SLA.CKERS.ORG
HA.CKERS SLACKING
sla.ckers.org web application security lab forums
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: nmcfeters (IP Logged)
Date: July 24, 2007 03:39PM

Rios, Raghav, and I are back with more. Of course, everyone's been wondering, pointing fingers, who's fault is all this Cross Application/Browser Scripting stuff? We've been saying it's everyone's fault... the proof is in your browser.

The following page (http://xs-sniper.com/blog/remote-command-exec-firefox-2005/) outlines a number of command injection flaws within Firefox 2.0.5 (and up to the new 3.0 alpha), Netscape Navigator 9, and Mozilla. These command injections are leverageable from a Cross Site Scripting attack.

Commend Mozilla for the quick response to the original issue that was posted, which has been blamed on IE/Mozilla/My Mom/Billy's Sister and everyone in between. They certainly handled it quickly. Hopefully these will be handled quickly as well, but I think the point is that the blame goes across the board. The browsers that recognized the URIs and allow special characters to be passed, the developers who created and registered the URIs. We should also commend Trillian (Cerulean Studios) for the quick response and patch.

The cat is out of the bag, it's time to stop pointing fingers. The fix is to remove these URIs, not just sanitize the input. There will be more coming.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: Anonymous User (IP Logged)
Date: July 24, 2007 09:01PM

This is terrible, really.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: hackathology (IP Logged)
Date: July 25, 2007 12:39AM

Thumbs up to you. Cool shit!! Blog about it in my blog, do check it out.

[hackathology.blogspot.com]

Edited 1 time(s). Last edit at 07/25/2007 01:16AM by hackathology.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: ma1 (IP Logged)
Date: July 25, 2007 02:05AM

You may want to add that the relevant Mozilla bug was fixed 2 days ago.
This means that already available Minefield builds and Firefox 2.0.0.6 release candidates are immune.

Furthermore, NoScript 1.1.6.06 (released yesterday) gives early protection against this exploit for those stuck with stable 2.0.0.5.

Nevertheless, URI handlers (in their Windows implementation, at least) are definitely evil...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: hackathology (IP Logged)
Date: July 25, 2007 03:10AM

thanks ma1

[hackathology.blogspot.com]

Edited 1 time(s). Last edit at 07/25/2007 03:10AM by hackathology.

Re: Cross Application Scripting 3 (All your browsers are belong to us)
Posted by: .mario (IP Logged)
Date: July 25, 2007 03:23AM

Plus - you can of course wrap any of those URIs in base64 and trigger the execution via dataURL.

PoC
------ removed ------

Again, it's possible to obfuscate with spaces, use arbitrary charsets (UTF16, UTF7...)

Greetings,
.mario

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Edited 1 time(s). Last edit at 07/26/2007 02:38PM by .mario.