Web Technology Hut: May 2014

Thursday 22 May 2014

优酷 (Youku) 网站隐蔽重定向 (Covert Redirect) 网络安全漏洞基于百度 (Baidu.com)

优酷 (Youku) 网站隐蔽重定向 (Covert Redirect) 网络安全漏洞基于百度 (Baidu.com)

(1) 域名:
youku.com

"优酷是中国领先的视频分享网站，由古永锵在2006年6月21日创立，优酷网以 “快者为王”为产品理念，注重用户体验，不断完善服务策略，其卓尔不群的“快速播放，快速发布，快速搜索”的产品特性，充分满足用户日益增长的多元化互动需求，使之成为中国视频网站中的领军势力。优酷网现已成为互联网拍客聚集的阵营。美国东部时间2010年12月8日，优酷网成功在纽约证券交易所挂牌上市。2014年4月28日，优酷土豆集团宣布与阿里巴巴（滚动资讯）集团建立战略投资与合作伙伴关系。2014年，优酷正式宣布多屏日视频播放量（VV）突破6亿，截至2014年6月，中国网络视频用户规模达4.39亿。" (百度百科)

(2) 漏洞描述:

优酷网站有有一个计算机安全问题，黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。

这个漏洞不需要用户登录，测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

漏洞地点 "click.php?"，参数"&url", e.g.
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.163.com

(2.1) Youku 对跳转的页面存在一个 domain white-list，如果跳转的页面属于这些 domain，则允许跳转。

但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此，Youku 用户意识不到他会被先从 Youku 跳转到有漏洞的网页，然后从此网页跳转到有害的网页。这与从 Youku 直接跳转到有害网页是一样的。

下面是一个有漏洞的 domain:
baidu.com

(2.2) 用了一个页面进行了测试，页面是 "http://aibiyi.lofter.com/". 可以假定它是有害的。

Youku 与 baidu.com 有关的有漏洞的 URL:
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com

POC:
http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.tetraph.com/chinese.html

POC 视频:
https://www.youtube.com/watch?v=m7_NSa9CJ2A

博客细节:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者跨站脚本漏洞 (XSS - Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼，从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和跨站请求伪造 (CSRF - Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。

漏洞发布:

王晶 (Wang Jing) 新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

Youku Online Website Covert Redirect Web Security Bugs Based on Baidu.com

(1) Domain:
Youku.com

"Youku Inc., formerly Youku.com Inc., doing business as Youku (simplified Chinese: 优酷; traditional Chinese: 優酷; pinyin: yōukù; literally: "excellent (and) cool"), is a video hosting service based in China. Youku has its headquarters on the fifth floor of Sinosteel Plaza (S: 中钢国际广场, T: 中鋼國際廣場, P: Zhōnggāng Guójì Guǎngchǎng) in Haidian District, Beijing. On March 12, 2012, Youku reached an agreement to acquire Tudou in a stock-for-stock transaction, the new entity being named Youku Tudou Inc. It has more than 500 million active users." (Wikipedia)

(2) Vulnerability Description:
Youku web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.
The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

The programming code flaw occurs at "click.php?" page with "&url" parameter, i.e.

http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.163.com

(2.1) When a user is redirected from Youku to another site, Youku will check whether the redirected URL belongs to domains in its white-list, e.g.

baidu.com

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Youku to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Youku directly.

One of the vulnerable domain is,

baidu.com

(2.2) Use one webpage for the following tests. The webpage address is "http://www.inzeed.com/kaleidoscope". Can suppose that this webpage is malicious.

Vulnerable URL:

http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com

POC:

http://hz.youku.com/red/click.php?tp=1&cp=4009224&cpp=1000807&url=http://www.baidu.com/ulink?url=http%3A%2F%2Fwww.tetraph.com/chinese.html

POC video:
https://www.youtube.com/watch?v=m7_NSa9CJ2A

Blog Detail:
http://tetraph.blogspot.com/2014/05/youku-covert-redirect-based-on-baiducom.html

