[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
- To: David Leo <david.leo@xxxxxxxxxxxx>
- Subject: Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
- From: Shawn Hsiao <phsiao@xxxxxxxxxxxxxxx>
- Date: Mon, 9 Feb 2015 14:09:33 +0000
Not sure what you think about this one. It appears to be a bug with IE.
---
// Shawn
On Feb 5, 2015, at 12:06 AM, David Leo <david.leo@xxxxxxxxxxxx> wrote:
> "is this entirely an IE flaw"
> Yes.
>
> "is it tied to the use of Cloudflare"
> No.
>
> "I tried to reproduce... was unsuccessful"
> Likely, this detail is missing:
> <?php
> sleep(2);
> header("Location: http://www.dailymail.co.uk/robots.txt";);
> ?>
> Please tell us whether you reproduce(with the PHP code).
>
> "am I correct... JavaScript hosted on shared domains"
> In the demo, it's first injected into page without any JavaScript.
> (robots.txt)
>
> "I don't have time to to a teardown on CloudFlare.JS"
> Honestly we don't even know such file exists :-)
> We uploaded and took a screenshot - that's all.
>
> "it's a very impressive exploit"
> Thanks.
>
> 'make sure the label "universal" is actually justified'
> It has also been tested against Yahoo etc.
>
> "Sorry if this has already been discussed elsewhere"
> Many asked - for example:
> http://www.milw00rm.com/exploits/7057
>
> Again, please tell us whether you reproduce with the PHP code.
>
> Kind Regards,
>
> On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote:
>> So here's a possibly stupid question: is this entirely an IE flaw, or is it
>> tied to the use of Cloudflare by the targeted site as well as the attacking
>> site?
>>
>> I ask because:
>>
>> 1 - I tried to reproduce the attack in a number of ways without using
>> CloudFlare, and was unsuccessful.
>> 2 - Since I don't have access to a CloudFlare account, I used Burp to do a
>> find/replace for proxied response headers and bodies on
>> "www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which
>> does not use Cloudflare, then accessed the Deusen demo page. The injection
>> attempt failed.
>> 3 - I then used Burp in the same way, but replaced
>> "www.dailymail.co.uk"/"dailymail.co.uk" with a target domain which *does*
>> use CloudFlare, and the injection attempt succeeded.
>>
>> If this is true, am I correct in thinking that while this definitely
>> involves a vulnerability in IE, it also depends at least on targeting
>> website owners who use JavaScript hosted on shared domains (CloudFlare, in
>> this case), which is inherently riskier than hosting it all on one's own
>> domain due to the way cross-domain security works in modern browsers?
>>
>> I don't have time to to a teardown on CloudFlare.JS, but does this also
>> depend on some sort of code vulnerability in that file?
>>
>> Even if one or both of those caveats are true, it's a very impressive
>> exploit, but I'd like to make sure the label "universal" is actually
>> justified.
>>
>> Sorry if this has already been discussed elsewhere. I couldn't find anything
>> when I looked.
>>
>> - Ben
>>
>> On 2015-02-02 12:53, Joey Fowler wrote:
>>> Hi David,
>>>
>>> "nice" is an understatement here.
>>>
>>> I've done some testing with this one and, while there *are* quirks, it most
>>> definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>>>
>>> As long as the page(s) being framed don't contain X-Frame-Options headers
>>> (with `deny` or `same-origin` values), it executes successfully. Pending
>>> the payload being injected, most Content Security Policies are also
>>> bypassed (by injecting HTML instead of JavaScript, that is).
>>>
>>> It looks like, through this method, all viable XSS tactics are open!
>>>
>>> Nice find!
>>>
>>> Has this been reported to Microsoft outside (or within) this thread?
>>>
>>> --
>>> Joey Fowler
>>> Senior Security Engineer, Tumblr
>>>
>>>
>>>
>>> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@xxxxxxxxxxxx> wrote:
>>>
>>>> Deusen just published code and description here:
>>>> http://www.deusen.co.uk/items/insider3show.3362009741042107/
>>>> which demonstrates the serious security issue.
>>>>
>>>> Summary
>>>> An Internet Explorer vulnerability is shown here:
>>>> Content of dailymail.co.uk can be changed by external domain.
>>>>
>>>> How To Use
>>>> 1. Close the popup window("confirm" dialog) after three seconds.
>>>> 2. Click "Go".
>>>> 3. After 7 seconds, "Hacked by Deusen" is actively injected into
>>>> dailymail.co.uk.
>>>>
>>>> Technical Details
>>>> Vulnerability: Universal Cross Site Scripting(XSS)
>>>> Impact: Same Origin Policy(SOP) is completely bypassed
>>>> Attack: Attackers can steal anything from another domain, and inject
>>>> anything into another domain
>>>> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>>>>
>>>> If you like it, please reply "nice".
>>>>
>>>> Kind Regards,
>>>>
>>>>
>>>> _______________________________________________
>>>> Sent through the Full Disclosure mailing list
>>>> https://nmap.org/mailman/listinfo/fulldisclosure
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> https://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>