Full Disclosure mailing list archives

Subject: XSS and Charset Remembering via charsets in different browsers
From: "MustLive" <mustlive () websecurity com ua>

Date: Fri, 22 Jun 2012 21:26:13 +0300

Hello list!

I want to warn you about XSS and Charset Remembering vulnerabilities via multiple charsets in different browsers.

----------
Details:
----------

XSS and Charset Remembering (WASC-08):

In the beginning of 2009 I wrote about the Charset Remembering vulnerability in Mozilla Firefox via the UTF-7 charset (http://websecurity.com.ua/2848/) and the EUC-JP and SHIFT_JIS charsets (http://websecurity.com.ua/2928/). The Charset Remembering attack can be used for making persistent attacks via different charsets which are affected by XSS. With this attack it's possible to conduct XSS attacks via an affected charset not only at pages with the same charset, but at any suitable page with any charset.

Last week, in the last Patch Tuesday, Microsoft fixed vulnerabilities in Internet Explorer, and among them there was vulnerability CVE-2012-1872 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872). This vulnerability surprised me, because information about XSS via EUC-JP in IE6 was already known in 2006 - Cheng Peng Su wrote about it (he checked a few charsets in the browsers Internet Explorer 6, Firefox 1.5.0.6 and Opera 9.0.1). My exploit (http://websecurity.com.ua/uploads/2009/Firefox_XSS_Charset_Remembering.html) for XSS via the EUC-JP and SHIFT_JIS charsets in Mozilla Firefox was also suitable for IE (only one char should be added to it). The attack via EUC-JP works in IE 6 and 7, but in IE 8 it was fixed. It looks like new chars of the EUC-JP charset were found via which it's possible to conduct the attack.

Note that in MFSA 2011-47 Mozilla fixed the possibility of XSS attacks via the charset Shift-JIS, about which I informed them in March 2009 (but they still have not fixed the same issue with the charset EUC-JP). So first Mozilla ignored my letter and publication of 03.03.2009, and only after 2.5 years, on 08.11.2011, they fixed one of the few vulnerabilities reported by me.

So I've made a new exploit (working in different browsers) and tested XSS attacks via different charsets in different browsers. As a result I found that many browsers are vulnerable to attacks via the EUC-JP, SHIFT_JIS and Chinese Simplified (HZ) charsets. And some browsers are also vulnerable to attacks via other charsets. And I'll note that the Charset Remembering attack, described by me three years ago, besides Mozilla and Firefox (all browsers on the Gecko engine) also works in Internet Explorer and Opera.

PoC:

http://websecurity.com.ua/uploads/2012/XSS_charsets_in_browsers.html

The code will execute on setting the appropriate character encoding in the browser (the PoC is designed for the Charset Remembering attack).

This attack via the EUC-JP, SHIFT_JIS and Chinese Simplified (HZ) charsets works in Mozilla Firefox 3, 4 and previous versions (and must work in next versions), in Internet Explorer 6, 7, 8 (and must work in other versions), and in Opera 10.62 (and must work in other versions).

Also I've found some other affected charsets from the East Asian group. In IE 6, 7 and 8 the attack will work via the charset Chinese Simplified (GB2312 and Big5), and in IE 6 and 7 the attack will work via the charset Korean (in other browsers named EUC-KR). In IE8 (and obviously in IE9) the attack is not working via the charsets EUC-JP and Korean. And in Opera 10.62 it also works in Chinese Simplified (GB2312, GB18030 and Big5-HKSCS), but doesn't work in Big5 and HZ.

------------
Timeline:
------------

2009.02.03 - published at my site about the UTF-7 charset in Mozilla.
2009.02.05 - informed developers. The UTF-7 attack vector was fixed by Mozilla.
2009.03.03 - published at my site about the EUC-JP and SHIFT_JIS charsets in Mozilla.
2009.03.04 - informed developers. Mozilla ignored fixing these vulnerabilities.
2011.11.08 - Mozilla fixed the vulnerability in Firefox related to SHIFT_JIS (MFSA 2011-47 / CVE-2011-3648).
2012.06.12 - Microsoft fixed the vulnerability in Internet Explorer related to EUC-JP (CVE-2012-1872).
2012.06.06 - published at my site about multiple charsets in different browsers (http://websecurity.com.ua/5902/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
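As an added, defender-side illustration that is not part of MustLive's post or his PoC: the Python below does two checks that follow from the problem the post describes. The first decodes the same bytes under each charset the post names as affected in at least one browser (plus UTF-7, the 2009 Firefox case) and flags any charset under which the text gains a markup-significant character that the plain ASCII reading does not have, which is the property a charset-dependent XSS relies on. The second confirms a response actually pins its charset in the Content-Type header, so the browser is not left to guess or fall back on a remembered encoding. The codec names, the regex and the `+ADw-b+AD4-` sample input are my assumptions and constructed data, not values from the post.

```python
import re

# Characters that matter for HTML injection. A decoding that produces one of
# these where the raw bytes had none is charset-dependent markup.
MARKUP_CHARS = set('<>"\'&')

# Python codec names for the charsets the post lists as affected in at least
# one browser, plus UTF-7. This mapping is an assumption of this example.
SUSPECT_CHARSETS = (
    "utf-7", "euc_jp", "shift_jis", "hz", "gb2312", "gb18030",
    "big5", "big5hkscs", "euc_kr",
)


def markup_by_charset(data: bytes, charsets=SUSPECT_CHARSETS) -> dict:
    """Decode the same bytes under each charset and return
    {charset: decoded_text} for every charset under which the text gains a
    markup-significant character absent from the plain ASCII reading.
    An empty dict means the bytes read the same way under every charset."""
    baseline = set(data.decode("ascii", errors="replace")) & MARKUP_CHARS
    hits = {}
    for cs in charsets:
        try:
            text = data.decode(cs)
        except (UnicodeDecodeError, LookupError):
            continue  # bytes are not even decodable under this codec; skip it
        if (set(text) & MARKUP_CHARS) - baseline:
            hits[cs] = text
    return hits


# charset parameter of a Content-Type value, e.g. 'text/html; charset="UTF-8"'
_CHARSET_PARAM = re.compile(r";\s*charset\s*=\s*\"?([A-Za-z0-9._-]+)\"?",
                            re.IGNORECASE)


def declared_charset(content_type: str):
    """Return the charset named in a Content-Type header value, lower-cased,
    or None when the header leaves the encoding for the browser to decide."""
    m = _CHARSET_PARAM.search(content_type)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    # Constructed sample: pure ASCII bytes that only become a tag under UTF-7.
    sample = b"+ADw-b+AD4-"
    print(markup_by_charset(sample))                       # {'utf-7': '<b>'}
    print(declared_charset("text/html"))                   # None
    print(declared_charset("text/html; charset=UTF-8"))    # utf-8
```

The first check is a triage aid for reviewing suspicious input or stored content: a non-empty result tells you which encodings turn otherwise harmless bytes into markup. The second is the cheap audit that matters most against Charset Remembering, since a page that declares its encoding explicitly (header first, with a matching meta tag as backup) gives the browser no reason to apply a guessed or previously chosen charset to it.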