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://tetraph.com/wangjing/

More Details:

http://tetraph.com/security/covert-redirect/youku
http://ittechnology.lofter.com/post/1cfbf60d_7063549
http://securityrelated.blogspot.com/2014/10/youkucovertredirectbaiducom.html
https://tetraph.wordpress.com/2014/10/15/youku
http://webcabinet.tumblr.com/post/119496186352/securitypost#notes
https://mathfas.wordpress.com/2014/10/15/youku
https://twitter.com/essayjeans/status/558977106223190016
http://www.inzeed.com/kaleidoscope/covert-redirect/youku
http://tetraph.blog.163.com/blog/static/234603051201445102713900/
http://computerobsess.blogspot.com/2014/10/youkucovertredirectbaiducom.html
http://diebiyi.com/articles/security/covert-redirect/youku_bug

Friday 9 May 2014

VK.com OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

VK.com OAuth 2.0 Service Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain:
vk.com

"VK (originally VKontakte, Russian: ВКонтакте, literally "in touch") is the largest Russian social network in Europe. It is available in several languages, but is especially popular among Russian-speaking users, particularly in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. Like other social networks, VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. As of November 2014, VK had at least 280 million accounts. VK is ranked 22 (as of November 1, 2014) in Alexa's global Top 500 sites and is the second most visited website in Russia, after Yandex. According to eBizMBA Rank, it is the 8th most popular social networking site in the world. As of January 2015, VK had an average of 70 million daily users." (Wikipedia)

(2) Vulnerability Description:
VK.com web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) Vulnerability Detail:
VK's OAuth system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in OAuth system is insufficient. It can be misused to design Open Redirect Attacks to VK.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),
"&response_type"=code,token...
"&scope"=basic information...

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

The vulnerabilities occurs at page "/authorize?" with parameter "&redirect_uri", e.g.
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

Before acceptance of third-party application:
When a logged-in VK user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".

If a user has not logged onto VK and clicks the URL ([1]) above, the same situation will happen upon login.

After acceptance of third-party application:
A logged-in VK user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

(2.1.1) VK would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

Hence, a user could be redirected from VK to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from VK directly. The number of VK's OAuth client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, VK's OAuth system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass VK's authentication system and attack more easily.

(2.2) Used one of webpages for the following tests. The webpage is "http://diebiyi.com/articles/". Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:
kp.ru

Vulnerable URL in this domain:
http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

Vulnerable URL from VK that is related to kp.ru:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin%2Fvkontakte.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.kp.ru%252F

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.kp.ru&display=page&scope=wall,offline

POC:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html&display=page&scope=wall,offline

POC Video:
https://www.youtube.com/watch?v=3gNhi8h2AQY

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/

(3) What is Covert Redirect? Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

Discover and Reporter:

Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

http://tetraph.com/wangjing/

More Details:
http://tetraph.com/security/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itswift.wordpress.com/2014/05/02/vk-exploit/
http://tetraph.blogspot.com/2014/05/vkcom-oauth-20-covert-redirect.html
https://twitter.com/tetraphibious/status/559166795525799936
http://frenchairing.blogspot.fr/2014/05/vk-exploit.html
http://whitehatview.tumblr.com/post/119487379761/securitypost
http://webtech.lofter.com/post/1cd3e0d3_706aec6
http://tetraph.blog.163.com/blog/static/234603051201445111630165/
http://www.inzeed.com/kaleidoscope/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itinfotechnology.wordpress.com/2014/05/07/vk-bug/
http://russiapost.blogspot.ru/2014/05/vk-exploit.html

=================

ВКонтакте OAuth 2.0 Ошибки служба Скрытое перенаправление веб-безопасности (утечка информации и открытого редирект)

(1) Домен:
vk.com

"«ВКонта́кте» (vk.com) — социальная сеть, принадлежащая Mail.Ru Group. По данным SimilarWeb, «ВКонтакте» является первым по популярности сайтом в России и на Украине, 6-м — в мире. По данным Alexa Internet, второй по популярности сайт в России и на Украине, третий — в Белоруссии, 24-й — в мире. Проект запущен 10 октября 2006 года. Ресурс изначально позиционировал себя в качестве социальной сети студентов и выпускников российских вузов, позднее стал называть себя «современным, быстрым и эстетичным способом общения в сети». В январе 2014 года ежедневная аудитория «ВКонтакте» составляла около 60 миллионов человек, а в январе 2015 года — 70 миллионов человек в день. Генеральный директор (с 2014 года) — Борис Добродеев, сын Олега Добродеева — генерального директора Всероссийской государственной телевизионной и радиовещательной компании.". (ru.wikipedia)

(2) Уязвимость Описание:
Веб-приложение ВКонтакте имеет проблемы компьютерной безопасности. Хакер может использовать его Скрытое перенаправление кибератак.

