Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Suspicious URL:Re: Major Internet Explorer Vulnerability - NOT Patched

From: Christoph Gruber <list () guru at>
Date: Tue, 10 Feb 2015 09:06:38 +0100
I love "Suspicious URL".
It reminds me the microsoft KB article speaking of "Malicious Hyperlink"

"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them."
in http://support.microsoft.com/kb/833786/en-us


-- 
Christoph Gruber

Am 09.02.2015 um 15:09 schrieb Shawn Hsiao <phsiao () tripadvisor com>:



Not sure what you think about this one.    It appears to be a bug with IE.

---
// Shawn




On Feb 5, 2015, at 12:06 AM, David Leo <david.leo () deusen co uk> wrote:


"is this entirely an IE flaw"
Yes.

"is it tied to the use of Cloudflare"
No.

"I tried to reproduce... was unsuccessful"
Likely, this detail is missing:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt";);
?>
Please tell us whether you reproduce(with the PHP code).

"am I correct... JavaScript hosted on shared domains"
In the demo, it's first injected into page without any JavaScript.
(robots.txt)

"I don't have time to to a teardown on CloudFlare.JS"
Honestly we don't even know such file exists :-)
We uploaded and took a screenshot - that's all.

"it's a very impressive exploit"
Thanks.

'make sure the label "universal" is actually justified'
It has also been tested against Yahoo etc.

"Sorry if this has already been discussed elsewhere"
Many asked - for example:
http://www.milw00rm.com/exploits/7057

Again, please tell us whether you reproduce with the PHP code.

Kind Regards,

On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote:

So here's a possibly stupid question: is this entirely an IE flaw, or is it tied to the use of Cloudflare by the 
targeted site as well as the attacking site?

I ask because:

1 - I tried to reproduce the attack in a number of ways without using CloudFlare, and was unsuccessful.
2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied response 
headers and bodies on "www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which does not use 
Cloudflare, then accessed the Deusen demo page. The injection attempt failed.
3 - I then used Burp in the same way, but replaced "www.dailymail.co.uk"/"dailymail.co.uk" with a target domain 
which *does* use CloudFlare, and the injection attempt succeeded.

If this is true, am I correct in thinking that while this definitely involves a vulnerability in IE, it also 
depends at least on targeting website owners who use JavaScript hosted on shared domains (CloudFlare, in this 
case), which is inherently riskier than hosting it all on one's own domain due to the way cross-domain security 
works in modern browsers?

I don't have time to to a teardown on CloudFlare.JS, but does this also depend on some sort of code vulnerability 
in that file?

Even if one or both of those caveats are true, it's a very impressive exploit, but I'd like to make sure the label 
"universal" is actually justified.

Sorry if this has already been discussed elsewhere. I couldn't find anything when I looked.

- Ben

On 2015-02-02 12:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk> wrote:


Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window("confirm" dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into
dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject
anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/






_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: