Thursday, October 21, 2010

Minor leak, major headache

I find this bug interesting, because at first it looks like a relatively minor cross-origin leak. But with a bit of investigation, it has major consequence.

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">. We'll demonstrate the consequence of this later.

The bug has a very interesting history, which is worth briefly outlining here:
So why is this a serious bug? Well, Javascript error messages are usually pretty terse but in at least one case, cross-origin content is echoed back to the attacker: variable names. e.g. 'blah' is not defined.

So if the cross-origin text looks like a Javascript variable reference, then the attacker has a very useful leak!

Here is a proof-of-concept against Google Reader, which works by stealing cross-origin content which happens to be an anti-XSRF token:

http://scary.beasts.org/misc/reader.html

As it happens, the Reader product deployed a change which detects the vulnerable User-Agent string (Internet Explorer) and uses a workaround. So the PoC is neutered. This is a shame because the PoC used to force your friend to subscribe to a goat-farming feed against their will. For now, you'll have to locate an alternate attack vector for this vulnerability -- do let me know what you find via a comment.

It's worth closing with some notes that this area is ripe for further research. There are a varied number of text structures which can be stolen (iteratively if necessary) with this trick:
  • a,b,c -- i.e. the CSV syntax
  • The b in a:b
  • a.b.c
  • The b in {a:b}
  • Expression constructs such as a/b/c
  • Constructs like the above, if wrapped in () or [] etc.
To experiment with what Javscript error message you might see with a given piece of cross-origin text, you can use:

http://scary.beasts.org/misc/onerr.html

(Only works in browsers with window.onerror, such as IE).

Please leave a comment if you have more constructs which can be stolen; or more examples of sites where stuff can be stolen from.