pseudo-flaw.net

I have been refraining from commenting on any specifics regarding the Mozilla Firefox file stealing vulnerabilities discussed in MFSA 2008-02: Multiple file input focus stealing vulnerabilities, because Mozilla notified me that some of the details would be embargoed pending fixes from other browser vendors. So, I was a little surprised with Opera's announcement that:

Mozilla notified us of one security issue ( :smile: ) the day before they published their public advisory ( :worried: ). They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody ( awww ).

This was picked up by The Register and Slashdot as well as numerous personal blogs.

But as best as I can tell, Mozilla has not released details for any of the proofs-of-concept exploits that Opera may be vulnerable to. The samples for the focus shifting bugs don't appear to affect Opera. If Opera is in fact vulnerable to any of the released information, I would be very interested in finding out more about it.

In any case, once the details for Bugzilla #413135 are opened to the public, I will be posting online versions of the sample exploits.

Just a couple of days ago, OSVDB added a new classification, Discovered In the Wild, based on some suggests by Pete Lindstrom (Spire Security Viewpoint).

Now, we get the 0-day Can Happen to Anyone post. The OSVDB WordPress blog was being hacked by SEO spammers that edited spam content directly into the posts. Apparently the blog was being exploited by a real-life, discovered in the wild, 0-day: 41136: WordPress XML-RPC xmlrpc.php Unauthenticated Post Modification.

For reference, the links I saw were:

<noscript>Courtney scott a <a href="http://groups.google.com/group/lynn5052/web/cricket-ringtones">cricket ringtones</a> is not.</noscript>

<noscript>Wiederum im Uhrzeigersinn <a href="http://www.kasino007.de">gratis casinospiele</a> jeder Boxinhaber dann sein Online Blackjack Blatt zu Ende.</noscript>

Interesting stuff.

If you are at all interested in how exploits are created by reversing patches, check out HD Moore's post over at BreakingPoint System Strike Center: Exploiting IIS via HTMLEncode (MS08-006).

It is a step-by-step walk-through of how the vulnerability was located in the patch, the analysis applied to determine the flaw and finally how the exploit was developed. An informative and interesting read if you are into that sort of thing.

I noticed the ShmooCon schedule was posted last week, and with only a few days to go until the con, the speakers and schedule should all be pretty well finalized.

Looks like there will be some very interesting talks. Several of the talks in the "Break it!" track look especially appealing.

There are numerous stances that a researcher can take when disclosing a possible security vulnerability. The first is to do absolutely nothing -- simply hold onto it in the hopes that it can be leveraged in the future. Obviously, there is not much disclosure happening and the vulnerability will most likely never be addressed. Other, more public methods, are awareness, advocacy and grandstanding.

Awareness can come in many forms. The best form of awareness is to report the security vulnerability to the vendor and work with them to see that it is resolved. Most often, this can be done is a private and responsible manner. The information security landscape has changed in the last several years and most vendors are willing to accept and accommodate security bug reports.

Another way to raise awareness is to publicly post details of the vulnerability to blogs, mailing lists, and forums prior to notifying the vendor. That traditional "full disclosure" mentality may still have merit, but the time is long past when this is considered a truly productive method of information sharing. If that goal of security is to make people safer, publicly disclosing newly discovered or previously unknown exploits prior to a patch being made available is not furthering that goal.

Occasionally, though, recalcitrant vendors refuse to acknowledge privately reported security vulnerabilities or won't address publicly reported vulnerabilities and continue to ship exploitable products. In these cases, advocacy is an appropriate approach. This could involve simply creating an exploit for the vulnerability and releasing it. The example attack should do more than just the regurgitate the proof-of-concept in the original vulnerability. It should show a real world version of the attack and meet some defined goal. If those actions can be accomplished, more widespread dispersal of that information is appropriate, be it through forums, blog posts or mailing lists.

But, if a real-world attack cannot be constructed, the vulnerability is best left to drop until an exploit can be developed. Continued broadcasting of a questionable vulnerability is nothing more than grandstanding. Spamming mailing lists and making copypasta forums postings of half-baked ideas does not engender much respect from the community at large. To be a bit hackneyed, either "Put up or shut up", and if you can't, "quit while you're ahead".

Claiming to have some significant exploit and then refusing to release it because "it's too dangerous", rings quite hollow when it is discovered that the vulnerability was never reported to the vendor in the first place. It is also poor form to recycle vulnerability reports against a product when the vendor has addressed it in most recent supported versions. Taking a well-known, publicly reported vulnerability and hyping it in some sort of attention grabbing attempt is quite distasteful. These shallow stabs at fame-mongering are simply useless if they don't make positive contributions to the community dialog.

And sometimes, it is as much a matter of presentation as it is content. Making a conscious decisions to not take part in the established process and then later railing on that very same process does very little to improve ones professional image. A history of such behavior leads to reputation that is hard to shed, no matter how much quality or relevance some information has.

To put it plainly, if I have to ask "Is this bogus?" every time I see post on a given blog or from a particular individual, I will be much less likely to trust the source of that information over time.

I've been wanting to post a follow-up to RSnake's XSS Worm Analysis And Defense paper, but I was waiting to see if anything else came of it. As I mentioned before, post-contest commentary has been extremely light. I find this very disheartening. The whole reason for the contest was to generate interest in creating XSS worms in order to better understand what effective anti-worm counter-measures could be developed. RSnake made this perfectly clear: the goal here is to understand why the propagation methods were chosen so we can build defenses against them. Unfortunately, it appears the sensationalism of the contest over-shadowed the ultimate goals.

But that doesn't mean there wasn't important progress made in understanding both how XSS worms could propagate and what can be done to prevent them. I posted the following comment as an attempt to drawn in all of the ideas in the paper:

So, let me see if I am understanding how this all ties together:

• The website www.example.com is a social network site where users must log in to post content.
• The www.example.com site has potential XSS vulnerabilities on every page.
• There are two types of users that utilize the site: those with JavaScript enabled and those with JavaScript disabled. The users don't toggle JavaScript on and off as they use the site. Going from on to off, the site will not function; going from off to on, the user may be vulnerable to XSS attacks.
• When a user first logs into www.example.com, the JavaScript status is detected (e.g., onsubmit form handler sets hidden form variable). The JavaScript status is associated with the user session.
• A separate domain confirm.example.com is used to prompt users for confirmation of submitted content.
• The confirm.example.com website is guaranteed to be free of XSS holes.
• Any content submitted on www.example.com is posted directly to a confirmation page on confirm.example.com.
• There is not a nonce used on www.example.com, because an XMLHttpRequest could read it if it was present and replay it.
• Confirmation of content on confirm.example.com is only allowed via the POST method.
• A nonce is used on POSTs from confirm.example.com to prevent blind CSRF attacks.
• If the confirmation page detects that it has been framed, it should attempt to unframe itself. If this fails, submission of the form should not be allowed. If JavaScript is either not enabled or if on IE the "security=restricted" was set on the frame, this check will never be applied so additional logic compensates for it.
• If user did not have JavaScript enabled when the user session was established, the form is constructed so that no JavaScript is required to submit it. If JavaScript is enabled, the form should not be submitted; this protects against the situation where the user started with JavaScript off and then turned it on, thus making himself vulnerable to attacks.
• If the user had JavaScript enabled when the session was established, the confirm page should be constructed so that it only allows for submission when JavaScript is enabled (e.g., set method and action in onsubmit handler). This protects against the IE situation where "security=restricted" has been set on an frame. If JavaScript is no longer enabled, submission will fail.

The big caveat to all of this would be that the login process needs to be protected in a similar manner (e.g., use separate login.example.com domain, etc.).

Given some of the confusion, maybe RSnake's explanation in the paper wasn't clear enough for general consumption. For anyone that is involved with these types of issues, the paper presents a fresh take on many of the existing defensive techniques.

The approach can be condensed into the following main points:

• use the same-origin policy as a choke-point
• be smart about nonces
• anti-framing should be JavaScript aware

The key insight is, that by using a separate domain which is strictly dedicated to confirmation of user submitted content, many of the XSS worm propagation techniques can be stymied. Any use of XMLHttpRequest to propagate the worm will be prevented when a separate domain is used (the Samy worm was able to propagate because it could switch domains). This leaves only blind CSRF attacks as a concern.

If that single domain can be guaranteed to be free of XSS holes, then a nonce can be used to prevent blind CSRF. But that nonce must be properly employed. If the nonce is available anywhere that can be read using JavaScript, then it could be replayed as part of the attack.

Finally, anti-framing approaches should be considered carefully. Because some users may not have JavaScript enabled (for accessibility reasons), a thoughtful approach is required to avoid causing those users excessive hardship. Internet Explorer can be forced to disable JavaScript in frames through the use of a restricted security policy. By analyzing the possible scenarios, appropriate application logic can be constructed that prevents these types of attacks while still making the website usable.

Of course, all of this depends on browsers being free of vulnerabilities. If web-browsers can be induced into violating the same-origin policy, many of these defenses begin to break down. In these cases, additional techniques are required to identify and stop XSS worms; this is still an area with open research questions.

But as RSnake shows in his paper, some simple architectural design decisions can be used to help prevent XSS worms from ever taking hold.

A couple of days ago, I noted the latest Sun Java Runtime Environment (JRE) update and the apparent lack of security advisories. Today, I saw that one was in fact released shortly after I posted about it.

The following advisory was posted, A Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed, that describes a defect that allowed "external general entities" to be processed even when the processing had been disabled:

The Java Runtime Environment (JRE) by default allows external entity references to be processed. To turn off processing of external entity references, sites can set the "external general entities" property to FALSE. This property is provided since it may be possible to leverage the processing of external entity references to access certain URL resources (such as some files and web pages) or create a Denial of Service (DoS) condition on the system running the JRE. A defect in the JRE allows external entity references to be processed even when the "external general entities" property is set to FALSE.

The issue of external entity handling would mostly be a concern where one was accepting and parsing XML documents from untrusted sources. But given the prevalence of web-services that may rely on exchange of XML documents, this is probably a common situation. Anyone that was depending on feature being turned off is potentially at risk.

NOTE: By default, processing of external entities is turned ON.

The advisory states that to turn them off, the following feature should be set to false:

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

You can search for other disclosed JRE vulnerabilities on the Sun sites using the search: "Vulnerability Java Runtime Environment".