[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Suspicious URL:Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Not sure what you think about this one. It appears to be a bug with IE.
On Feb 5, 2015, at 12:06 AM, David Leo <david.leo@xxxxxxxxxxxx> wrote:
> "is this entirely an IE flaw"
> "is it tied to the use of Cloudflare"
> "I tried to reproduce... was unsuccessful"
> Likely, this detail is missing:
> header("Location: http://www.dailymail.co.uk/robots.txt");
> Please tell us whether you reproduce(with the PHP code).
> "I don't have time to to a teardown on CloudFlare.JS"
> Honestly we don't even know such file exists :-)
> We uploaded and took a screenshot - that's all.
> "it's a very impressive exploit"
> 'make sure the label "universal" is actually justified'
> It has also been tested against Yahoo etc.
> "Sorry if this has already been discussed elsewhere"
> Many asked - for example:
> Again, please tell us whether you reproduce with the PHP code.
> Kind Regards,
> On 2015/2/5 3:29, Ben Lincoln (F7EFC8C9 - FD) wrote:
>> So here's a possibly stupid question: is this entirely an IE flaw, or is it tied to the use of Cloudflare by the targeted site as well as the attacking site?
>> I ask because:
>> 1 - I tried to reproduce the attack in a number of ways without using CloudFlare, and was unsuccessful.
>> 2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied response headers and bodies on "www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which does not use Cloudflare, then accessed the Deusen demo page. The injection attempt failed.
>> 3 - I then used Burp in the same way, but replaced "www.dailymail.co.uk"/"dailymail.co.uk" with a target domain which *does* use CloudFlare, and the injection attempt succeeded.
>> I don't have time to to a teardown on CloudFlare.JS, but does this also depend on some sort of code vulnerability in that file?
>> Even if one or both of those caveats are true, it's a very impressive exploit, but I'd like to make sure the label "universal" is actually justified.
>> Sorry if this has already been discussed elsewhere. I couldn't find anything when I looked.
>> - Ben
>> On 2015-02-02 12:53, Joey Fowler wrote:
>>> Hi David,
>>> "nice" is an understatement here.
>>> I've done some testing with this one and, while there *are* quirks, it most
>>> definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>>> As long as the page(s) being framed don't contain X-Frame-Options headers
>>> (with `deny` or `same-origin` values), it executes successfully. Pending
>>> the payload being injected, most Content Security Policies are also
>>> It looks like, through this method, all viable XSS tactics are open!
>>> Nice find!
>>> Has this been reported to Microsoft outside (or within) this thread?
>>> Joey Fowler
>>> Senior Security Engineer, Tumblr
>>> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@xxxxxxxxxxxx> wrote:
>>>> Deusen just published code and description here:
>>>> which demonstrates the serious security issue.
>>>> An Internet Explorer vulnerability is shown here:
>>>> Content of dailymail.co.uk can be changed by external domain.
>>>> How To Use
>>>> 1. Close the popup window("confirm" dialog) after three seconds.
>>>> 2. Click "Go".
>>>> 3. After 7 seconds, "Hacked by Deusen" is actively injected into
>>>> Technical Details
>>>> Vulnerability: Universal Cross Site Scripting(XSS)
>>>> Impact: Same Origin Policy(SOP) is completely bypassed
>>>> Attack: Attackers can steal anything from another domain, and inject
>>>> anything into another domain
>>>> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>>>> If you like it, please reply "nice".
>>>> Kind Regards,
>>>> Sent through the Full Disclosure mailing list
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>> Sent through the Full Disclosure mailing list
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>> Sent through the Full Disclosure mailing list
>> Web Archives & RSS: http://seclists.org/fulldisclosure/