Full Disclosure mailing list archives

Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

From: "Inferno" <inferno () securethoughts com>
Date: Wed, 16 Sep 2009 01:23:46 -0700

Hi Michal,

Thanks for clarifying the feed reader functionality in Chrome and link to
the browser security handbook. The browser security handbook is a great
resource, sorry, I missed reading that section on RSS.

A question I had was it mentions Opera browser does not render javascript
inside feeds, whereas I found that it does. Also, for Chrome, now since it
has removed script rendering part completely, I think the handbook might
need a slight update for both Opera and Chrome in next version revision.

Thanks for your efforts in developing such a useful resource for the
community. 

Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal
Zalewski
Sent: Wednesday, September 16, 2009 12:07 AM
To: Inferno
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Exploiting Chrome and Opera's inbuilt
ATOM/RSS reader with Script Execution and more

Back in 2006, there was interesting research done by James Holderness[1]

and

James M. Snell[2] which uncovered a variety of XSS issues in various

online

feed aggregator services (e.g. Feed Demon). The vulnerability arises from
the fact that it is not expected of RSS readers to render scripted

content.

I want to extend that research by doing threat analysis on inbuilt feed
readers offered in most modern browsers. I have found Google Chrome (v2,3)
and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8),

Firefox

3.5 and Safari 4 are resilient to the exploits mentioned below.


To be precise, Chrome does *not* have a built-in feed reader, and
instead, attempts to render the payload as a generic XML/HTML document
- which causes the behavior observed. The behavior of Chrome, MSIE6,
and Opera is actually covered for a longer while in Browser Security
Handbook:

http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_forma
ts

More specifically, this is outlined in the "Is generic XML document
support present?", "Is RSS feed support present?", "Is ATOM feed
support present?", "Does JavaScript execute within feeds?", and "Are
javascript: or data: URLs permitted in feeds?" tests.

There are also some interesting details related to SVG and other XML
formats along these same lines.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more Inferno (Sep 15)
- Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more Michal Zalewski (Sep 16)
  - Re: Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more Inferno (Sep 16)