Michal Zalewski
4. Interesting Reads - thanks to Michal.
(a) Security in Depth: Local Web Pages - Adam Barth
http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
(b) Same-Origin Policy: Browser Security Handbook - Michal Zalewski
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
IX. CREDITS
-------------------------
This vulnerability is discovered by
The paper
(http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf)
describes how to predict the IP ID of various (BSD-style) operating systems.
This can be used for "blind TCP data injection". The latter term is a
technique described by Michal Zalewski, and the paper references two
BugTraq submissions by Zalewski that nicely explain this concept. These
are (from the paper):
[27] “A new TCP/IP blind data injection technique?” (BugTraq mailing
list post),
Martin Barbella discovered an integer overflow in an XSLT node sorting
routine. An attacker could exploit this to overflow a buffer and cause a
denial of service or possibly execute arbitrary code with the privileges of
the user invoking the program. (CVE-2010-1199)
Michal Zalewski discovered that the focus behavior of Firefox could be
subverted. If a user were tricked into viewing a malicious site, a remote
attacker could use this to capture keystrokes. (CVE-2010-1125)
Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
HTTP header was ignored when 'Content-Type: multipart' was also present.
O. Andersen discovered that Firefox did not properly map undefined positions within
certain 8 bit encodings. An attacker could utilize this to perform
cross-site scripting attacks. (CVE-2010-1210)
Michal Zalewski discovered flaws in how Firefox processed the HTTP 204 (no
content) code. An attacker could exploit this to spoof the location bar,
such as in a phishing attack. (CVE-2010-1206)
Jordi Chancel discovered that Firefox did not properly handle when a server
responds to an HTTPS request with plaintext and then processes JavaScript
There are other .Net controls that take properties from the view state that may also be vulnerable. Enumerating them is not very helpful because the solution will always be the same: secure the view state.
Regarding the articles you linked to, I am familiar with Scott Mitchell's. It is a great document, but the vulnerabilities he references have to do with custom use of the view state, not specific flaws inherent in the .Net view state. As we mentioned in the advisory, technically this is a known issue in .Net, although a proof of concept attack against the framework has (to our knowledge) not been documented before.
I've also read Michal Zalewski's advisory. It stands out as (I think) the first specific attacks documented against .Net's view state. However, they are of a different nature than the attack documented in our advisory.
Sacha Faust's post on encoding controls is a useful reference, but isn't directly relevant to view state attacks. The list is of properties that will automatically HTML encode when the programmer sets the value. This isn't necessarily the same as when the value is set in the view state.
Thanks,
Liu Die Yu and Boris Zbarsky discovered an information leak through
local shortcut files. (MFSA 2008-47 MFSA 2008-59)
CVE-2008-5012
Georgi Guninski, Michal Zalewski and Chris Evans discovered that
the canvas element could be used to bypass same-origin
restrictions. (MFSA 2008-48)
CVE-2008-5014
Several dangling pointer vulnerabilities were discovered in Firefox. An
attacker could exploit this to crash the browser or possibly run arbitrary
code as the user invoking the program. (CVE-2010-2760, CVE-2010-2767,
CVE-2010-3167)
Blake Kaplan and Michal Zalewski discovered several weaknesses in the
XPCSafeJSObjectWrapper (SJOW) security wrapper. If a user were tricked into
viewing a malicious site, a remote attacker could use this to run arbitrary
JavaScript with chrome privileges. (CVE-2010-2762)
Matt Haggard discovered that Firefox did not honor same-origin policy when
On 21 Jul 2009, at 08:12, Michal Zalewski wrote:
> There are literally thousands of HTML- and JavaScript-related denial
> of service vectors in modern browsers...
There's one significant difference in this one, though: while a bunch
of nested <div>s (for instance) will just mess with the HTML renderer,
a malformed or oversized <select> element may end up passing bad data
to native menu APIs. It's one of the only elements I can think of
offhand that often has effects which extend outside the HTML canvas.
Also, as this is a user attention issue,
targeting pages that are heavily animated or otherwise distracting may
help in the exploit.
On Thu, Dec 8, 2011 at 5:09 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> And you don't believe that people would think that's suspicious?
>
> What part? The change of a URL that is not associated with the
> repainting of window contents? I believe that they are very unlikely
> to catch this after initially examining the URL, in absence of other
On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher
> will not try to find vulnerabilities if there is no reward program for
> the honest ones?
>
> /mz
>
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through Javascript.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1-0etch2.
Sent from my iPhone
On Oct 20, 2010, at 8:58 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
browser, an unbranded version of the Firefox browser. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1095
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292
Several problems were discovered in the JavaScript engine. If a user were
tricked into opening a malicious web page, an attacker could exploit this to
crash the browser or possibly run arbitrary code as the user invoking the
program. (CVE-2010-3766, CVE-2010-3767, CVE-2010-3773)
Michal Zalewski discovered that Firefox did not always properly handle
displaying pages from network or certificate errors. An attacker could
exploit this to spoof the location bar, such as in a phishing attack.
(CVE-2010-3774)
Yosuke Hasegawa and Masatoshi Kimura discovered that several character
> compatibility.
I agree that is what is happening. I'm also strongly reminded of the
quote "As the Web grew larger and more diverse, a sneaky disease
spread across browser engines under the guise of fault tolerance."
[Michal Zalewski, The Tangled Web, p 11.]
Simply ignoring the tag would be the better option in my opinion.
That way compatibility (or better: fault tolerance) is maximized,
without creating unexpected situations.
This issue is just so damn easy to fix (browser-side), compared to
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through Javascript.
CVE-2008-0592
Monday, May 2, 2011.
We look forward to your submissions.
David Brumley, Carnegie Mellon University
Michal Zalewski, Google
designMode elements, which could lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through Javascript.
CVE-2008-0592
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
CVE-2007-1095
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292
long header in a news article, which could lead to arbitrary code
execution. (MFSA 2008-46)
CVE-2008-5012
Georgi Guninski, Michal Zalewski and Chris Evans discovered that
the canvas element could be used to bypass same-origin
restrictions. (MFSA 2008-48)
CVE-2008-5013
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1095
Michal Zalewski discovered that the unload event handler had access to
the address of the next page to be loaded, which could allow information
disclosure or spoofing.
CVE-2007-2292
Vendor Patch: August 9, 2011
Public Disclosure: August 9, 2011
################# End #########################
Thnx to Michal Zalewski for his extraordinary mind
and knowledge, people like him should have a virtual
statue for the rest of the times
Thnx To Jack, Gerardo, Nate and all MSRC
for their support in this issue.
Anyway I hope credits will be at least shared between me and Roberto.
Cheers,
Stefano
2010/10/20 Michal Zalewski <lcamtuf@coredump.cx>:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>
angle brackets when displayed by the rendering engine. Sites using
these character encodings would thus be potentially vulnerable to
script injection attacks if their script filtering code fails to
strip out these specific characters (CVE-2010-3770).
Google security researcher Michal Zalewski reported that when a
window was opened to a site resulting in a network or certificate
error page, the opening site could access the document inside the
opened window and inject arbitrary content. An attacker could use
this bug to spoof the location bar and trick a user into thinking
they were on a different site than they actually were (CVE-2010-3774).
On Tue, 21 Jul 2009, Michal Zalewski wrote:
> The code created an oversized list, which does not seem to be that far
> from creating an overly nested DOM tree, or drawing an oversized CANVAS
> shape, or any other creating-too-many-things-for-the-renderer-to-handle
> attacks... but really, I'm not trying to be dismissive, just saying that
> a more holistic approach might be more beneficial in the long run.
I agree here.
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Michal Zalewski" <lcamtuf@coredump.cx>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <bugtraq@securityfocus.com>
Sent: Wednesday, July 15, 2009 11:00 PM
Subject: Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and
Chrome
designMode elements, which can lead to information disclosure or
potentially the execution of arbitrary code.
CVE-2008-0591
Michal Zalewski discovered that timers protecting security-sensitive
dialogs (which disable dialog elements until a timeout is reached)
could be bypassed by window focus changes through Javascript.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1-0etch1.