Re: double decoding filter bypass (Hotmail) + challenge for you

From: FozZy (fozzyat_private)
Date: Thu Jul 18 2002 - 14:45:22 PDT


    Time to give full details to people who did not get it yet. Indeed, it seems that it was not so obvious.
    To exploit the double html-entity decoding to bypass Hotmail filters, we could replace any letter inside a filtered keyword contained in an html parameter like this:
        A ->  &amp;#x41
    Single encoding of "A" is &#x41 and html entity encoding of "&" is &amp;
    (we could also encode the # or the x to have double-encoding)
    
    What happens is :
    
    input message
      &amp;#x41
         |
         |
    filter modifies input
    by interpreting html entities:
    &amp;#x41 ->  &#x41
         |
         |
    filter tries to get rid of any "A" letter
    but there is none, so lets it go !
         |
        \|/
    output message (different from input !) :
      &#x41
         |
        \|/
    the client browser interprets
    the html entities and sees:
         A
    
    A successful proof of concept exploit was:
    <P STYLE="left:expression(ev&amp;#x61;l('alert(document.cookie'))">  
    
    (the "eval" keyword was filtered by Hotmail)
    
    FozZy
    
    
    On Mon, 15 Jul 2002 04:25:47 +0200
    FozZy <fozzyat_private> wrote:
    
    > I provide the details of the vulnerability here (without the exploit) so that people programming filters of *any* kind can think about it, and maybe fix their broken code. Better realize that now than never.
    > So what about Hotmail ? Well, where can we put unicode in an html message ? Into an url as %xx, yep, but that's not the point here. There is a thing called "html entities" : you can replace *any* printable character by its ascii/unicode value in the values of the parameters of html tags, for instance in the parameters of the STYLE tag (hint !).  "A" is &#x41, "B" is &#x42, etc.
    > What the hotmail filter did is replacing any html entity by its corresponding character, then trying to filter out any bad string (forbidden keywords), THEN giving the output to the user, without re-applying the filter on this output. But, if there are still html entities in this output, the user's browser will interpret them, which will possibly give birth to some interesting forbidden keywords... and fire a script.
    > The double decoding issue in IIS was triggered by things like %252e where %25 is the hex unicode value for '%'. I let you find the equivalent for html entities, it is obvious.
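The filter ordering problem described in both messages above (decode once, blacklist, then hand the decoded text to a browser that decodes again), modelled as an added example; this is not FozZy's code nor Hotmail's, and the keyword list, the function names and the eight-round cap are assumptions made for the demonstration. `naive_filter` reproduces the flawed sequence, `canonicalize` decodes both html entities and percent-encoding to a fixed point so that the IIS-style `%252e` case and the `&amp;#x61;` case are handled by the same check, and `hardened_filter` inspects that canonical form and re-escapes on output so the consumer sees exactly what was inspected:

```python
import html
from urllib.parse import unquote

# Constructed keyword list standing in for the kind of blacklist the post
# describes ("eval" was filtered). "expression" is deliberately absent
# because the posted proof of concept relied on it passing.
BLOCKED_KEYWORDS = ("eval", "javascript", "script")


def naive_filter(value: str) -> str:
    """Model of the flawed sequence from the post: decode entities once,
    strip blocked keywords, then emit the *decoded* text unchanged."""
    decoded = html.unescape(value)
    lowered = decoded.lower()
    for kw in BLOCKED_KEYWORDS:
        idx = lowered.find(kw)
        while idx != -1:
            # crude case-insensitive removal, mirroring a keyword blacklist
            decoded = decoded[:idx] + decoded[idx + len(kw):]
            lowered = decoded.lower()
            idx = lowered.find(kw)
    return decoded


def browser_view(attribute_value: str) -> str:
    """A browser decodes character references in an attribute value once more,
    which is the second decoding pass the filter never saw."""
    return html.unescape(attribute_value)


def canonicalize(value: str, max_rounds: int = 8) -> str:
    """Decode html entities and percent-encoding until nothing changes, so that
    nested layers (&amp;#x61; or %252e) cannot hide a keyword from the check.
    max_rounds is a cap chosen for this example, not a standard value."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            return current
        current = decoded
    raise ValueError("input needed more than %d decoding rounds" % max_rounds)


def hardened_filter(value: str) -> str:
    """Check the fully decoded form, then re-escape on output so the browser
    sees exactly the string the filter inspected and nothing hidden below it."""
    canon = canonicalize(value)
    lowered = canon.lower()
    for kw in BLOCKED_KEYWORDS:
        if kw in lowered:
            raise ValueError("blocked keyword %r present after full decoding" % kw)
    return html.escape(canon, quote=True)


def trace(payload: str) -> dict:
    """Run one payload through both filters and report what a browser would
    finally see in each case (None output means the hardened filter rejected it)."""
    naive_out = naive_filter(payload)
    try:
        hardened_out = hardened_filter(payload)
        hardened_browser = browser_view(hardened_out)
    except ValueError as exc:
        hardened_out, hardened_browser = None, str(exc)
    return {
        "naive_filter_output": naive_out,
        "naive_browser_sees": browser_view(naive_out),
        "hardened_filter_output": hardened_out,
        "hardened_browser_sees": hardened_browser,
    }


if __name__ == "__main__":
    # constructed samples: the double-encoded keyword from the post, an
    # IIS-style double percent-encoding, and a harmless entity
    for sample in ("ev&amp;#x61;l", "%252e", "a &amp; b"):
        print(repr(sample), "->", trace(sample))
```

With the first sample, `naive_filter` returns `ev&#x61;l`, which contains no blocked keyword, and `browser_view` of that output is `eval`; `hardened_filter` rejects the same input because `canonicalize` reaches `eval` before the check runs. The general rule the two messages point at: apply the filter to the same representation the consumer will interpret, and make sure nothing between the filter and the consumer decodes again.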
    



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 13:37:52 PDT