Уязвимости могут быть атакованы без входа пользователя в систему. Испытания проводились на Microsoft IE (10.0.9200.16750) в Windows 8, Mozilla Firefox (34,0) и Google Хром 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-бит) Ubuntu (14.04), Apple Safari 6.1.6 от Mac OS X Lion 10.7.

(2.1) Уязвимость деталь:
Система OAuth ВКонтакте подвержен атакам. Более конкретно, аутентификация параметра "& redirct_uri" в системе OAuth является недостаточным. Это может быть неправильно для разработки открытым перенаправление атак на VK.

В то же время, он может быть использован, чтобы собирать конфиденциальную информацию как стороннего приложения и пользователей, используя следующие параметры (секретная информация, содержащаяся в заголовке HTTP.),
"& Response_type" = код маркера ...
"& Область" = базовая информация ...

Это увеличивает вероятность успешных атак Открыть перенаправление на сторонних веб-сайтах, тоже.

Уязвимости происходит на странице "/ разрешить?" с параметром "& redirect_uri", например
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html [1]

До принятия сторонних применения:
Когда вошедшего в систему пользователя ВКонтакте нажимает URL ([1]) выше, то он / она будет предложено согласия, в том, чтобы позволить сторонних веб-сайт для получения его / ее информацию. Если пользователь нажимает кнопку ОК, он / она будет затем перенаправляется на URL, назначенного параметра "& redirect_uri».

Если пользователь не вошел на VK и нажимает URL ([1]) выше, такая же ситуация произойдет при входе.

После принятия стороннем приложении:
не вошедшего в систему пользователя ВКонтакте больше не будет предложено для согласия и может быть перенаправлен на веб-страницу, контролируемой злоумышленником, когда он / она нажимает URL ([1]).

Для пользователя, который не авторизованы атака еще может быть завершена после всплывающая страница, что побуждает его / ее войти.

(2.1.1) ВК, как правило, позволяют все адреса, которые принадлежат к сфере уполномоченным сторонних веб-сайт. Тем не менее, эти URL-адреса могут быть склонны к манипуляциям. Например, параметр "& redirect_uri" в URL, как предполагается, будет установлен сторонних веб-сайтах, но злоумышленник может изменить его значение, чтобы атак.

Следовательно, пользователь может быть перенаправлен от VK с уязвимой URL в этой области первым, а затем будет перенаправлен из этого уязвимого сайта на вредоносный сайт неохотно. Это как если бы пользователь перенаправляется от VK напрямую. Количество OAuth клиентских сайтов В.К. настолько огромен, что такие атаки могут быть обычным явлением.

До принятия стороннего приложения, система OAuth ВКонтакте делает редирект кажутся более надежными и потенциально может увеличить вероятность успешных атак Открыть перенаправление сторонних веб-сайта.

После того, как пользователь принимает заявки, нападавшие могли полностью обойти систему аутентификации ВКонтакте и нападение легче.

(2.2) Используется один из веб-страниц для следующих испытаний. Веб-страница "http://diebiyi.com/articles/". Можно предположить, что это злая и содержит код, который собирают конфиденциальную информацию как сторонних приложений и пользователей.

Ниже пример уязвимой области стороннего:
kp.ru

Уязвимые URL в этой области:
http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html

Уязвимые URL из ВК, что это связано с kp.ru:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin%2Fvkontakte.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.kp.ru%252F

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.kp.ru&display=page&scope=wall,offline

СПЭ:
http://oauth.vk.com/authorize?response_type=code&scope=12&client_id=2852163&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Ffish_water.html

http://api.vk.com/oauth/authorize?client_id=2852163&redirect_uri=http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Ffish_water.html&display=page&scope=wall,offline

СПЭ Видео:
https://www.youtube.com/watch?v=3gNhi8h2AQY

Блог деталь:
http://www.tetraph.com/blog/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/

(3) Что такое Скрытое перенаправление?
Скрытое перенаправление класс ошибок безопасности, описанных мая 2014 Это приложение, которое принимает параметр и перенаправляет пользователя на значение параметра без достаточного обоснования. Это часто делает использование открытого Redirect и XSS (Cross-Site Scripting) уязвимостей в сторонних приложениях.

