Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Inferno
Date: May 11, 2009 11:47PM

Hi Ha.ckers,

I have been able to exploit the utf-7 charset inheritance fix that was done in IE8.
More information is available at my blog -
http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

-
Inferno
SecureThoughts.com

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Gareth Heyes
Date: May 12, 2009 02:43AM

Very nice attack, good work.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Inferno
Date: May 12, 2009 03:13AM

@Gareth - thanks for your compliments.

I also wanted to get some suggestions from you and other hacker folks on exploitability scenarios for this. I see Secunia's earlier advisories on the UTF-7 charset inheritance attack were rated 'less critical' [back in 2007]. However, I feel that if I find an open redirection flaw on the same vulnerable site, then the exploitability level becomes similar to a reflected XSS attack.

-
Inferno
SecureThoughts.com

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Gareth Heyes
Date: May 12, 2009 04:01AM

If it requires an open redirection and an XSS flaw then you could argue it's less critical; however, a UTF-7 encoded string is unlikely to be filtered, such as:- +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-

So I'd see it as in-between because it requires a specific redirection. If you could make it work via a cross domain redirect then I'd see it as critical because you could then inject UTF-7 strings on any web site.

Lastly, what happens when a charset already exists? If the charset isn't overwritten and has to be injected before the existing charset, then it's less critical.

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: kuza55
Date: May 12, 2009 10:14PM

Gareth Heyes Wrote:
-------------------------------------------------------
> So I'd see it as in-between because it requires a
> specific redirection. If you could make it work
> via a cross domain redirect then I'd see it as
> critical because you could then inject UTF-7
> strings on any web site.

Cross-domain redirects work; have a look at the PoC - http://www.securethoughts.com/security/ie8utf7/ie8utf-7.html

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Gareth Heyes
Date: May 13, 2009 02:11AM

@kuza55

Yeah, I've seen the HTTP headers now. Inferno said it requires an open redirection on the site, but if this can be any site, that is completely different.

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Inferno
Date: May 13, 2009 09:47AM

@Gareth, I think my question was a little confusing, sorry about that.

My POC is based on cross domain redirects and you can inject utf-7 strings on any site, as kuza55 said.

The question I had was that this attack requires that a user visit an evil site. I think this might be considered less likely compared to a user clicking a link on his trusted domain. So, I thought that finding an open redirection on the trusted domain can allow me to compose a URL that looks to be coming from the trusted domain, but instead redirects to my evil site where this attack gets executed.

I raised this question as Secunia marked this issue as less critical. I thought this was done because it required the user visiting the evil site. However, I have now confirmed that Secunia marks all reflected XSS vulnerabilities as less critical as well.

-
Inferno
SecureThoughts.com

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Matt Presson
Date: May 13, 2009 11:49AM

Nice find, but if I set a meta tag on all of my pages stating the charset encoding, would this render the attack useless?

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Gareth Heyes
Date: May 13, 2009 01:30PM

@Matt

It would probably depend on where the injection takes place, if it's before or after the meta tag. I've not tested this though.

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: lightos
Date: May 13, 2009 02:42PM

Tested it and works just as Gareth predicted.
Nice discovery Inferno!

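As an added illustration (not code from the thread, the PoC, or any project mentioned here), the following Python decodes the UTF-7 string Gareth quoted and classifies a response by where its charset is pinned, which is the question Matt raised and lightos tested; the header dict and sample page bodies are constructed for the example.

```python
import codecs
import re

# UTF-7 payload quoted in the thread; it decodes to a plain <script> tag.
UTF7_PAYLOAD = "+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-"

# A UTF-7 shift sequence: '+', modified base64, optionally closed by '-'.
SHIFT_RE = re.compile(r"\+[A-Za-z0-9+/]+-?")
# Any <meta> tag that declares a charset (http-equiv form or <meta charset>).
META_CHARSET_RE = re.compile(r"<meta[^>]*charset\s*=", re.I)


def decode_utf7(text: str) -> str:
    """Decode a UTF-7 string the way a browser in UTF-7 mode would."""
    return codecs.decode(text.encode("ascii"), "utf-7")


def suspicious_utf7(text: str) -> list:
    """Return decoded shift sequences that would yield HTML markup characters."""
    hits = []
    for match in SHIFT_RE.finditer(text):
        try:
            decoded = decode_utf7(match.group(0))
        except UnicodeDecodeError:
            continue  # e.g. the "+1" in "1+1=2" is not a valid shift sequence
        if any(c in decoded for c in "<>\"'"):
            hits.append(decoded)
    return hits


def assess_response(headers: dict, body: str) -> str:
    """Classify how a response pins its charset, from strongest to weakest.

    `headers` is a constructed dict keyed by exact header name."""
    content_type = headers.get("Content-Type", "")
    if re.search(r"charset=", content_type, re.I):
        return "declared-in-header"      # browser never has to guess
    meta = META_CHARSET_RE.search(body)
    if meta is None:
        return "undeclared"              # fully open to charset sniffing
    if suspicious_utf7(body[: meta.start()]):
        return "meta-after-injection"    # the case Matt asked about
    return "declared-in-meta"            # the ordering the Drupal fix enforces


if __name__ == "__main__":
    print(decode_utf7(UTF7_PAYLOAD))
    page = "<html><head><title>+ADw-x</title><meta charset=utf-8></head></html>"
    print(assess_response({"Content-Type": "text/html"}, page))
```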
Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: kuza55
Date: May 14, 2009 06:07AM

Inferno Wrote:
-------------------------------------------------------
> Hi Ha.ckers,
>
> I have been able to exploit the utf-7 charset
> inheritance fix that was done in IE8.
> More information is available at my blog -
> http://securethoughts.com/2009/05/exploiting-ie8-u
> tf-7-xss-vulnerability-using-local-redirection/


Btw, I was a bit rushed when I saw this yesterday (was already running late for uni >_<), and forgot to say: nice work! That's going to make our lives much easier until IE9 rolls around :D

Btw, someone showed me this drupal bug: http://drupal.org/node/449078 which seems to indicate that someone either doesn't know what they're talking about or has found a way to bypass content-types in headers:
> Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

Does anyone here know anything about this?

Edited 1 time(s). Last edit at 05/14/2009 06:07AM by kuza55.

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: Inferno
Date: May 14, 2009 10:49AM

Hi Alex,

I have analyzed their patch [http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch] and the only thing they do is move the meta tags before the title tag to prevent any utf-7 injection. I don't think browsers ignore the utf-8 specified in the http response headers, otherwise there could be tons of security issues to exploit :).

+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+ // Make sure that the charset is always specified as the first element of the
+ // head region to prevent encoding-based attacks.
+ return preg_replace('/<head[^>]*>/i', "\$0\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />", $content, 1);
+}
+
+/**
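Review bot: at the `preg_replace` line, the fix only takes effect when `$content` actually contains a `<head ...>` tag; when it does not, the call returns the input unchanged and no charset declaration is added, so callers should keep sending `Content-Type: text/html; charset=utf-8` in the HTTP response as the primary control rather than rely on this function. Two smaller points: the pattern `/<head[^>]*>/i` also matches `<header ...>`, which is only safe because the limit argument `1` stops at the first match and `<head>` precedes any `<header>`; and the replacement adds a second `<meta http-equiv="Content-Type">` when the template already carries one, which is harmless but worth a sentence in the comment above the `return`.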

-
Inferno
SecureThoughts.com

Re: Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
Posted by: kuza55
Date: May 15, 2009 07:02AM

Inferno Wrote:
-------------------------------------------------------
> Hi Alex,
>
> I have analyzed their patch and the only thing
> they do is move the meta tags before the title tag
> to prevent any utf-7 injection. I don't think
> browsers ignore the utf-8 specified in the http
> response headers, otherwise there could be tons of
> security issues to exploit :).
>
> + * Make any final alterations to the rendered
> xhtml.
> + */
> +function drupal_final_markup($content) {
> + // Make sure that the charset is always
> specified as the first element of the
> + // head region to prevent encoding-based
> attacks.
> + return preg_replace('/]*>/i', "\$0\n",
> $content, 1);
> +}
> +
> +/**


That's pretty much my thinking as well, but there's always some 0day floating around... :)
