Who am I?
This presentation is going to show an idea I had and how I leveraged it into 3 vulnerabilities in the major IM clients.
One of them will not be disclosed today, because it has not yet been patched.
It will be published on our blog once it is patched.
Explain how IMs work:
Talk about:
--------------
The message window is actually a browser.
The user's text message is wrapped in an HTML\XML template containing the following fields.
The message is sent and then rendered as HTML\XML in the client's browser.
It accepts parameters dictating:
color
Font name
Font weight
Font style
And more
Let's talk about IMs,
and set aside for a moment all the video, sound and file-transfer functionality, etc.,
and keep only the aspect of sending messages.
If we try to map the ways we have to send input into the system, we arrive at something like the example.
To configure all these settings, these apps usually come with a screen like this one.
Every time I've seen this screen, I wondered "what if I could use some HTML here…"
And apparently, you can!
Windows fonts:
all characters are valid,
max 30 characters in every font name.
Explain that the font we change goes into this template and is then sent out.
Talk about possibilities of exploits:
1. Expression
2. Get out to span tag
3. Get out to HTML main context
Starting off with expression():
the server actually filtered everything in the CSS.
Moving to the next payload:
getting out of the style attribute and into a new onclick attribute
resulted in the onclick being empty. No good.
Two fields attack
First field (Font Name):
-----------
1. The filter deletes the <style<style</style part
2. We are left with e0"><img x='…..
This opens a new IMG tag with an X attribute (using a single quote)
Second field (Message Text):
---------------
1. Closes the X attribute (it now contains all the rest of the real CSS)
2. Adds a SRC attribute
3. Adds an ONERROR attribute relocating the window to an EXE/BAT file
4. The file will be executed
The second line shows the trapped CSS in the X parameter.
Calc executed example
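The two-field attack above, modelled as an added example (this is not code from the talk or from any IM client): a toy "message wrapped in an HTML template" renderer with the kind of per-field blacklist filter the talk describes, beside a hardened renderer that allowlists the font name and escapes the message text. The template shape, the filter rule, the 30-character allowlist and the sample inputs are all constructed for illustration.

```javascript
// Blacklist filter modelled on the one described in the talk: it removes
// <style and </style tokens and nothing else, so quotes and '>' survive.
function blacklistFilter(value) {
  return value.replace(/<\/?style/gi, "");
}

// Vulnerable renderer: each field is filtered on its own and then both are
// concatenated into the template. Neither field on its own is a complete
// tag, which is exactly what lets the two halves get through.
function renderVulnerable(fontName, messageText) {
  const f = blacklistFilter(fontName);
  const m = blacklistFilter(messageText);
  return `<span style="font-family: ${f}; color: #0000e0">${m}</span>`;
}

// HTML-escape for text nodes and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist for font names (assumption: letters, digits, space, hyphen and
// underscore, at most 30 chars, matching the length limit quoted in the talk).
// A value that fails falls back to a safe default instead of being "cleaned".
const FONT_NAME_RE = /^[A-Za-z0-9 _-]{1,30}$/;
function safeFontName(fontName) {
  return FONT_NAME_RE.test(fontName) ? fontName : "Arial";
}

// Hardened renderer: validated font name plus escaped message text. The font
// name is escaped as well, so relaxing the allowlist later cannot reintroduce
// an attribute breakout.
function renderHardened(fontName, messageText) {
  const f = escapeHtml(safeFontName(fontName));
  const m = escapeHtml(messageText);
  return `<span style="font-family: ${f}; color: #0000e0">${m}</span>`;
}

// Lists the opening tag names in a rendered fragment, so a check can assert
// that only the template's own <span> survived.
function openingTagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample inputs in the shape the talk describes: the font name
// closes the style attribute and opens an <img> with a dangling x='
// attribute; the message text closes x and adds src and onerror.
const FONT_FIELD = "e0<style<style</style\"><img x='";
const MESSAGE_FIELD = "' src=x onerror=alert(1)>hello";

console.log(renderVulnerable(FONT_FIELD, MESSAGE_FIELD)); // span + injected img
console.log(renderHardened(FONT_FIELD, MESSAGE_FIELD));   // span only
```

The point of the pair is that the fix is not a better blacklist: the font-name field is validated against what a font name can legitimately be, and the message text is encoded for the context it lands in, so the two fields can no longer be assembled into a tag.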
Yahoo
No History found in the local FS, meaning the template is unknown.
Messages sent take about 3-4 hours until they register in the History.
That means that every time I wanted to test anything, I had to wait 3-4 hours for the results and only then tweak my payloads and resend everything…
The message view seems to sanitize input well:
all the messages I sent managed nothing more than pretty colors.
Taking into account that every test takes 3 hours, I decided it was best to move on and open the History.
Looks a bit better, but still nothing interesting…
The next step I took was to change the history filter to "Instant Messages".
Boom.
Endless pop-ups popped up…
Apparently a lot of my tests worked…
I isolated the simplest payload that worked, and we can now move on and get some info such as:
User Agent
Privileges
Etc…
Digging deeper got us the browser type (IE)
and the location of the page, which is an internet address.
So I tried accessing this page using Chrome, and as long as I was logged in to Yahoo! it got me the same results!
The next thing I found was the cookie.
Apparently Yahoo doesn't like to use HttpOnly cookies, so stealing the cookie actually means stealing the account!
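The HttpOnly gap above is the kind of thing a defender can check mechanically. The following is an added example (not code from the talk or from Yahoo!): a small audit of Set-Cookie response headers that reports cookies missing HttpOnly, which is what lets an injected script read them, and Secure. The header lines and cookie names are constructed placeholders, not real Yahoo! values.

```javascript
// Parses one "Set-Cookie: name=value; Attr; Attr=Value" header line into the
// cookie name and a lowercased set of its attribute names.
function parseSetCookie(line) {
  const body = line.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = body.split(";").map((p) => p.trim());
  const name = pair.split("=")[0];
  const attributes = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return { name, attributes };
}

// Returns one finding per weak cookie; an empty array means every cookie
// carries both flags.
function auditSetCookie(headerLines) {
  const findings = [];
  for (const line of headerLines) {
    const { name, attributes } = parseSetCookie(line);
    if (!attributes.has("httponly")) {
      findings.push(`${name}: missing HttpOnly (readable by injected script)`);
    }
    if (!attributes.has("secure")) {
      findings.push(`${name}: missing Secure (sent over plain HTTP)`);
    }
  }
  return findings;
}

// Constructed sample headers: the first is the weak shape the talk describes,
// the second is what a session cookie should look like.
const SAMPLE_HEADERS = [
  "Set-Cookie: SESSION_PLACEHOLDER=abc123; Path=/; Domain=.example.com",
  "Set-Cookie: HARDENED_PLACEHOLDER=abc123; Path=/; HttpOnly; Secure",
];

console.log(auditSetCookie(SAMPLE_HEADERS)); // two findings, both for SESSION_PLACEHOLDER
```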
Send message
Wait 3-4h
Social engineer the user into opening the History
Have the user click on the Instant Messages context menu
No more 3-hour tests.
I can now send a message and see it on the web messenger immediately.
I now know the template.
I sent the first line of code;
the web messenger rendered the second line of code.
Changes:
Added a new ID attribute – we don't care!
Transformed the Size attribute into a CSS font-size property – very interesting!
First, I tried to inject a new color:red declaration,
using the & -> & encoding in order to terminate the CSS rule and inject a new one.
And that worked without a glitch.
Tried the same with an expression() call, and all seemed well.
Opening IE
But no alert…
After digging a little deeper:
a different sanitizer per browser.
Found an older message that had similar behavior.
Worked on that example until I found some guidelines for the transformation on IE.
Talk about the two rules of transformation.
Using these guidelines I attempted a new rule injection.
Payload found – new rule injected.
Explain the CSS encoding trick.
Everything looks good in IE.
Somehow, no alert.
Goddamn meta tag.
But this meta tag doesn't work in IE<8.
VM
Kick off IE8
Entered the same URL with IE 7 and the alert shows up.
Also in the original History view of the messenger, which actually uses the installed IE.