Hi Ha.ckers,

I have been able to exploit the utf-7 charset inheritance fix that was done in IE8.
More information is available at my blog -
http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

-
Inferno
SecureThoughts.com

Very nice attack good work

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth - thanks for your compliments.

i also wanted to get some suggestions from you, other hacker folks on exploitability scenarios for this. I see secunia earlier advisories on utf-7 charset inheritance attack was 'less critical' [back in 2007], However, i feel that if I find a open redirection flaw on the same vulnerable site, then the exploitability level becomes similar as reflected XSS attack.

-
Inferno
SecureThoughts.com

If it requires a open redirection and a XSS flaw then you could argue it's less critical however a UTF-7 encoded string is unlikely to be filtered such as :- +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-

So I'd see it as in-between because it requires a specific redirection. If you could make it work via a cross domain redirect then I'd see it as critical because you could then inject UTF-7 strings on any web site.

Lastly what happens when a charset already exists? If the charset isn't overwritten and has to be injected before the existing charset then it's less critical.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Gareth Heyes Wrote:
-------------------------------------------------------
> So I'd see it as in-between because it requires a
> specific redirection. If you could make it work
> via a cross domain redirect then I'd see it as
> critical because you could then inject UTF-7
> strings on any web site.

cross-domain redirects work, have a look at the PoC - http://www.securethoughts.com/security/ie8utf7/ie8utf-7.html

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

@kuza55

Yeah I've seen the http headers now. Inferno said it requires a open redirection on the site but if this can be any site that is completely different

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth, I think my question was a little confusing, sorry about that.

My POC is based on cross domain redirects and you can inject utf-7 strings on any site, as kuza55 said.

the question i had was that this attack requires that a user visit a evil site. i think this might be considered less likely as compared to a user clicking a link on his trusted domain. So, I thought that finding a open redirection on the trusted domain can allow me to compose a url that looks to coming from the trusted domain, but instead redirects to my evil site where this attack gets executed.

I raised this question as secunia marked this issue as less critical. I thought this was done because it required user visiting the evil site. However, i have now confirmed that secunia marks all reflected xss vulnerabilities as less critical as well.

-
Inferno
SecureThoughts.com

Nice find, but if I set a meat tag on all of my pages stating the charset encoding, would this render the attack useless?

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

@Matt

It would probably depend where the injection takes place, if it's before or after the meta tag. I've not tested this though

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Tested it and works just as Gareth predicted.
Nice discovery Inferno!

Inferno Wrote:
-------------------------------------------------------
> Hi Ha.ckers,
>
> I have been able to exploit the utf-7 charset
> inheritance fix that was done in IE8.
> More information is available at my blog -
> http://securethoughts.com/2009/05/exploiting-ie8-u
> tf-7-xss-vulnerability-using-local-redirection/


Btw, I was a bit rushed when I saw this yesterday (was already running late for uni >_<), and forgot to say: nice work! That's going to make our lives much easier untill IE9 rolls around :D

Btw, someone showed me this drupal bug: http://drupal.org/node/449078 which seems to indicate that someone either doesn't know what they're talking about or has found a way to bypass content-types in headers:

Quote

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

Does anyone here know anything about this?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]



Edited 1 time(s). Last edit at 05/14/2009 06:07AM by kuza55.

Hi Alex,

I have analyzed their patch [http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch] and the only thing they do is move the meta tags before the title tag to prevent any utf-7 injection. I don't think browsers ignore the utf-8 specified in the http response headers, otherwise there could be tons of security issues to exploit :).

+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+ // Make sure that the charset is always specified as the first element of the
+ // head region to prevent encoding-based attacks.
+ return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**

-
Inferno
SecureThoughts.com

Inferno Wrote:
-------------------------------------------------------
> Hi Alex,
>
> I have analyzed their patch and the only thing
> they do is move the meta tags before the title tag
> to prevent any utf-7 injection. I don't think
> browsers ignore the utf-8 specified in the http
> response headers, otherwise there could be tons of
> security issues to exploit :).
>
> + * Make any final alterations to the rendered
> xhtml.
> + */
> +function drupal_final_markup($content) {
> + // Make sure that the charset is always
> specified as the first element of the
> + // head region to prevent encoding-based
> attacks.
> + return preg_replace('/]*>/i', "\$0\n",
> $content, 1);
> +}
> +
> +/**


That's pretty much my thinking as well, but there's always some 0day floating around... :)

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]