Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE XMLHttpRequest

2007-02-05 Thread Troy Cregger
> The 2005 text does briefly mention Accessing content / web-scanning
> (take a look at Notes 1-3).
>
> So the problem is much older.

Well, that's Micro$loth for ya.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE XMLHttpRequest

2007-02-04 Thread Amit Klein
Michal Zalewski wrote:
> On Sat, 3 Feb 2007, Michal Zalewski wrote:
>
> >   xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n", x,true);
>
> Funny enough, Paul Szabo was quick to point out that Amit Klein found the
> same vector that I used here for client-side backdoors in May 2006 (still
> not patched?! *shrieks in horror*), but for cache poisoning:
>
>   IE + some popular forward proxy servers = XSS, defacement (browser cache
>   poisoning)
>   http://www.securityfocus.com/archive/1/434931
>
> This is getting depressing. May 2006.

Much worse. The basic technique already appeared in two of my previous 
write-ups:

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a 
lot more... (September 2005)
http://www.securityfocus.com/archive/1/411585

XS(T) attack variants which can, in some cases, eliminate the need for
TRACE (January 2003)
http://www.securityfocus.com/archive/107/308433

The 2005 text does briefly mention Accessing content / web-scanning 
(take a look at Notes 1-3).

So the problem is much older.

Thanks,
-Amit



Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE XMLHttpRequest

2007-02-03 Thread Tyop?
On 2/3/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> On Sat, 3 Feb 2007, Michal Zalewski wrote:
> >   xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n", x,true);
> Funny enough, Paul Szabo was quick to point out that Amit Klein found the
> same vector that I used here for client-side backdoors in May 2006 (still
> not patched?! *shrieks in horror*), but for cache poisoning:
>   IE + some popular forward proxy servers = XSS, defacement
> (browser cache poisoning)
>   http://www.securityfocus.com/archive/1/434931
>
> This is getting depressing. May 2006.

but not really surprising, yes?

Remember browserfun#18 (Tuesday, July 18, 2006)
http://osvdb.org/27110
Metasploit, exploit in the wild like they said.

Patched in October. 3 months of real insecurity.
(^o^)

<troll>
Thx to Determina.
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_09282.asp
</troll>

--
Tyop? [Fr]
http://altmylife.blogspot.com



Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE XMLHttpRequest

2007-02-03 Thread Michal Zalewski
On Sun, 4 Feb 2007, Tyop? wrote:

> > This is getting depressing. May 2006.
> but not really surprising, yes?

No, though this bug is truly remarkable in that a quick fix, I'm quite
certain, amounts to changing != ' ' to > ' ' in the code.

That's two characters, and no chance for a negative impact on any
legitimate application, simply no way.

Oh, and actually, did I say May? It gets even better!

If you look at that paper, Amit initially noticed that \n and \t are not
filtered in September 2005 (17 months ago), and described it as a referrer
spoofing bug (granted, not an earth-shattering discovery).

He then followed up in May 2006 demonstrating how this can be used to do
local cache poisoning, which is kinda more problematic.

It's February 2007, the attack can be obviously used to do a really nasty
interactive firewall bypass attack in corporate environments - so... ugh.

At least they managed to fix it in IE7's new native XMLHttpRequest code,
which I bet happened by accident.

/mz

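The injected request line quoted throughout this thread, and the two-character fix Michal describes above (rejecting every character at or below ' ' instead of only the space), as an added example that is not part of the original thread and not code from any browser or proxy. It models, in JavaScript, an XMLHttpRequest.open() method check in its weak and fixed forms, the request a browser then hands to its forward proxy, and a proxy that, as the thread says some popular ones do, treats TAB as a token separator and a blank line as the end of the headers. The function names, the constructed victim URL http://www.example.com/secret and the proxy model are this example's own assumptions.

```javascript
// Added example, not code from the thread or from any browser/proxy.
// (1) weakMethodCheck: only the literal space is rejected, which is what
//     the thread says IE's XMLHttpRequest effectively did;
// (2) strictMethodCheck: the "!= ' '" -> "> ' '" change from the thread;
// (3) buildProxyRequest / lenientProxyParse: what the browser emits and
//     how a tab-tolerant forward proxy reads it.

// The payload quoted in the thread: TAB splits the "method" into three
// request-line tokens and "\n\n" ends the header block early.
const PAYLOAD_METHOD = "GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n";

// Constructed victim URL: the page's own origin, the only URL the script
// was actually allowed to request.
const SAME_ORIGIN_URL = "http://www.example.com/secret";

// Weak check: only ' ' is rejected, so '\t', '\r' and '\n' sail through.
function weakMethodCheck(method) {
  return [...method].every((ch) => ch !== ' ');
}

// Fixed check: anything that sorts at or below ' ' in ASCII is rejected,
// which covers TAB, CR, LF and every other C0 control. A full RFC token
// check would also reject DEL and separators; the thread's point is that
// this minimal change already closes the injection.
function strictMethodCheck(method) {
  return [...method].every((ch) => ch > ' ');
}

// What the browser sends to its forward proxy once the method passes the
// check: "<method> <absolute-url> HTTP/1.1" plus a Host header.
// Throws when the check rejects the method, as a fixed browser would.
function buildProxyRequest(method, url, check) {
  if (!check(method)) {
    throw new Error(`method rejected: ${JSON.stringify(method)}`);
  }
  const host = new URL(url).host;
  return `${method} ${url} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// A lenient proxy: SPACE and TAB both separate request-line tokens, and the
// first blank line ends the headers. Whatever follows that blank line is
// ignored here (a real proxy would see it as a second, pipelined request).
function lenientProxyParse(raw) {
  const headerEnd = raw.search(/\r?\n\r?\n/);
  const head = headerEnd === -1 ? raw : raw.slice(0, headerEnd);
  const requestLine = head.split(/\r?\n/)[0];
  const [method, target, version] = requestLine.split(/[ \t]+/);
  return { method, target, version };
}

// End to end: which URL does the proxy actually fetch for a given
// (method, url) pair under a given check? null means the browser refused.
function proxyTargetFor(method, url, check) {
  let raw;
  try {
    raw = buildProxyRequest(method, url, check);
  } catch (e) {
    return null;
  }
  return lenientProxyParse(raw).target;
}

console.log("weak check  ->", proxyTargetFor(PAYLOAD_METHOD, SAME_ORIGIN_URL, weakMethodCheck));
console.log("fixed check ->", proxyTargetFor(PAYLOAD_METHOD, SAME_ORIGIN_URL, strictMethodCheck));
console.log("plain GET   ->", proxyTargetFor("GET", SAME_ORIGIN_URL, strictMethodCheck));
```

Under the weak check the browser enforces its origin policy on the second argument (the page's own URL) and then emits a request whose first line the proxy reads as `GET http://dione.ids.pl/ HTTP/1.0`; the browser's own `Host:` header lands after the injected blank line and never influences the fetch. That is the whole of the corporate-proxy bypass Michal describes: the attacker, not the browser, picks the host the proxy connects to. Under the fixed check the same payload is rejected at open() and nothing is sent.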


Re: [Full-disclosure] Web 2.0 backdoors made easy with MSIE XMLHttpRequest

2007-02-03 Thread James Matthews

Yes, this is bad!

On 2/3/07, Michal Zalewski [EMAIL PROTECTED] wrote:


On Sat, 3 Feb 2007, Michal Zalewski wrote:

  xmlhttp.open("GET\thttp://dione.ids.pl/\tHTTP/1.0\n\n", x,true);

Funny enough, Paul Szabo was quick to point out that Amit Klein found the
same vector that I used here for client-side backdoors in May 2006 (still
not patched?! *shrieks in horror*), but for cache poisoning:

  IE + some popular forward proxy servers = XSS, defacement (browser
cache poisoning)
  http://www.securityfocus.com/archive/1/434931

This is getting depressing. May 2006.

/mz


--
http://www.goldwatches.com
http://www.wazoozle.com