Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Does anyone know if Microsoft have patched this yet?

On Wed Feb 04 2015 at 09:05:26 David Leo <david@deusen.co.uk> wrote:
> Microsoft was notified on Oct 13, 2014.
>
> Joey thank you very much for your words.
>
> Kind Regards,
>
> On 2015/2/3 4:53, Joey Fowler wrote:
>> [...]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Hi Joey,

In my research I found out that the 'x-frame-options' solution doesn't protect against session hijacking via session cookie theft. It is very important that you also add 'HttpOnly' flags on all cookies.

I've published an overview of my research, additional mitigations and supporting evidence in a web log article:
http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-cross-site-scripting-vulnerability-in-fully-patched-internet-explorer-10-and-11

Kind regards,
Sijmen Ruwhof

> Re: Major Internet Explorer Vulnerability - NOT Patched
> From: Joey Fowler <joey () tumblr com>
> Date: Mon, 2 Feb 2015 15:53:10 -0500
>
> Hi David,
>
> "nice" is an understatement here. I've done some testing with this one and, while there *are* quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>
> As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).
>
> It looks like, through this method, all viable XSS tactics are open!
>
> Nice find! Has this been reported to Microsoft outside (or within) this thread?
>
> --
> Joey Fowler
> Senior Security Engineer, Tumblr
>
> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk> wrote:
>> [...]
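The two mitigations raised in this thread, a restrictive X-Frame-Options header (Joey's point: the demo only works against pages that can be framed) and the HttpOnly flag on every cookie (Sijmen's point: framing protection alone does not stop session cookie theft), are both things a site owner can check from the response headers alone. The following audit script is an added example written for this thread; it is not code from the thread, from Deusen, or from Sijmen's article, and the sample responses in it are constructed, not captured from any real site. One caveat it encodes that the thread glosses over: the header token is SAMEORIGIN, and a value such as "same-origin" is not recognised by browsers and gives no protection.

```python
"""Audit HTTP response headers for the two mitigations discussed in the
thread: a restrictive X-Frame-Options header and HttpOnly on every cookie.

Added example for this thread; not code from the thread or from Deusen.
The sample responses at the bottom are constructed, not captured.
"""
from typing import Dict, List, Set, Tuple

# Valid X-Frame-Options tokens (RFC 7034). The token is SAMEORIGIN, not
# "same-origin"; an unrecognised value is ignored by browsers.
FRAMING_BLOCKED = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response head into (status line, header map).
    Header names are lower-cased; repeated headers such as Set-Cookie are
    kept as a list in order of appearance."""
    lines = raw.strip("\r\n").split("\n")
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def cookie_flags(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw_response: str) -> List[str]:
    """Return a list of findings; an empty list means the checks all pass."""
    _, headers = parse_raw_headers(raw_response)
    findings: List[str] = []

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("missing X-Frame-Options header: page can be framed cross-origin")
    elif xfo[0].upper() not in FRAMING_BLOCKED:
        findings.append(
            f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN and will be ignored"
        )

    # frame-ancestors in CSP is the newer equivalent; flag when neither is present
    csp = " ".join(headers.get("content-security-policy", []))
    if not xfo and "frame-ancestors" not in csp:
        findings.append("no frame-ancestors directive in Content-Security-Policy either")

    for sc in headers.get("set-cookie", []):
        name, attrs = cookie_flags(sc)
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} is set without HttpOnly: readable by script")
        # Secure is general cookie hygiene, not one of the thread's two points
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} is set without Secure: sent over plain HTTP")
    return findings


# Constructed samples: a weak response, one with no framing protection, and a hardened one
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
X-Frame-Options: same-origin
"""

NO_XFO = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("no-xfo", NO_XFO), ("hardened", HARDENED)):
        print(label, audit(raw) or ["ok"])
```

Running it prints three findings for the weak sample (ignored X-Frame-Options value, cookie without HttpOnly, cookie without Secure), two for the sample with no framing protection, and "ok" for the hardened one. The raw-head parser is deliberately minimal so the script can be pointed at a saved response from any HTTP client without extra dependencies.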
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
> could you share the contents of 1.php?

Sure:

<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>

> I'm assuming it is a delayed re-direct to the target's domain?

Exactly. :-)

> the cloudflare scripts

It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:
> Thanks Zaakiy,
>
> I'm able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in the exploit html page.
>
> David, could you share the contents of 1.php? I'm assuming it is a delayed re-direct to the target's domain? I am unable to reproduce the exploit locally with the same code (assuming my 1.php is correct), though without the cloudflare scripts.
>
> Thanks,
> Peter
>
> Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Zaakiy Siddiqui
> Sent: 2015, February, 04 6:46 PM
> To: David Leo; Joey Fowler
> Cc: fulldisclosure@seclists.org; b...@securitytracker.com; bugt...@securityfocus.com; cve-ass...@mitre.org
> Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
>
> Hi David,
>
> Nice one... great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.
>
> I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11). I can also confirm that IE 10 is affected. IE 9 appears to not be vulnerable. Screenshots below.
>
> Regards,
> Zaakiy Siddiqui
>
> IE 11 Spartan - vulnerable (Windows 10)
> [attached screenshot: Image1466.png]
> [attached screenshot: Image1487.png]
>
> IE 10 - vulnerable (Windows 7)
> [attached screenshot: Image1485.jpg]
>
> IE 9 - not vulnerable (Windows 7)
> [attached screenshot: Image1503.jpg]
>
> From: David Leo <david@deusen.co.uk>
> Sent: Wednesday, 4 February 2015 11:13 PM
> To: Joey Fowler
> Cc: bugt...@securityfocus.com, fulldisclosure@seclists.org, b...@securitytracker.com, cve-ass...@mitre.org
>
> [...]
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
> is this entirely an IE flaw, or is it tied to the use of Cloudflare by the targeted site as well as the attacking site?

No, this is entirely an IE flaw. I've repro'd on domains that I know don't use cloudflare, from a domain that doesn't use cloudflare.

There's a great teardown on this POC by @filedescriptor at http://innerht.ml/blog/ie-uxss.html

-- Justin

On 5 February 2015 at 05:29, Ben Lincoln (F7EFC8C9 - FD) <f7efc...@beneaththewaves.net> wrote:
> [...]
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Hi David.

When I tried to reproduce it using code hosted on one of my domains, I tried three variations of what I assumed at the time the PHP code from the original was:

<?php usleep(300); header("Location: http://www.dailymail.co.uk/"); die(); ?>

<?php sleep(3); header("Location: http://www.dailymail.co.uk/"); die(); ?>

<?php sleep(10); header("Location: http://www.dailymail.co.uk/"); die(); ?>

I wasn't able to get it working, so as I said, I used Burp Suite to modify your demo in realtime as it came down to my browser, with the Daily Mail domain being replaced in response headers and bodies with a different target domain, but no other changes made. It worked with another CloudFlare customer's site (tickld.com), but not a non-CloudFlare customer's site (can't share that one without giving away information I'm not supposed to).

It seems like that was a coincidence, and that the reason it didn't work on the other site was something other than them not being a CloudFlare customer. Enough other people (in particular, @filedescriptor, who Justin Steven sent a link to (http://innerht.ml/blog/ie-uxss.html)) have validated the way the exploit works that I agree it appears to be essentially universal.

When are you going to give it a cool name and logo to ensure it gets the media coverage it deserves? :)

- Ben

On 2015-02-04 21:06, David Leo wrote:
>> is this entirely an IE flaw
> Yes.
>
>> is it tied to the use of Cloudflare
> No.
>
>> I tried to reproduce... was unsuccessful
> Likely, this detail is missing:
>
> <?php sleep(2); header("Location: http://www.dailymail.co.uk/robots.txt"); ?>
>
> Please tell us whether you reproduce (with the PHP code).
>
>> am I correct... JavaScript hosted on shared domains
> In the demo, it's first injected into page without any JavaScript. (robots.txt)
>
>> I don't have time to do a teardown on CloudFlare.JS
> Honestly we don't even know such file exists :-) We uploaded and took a screenshot - that's all.
>
>> it's a very impressive exploit
> Thanks.
>
>> make sure the label "universal" is actually justified
> It has also been tested against Yahoo etc.
>
>> Sorry if this has already been discussed elsewhere
> Many asked - for example: http://www.milw00rm.com/exploits/7057
>
> Again, please tell us whether you reproduce with the PHP code.
>
> Kind Regards,
>
> On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote:
>> [...]
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
So here's a possibly stupid question: is this entirely an IE flaw, or is it tied to the use of Cloudflare by the targeted site as well as the attacking site?

I ask because:

1 - I tried to reproduce the attack in a number of ways without using CloudFlare, and was unsuccessful.

2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied response headers and bodies on www.dailymail.co.uk and then dailymail.co.uk with a target domain which does not use Cloudflare, then accessed the Deusen demo page. The injection attempt failed.

3 - I then used Burp in the same way, but replaced www.dailymail.co.uk/dailymail.co.uk with a target domain which *does* use CloudFlare, and the injection attempt succeeded.

If this is true, am I correct in thinking that while this definitely involves a vulnerability in IE, it also depends at least on targeting website owners who use JavaScript hosted on shared domains (CloudFlare, in this case), which is inherently riskier than hosting it all on one's own domain due to the way cross-domain security works in modern browsers? I don't have time to do a teardown on CloudFlare.JS, but does this also depend on some sort of code vulnerability in that file?

Even if one or both of those caveats are true, it's a very impressive exploit, but I'd like to make sure the label "universal" is actually justified.

Sorry if this has already been discussed elsewhere. I couldn't find anything when I looked.

- Ben

On 2015-02-02 12:53, Joey Fowler wrote:
> [...]
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Hi David,

"nice" is an understatement here. I've done some testing with this one and, while there *are* quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find! Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr

On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david@deusen.co.uk> wrote:
> [...]
[FD] Major Internet Explorer Vulnerability - NOT Patched
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary

An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain.

How To Use

1. Close the popup window (confirm dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details

Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,