lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 27 Jun 2019 11:37:52 +0200
From: Zmx <larouanne@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [XSS] IFrame Buster tools and news

*History*
Almost two years ago I reported to the full disclosure list my finding
about the usage of IFrameBusterKit (often provided by Google) in order to
help advertising.

Sadly a lot of those file (that you host on your own domain) have really
easy XSS include in them.

After the report, Google quickly remove most of the kit, and email user to
warn them about removing those file:
https://support.google.com/admanager/answer/7622991

*The Tools*
As of today, a lot of those file are still present on a lot of websites,
and are not detected by any tools that I know, that's the reason I created
the following scripts:
https://github.com/tr4l/iframeBusterXSS

The script simply scan for know URL (way more than on the original report
from Google), and check some regexp to ensure the content seems to be what
we look for.

The docs section contains sample file that I gathered on real website, and
for some of them a PoC on how to trigger the XSS.

*Proof of concept*
My last work was on two (not fully explained here) proof of concept for the
most used IframeBuster file:
- eyeblaster/addineyeV2.html
- doubleclick/DARTIframe.html (the one use by Google)

*Eyeblaster*
eyeblaster is now handled by a group name sizmek.com
I already reported the issue present on the GitHub repository, and they
have badly patch it. I also have reported the new XSS a month ago, without
any feedback (and I didn't get any feedback for the first fix, not even a
thank you.)

In order to achieve the XSS, you simply need to create an Iframe to the
Iframe Buster File (like what a regular ads will do)

Then you post a message to this windows of the type "ebVerifyInnerIframe'.

postMessage('{"type":"ebVerifyInnerIframe",
"data":{"ebProtocol":"data:","ebBs":"text/javascript,alert();var x=/
bs.serving-sys.com/.source;//#https://"}}','*');

More details in
https://github.com/tr4l/iframeBusterXSS/blob/master/docs/examples/eyeblaster/poc.txt

Website have removed those file thanks to the tools
- www.forbes.com
- lemonde.fr
- tf1.fr
- gizmodo.com

*Doubleclick*
Now, we talk about the most iframe buster kit.
First, the loader use a very limited range of possible script to be
injected:
//s0.2mdn.net/879366/DARTIFrame_' + gtVersion + '.js
However, we can found that the number of scripts that exists are  long
enough to be investigated:
- DARTIFrame_200_xxx.js with xxx any value between 10 and at least 246.
- DARTIFrame_lidar.js
- DARTIFrame_relay_200_XXX.js (same rules)

The doubleClick Iframe allow the use of several "protocol" for the
transport of "command".
- postMessage
- RelayIframe
- etc ...
The protocol can be change when you call the iframe with the xpc param:
dart-iframe.html?gtVersion=200_246&mediaserver=https%3A%2F%2Fs0.2mdn.net
%2F879366&xpc={THE_XPC_IN_JSON}

A typical IFrame tree look like:
yourwebsite
   -> IFrame with the ads (not on local website)
      -> Iframe with the buster file.
After exchanging some message to setup the transport channel, the main
website will send message with .JS to be loaded to the iframe buster file.
Once the message is read and executed, the iframe will stop listening.

I haven't found a way to call the buster frame directly (like the
eyeblaster one), as the Google Iframe try to get access to the window of
parent.parent which is not possible if we are on different domain.

However, this seems to be theoratically possible to do a race with the
legit postMessage before the iframe stop to listen.

Other protocol than postmessage may also have some other flow.

*Contribute*
I would be really happy if some of you can contribute, in different aspect
of the tools:
- informe me if you know any buster file that are not yet listed here. I
had to gather several sources to try to get the most exhaustive list
- you can try yourself to provide PoC for the one I have done yet
- copy the work on other tools that already gather this kind of data
(Burp/Zap/grenbone, etc ...)
- get a look at the Google one

I will be in the amazing hack conference https://lehack.org next week in
Paris. Probably with a nice hoodie with "Zmx" on it provide by
https://twitter.com/hacklabesgi so feel free to came and talk if you want
to have more details.

Thanks to Randy Westergren for the nice article on the subject.

Tr4l/Zmx
- https://twitter.com/Tr4LSecurity

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists