=?iso-8859-1?Q?Exploiting_Chrome_and_Operas_inbuilt_ATOM/RSS_reader_with?= =?iso-8859-1?Q?_Script_Execution_and_more?=

Exploiting Chrome and Opera=92s inbuilt ATOM/RSS reader with Script =
Execution
and more
-------------------------------------------------------------------------=
---
---------
For complete post (with images), please visit -
http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-at=
omr
ss-reader-with-script-execution-and-more/

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
SECURETHOUGHTS.COM ADVISORY
- CVE-ID	    : CVE-2009-XXXX (Chrome) {Pending}
- Release Date	: September 15, 2009
- Severity	    : Medium to High
- Discovered by	: Inferno
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I. TITLE
-------------------------
Exploiting Chrome and Opera=92s inbuilt ATOM/RSS reader with Script =
Execution
and more

II. VULNERABLE
-------------------------
Chrome all versions =96 2 and 3 (< 3.0.195.21)
Opera all versions - 9 and 10.

III. BACKGROUND
-------------------------
Back in 2006, there was interesting research done by James Holderness[1] =
and
James M. Snell[2] which uncovered a variety of XSS issues in various =
online
feed aggregator services (e.g. Feed Demon). The vulnerability arises =
from
the fact that it is not expected of RSS readers to render scripted =
content.
I want to extend that research by doing threat analysis on inbuilt feed
readers offered in most modern browsers. I have found Google Chrome =
(v2,3)
and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8), =
Firefox
3.5 and Safari 4 are resilient to the exploits mentioned below.

IV. DESCRIPTION
-------------------------
Google Chrome and Opera=92s inbuilt RSS/ATOM Reader renders untrusted
javascript in an RSS/ATOM feed.

Exploit Scenarios
   1. Scenario 1 =96
         1. Attacker social engineers a victim user to visit a rss/atom =
feed
link pointing to his or her evil site.
         2. Victim uses Google Chrome / Opera browser to view the feed.
         3. Malicious javascript gets executed on victim=92s browser. =
Examples
               1. Modifies into a phishing page and asks user =
credentials
for subscribing to Google Reader / My.Opera.com
               2. Searches user=92s browser history for visited url list =
[3]
               3. Scans user=92s internal network with/without =
javascript [4]=20
   2. Scenario 2 =96
         1. Both attacker and victim user have an account to a trusted
website.
         2. Either
               1. The trusted web site lets the attacker inject =
JavaScript
content into any section of the site=92s RSS or an Atom feed.
         3. OR
               1. The trusted website uses blacklist to block known
executable file types for scripted content. E.g. html, jsp, etc.
               2. Attacker uploads a file with extension =
.rss/.atom/arbitary
extension preceded by .rss/.atom [e.g. .atom.tx]. Most widely used =
Apache
web server passes Content-Type as =93application/{atom/rss}+xml=94 for =
all the
three cases automatically in default configuration.
               3. Attacker convinces victim to visit the direct link to
uploaded file.
               4. Victim=92s cookies and other sensitive data gets sent =
to
attacker=92s site.
               5. Note: For Internet Explorer (v7,8), the task is easier
because it does automatic mime type detection. So, you can execute
javascript content in any file extension. E.g. click
http://securethoughts.com/security/rssatomxss/anyfile.tx. However, for =
other
browsers, Firefox 3.5, Safari 4, Opera 10 and Chrome 3, they don=92t =
support
this functionality (perhaps for security reasons). So, using such =
extensions
mentioned above can be used as a workaround for script execution in =
Opera
and Chrome browsers.
   3. Scenario 3 =96
         1. Similar to Scenario 1, but exploit can be used for complete
control over feeds in the Opera browser.

