Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability

To: "Florian Weimer" <fw@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
From: "SEC Consult Research" <research@xxxxxxxxxxxxxxx>
Date: Thu, 27 Oct 2005 16:14:52 +0200 (CEST)
Cc: "Bernhard Mueller" <research@xxxxxxxxxxxxxxx>, "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Importance: Normal
In-reply-to: <87hdb3gyyy.fsf@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <435E9496.9080207@xxxxxxxxxxxxxxx> <87hdb3gyyy.fsf@xxxxxxxxxxxxxxxxx>
Reply-to: research@xxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.4

On Thu, October 27, 2005 10:12 am, Florian Weimer said:
> Have you considered in your analysis that malicious servers might
> return HTTP redirects which contain suitable URLs?  This requires that
> the offsiteok member is set to true, though, because in the version I
> looked at, only http:// URLs are considered site-local.

Yes, I can confirm this. While I have not thought of this possibility, it
seems to boost the risk coming from the vulnerability.

I found the flaw during a review of Wordpress which uses MagpieRSS which
in turn uses Snoopy. As MagpieRSS is widly used, the concequence is that
any RSS feed-provider can replace the feed with a small redirect script,
exploiting the flaw with a crafted redirect https URL. Doing this with a
highly frequented RSS feed might result in many many servers being
simultaniously compromized. I might add that the offsiteok member defaults
to true and MagpieRSS does not seem to change that default value.

A notice to MagpieRSS has already been sent.

Daniel



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

References:
- SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
  - From: Bernhard Mueller
- Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
  - From: Florian Weimer

Prev by Date: Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
Next by Date: Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte
Previous by thread: Re: [Full-disclosure] SEC-Consult SA 20051025-0 :: Snoopy Remote Code Execution Vulnerability
Next by thread: iDEFENSE Security Advisory 10.24.05: SCO Openserver authsh 'Home' Buffer Overflow Vulnerability
Index(es):
- Date
- Thread