from another domain, and inject anything into another domain
>> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>>
>> If you like it, please reply "nice".
>>
>> Kind Regards,
>>
>>
>> _________________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/__listinfo/fulldisclosure <https://nmap.org/mailman/listinfo/fulldisclosure>
>> Web Archives & RSS: http://seclists.org/__fulldisclosure/ <http://seclists.org/fulldisclosure/>
>>
>
> _______________________________________________________________________
> If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.
>
> Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future.
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists