MOMBY: a place for bugs

Below are the 20 most recent journal entries recorded in M.O.M.B.Y!'s LiveJournal:

Monday, April 30th, 2007
8:52 pm
MOMBY-00010100: Myspace Bug Potpourri
Advisory MOMBY-00010100: Myspace Bug Potpourri
Noobz: .*
LOLz: .*
0wnz: .*

Today is the last day of the Month of Myspace bugs. We disclosed 19 bugs this month, about 14 of which were fixed within a day or two of publication, which demonstrates two interesting facts: a) the Myspace web design and security groups can fix bugs if they care to, and b) the Myspace web design and security groups tend to fix bugs if they're presented in an easy to read and high profile "Month of" format.

Anyway, here's the rest of the submissions that we didn't get to, in glorious unedited plain text. That means that we do not offer any sort of advice on how to reproduce these, nor do we offer any sort of independent validation on the quality of the bugs, or even so much as a spellcheck.

Thanks to MustLive, rMrGvG, Awesome AnDrEw, RSnake, teh_commodore, Synthetic, and everyone else, credited or not, for submitting bugs. We, quite literally, wouldn't have done it without you! And also thanks to Six Apart and the wonderful staff at LiveJournal for taking this all in stride and not being giant dicks. Extra thanks to rMrGvG for translation for my favorite people on Earth, the Mighty Spaniards, originators of the deadliest flu bug ever seen!

Finally, thanks to the readers, especially the haters. You guys made us laugh, and laugh, and laugh. April Fools, suckers!


MOMBY-00010100a: Myspace Flag Overlay Spammer Trick

Credit: Technocrat

MOMBY-00010100b: Myspace Unprintable Password Permanent Account Control

Credit: Awesome AnDrEw

MOMBY-00010100c: Myspace Embedded Flash Javascript/ActionScript XSS

Credit: Lonewolf / OwnedSpace

MOMBY-00010100d: Myspace Profile Redirect

Credit: Tymm

MOMBY-00010100e: Myspace Permanent Message Archival

Credit: c

MOMBY-00010100f: Myspace MP3 theft

Credit: Spas

MOMBY-00010100g: Myspace Jobs Search Locale XSS

Credit: rMrGvG

MOMBY-00010100h: Myspace Groups HTML Element Injection

Credit: rMrGvG

MOMBY-00010100i: Myspace Profile HTML Element Injection

Credit: rMrGvG

MOMBY-00010100j: Myspace Bulletin HTML Insertion

Credit: rMrGvG

MOMBY-00010100k: Myspace Blog Background Image XSS

Credit: Paul_Smells aka Sinclair

MOMBY-00010100l: Myspace mp3downloader MP3 Theft

Credit: Jon

MOMBY-00010100m: Myspace mp3downloader MP3 Theft

Credit: Awesome AnDrEw

MOMBY-00010100n: Myspace Random Image Viewer

Credit: skinnyCorp

MOMBY-00010100o: Myspace Profile Reset

Credit: Anonymous

MOMBY-00010100p: Myspace Preferred Language Reset

Credit: Anonymous

MOMBY-00010100q: Myspace Domain Generalization Design Error

Credit: Wladimir

MOMBY-00010100r: Myspace Patched XSS

Credit: rMrGvG

MOMBY-00010100s: Myspace Shouthacking Vector

Credit: Anonymous

MOMBY-00010100t: Myspace CSS "@import" XSS

Credit: luoluo

MOMBY-00010100u: Myspace Messaging XSS

Credit: rMrGvG

MOMBY-00010100v: Myspace Messaging XSS

Credit: TX

MOMBY-00010100x: Myspace Instant Messenger Unfiltered Flash

Credit: Awesome AnDrEw

MOMBY-00010100y: G4TV Month Of Myspace Bugs Article XSS

Credit: Mondo Armando

MOMBY-00010100z: Unknown Myspace Vulnerability

Credit: Unknown

MOMBY-00010100!: Unproven Myspace Undeletable Comment

Credit: Anonymous

MOMBY-00010100@: Myspace Top Friends Bug

Credit: Anonymous

MOMBY-00010100#: Myspace MYUSERINFO Alteration (User Impersonation)

Credit: Anonymous

MOMBY-00010100$: Myspace Message Privilege Violation

Credit: Anonymous

MOMBY-00010100%: Myspace Vulnerable Feeling Form

Credit: Anonymous

Current Mood: ecstatic
Thursday, April 26th, 2007
11:47 pm
MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure
Advisory MOMBY-00010011: Pimp-My-Profile "Hide Friends" Information Disclosure
Noobz: ***********
LOLz: ******
0wnz: *

Third party skinning service Pimp-My-Profile.com offers thousands of pre-designed Myspace profile styles (as well as misleading phishing links represented as eBay, for some reason). Most of these profile overlays can be "tweaked" to "hide" portions of Myspace profiles -- in particular, a "Hide Friends" button. The usual motive for hiding friends is, in fact, a mistaken belief that a hidden friends pane prevents attackers from learning who that user's friends are. For example, some users utilize the Pimp-My-Profile.com functionality to conceal "Cyber" romantic relationships from "Real Life" relationship partners, to hide "unprofessional" associations from potential employers, and for other motives (this has been shown via first-hand anecdotal experience).

However, by viewing the user's personal information via the "viewfriends" application on friends.myspace.com, it is in fact trivial to learn such hidden relationships. An example is shown below.

howto: change 'profile' to 'friends' on the URL where indicated

Profile without friends
viewfriends profile (one friend)

It's worth stressing three features of this bug: 1) This is a third-party service presumably unrelated to MySpace. 2) Regardless, this bug affects the usability of the Myspace service -- if users were better informed of this information disclosure attack, they would not likely rely on the "Hide Friends" functionality to conceal relationships, and 3) This was in fact the bug that prompted the MOMBY Institute to pursue this ridiculous Month of Bugs.

Credit: This bug was first reported by Voodoo Woman, a confessed Myspace loser who enjoys stalking even the most casual of acquaintances on the Internet and compiling detailed dossiers of their lives and associations.

begin boring-rant.txt 644

When learning of this bug, we realized that there would be at least several thousand typical Myspace users who may be concerned about this sort of information disclosure attack -- many more than would be concerned about a null pointer dereference, a local-only privilege escalation in Mac OS X, or a double-free in PHP4. While these other bugs, and even some XSS bugs detailed here at MOMBY, are more closely associated with information security, there is about zero common interest in these issues outside of a small, highly-trained circle of professional attackers and defenders. On the other hand, Myspace is simultaneously a common reference implementation of poor web application design, and one of the most popular and useful destinations in the history of the Internet. This is paradoxical to technical professionals, and the security set seems to be suffering a serious bout of cognitive dissonance on this point. Kids (12 to 24 year olds) are learning their Internet habits on Myspace -- that means cleartext authentication, random errors and re-logins, mysterious loss of data and privileges, and easy XSS-enabled session hijacking are pretty much the sum total of their day-to-day experience.

We, as a defense industry and as a force for good, should be doing so much more to help them understand, even a little bit, what Good Security looks like. That's what MOMBY is all about.

Also, we really, really hate the other Months of Bugs, run by self-obsessed security douches all. And that is really what MOMBY is all about.

Also, we are ourselves self-obsessed security douches. And THAT is what MOMBY is all about.

Current Mood: contemplative
Wednesday, April 25th, 2007
11:56 am
MOMBY-00010010: Video Upload "title" Image Alt Text Error
Advisory MOMBY-00010010: Video Upload "title" Image Alt Text Error
Noobz: ******
LOLz: ***
0wnz: ?

Myspace allows users to upload video content to be aggregated and ultimately viewed by other Myspace users. Due to a problem in input validation on the "title" variable for the "metaForm" portion of the video upload application, it is possible for an attacker to cause input to be displayed outside the resulting alt parameter of the video's icon image.

Though this is certainly a bug, it appears that this is not exploitable by the feeble minds of the MOMBY! Cartel, due to the correct application of Myspace XSS filtering of common XSS elements, such as <script> tags, event handlers, style expression()s and the like. Most other HTML elements are also correctly filtered. Perhaps the most interesting feature of this bug is that Myspace is clearly and correctly defending against the malicious leveraging of this bug, but still fails to correctly escape the "> sequence if provided by the user.

Screenshot: http://pics.livejournal.com/momby/pic/0000rqg1

Credit: rMrGvG of SNI-LABS first reported this bug. He reported it early on in MOMBY, so it's quite possible this was an exploitable condition then. Regardless, basic failure to escape user input is still a bug today.

Current Mood: frustrated
Tuesday, April 24th, 2007
7:44 pm
MOMBY-00010001: Clickable "numberPagesBack" XSS
Advisory MOMBY-00010001: Clickable "numberPagesBack" XSS
Noobz: ****
LOLz: **
0wnz: **

The action handler for the "Email Customer Service" form at http://collect.myspace.com/index.cfm?fuseaction=misc.contactInput contains a clickable cross-site scripting (XSS) vulnerability. The resulting page from submitting a message builds its content from parameters collected from the URI. The two parameters of note are highlighted here (url broken for readability):

&numberPagesBack=0);alert('cookie theft '%2bdocument.location);// (tiny)

Screenshot: http://pics.livejournal.com/momby/pic/0000pzyx

Similar to MOMBY-1100, this link must be clicked by a victim in order to be effective for an attacker. Unlike MOMBY-1100, however, victims need not be authenticated, which lowers the relative value of the attack; victims are not guaranteed to possess useful session information. On the gripping hand, the attacker does have some freedom to alter the emailAddress parameter in order to further persuade a victim to click on the presented "return to fix errors" link. For example, the attacker could present a false form for e-mailing Myspace customer service about something compelling, then intentionally alter the user's provided e-mail address with an engineered onSubmit() "hiccup" action immediately before loading the XSS-injected page. Victims, in turn, are more likely to believe the presented "results" do require them to reenter information.

Credit: This bug was first reported by Synthetic.

Current Mood: hopeful

Monday, April 23rd, 2007
7:44 pm
MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout
Advisory MOMBY-00010000: Myspace Cross-Site Request Forgery (CSRF) Signout
Noobz: ** 1/2
LOLz: *********
0wnz: * 1/2

Due to a lack of Referer checking or other form of validation, an attacker may arbitrarily cause Myspace users to end their sessions.

Ultimately, an attacker needs to get a user to visit the following URL to log off: http://collect.myspace.com/index.cfm?fuseaction=signout. However, due to the lack of origin checking, an attacker may cause a user to visit a link via any browser request, including background requests. Thus, for example, by setting a redirect action as a 404 error, an attacker may embed a non-existent image to trigger the session-ending GET action.

Example tag: A tag such as <img src="http://momby.phpnet.us/myspace/noimageforyou.jpg"> may be embedded throughout user-controlled areas, and may be targeted to particular users through blog comments, messages, etc.

It's important to note that automated log outs are not the only application of CSRFs.
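To show what the missing "Referer checking or other form of validation" looks like in practice, here is an added example (not MOMBY's or Myspace's code): a toy signout handler that behaves as described above, beside a hardened one that requires POST, a same-origin Origin/Referer, and a per-session token. The Request class, session store and SITE_ORIGIN value are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin that legitimately serves the signout form (assumed value for this example).
SITE_ORIGIN = "http://collect.myspace.com"
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}; in-memory store for the demo


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session plus a per-session CSRF token; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def vulnerable_signout(req):
    """The behaviour the advisory describes: any request carrying the session cookie
    ends the session, including a GET the browser issues for an <img> on another site."""
    sid = req.cookies.get("sid")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return 302, "logged out"
    return 302, "no session"


def request_origin(req):
    """Origin header if present, else the Referer's scheme://host; None if neither."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    ref = req.headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None  # no provenance at all: treated as untrusted below


def hardened_signout(req):
    """State change only via POST, only from our own origin, only with the session's
    token. Every check fails closed; a missing Origin/Referer is rejected too."""
    sid = req.cookies.get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 302, "no session"
    if req.method != "POST":
        return 405, "signout requires POST"
    if request_origin(req) != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "bad csrf token"
    del SESSIONS[sid]
    return 302, "logged out"


def demo():
    """Replay the image-triggered GET and a forged POST against both handlers."""
    results = {}
    # 1. Background <img> fetch: GET with the cookie, Referer is the page embedding the tag.
    sid = login("tom")
    img_get = Request("GET", headers={"Referer": "http://third-party.example/page"},
                      cookies={"sid": sid})
    results["vuln_status"], _ = vulnerable_signout(img_get)
    results["vuln_logged_out"] = sid not in SESSIONS

    sid = login("tom")
    img_get.cookies["sid"] = sid
    results["hard_get_status"], _ = hardened_signout(img_get)
    # 2. A forged POST from an off-site form: right method, wrong origin, no token.
    forged_post = Request("POST", headers={"Referer": "http://third-party.example/page"},
                          cookies={"sid": sid}, form={})
    results["hard_post_status"], _ = hardened_signout(forged_post)
    results["still_logged_in"] = sid in SESSIONS
    # 3. The genuine signout form: POST from our origin carrying the session's token.
    legit = Request("POST", headers={"Origin": SITE_ORIGIN}, cookies={"sid": sid},
                    form={"csrf": SESSIONS[sid]["csrf"]})
    results["legit_status"], _ = hardened_signout(legit)
    results["legit_logged_out"] = sid not in SESSIONS
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```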

Credit: AwEsOmE AnDrEw reported specifically the .htaccess-enabled attack in order to silently log out users, and earned a pile of extra LOLs thanks to this vector (to read the specific .htaccess syntax provided, see http://momby.phpnet.us/myspace/.htaccess).

Current Mood: awake
Friday, April 20th, 2007
7:05 pm

It's been 420 all day.

I had this really great bug to post. It was really funny. But damn if I didn't totally forget it.

Oop, Spongebob is on. Gotta go.


Current Mood: i think i'm feeling it
Thursday, April 19th, 2007
10:04 pm
MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS
Advisory MOMBY-00001111: Myspace FriendsView.aspx "__VIEWSTATE" POST XSS
Noobz: **
LOLz: ****
0wnz: *** 1/2

An interesting find, this is an Ajax control present on all "View Friends" pages. Useful for POST-based XSS attacks (which will usually require a form posted off-site in order to trigger), this vulnerability will be exercised in a fashion similar to MOMBY-1001.

First, a simplified attack form for demo purposes:

This can of course be modified to be a one-click or onLoad submit action, requiring only the page to load in the victim's browser. Screenshot of the above form in action: http://pics.livejournal.com/momby/pic/0000hw8z

In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode and save the binary, and edit the section at offset 0xdb using his favorite hex editor. This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

Once that's complete, the attacker may re-encode the resulting file back to a single-line base64 format, and voila! An exploit that is not only completely unfiltered at Myspace.com, but is basically impossible to detect by any other means, such as third-party XSS-filtering proxies or browser add-ons (the stealth is worth at least a half an 0wn right there).

This form and its related Ajax cousins are a rich area of unfiltered exploitation, as it is not an obvious vector for most casual XSS bug-hunters. We here at M.O.M.B.Y! hope the original reporter will take a moment to explain further his methodology in finding this bug using the anonymous comment section of this journal.

Note, though, attackers are limited to 127 characters, as the length parameter is a signed single-byte integer. That's plenty of room for evil, though; recall that elements referenced from other sites (such as <script src="www.example.com/whatever.js">) are run in the same context as the originating page, so complex scripts need not be contained in the 127 byte limit.
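The TLV edit described above, and the integrity check that would make it detectable, as an added example (not Myspace's or ASP.NET's actual serializer): a toy one-byte-type, one-byte-length node format in the shape quoted above, the hex-editor style node replacement, and an HMAC tag appended to the serialized state so a re-encoded blob fails verification. Node types, the sample header text and SERVER_KEY are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, generated for this example
TYPE_STRING = 0x05                    # the string node type quoted in the advisory
TAG_LEN = 32                          # HMAC-SHA256 output size


def encode_tlv(nodes):
    """Serialize [(type, value_bytes)] as one type byte, one length byte, value."""
    out = bytearray()
    for t, v in nodes:
        if len(v) > 127:
            raise ValueError("value longer than the single-byte length field allows")
        out += bytes([t, len(v)]) + v
    return bytes(out)


def decode_tlv(blob):
    """Walk the nodes; a length byte that overruns the buffer is a parse error."""
    nodes, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated node header at offset {i:#x}")
        t, n = blob[i], blob[i + 1]
        v = blob[i + 2:i + 2 + n]
        if len(v) != n:
            raise ValueError(f"length {n} overruns buffer at offset {i:#x}")
        nodes.append((t, v))
        i += 2 + n
    return nodes


def unsigned_viewstate(nodes):
    """The form the advisory exploits: bare base64, nothing ties it to the server."""
    return base64.b64encode(encode_tlv(nodes)).decode()


def load_unsigned_viewstate(b64):
    """Server side with no integrity check: whatever arrives is parsed and trusted."""
    return decode_tlv(base64.b64decode(b64))


def signed_viewstate(nodes, key=SERVER_KEY):
    """Hardened form: HMAC-SHA256 over the serialized nodes is appended before encoding."""
    body = encode_tlv(nodes)
    return base64.b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode()


def load_signed_viewstate(b64, key=SERVER_KEY):
    """Verify the tag in constant time before parsing; None means tampered/corrupt."""
    raw = base64.b64decode(b64)
    if len(raw) < TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return decode_tlv(body)


def edit_string_node(b64, old, new):
    """The hex-editor step from the advisory: replace one string node (type, length,
    value) with another and re-encode, leaving any trailing bytes untouched."""
    raw = base64.b64decode(b64)
    old_node = bytes([TYPE_STRING, len(old)]) + old
    new_node = bytes([TYPE_STRING, len(new)]) + new
    return base64.b64encode(raw.replace(old_node, new_node, 1)).decode()


def demo():
    """Tamper with the header-text node in both encodings; report what the server sees."""
    header = b"Tom's Friends..."            # 16 bytes, i.e. the |05 10| node from the text
    nodes = [(0x01, b"\x00"), (TYPE_STRING, header), (0x02, b"\x01")]
    edited = b"Edited header"               # constructed replacement text

    tampered_plain = edit_string_node(unsigned_viewstate(nodes), header, edited)
    accepted = load_unsigned_viewstate(tampered_plain)[1][1]   # server displays this

    signed = signed_viewstate(nodes)
    tampered_signed = edit_string_node(signed, header, edited)
    return {
        "length_byte": encode_tlv([(TYPE_STRING, header)])[1],
        "unsigned_server_shows": accepted.decode(),
        "signed_untouched_ok": load_signed_viewstate(signed) == nodes,
        "signed_tampered_rejected": load_signed_viewstate(tampered_signed) is None,
    }


if __name__ == "__main__":
    print(demo())
```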

Credit: Richtr first reported this bug. He also claims that forms such as these may be embedded in a personal profile Friends page, implying that this can be used to launch an XSS worm. We haven't tested this implementation.

Current Mood: chipper
Wednesday, April 18th, 2007
11:55 pm
MOMBY-00001110: Careless Myspace Credential Theft (And comedianJoin XSS)
MOMBY-00001110: Careless Myspace Credential Theft (And comedianJoin XSS)
by special guest advisory author, teh_commodore
n00bz: *******
LOLz: *******
0wnz: .0375

Just like all other bugs posted so far, this one relies on the user almost voluntarily revealing their authentication credentials. Troll livejournal accounts, and look for someone's authentication credentials. This may be in the form of a screenshot of some supposed hack or bug.

Screenshot: http://pics.livejournal.com/momby/pic/0000e7d1

From here, type in the user's credentials at myspace and there you have it. Sub-bug, Myspace doesn't send out an e-mail to the user when they go to change their password. You can do it all right there without any further intrusion necessary.

Screenshot: http://pics.livejournal.com/teh_commodore/pic/000049ct

Link: http://www.myspace.com/mombysux

This is the account set up by the MOMBY boys for their previous advisory. Don't believe me? Look here.

Screenshot Numero 00000010: http://pics.livejournal.com/teh_commodore/pic/00003z77

Unfortunately, once the user recovers his or her password, which will be the one you changed it to, they can regain control of their account. No worries though, if you can get to their e-mail account via the previous bug, you can change the e-mail account to which the myspace account is tied. This moves the 0wnz up to **.

To further specify the flaw, the real account hack comes with changing the e-mail address tied to the account you now have temporary control over. This changes temporary control to permanent, at least until the user gets the Myspace secret police involved (more on this later). To change the e-mail address, Myspace requires you to enter a randomly (?) generated code that was e-mailed to your current e-mail account.

Screenshots: http://pics.livejournal.com/teh_commodore/pic/00006h8h


If this e-mail is also intercepted, the attacker can now change the e-mail address of the account to their e-mail address. This means full account access and relatively-permanent control.

Now to the Myspace response to stolen accounts. In order to return control of someone's account back to them, Myspace requires a "salute" from the person whose account was stolen. A salute is a picture of that person holding a sign with the friend ID on it.

I'm not clear what happens with the salute, or how it helps anything, but I do have a guess. The only thing that makes sense is if they plan to match the face in the "salute" to the pictures posted on the target account. If that's the case, then all one would have to do is delete all pictures of the target from the account. This is all speculation.

This is, of course, unless the changes are "obviously cruel/false," in which case Myspace at least suggests that they will move faster, and without the need of a "salute".

Point is, once an attacker has complete control of someone's account, via linking the account to their e-mail instead of the original user's, the entire process required for the user to regain control is very long and arduous. So an attacker could have the fake account for several days/weeks before anything is done.

Credit: Teh_Commodore.

MOMBY Addendum: Thanks for the excellent writeup, Teh_Commodore! Hope you don't mind that we mashed up the two posts together and altered the title a bit (yours was a little long). Since you went to all this effort to prove how lame we are, we felt that we should promote this to a proper journal entry. Again, thanks for your hard work! You showed us!

Bonus Bug: In addition to teh_commodore's bug, we'd like to also disclose a form-based XSS at http://signup.myspace.com/index.cfm?fuseaction=comedianJoin.step1verify, which is the POST action for the http://signup.myspace.com/index.cfm?fuseaction=comedianJoin web application. The "password" and "passwordConfirm" variables do not apply any filtering to HTML elements, including <script> tags. This is easily demonstrated by entering ">0wned as a password. Screenshot: http://pics.livejournal.com/momby/pic/0000fpb3. Credit for this goes to MustLive. Bonus 0wnz: +2 stars.

Current Mood: envious
Tuesday, April 17th, 2007
8:57 pm
MOMBY-00001101: Cleartext Password Recovery via E-Mail
Advisory MOMBY-00001101: Cleartext Password Recovery via E-Mail
Press Embargo until April 17, 2007

Noobs: *****
 LOLs: **
 0wnz: ** 1/2

In MOMBY-111 we discussed the cleartext authentication via the web interface. So, perhaps it's unsurprising to find cleartext passwords being revealed in the e-mail generated when clicking the "Forgot your password?" link on http://www.myspace.com.

Screenshot: http://pics.livejournal.com/momby/pic/0000e7d1

Due to this implementation bug, parties in a position to intercept e-mail are also in a position to recover Myspace passwords.

One may argue that people who operate e-mail in a cleartext manner have more to worry about. But recall that anyone may trigger this cleartext password reveal; thus, an attacker who may watch cleartext e-mail exchanges (again, most commonly an eavesdropper who is listening on a public wireless segment) may induce a password revelation at will. He need not wait for his victim to log in to Myspace, but may instead wait for the victim to download e-mail over a cleartext channel (such as Yahoo! webmail), which in this setting, may be considerably more often.

Also note, Fox Interactive does not inform Myspace users when their passwords have been revealed in this way. Thus, an attacker who has complete control over a mail account (such as an untrustworthy mail administrator or a government investigator), may induce the password reveal, intercept the message, then delete the message, without the victim's knowledge.

Credit: Dammit, now you know my awesum password!!!

Current Mood: complacent

Monday, April 16th, 2007
9:02 pm
Advisory MOMBY-00001100: Clickable "returnPath" XSS
Advisory MOMBY-00001100: Clickable "returnPath" XSS
Press Embargo until April 16, 2007

Noobs: ****
 LOLs: **
 0wnz: **

A pretty straight-forward XSS advisory for today. By supplying a user-defined value to the returnPath variable of the messageboard.posted application, attackers may supply a clickable javascript (or apparently any other protocol handler) URI.

The challenge is to make this useful for an attacker. This would likely involve some measure of social engineering to convince the victim to actually click on the "Back to Forum" link. Alternatively, an attacker could take advantage of an origin violation browser bug to automatically click on the link on the user's behalf.

Example link: http://forum.myspace.com/index.cfm?fuseaction=messageboard.posted

Unlike most of our other XSS advisories, this link will only work correctly if the victim is already logged in; thus, a cookie-stealing attack, in this case, is guaranteed to have immediately usable results.

Screenshot: http://pics.livejournal.com/momby/pic/0000d19t

Credit: Synthetic, who upon reflection has decided that listing a Myspace page as a contact point in a Myspace security advisory may not have been the wisest decision.

Current Mood: energetic

Friday, April 13th, 2007
4:14 pm
MOMBY-00001011: XSS "Space Invader" Evasion
Advisory MOMBY-00001011: XSS "Space Invader" Evasion
Press Embargo until April 13, 2007

Noobs: ***
 LOLs: *****
 0wnz: ****

In advisory MOMBY-00001001, we discussed an HTML insertion technique, and gave up on attempting to promote it to XSS. But never fear! Thanks to the diligent efforts of our readers, we now may present the "space invader" technique of circumventing this (and similar) XSS filtering mechanisms.

First, the problem: The XSS filters around the searchForm applications on events.myspace.com make it difficult to create useful XSS attacks because a) XSS-ish elements such as event handlers, expression() style elements, etc. are stripped, and b) whitespace is stripped. The solution? Take advantage of one filter to circumvent the other! It appears there are at least two (and probably three, according to observations) phases to XSS filtering, and attackers can take advantage of the cascading effect of multiple passes over the input. The pseudo-code looks something like this (using Perl notation):

my $input    = $ARGV[0];   # attacker-controlled field, e.g. "expre ssion"
my $badwords = qr/script|expression|onmouseover|onclick|onload/i;   # and so on
# pass 1: the blacklist check runs against the input as submitted
if ($input =~ $badwords) {
    $input = '..';
}
# pass 2: whitespace is stripped afterwards, reassembling any keyword split by a space
$input =~ s/\s//g;

Thus, attackers may invade their code with spaces. "Expre ssion" does not match the check for "expression," then the spaces are removed, then the input is reflected back to the user.

The following works for Internet Explorer:


Note, the above code will send IE 6 into an infinite loop. A real attack will need to be a bit more subtle, of course -- and an onload with an inserted image tag will work for both Firefox and IE.
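The filter-ordering flaw behind the "space invader" technique, as an added example (not Myspace's filter; the blacklist and the ".." replacement are reconstructed from the Perl pseudo-code above): the check-then-strip order beside a version that canonicalizes first and re-checks until the value stops changing. The sample inputs are constructed.

```python
import re

# Blacklist and "blocked" marker reconstructed from the advisory's Perl pseudo-code.
BADWORDS = re.compile(r"script|expression|onmouseover|onclick|onload", re.I)
WHITESPACE = re.compile(r"\s+")
BLOCKED = ".."


def vulnerable_filter(value):
    """Observed order: the keyword check sees the raw input, then whitespace is
    removed. A keyword split by a space passes the check and is reassembled."""
    if BADWORDS.search(value):
        return BLOCKED
    return WHITESPACE.sub("", value)


def canonicalize(value):
    """Every transformation later passes will apply to the value, done up front."""
    return WHITESPACE.sub("", value)


def hardened_filter(value):
    """Canonicalize, then check, and re-check until the value stops changing, so no
    later pass can produce a keyword the check never saw. Blacklists remain a weak
    control; contextual output encoding is the primary defence against XSS."""
    current = value
    for _ in range(8):                 # bounded loop; canonicalize() only shrinks
        normalized = canonicalize(current)
        if BADWORDS.search(normalized):
            return BLOCKED
        if normalized == current:
            return normalized
        current = normalized
    return BLOCKED                     # never converged: fail closed


# Constructed inputs: a plain keyword, the space-invaded keyword from the advisory,
# a tab-split keyword, and a benign value a real user would type.
SAMPLES = ["expression", "expre ssion", "on\tload", "Austin, TX 78701"]


def compare(values=SAMPLES):
    """Run both filters over the samples; returns {input: (vulnerable, hardened)}."""
    return {v: (vulnerable_filter(v), hardened_filter(v)) for v in values}


if __name__ == "__main__":
    for value, (vuln, hard) in compare().items():
        print(f"{value!r:22} vulnerable -> {vuln!r:14} hardened -> {hard!r}")
```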

Credit: MustLive first reported the space invasion. As a mark of his genius, it is now obvious, and we feel pretty dumb for missing it. He also has some much nicer exploits than the one above.

Weekend Update

Note, there will be no advisories from MOMBY over the weekend. We expect the Myspace security responders would like some time away from work for a couple days, and we have a busy weekend ahead of us of bacchanalian debauchery -- for details, look for photos of mysterious men in false mustaches on SpyOnVegas.com. So, either wait around for Monday's advisory, or write your own advisory/exploit. Hacking is not a spectator sport.

Current Mood: amused
Thursday, April 12th, 2007
8:49 pm
MOMBY-00001010: Multiple Myspace Operational Bugs
Advisory MOMBY-00001010: Multiple Myspace Operational Bugs
Press Embargo until April 12, 2007

Noobs: ****
 LOLs: *
 0wnz: ***

As part of the ongoing series of Myspace password thefts, one such list of just over 550,000 entries was posted to the highly-trafficked Full-Disclosure mailing list on January 15, 2007. The attack used was of the sort described in recent MOMBY advisories.

While this is three-month old news, the "bug" exposed by this event is one of operational security, which speaks to a lack of a coherent, organized security policy to deal with such events.

  1. Myspace was unaware of the issue for at least 48 hours, or otherwise failed to act. This indicates either a lack of basic security intelligence, or a lack of a coherent, written security response plan in the event of a disaster (or, half a million users compromised does not constitute a disaster).

  2. Given that Fox Interactive had already gone through a similar exercise less than a year prior (reported here and picked up by Digg), the security plan of early 2006 did not contain a post-mortem phase for disaster recovery.

  3. The security organization at Fox Interactive does not appear to have a full understanding of How The Internet Works. This is evinced by the attempts to quash the spread of the password list by asking various registrars and ISPs to disable web sites hosting the password list (such as the SecLists.Org incident). This speaks to a basic lack of training or hiring qualifications for Myspace's security responders. Screenshot: http://tinyurl.com/2q85zh
  4. Myspace's Privacy Policy states, in part, "MySpace.com takes precautions to insure that member account information is kept private." (Emphasis added.) This is incorrect, as there is no obvious means to purchase or otherwise acquire the insurance mentioned. In the likely event this is a grammar error, Myspace probably intended to state that they "ensure that member account information is kept private." However, this is also incorrect, given the cleartext exposure of passwords detailed in MOMBY-111. In either case, it is clear there was inadequate review of the Privacy Policy by anyone familiar with Myspace authentication.

  5. Finally, no coordinated action has been taken in light of the half-million password leak, now almost 90 days past; namely, many accounts remained active at least at the time of the SecLists.Org incident, and to date, the account holders have not been informed directly by Myspace their passwords have been compromised. While it's uncomfortable to officially recognize security incidents, mature organizations understand that these actions are the only responsible position to take.

Credit: Mondo Armando, MOMBY. And everyone else who thought about this issue for more than five minutes. And yes, that's five, count 'em five, bugs in one advisory. I dare you to post a comment that this "isn't a bug report." Also, yes, the screenshot has nothing to do with the advisory. I just thought it might alleviate the boredom of reading a rant about policy documents.

Current Mood: preachy

Wednesday, April 11th, 2007
7:08 pm
Special Guest Advisory: CAU-2006-0001

Instead of busting our hump and posting yet another XSS for the day, we here at MOMBY are proud to introduce a special guest advisory, brought to you by the fine non-criminals at Computer Academic Underground. It's more or less new -- as far as we know, CAU hasn't done a lot to publicize this (very well-written) attack.

Enjoy. We're spending the rest of the night eating Cheetos and watching Lost.

Current Mood: lazy
Tuesday, April 10th, 2007
10:00 pm
MOMBY-00001001: Myspace Events searchForm "zip" HTML insertion
Advisory MOMBY-00001001: Myspace Events searchForm "zip" HTML insertion
Press Embargo until April 10, 2007

Noobs: ***
 LOLs: ****
 0wnz: ***

It is possible to break out of the zip parameter of the events search form on http://events.myspace.com using simple quote insertion, allowing for somewhat arbitrary HTML. The form is presented here: http://events.myspace.com/index.cfm?fuseaction=events&Mytoken=x.

The filtering that is available does limit the usability of this vulnerability somewhat; quick manual auditing of script tags, expression attributes, et cetera, reveals that there is little room for maneuvering in this attack. The filtering of whitespace makes this vector especially difficult to work with. However, for Firefox, we are able to come up with the below:

Screenshot: http://pics.livejournal.com/momby/pic/0000btbr

This is the code to produce the html:

<FORM name="searchForm" action="http://events.myspace.com/index.cfm?fuseacti
on=events&Mytoken=x" method="post">
 <INPUT type="hidden" size=100 value='"></div></div><span/
"center">Win	A	Date	With	Tila	Tequila!!</h1><div/align="center">
tila_nguyen_20.jpg"></span	a="' id="eventsearchzip" name="zip" /> <a
href=# onClick="document.searchForm.submit()">Click here for awesomeness!</a>

The above is wrapped horribly -- the bolded red part is the important bit. A simpler demo is to enter ">0wned! in the zip code input field and notice the phrase reflected outside the field. But that has far fewer boobies. Also note, since this is a POST action, an attacker would need to construct an HTML form like the one above and entice users to click on it. (Attempts to convert to a GET were fruitless.)

In the above, note the use of the slash character as a word separator -- while this is valid for Firefox 2.x, this does not work for Internet Explorer. However, in some cases, <TAB> characters will work as whitespace for IE, especially for #text nodes. None of this is to say that it's impossible to exploit for IE users; it's just not particularly easy on the fly. No doubt, your local professional Cyber-Terrorist(tm) already has working code for insertion points such as this.

Credit: rMrGvG of sni-labs first reported this HTML insertion vulnerability. Olé!

Current Mood: artistic

Monday, April 9th, 2007
8:13 pm
MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS

Advisory MOMBY-00001000: Myspace "Fuseaction" Event Handler XSS
Press Embargo until April 9, 2007


Noobs: **
 LOLs: *******
 0wnz: *****

A cross-site scripting vulnerability exists in the "index.cfm?fuseaction" web application on Myspace.com. Fuseaction is the main navigation application, common to nearly all aspects of the *.myspace.com domain. This XSS vector is good for all tested areas of Myspace. The problem occurs due to a lack of quote-termination sanitation on the URL, which is subsequently represented to the user.

This vulnerability ranks two "Noobs" due to the complexity of the underlying response -- the XSS insertion point is not immediately obvious in the HTTP responses generated when inspecting the transactions using simple web code auditing techniques using FireBug and TamperData. Note, these are both excellent tools for discovering low-hanging XSS fruit -- just not this one.

Sample link: http://www.myspace.com/index.cfm?fuseaction=splash&schoolID=test'/onload='alert(document.location)

(Works for both IE and Firefox)

Screenshot: http://pics.livejournal.com/momby/pic/0000abhy

Credit: Wladimir first reported this vulnerability. He is also smarter than MOMBY, and provided several other vectors and implementations of this bug, but not much in the way of discovery methodology or background. Hopefully he (or someone else more familiar with the vulnerability) will explain the details a little better in the comments section of this advisory.

Current Mood: contemplative

Saturday, April 7th, 2007
10:54 pm
What Would Jesus 0wn?
There will be no MOMBY advisories posted on Easter, on account of Jesus.

Current Mood: pious
10:44 am
MOMBY-00000111: Myspace Cleartext Authentication

Advisory MOMBY-00000111: Myspace Cleartext Authentication
Press Embargo until April 7, 2007


Noobs: ***
 LOLs: *****
 0wnz: ****

The Myspace website authentication system requires users to expose usernames and passwords in cleartext. The login application is a standard <FORM> presented usually on http://www.myspace.com and http://login.myspace.com with a form handler at http://login.myspace.com. There is no assurance made or implied to the user that either the login form or the login information is cryptographically secure.

Example HTTP request for a Myspace login:

POST /index.cfm?fuseaction=login.process&MyToken=[token] HTTP/1.1
Host: login.myspace.com
User-Agent: Mozilla/5.0 ([browser info])
Accept: text/xml,[browser accept options, etc.]
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.myspace.com/
Cookie: MSCulture=IP=; [other cookie information]
Content-Type: application/x-www-form-urlencoded
Content-Length: 168

This exposes the user name and password to any listener on the local network or intermediate networks. As MySpace is usually in the top five of most-accessed websites in the world, a sizable fraction of logins must originate from insecure networks. Insecure networks would include public wireless hotspots and larger jurisdictions subject to pervasive state-sanctioned eavesdropping, such as the People's Republic of China and the United States of America.

Listening for login credentials on a local segment is trivial with an application such as Wireshark or ngrep. If these credentials are captured, attackers may immediately compromise the targeted account.

Screenshot: http://pics.livejournal.com/momby/pic/00009att

It's interesting to note, while the www.myspace.com host does not offer an HTTPS listener on port 443 for more security-conscious users, login.myspace.com:443 is listening and has a valid SSL certificate. However, this interface appears to offer only a 302 redirect to https://www.myspace.com -- which doesn't exist. Why this is implemented this way is a mystery.
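The check a site owner (or a curious user) would want here is mechanical: does any form on the page that carries a password field submit to an https:// handler, and is the page that serves the form itself delivered over TLS? The following is an added example, not code from the MOMBY post; the sample login page is constructed to match the layout described above (form on http://www.myspace.com, handler at http://login.myspace.com), and the field names and the "theForm" name are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a login form served from http://www.myspace.com
# that posts to a cleartext handler on login.myspace.com, plus an unrelated
# search form that carries no password and must not be flagged.
SAMPLE_PAGE_URL = "http://www.myspace.com/"
SAMPLE_PAGE = """
<html><body>
<form name="theForm" method="post"
      action="http://login.myspace.com/index.cfm?fuseaction=login.process">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""


class LoginFormAuditor(HTMLParser):
    """Record every <form>, its resolved action, method and whether it
    contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # relative actions resolve against the page URL
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, markup):
    """Return one finding per password-carrying form, listing the ways the
    credentials are exposed in transit (empty list means the form is clean)."""
    parser = LoginFormAuditor(page_url)
    parser.feed(markup)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        problems = []
        if urlsplit(form["action"]).scheme != "https":
            problems.append("credentials submitted over cleartext HTTP")
        if urlsplit(page_url).scheme != "https":
            # an https action is little help if the form itself arrived over
            # HTTP: anyone on the path can rewrite the action before the
            # user sees it
            problems.append("login form delivered over cleartext HTTP")
        if form["method"] != "post":
            problems.append("credentials would be placed in the URL (GET form)")
        findings.append({"action": form["action"], "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print(finding["action"], "->", finding["problems"] or "ok")
```

Run against the constructed page the auditor reports two problems for the login form and ignores the search form; feed it the same markup with an https:// page URL and handler and the problem list comes back empty.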

Credit: Just about anyone with a passing interest in security has noticed this -- this bug is a large component of MySpace's reputation of insecurity.

Friday, April 6th, 2007
4:38 pm
MOMBY-00000110: Myspace Jobs Search XSS

Advisory MOMBY-00000110: Myspace Jobs Search XSS
Press Embargo until April 6, 2007


Noobs: **
 LOLs: ***
 0wnz: ***

The "careers.search" application at http://jobs.myspace.com is vulnerable to cross-site scripting (XSS) attacks. While this insertion point is valid for all browsers worth mentioning, it should be noted that the insertion point is for the event handler of an <INPUT> tag, and does not appear to allow for direct insertion of <SCRIPT> tags. While this does limit the style of attack -- attackers need to be careful with spaces and quotes -- the substance of the attack should be unaffected given some creative syntax.

As with all MOMBY Advisories, actually leveraging XSS to do something useful is left as an exercise to the reader. Google "XSS" and learn all about it. It's great fun and nobody takes XSS seriously.

Example link: http://jobs.myspace.com/index.cfm?fuseaction=careers.search&sb=&locale=US&startIndex=0&keywords=&location=%22+onMouseOver%3Dalert%28document.location%29%3E&x=0&y=0
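All three attribute-context bugs in this run (the "fuseaction" schoolID reflection above, this careers.search location reflection, and the slash-as-separator HTML insertion discussed earlier) share one root cause and one fix: the parameter is echoed into an attribute value without attribute encoding, so a stray quote ends the attribute and whatever follows becomes a new one. The block below is an added example, not code from the MOMBY post or from Myspace; the template, the "keywords" field name, and the slash-separated variant are assumptions. It renders each payload shape through a vulnerable template and through the same template with proper encoding, then uses Python's own HTML parser to count the on* attributes that result.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed inputs, modelled on the payload shapes quoted in the advisories:
# the single-quote/slash form from the "fuseaction" bug, the double-quote/space
# form from careers.search, and a slash-only separator of the kind the HTML
# insertion write-up discusses (Firefox accepts "/" between attributes where IE
# wants whitespace). Each entry: (quote style the template uses, raw value).
PAYLOADS = {
    "fuseaction_schoolID": ("'", "test'/onload='alert(document.location)"),
    "careers_location": ('"', unquote_plus("%22+onMouseOver%3Dalert%28document.location%29%3E")),
    "slash_separated": ('"', 'x"/onmouseover="alert(1)'),
}


def render_vulnerable(value: str, quote: str) -> str:
    """Echo the request parameter straight into an attribute value (the bug)."""
    return f'<input type="text" name="keywords" value={quote}{value}{quote}>'


def attr_encode(value: str) -> str:
    """HTML attribute encoding: & < > " and ' all become entities, so the value
    can never close the attribute whichever quote style the template uses."""
    return html.escape(value, quote=True)


def render_fixed(value: str, quote: str) -> str:
    """Same template, value encoded first."""
    return render_vulnerable(attr_encode(value), quote)


class EventHandlerFinder(HTMLParser):
    """Collect every on* attribute the parser sees on any start tag."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:  # attribute names arrive lower-cased
            if name.startswith("on"):
                self.handlers.append((tag, name))


def injected_handlers(markup: str):
    """Return [(tag, attribute), ...] for event handlers present in markup."""
    parser = EventHandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.handlers


def compare_all():
    """For each payload: handlers found in the vulnerable vs. the fixed rendering."""
    return {
        name: (injected_handlers(render_vulnerable(value, quote)),
               injected_handlers(render_fixed(value, quote)))
        for name, (quote, value) in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare_all().items():
        print(f"{name}: vulnerable={before} fixed={after}")
```

The point of running the three shapes through one encoder is that the separator question (space vs. slash vs. tab) only ever matters after the quote has been terminated; encode the quote and the separator tricks have nothing to separate.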

Screenshot: http://pics.livejournal.com/momby/pic/000089eb

Credit: The reporter of this vulnerability prefers to remain any mouse.

Apologies: I'm sorry for being a weepy drunk yesterday. I'm over it. Mustachio didn't die, by the way. Although, upon reflection, we probably should have called an ambulance rather than post an auth bypass bug.

Thursday, April 5th, 2007
11:08 pm
Advisory MOMBY-00000101: Myspace Pics Authentication Bypass

Advisory MOMBY-00000101: Myspace Pics Authentication Bypass
Press Embargo until April 5, 2007


Noobs: ****
 LOLs: ****
 0wnz: * 1/2

Each Myspace profile has a "Pics" section where users may upload pictures, typically of themselves and their outrageous hair-dos. Clicking on the "Pics" URL of a member profile will take the user to the URL http://viewmorepics.myspace.com/index.cfm?fuseaction=user.viewPicture&friendID=XXXX, where "XXXX" is the FriendID of the user. At this point, viewmorepics.myspace.com checks to see if a valid MYUSERINFO cookie is set; if not, the user is redirected (via a 302 Object Moved response) to the login page.

This redirect, of course, sucks for people who don't want to give up their e-mail address in order to view some lousy snapshots of their ex-girlfriend and her new boyfriend.

So, instead, MOMBY suggests an alternate URL for the "Pics" list: http://myspace.com/services/media/photosXML.ashx?friendid=XXXX. This displays the underlying XML of the user's "Pics" set, as shown in the screenshot below. From there, it's trivial to view all the pictures, all without logging in and getting snagged by some "Myspace Tracker," which is apparently what the kids are now calling "information disclosure XSS exploits."

Screenshot: http://pics.livejournal.com/momby/pic/00007a5r

Note, the correct FriendID can be determined by simply hovering over the "Pics" link and noting the target displayed in the browser status bar.
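The structural problem here is that the login check lives on the "Pics" page handler rather than on the data behind it, so the XML feed at photosXML.ashx simply never asks for the MYUSERINFO cookie. The block below is an added example, not Myspace code or anything from the MOMBY post: it models both endpoints with a per-handler opt-in check (the bug) and then with a dispatcher that requires a session for every path not explicitly listed as public (the fix). The cookie validation, the photo data and the public-path list are constructed for the example; only the path names, the cookie name and the parameter names come from the advisory.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    url: str                                   # path plus query string
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


LOGIN_URL = "http://login.myspace.com/"        # redirect target from the advisory

# Stand-in for session validation: MYUSERINFO is the cookie the advisory
# names; the "valid:" prefix is a constructed placeholder for a real check.
def session_valid(cookies: Dict[str, str]) -> bool:
    return cookies.get("MYUSERINFO", "").startswith("valid:")


# Constructed photo data keyed by FriendID.
PHOTOS = {"1234": ["hair1.jpg", "hair2.jpg"]}


def view_picture(req: Request, query: Dict) -> Response:
    """The HTML 'Pics' page: index.cfm?fuseaction=user.viewPicture&friendID=X"""
    friend_id = query.get("friendID", [""])[0]
    return Response(200, body=f"<html>{len(PHOTOS.get(friend_id, []))} pics</html>")


def photos_xml(req: Request, query: Dict) -> Response:
    """The XML feed behind it: /services/media/photosXML.ashx?friendid=X"""
    friend_id = query.get("friendid", [""])[0]
    items = "".join(f"<photo>{n}</photo>" for n in PHOTOS.get(friend_id, []))
    return Response(200, body=f"<photos>{items}</photos>")


def login_required(handler):
    """Per-handler opt-in check: whoever writes a new handler must remember it."""
    def wrapped(req, query):
        if not session_valid(req.cookies):
            return Response(302, location=LOGIN_URL)
        return handler(req, query)
    return wrapped


# The bug as described: the page is decorated, the feed behind it is not.
ROUTES_OPT_IN = {
    "/index.cfm": login_required(view_picture),
    "/services/media/photosXML.ashx": photos_xml,
}

# The fix: the same handlers, undecorated, behind a dispatcher that fails
# closed. Only paths in PUBLIC_PATHS (constructed list) skip the session check.
ROUTES_DENY_DEFAULT = {
    "/": lambda req, query: Response(200, body="splash"),
    "/index.cfm": view_picture,
    "/services/media/photosXML.ashx": photos_xml,
}
PUBLIC_PATHS = {"/"}


def _lookup(routes, req):
    parts = urlsplit(req.url)
    return parts.path, routes.get(parts.path), parse_qs(parts.query)


def dispatch_opt_in(req: Request) -> Response:
    _path, handler, query = _lookup(ROUTES_OPT_IN, req)
    return handler(req, query) if handler else Response(404)


def dispatch_deny_default(req: Request) -> Response:
    path, handler, query = _lookup(ROUTES_DENY_DEFAULT, req)
    if handler is None:
        return Response(404)
    if path not in PUBLIC_PATHS and not session_valid(req.cookies):
        return Response(302, location=LOGIN_URL)
    return handler(req, query)


if __name__ == "__main__":
    anon = Request("/services/media/photosXML.ashx?friendid=1234")
    print("opt-in:", dispatch_opt_in(anon).status, "deny-default:", dispatch_deny_default(anon).status)
```

With the opt-in table the anonymous XML request returns 200 and the full photo list, which is exactly the bypass above; with deny-by-default the same request is redirected to login, and a forgotten decorator on some future endpoint costs availability rather than confidentiality.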

Credit: AwEsOmE AnDrEw, who was thoughtful enough to package this up in an easy to use format, the Lame Myspace Picture Raper, here: http://www.awesomeandrew.net/downloads/lmpraper.zip. This is a VBScript application, which means that "Internet Explorer" has to be in your personal set of "easy to use" things.

Why This Lame Bug: We thought we posted a bug for today, but then remembered; that wasn't bug-posting, that was beer and whiskey shooters since 3pm! Dammit! And that would explain why every lamp in the apartment is broken, and that explains why I'm typing this in the dark while Mustachio is passed out, fairly precariously, on the balcony!

So, we kinda needed an easy one. Plus, you people don't appear to actually appreciate the good bugs. You "oo" and "ah" over them, but where's the press? "Month of MySpace bugs starts with a dud" is the last we've heard. No follow-up headline of "MOMBY Kicks Ass With Insightful XSS Explanations" to be seen? Fine, fuckers. Have it your way. We have plenty of "duds" left, if that's what you want.

And we've been drinking. Just as soon as we sober up, we're going to find that Jeremy Kirk guy and tell him what-for.

Current Mood: cranky

Wednesday, April 4th, 2007
7:55 pm
MOMBY-00000100: MySpace XSS (filter evasion)

Advisory MOMBY-00000100: MySpace XSS (classifieds.searchCategory)
Press Embargo until April 4, 2007


Noobs: **
 LOLs: ****
 0wnz: *** 1/2

In MOMBY-00000011, we discussed a well-filtered HTML and link insertion in the classifieds.searchCategory on http://classifieds.myspace.com. Let's look again, shall we?

Example url: http://classifieds.myspace.com/index.cfm?fuseaction=classifieds.searchCategory&keyword=%22%20style=%22zing:expre%00ssion(document.write('<table><tdvalign=top>Your Cookie:<br><b>'%2bdocument.cookie%2b'</b><h1>greetz Shades!<br>http://www.mrshades.org/momby</td><td>My girlfriend:<br><img src=http://i12.photobucket.com/albums/a206/Cide_FX/Tila/TilaTequila.jpg></td></table>'))

Smaller: http://tinyurl.com/3cohn5

Screenshot: http://pics.livejournal.com/momby/pic/000069xg

The important bit is style=%22zing:expre%00ssion(. Note the "expression" style function. This is a Microsoft-only device, used mostly for dynamically updating positioning information for HTML elements. While Myspace correctly accounts for, and filters, "expression" functions of style tags, they sadly do not account for "expression" when broken up by URL-encoded nulls.

This allows the full range of XSS attacks against the myspace.com domain, ranging from full browser window hijacking on down through pin-up girl ogling. Note, due to the reliance on expression(), this is an Internet Explorer-only issue. Which is only 90% of the entire Myspace user community. Oh well!
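The lesson in the evasion is "canonicalize, then validate": the filter looked for the literal word in the decoded input while IE's CSS parser skipped the NUL and saw the whole word. The block below is an added example, not Myspace's filter or anything from the MOMBY post. It reproduces the denylist failure on the advisory's own zing:expre%00ssion( fragment, shows the same denylist working once control characters are stripped first, and finishes with an allowlist sanitizer (the property set and value grammar are assumptions chosen for the example) that never has to know the word "expression" at all.

```python
import re
from urllib.parse import unquote

# The style text from the advisory's example URL, URL-decoded so the %00
# becomes a real NUL byte in the middle of "expression".
INJECTED = unquote("zing:expre%00ssion(document.write('x'))")
BENIGN = "color: red; font-size: 12px"          # constructed harmless input

EXPRESSION_RE = re.compile(r"expression\s*\(", re.IGNORECASE)


def naive_filter_blocks(style_value: str) -> bool:
    """Denylist applied to the raw decoded value (the bug): a NUL between
    'expre' and 'ssion' means the regex never matches."""
    return bool(EXPRESSION_RE.search(style_value))


def canonicalize(style_value: str) -> str:
    """Drop NUL and the other C0/DEL control characters so the filter inspects
    the same token stream the browser's CSS parser will act on."""
    return re.sub(r"[\x00-\x1f\x7f]", "", style_value)


def hardened_filter_blocks(style_value: str) -> bool:
    """Same denylist, run after canonicalization."""
    return bool(EXPRESSION_RE.search(canonicalize(style_value)))


# Allowlist alternative: keep only declarations whose property is known and
# whose value matches a deliberately boring grammar. expression(), url(),
# unknown properties and anything with punctuation beyond #%.- are dropped.
ALLOWED_PROPERTIES = {"color", "background-color", "font-size", "font-weight", "text-align"}
SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9#%. -]+")


def allowlist_style(style_value: str) -> str:
    """Return a rebuilt style string containing only allowlisted declarations."""
    kept = []
    for declaration in canonicalize(style_value).split(";"):
        if ":" not in declaration:
            continue
        prop, _, value = declaration.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and SAFE_VALUE_RE.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    print("naive blocks injected:   ", naive_filter_blocks(INJECTED))
    print("hardened blocks injected:", hardened_filter_blocks(INJECTED))
    print("allowlisted benign:      ", repr(allowlist_style(BENIGN)))
    print("allowlisted injected:    ", repr(allowlist_style(INJECTED)))
```

The denylist plus canonicalization closes this particular hole, but it still depends on knowing every spelling the browser will accept; the allowlist version is the one worth shipping, because a new parser quirk can only cause a legitimate declaration to be dropped, never a dangerous one to be kept.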

Credit: Wladimir first reported this nifty evasion independent of MOMBY-00000011. It's probably pretty good for other insertion points reported through the MOMBY Institute For the Advancement of the Haxological Arts.

Current Mood: satisfied
