Posted to dev@openmeetings.apache.org by rahul bhola <rb...@gmail.com> on 2013/09/28 21:01:19 UTC

Code injection confirmed in 3.0

I just made the latest build and I was able to reproduce the code injection
vulnerability. Also I noticed that shellcode can be passed in through
this vulnerability using unescape in JS, which opens the possibility of
almost any remote exploit.

Regards,
Rahul

Re: Code injection confirmed in 3.0

Posted by rahul bhola <rb...@gmail.com>.
No, there are always methods to bypass that. If HTML should not be included,
i.e. there should be no tag support, then the best way is to encode the whole
string using HTML encoding.


On Sun, Sep 29, 2013 at 12:21 PM, Maxim Solodovnik <so...@gmail.com> wrote:

> Sure, the cleanup code should be added to the server side.
> I guess replacing '<' with &lt; and '>' with '&gt;' might be sufficient



-- 
Rahul Bhola
B.E.
computers
Core Member
Department of backstage
Bits Pilani KK Birla Goa Campus
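The whole-string HTML encoding proposed above, beside the '<'/'>'-only replacement suggested earlier in the thread, as an added example that is not OpenMeetings code. It assumes the server can transform a chat message string before relaying it to the room; the function names are hypothetical, and the second sample message is constructed.

```javascript
// Added example (not OpenMeetings code): server-side HTML encoding of a chat
// message before it is broadcast to clients. Function names are hypothetical.

// The minimal fix discussed in the thread: only '<' and '>' are replaced.
function escapeLtGtOnly(message) {
  return message.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Whole-string HTML encoding: every character with meaning in HTML, both in
// element content and inside attribute values, becomes an entity. A single
// regex pass means an '&' produced by the encoder is never re-encoded.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(message) {
  return message.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Defensive check the server can run on the encoded string: after removing
// the entities the encoder is allowed to emit, no raw HTML metacharacter may
// remain. A quote or ampersand left raw is exactly what lets a message escape
// from an attribute or be decoded a second time on the client.
function containsRawHtmlChars(encoded) {
  const withoutEntities = encoded.replace(/&(amp|lt|gt|quot|#39);/g, '');
  return /[&<>"']/.test(withoutEntities);
}

// The payload from the thread and a constructed ordinary chat line.
const samples = [
  '<a href="javascript:alert(123)">',
  'Tom & Jerry say "hi"',
];

for (const msg of samples) {
  const partial = escapeLtGtOnly(msg);
  const full = escapeHtml(msg);
  console.log('input      :', msg);
  console.log('lt/gt only :', partial, '| raw chars left:', containsRawHtmlChars(partial));
  console.log('full encode:', full, '| raw chars left:', containsRawHtmlChars(full));
}
```

Encode exactly once, on the server, and have the client render the result as text; encoding again on the client would double-encode the '&' into '&amp;amp;'.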

Re: Code injection confirmed in 3.0

Posted by Maxim Solodovnik <so...@gmail.com>.
Sure, the cleanup code should be added to the server side.
I guess replacing '<' with '&lt;' and '>' with '&gt;' might be sufficient.


On Sun, Sep 29, 2013 at 1:44 PM, rahul bhola <rb...@gmail.com> wrote:

> i guess it is better to apply patch at backend cause sanitization at client
> could easily be passed
>  using interceptors like burp suite



-- 
WBR
Maxim aka solomax

Re: Code injection confirmed in 3.0

Posted by rahul bhola <rb...@gmail.com>.
I guess it is better to apply the patch at the backend, because sanitization at the client
could easily be bypassed using interceptors like Burp Suite.


On Sun, Sep 29, 2013 at 12:07 PM, Maxim Solodovnik <so...@gmail.com> wrote:

> Room is the same as in 2.x :(
> So the issue should be reproducible, I believe we should add some code to
> cleanup chat input in flash version

Re: Code injection confirmed in 3.0

Posted by Maxim Solodovnik <so...@gmail.com>.
Room is the same as in 2.x :(
So the issue should be reproducible. I believe we should add some code to
clean up chat input in the Flash version.


On Sun, Sep 29, 2013 at 1:27 PM, rahul bhola <rb...@gmail.com> wrote:

> the steps to cheack it are as follows
> 1) to check simple injection just add <a href="javascript:alert(123)"> in
> the chat . after entering notthing will appear on the chat but n clicking
> that empty line it will execute the JS.
>
> 2)To run shellcodes in the client side of program. Write any program in
> assembly or any other lang. Use objdump to obtain its shellcodes.The
> Shellcodes are our payload now. save the payload in a variable as given
> below
> var payLoadCode = unescape("insertpayloadhere");
> now we need to point our instruction pointer of computer to it to execute
> the code .that could be done in the following way
> var heapSprayToAddress = 0x05050505;
> var heapBlockSize = 0x400000;

Re: Code injection confirmed in 3.0

Posted by rahul bhola <rb...@gmail.com>.
The steps to check it are as follows:
1) To check simple injection, just add <a href="javascript:alert(123)"> in
the chat. After entering, nothing will appear in the chat, but on clicking
that empty line it will execute the JS.

2) To run shellcode on the client side of the program: write any program in
assembly or any other language. Use objdump to obtain its shellcode. The
shellcode is our payload now. Save the payload in a variable as given
below:
var payLoadCode = unescape("insertpayloadhere");
Now we need to point the computer's instruction pointer to it to execute
the code. That could be done in the following way:
var heapSprayToAddress = 0x05050505;
var heapBlockSize = 0x400000;


On Sun, Sep 29, 2013 at 11:50 AM, rahul bhola <rb...@gmail.com> wrote:

> it is in chat box of room

Re: Code injection confirmed in 3.0

Posted by rahul bhola <rb...@gmail.com>.
It is in the chat box of the room.


On Sun, Sep 29, 2013 at 8:50 AM, Maxim Solodovnik <so...@gmail.com> wrote:

> and what are the steps?

Re: Code injection confirmed in 3.0

Posted by Maxim Solodovnik <so...@gmail.com>.
And what are the steps?


On Sun, Sep 29, 2013 at 10:19 AM, Maxim Solodovnik <so...@gmail.com> wrote:

> Hello Rahul,
>
> Was it in the room? or in calendar/dashboard/admin?

Re: Code injection confirmed in 3.0

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Rahul,

Was it in the room, or in calendar/dashboard/admin?


On Sun, Sep 29, 2013 at 2:01 AM, rahul bhola <rb...@gmail.com> wrote:

> i just made the latest build and i was able to reproduce the code injection
> vulnerability. Also i noticed that shell codes can be passed in through
> this vulnerability using unescape in JS which opens the possibility of
> almost any remote exploit.