V. PROOF OF CONCEPT
-------------------------
   1. Exploit Scenario 1 [Testcases - 18 XSS for Chrome, 38 XSS for =
Opera] =96
         1. Chrome:
http://securethoughts.com/security/rssatomxss/googlechromexss.atom [or =
.rss]
         2. Opera:
http://securethoughts.com/security/rssatomxss/opera10xss.atom [or .rss]
   2. Exploit Scenario 2 =96
         1. Include all in Scenario 1
         2. Opera:
http://securethoughts.com/security/rssatomxss/opera10xss.atom.tx [Any
arbitary file extension at. E.g .tx, .tm]
         3. Chrome:
http://securethoughts.com/security/rssatomxss/googlechromexss.atom.tx =
[Any
arbitary file extension at. E.g .tx, .tm]
   3. Exploit Scenario 3 =96
         1. Details and PoC will be released after patch is provided by
Opera Security Team in next minor release.=20

For research purposes, you can try out the PoCs on these virtualized =
(and
vulnerable) versions of various browsers, without installing any bits on
your computer [5].

VI. FIX DESCRIPTION
-------------------------
Chrome: ATOM/RSS feed rendering is completely disabled by forcing a
text/plain MIME type [6]. If you need feed rendering, a good alternative =
is
FeedBurner which protects from any script execution attacks by blocking =
them
at time of the feed registration.

Opera: Scenarios (1) and (2) will not be fixed, as it is a design =
feature.
Scenario (3) will be patched in next minor release.

VII. SOLUTION
-------------------------
Chrome: Upgrade to latest version of Google Chrome (v3.0.195.21 or =
higher).
If you remain connected to the internet, this should be automatic.
Opera: Wait for upcoming patch for Scenario (3) in next minor release
(non-alpha/beta) of Opera 10 [Opera 9 users need to upgrade]. However, =
you
will still continue to be vulnerable to script execution.

VIII. REFERENCES
-------------------------
1. Attack Delivery TestSuite =96 James Holderness
http://intertwingly.net/blog/2006/08/09/Attack-Delivery-TestSuite

2. Feed Security =96 James M. Snell
http://www.snellspace.com/wp/?p=3D448

3. CSS History Hack =96 Jeremiah Grossman
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html=


4. Browser Port Scanning without Javascript =96 Jeremiah Grossman
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-withou=
t.h
tml

5. Downloading Xenocode=92s =93sandboxed=94 applications =96 Wladimir =
Palant
http://adblockplus.org/blog/downloading-xenocode-s-sandboxed-applications=


6. Google Chrome Fix Details
http://code.google.com/p/chromium/issues/detail?id=3D21238

IX. CREDITS
-------------------------
This vulnerability is discovered by
Inferno (inferno {at} securethoughts {dot} com)

X. DISCLOSURE TIMELINE
-------------------------
Sep 7, 2009 12:09 PM: Vulnerability reported to Google and Opera =
Security
Teams.
Sep 7, 2009 12:10 PM: Automated Response from Google Security Team.
Sep 7, 2009 03:49 PM: First Status update provided by Google Security =
Team.
Quick response for a Holiday.
Sep 8, 2009 01:09 AM: First Status update provided by Opera Security =
Team.
Vulnerability concluded as design feature.
Sep 8, 2009 03:28 PM: Vulnerability confirmed by Google Chrome Security
Team. Patch timelines provided.
Sep 9, 2009 07:39 AM: Second Status update provided by Opera Security =
Team.
Asked for exploit possibility for certain scenarios.
Sep 10, 2009 01:33 AM: Third Status update provided by Opera Security =
Team.
Vulnerability confirmed for new provided testcases.
Sep 15, 2009 01:31 AM: Final Status update provided by Opera Security =
Team.
Scenario (3) will be fixed, while Scenarios (1), (2) will not be.
Sep 15, 2009 03:04 PM: Patch released by Google Security Team in
v3.0.195.21.
Sep XX, 2009 XX:XX XX: Patch planned by Opera Security Team for next =
minor
release.

I would like to thank Chris Evans from Google Chrome Security Team and
Sigbj=F8rn Vik from Opera Security Team for their prompt responses, =
engaging
in insightful discussions and getting the fix ready in a timely manner. =
It
was a pleasure working with them.