Results 1 to 3 of 3

Thread: Houston, we have an XSS at Garage Share/Save - My123World.Com!

  1. #1
    Webapp Secninja
    Join Date
    Aug 2012
    Location
    Ranchi, Jharkhand
    Posts
    41
    Blog Entries
    2

    Houston, we have an XSS at Garage

    I want to share details behind a Flash-based XSS at our Garage4Hackers Forum that I found and has been patched.

    Last day, I was uploading a pic for a post here and for some strange reason it was not getting uploaded, I tried to look a bit deeper inside this issue which turned out that our not-so-friendly mod_security module was blocking the file. In the course, I discovered that we use a Flash-based uploader for uploading pictures.

    Name:  uploader.jpg
Views: 1149
Size:  40.5 KB

    So I decompiled it and checked for common sinks that typically causes XSS in SWF files, I searched for ExternalInterface.call() and found 2 results in the decompiled code.

    One reference that caught my attention was:

    Code:
    ExternalInterface.call(this.javaScriptEventHandler  , this.elementID, event);

    I looked deeper and found that both this.javaScriptEventHandler and this.elementID were being taken from external input (Flashvars), see snippet below:


    Code:
    			this.elementID = this.loaderInfo.parameters.YUISwfId;
    			this.javaScriptEventHandler = this.loaderInfo.parameters.YUIBridgeCallback;
    			var jsCheck: * = /^[A-Za-z0-9.]*$/g;
    			if (!jsCheck.test(this.javaScriptEventHandler)) {
    			    this.javaScriptEventHandler = "";
    			}
    We can see that there is a RegExp validation on this.javaScriptEventHandler that would prevent our code to reach sink (ExternalInterface.call). But guess what there is no validation with this.elementID . Now we can control the second parameter of ExternalInterface.call but before proceeding let's talk some basic stuff.

    ExternalInterface.call AS function works like this :

    Code:
    ExternalInterface.call("sendToJavaScript", input.text);
    This will become something like below, when the compiled ActionScript code (in form of SWF file) will execute inside a browser with Adobe Flash installed.

    Code:
     try { __flash__toXML(sendToJavaScript, "value of input.text");  } catch (e) {    "<undefined/>";  }

    Some more basics, if value of input.text in above ExternalInterface.call is Test" then it will translate to ... __flash__toXML(sendToJavaScript, "Test\""); ... .Notice " got escaped, we are still inside the string block, but to insert our own JS we need to escape out of the string block.

    Now if the value of input.text is Test\" it will translate to ... __flash__toXML(sendToJavaScript, "Test\\""); ... . Here our slash will escape out the slash of double quotes and we can now break out of the string block and break the try-catch block to append our own JS code like a boss!


    Imagine if the input of input.text is \")}catch(e) {alert('XSS');}// it will become:

    Code:
    try {   __flash__toXML(sendToJavaScript, "\\")}catch(e) {alert('XSS');}//"));  } catch (e) {    "<undefined/>";  }

    Now let's come back to our Flash-based Uploader, controllable variable is this.elementID which received input via external parameter YUISwfId. If value of YUISwfId is equal to input"\ it will result to the following try-catch block via ExternalInterface.call in the uploader code mentioned at the top of this post :

    Name:  trycatch.jpg
Views: 1012
Size:  16.3 KB

    So, we can set the value of YUISwfId parameter to \"))}catch(e) {alert('XSS');}// to execute our payload, just co-relate it with the example we learned earlier :

    Code:
    http://www.garage4hackers.com/clientscript/yui/uploader/assets/uploader.swf?YUISwfId=\"))}catch(e) {alert('XSS');}//
    Technically this URL should execute our supplied JS with the origin of http://www.garage4hackers.com domain but IT WON'T as mod_security will kick in and prevent us from doing this..

    We have a sneaky bypass for this, we can use a '#' sign before start of query string, this will force the query string to remain on client-side and prevent it from reaching Mr.mod_security

    Code:
    http://www.garage4hackers.com/clientscript/yui/uploader/assets/uploader.swf#?YUISwfId=\"))}catch(e) {alert('XSS');}//

    Let's see the POC Image:

    Name:  xss.jpg
Views: 1054
Size:  43.0 KB


    And a complete video of analysis: http://www.youtube.com/watch?v=8yswPOOryOg

    Notes:

    1. After Googling around I noticed that it was a known issue in YUI Uploader http://osvdb.org/show/osvdb/68876 which was patched back then but still shipped into vBulletin 4.2 which we use at Garage.

    2. I'm really thankful to Rahul Sasi aka FB1H2S for quick fix.

    3. Decompiled code: http://pastebin.com/1TseRvgn

    Cheers to every Garage Member
    Last edited by prakhar; 07-04-2013 at 04:59 PM.
    Hacking Wacking Sab Moh Maya Hai
    To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

  2. #2
    Super Commando Dhruv abhaythehero's Avatar
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    466
    Blog Entries
    2
    Excellent find prakhar ! Brilliant hackerish attempt to find vulnerability !
    In the world of 0s and 1s, are you a zero or The One !

  3. #3
    Garage Addict 41.w4r10r's Avatar
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    338
    Blog Entries
    3
    Nice Find.. & Thanks for Responsible Disclosure

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •