nsmail XSS hole (was Re: double decoding filter bypass (Hotmail) + challenge for you)

From: FozZy (fozzyat_private)
Date: Thu Jul 18 2002 - 15:12:24 PDT


    > Here's another one for you FozZY:
    
    Thx! No time for testing it since I am going on holidays, but surely it can be used against most webmails, in this commercial world where companies do not care about their users' privacy...
    
    I'd just like to show here why filters should be designed very carefully:
    The Netscape webmail (and maybe AOL's if it is the same engine, can someone test it?) has a very aggressive filter. And a weird one. It seems to try to delete anything that does not fit its needs, but in a kind of strange way, not easy to understand. However, it can be bypassed, by examining the output of the filter for different inputs and trying to understand its logic. When you understand the way the filter works, you can bypass it easily.
    So, if you design a filter, you should really think about the logic of your filter, and try to make it mathematically correct. If not, the cracker will find the flaws in your logic, and use them to bypass the filter.
    
    As an example, here is an nsmail exploit that used to fire javascript a couple of months ago (dunno if they changed anything since then; they could have cut off all html since the frog-frog advisory, which would be a good idea):
    <img <img src="j&#X41vascr&#x49pt:alert(document.cookie)">
    
    Really simple, only known stuff; the trick here is to use two img tags and let the flawed filter delete one of them for you! So the output after the work of the filter becomes:
    <img src="j&#X41vascr&#x49pt:alert(document.cookie)">
    
    That fires javascript. If I had put this line directly into an email, it would have been deleted by the filter. The two img tags are needed to exploit this badly designed filter.
    
    Conclusion: there are two ways to bypass a javascript filter. The http-equiv approach: using a new way to trigger javascript on some current browsers, with unfiltered html tags. And the usual approach in security audits: trying to find flaws in the design of the software (here, the filter).
    What is a secure design? It's a mathematically proven one. With filter rules, it can be done. But let me go on holidays for now ;)
    
    FozZy
    Hackademy & Hackerz Voice Director
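The point of the post above, that a filter which deletes one bad token in a single pass is not "mathematically correct", is easy to show with two small filters side by side. The following is an added example, not code from the post and not the real nsmail filter (whose internals are unknown); `naive_strip_filter` is a hypothetical model of the behaviour described (the first `<img` opener is removed, the second survives), and `allowlist_filter` is the defender's alternative: decode entities in `src`, check the scheme against an allowlist, and rebuild the output rather than subtracting from the input. The payload is the one quoted in the post.

```python
import html
import re

# The payload quoted in the post: two "<img" openers, one entity-obfuscated src.
NSMAIL_PAYLOAD = '<img <img src="j&#X41vascr&#x49pt:alert(document.cookie)">'


def naive_strip_filter(text):
    """Hypothetical model of a single-pass blacklist filter: delete the first
    '<img ' it sees and assume the remainder is harmless. The second opener
    becomes a perfectly valid tag, exactly as the post describes."""
    return re.sub(r'<img\s+', '', text, count=1)


def is_safe_url(raw_value):
    """Decode HTML entities (hex refs without ';' included, as browsers do),
    drop control characters and whitespace that browsers ignore inside a
    scheme, then allow only relative URLs, http and https."""
    decoded = html.unescape(raw_value)
    cleaned = re.sub(r'[\x00-\x20]', '', decoded)
    scheme = cleaned.split(':', 1)[0].lower() if ':' in cleaned else ''
    return scheme in ('', 'http', 'https')


def canonical_url(raw_value):
    """The decoded, cleaned form of a src value, for re-emission."""
    return re.sub(r'[\x00-\x20]', '', html.unescape(raw_value))


def allowlist_filter(text):
    """Rebuild the output from scratch: text outside tags is copied, an <img>
    is re-emitted only as '<img src="...">' with a vetted URL, and every other
    tag (including any malformed '<img <img ...>' blob) is dropped whole."""
    out = []
    pos = 0
    for m in re.finditer(r'<[^>]*>', text):
        out.append(text[pos:m.start()])
        tag = m.group(0)
        src = re.match(r'<img\b[^>]*?\bsrc\s*=\s*"([^"]*)"[^>]*>', tag, re.I)
        if src and is_safe_url(src.group(1)):
            out.append('<img src="%s">' % html.escape(canonical_url(src.group(1)), quote=True))
        # anything else is not on the allowlist and does not reach the output
        pos = m.end()
    out.append(text[pos:])
    return ''.join(out)


def is_idempotent(filter_fn, sample):
    """A filter whose second pass changes its own first-pass output is
    subtracting tokens rather than enforcing a property; that is the gap the
    two-openers trick drives through."""
    once = filter_fn(sample)
    return filter_fn(once) == once


if __name__ == '__main__':
    print('naive    :', naive_strip_filter(NSMAIL_PAYLOAD))
    print('allowlist:', repr(allowlist_filter(NSMAIL_PAYLOAD)))
    print('naive idempotent?    ', is_idempotent(naive_strip_filter, NSMAIL_PAYLOAD))
    print('allowlist idempotent?', is_idempotent(allowlist_filter, NSMAIL_PAYLOAD))
```

Running it shows the naive filter emitting the exact line the post gives as its output, while the allowlist filter emits nothing for the payload and passes a plain `<img src="http://...">` through unchanged. The idempotency check is a cheap unit test to keep in a filter's test suite: if filtering the filter's own output changes it, the filter is stripping patterns instead of enforcing an invariant.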
    



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 15:28:18 PDT