Скрытое перенаправление также связано с единого входа, такие как OAuth и OpenID. Хакер может использовать это, чтобы украсть конфиденциальную информацию пользователей. Почти все OAuth 2.0 и OpenID-провайдеров по всему миру страдают. Скрытое перенаправление может работать вместе с CSRF (Cross-Site Request подлог), а также.

Откройте для себя и Докладчик:
Ван Цзин, Отдел математических наук (MAS), школа физико-математических наук (ВПУ), Nanyang технологический университет (НТУ), Сингапур. (@justqdjing)
http://tetraph.com/wangjing/

Подробнее:
http://tetraph.com/security/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itswift.wordpress.com/2014/05/02/vk-exploit/
http://tetraph.blogspot.com/2014/05/vkcom-oauth-20-covert-redirect.html
https://twitter.com/tetraphibious/status/559166795525799936
http://frenchairing.blogspot.fr/2014/05/vk-exploit.html
http://whitehatview.tumblr.com/post/119487379761/securitypost
http://webtech.lofter.com/post/1cd3e0d3_706aec6
http://tetraph.blog.163.com/blog/static/234603051201445111630165/
http://www.inzeed.com/kaleidoscope/covert-redirect/vk-com-oauth-2-0-covert-redirect-vulnerability/
https://itinfotechnology.wordpress.com/2014/05/07/vk-bug/
http://russiapost.blogspot.ru/2014/05/vk-exploit.html

Wednesday 7 May 2014

网易 (NetEase) 网站隐蔽重定向 (Covert Redirect) 网络安全漏洞基于谷歌 (Google.com)

网易 (NetEase) 网站隐蔽重定向 (Covert Redirect) 网络安全漏洞基于 谷歌 (Google.com)

(1) 域名:163.com

" 网易 (NASDAQ: NTES)是中国领先的互联网技术公司，利用最先进的互联网技术，加强人与人之间信息的交流和共享，实现“网聚人的力量”。创始人兼CEO是丁磊。在开发互联网应用、服务及其它技术方面，网易始终保持业界的领先地位，并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量免费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务，还通过自主研发推出了一款率先取得白金地位的国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。" (百度百科)

(2) 漏洞描述:

163 网站有有一个计算机安全问题，黑客可以对它用隐蔽重定向 (Covert Redirect) 网络攻击。

这个漏洞不需要用户登录，测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

漏洞地点 “redirect.html?"，参数"&url", e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

(2.1) 163 对跳转的页面存在一个 domain whitelist，如果跳转的页面属于这些 domain，则允许跳转。

但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此，163 用户意识不到他会被先从 163 跳转到有漏洞的网页，然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。

(2.2) 用了一个页面进行了测试，页面是 “http://shellmantis.tumblr.com/“. 可以假定它是有害的。

下面是一个有漏洞的 domain:
google.com

163 与 google.com 有关的有漏洞的 URL:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

POC 视频:
https://www.youtube.com/watch?v=8QqKQml1QCE

博客细节:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼，从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

漏洞发布:
王晶 (Wang Jing)
新加坡南洋理工大学物理与数学学院数学系 (@justqdjing)
http://www.tetraph.com/wangjing/

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

(1) Domain:163.com

“NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam." (Wikipedia)

(2) Vulnerability Description:

163 web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

The programming code flaw occurs at page “redirect.html?" with parameter “&url", e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

(2.1) When a user is redirected from 163 to another site, 163 will check whether this URL belongs to a domain on 163’s whitelist. If this is true, the redirection will be permitted.
However, if the URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from 163 directly.

(2.2) Used one of webpages for the following tests. The webpage is “http://whitehatpostlike.lofter.com/“. Can suppose it is malicious.

Below is an example of a vulnerable domain:
google.com

Vulnerable URL from 163 that is related to yhd.com:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

POC video:
https://www.youtube.com/watch?v=8QqKQml1QCE

Blog Detail:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

More Details:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
https://computertechhut.wordpress.com/2014/05/02/netease-hack/
http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html

Saturday 3 May 2014

Mail.ru Website Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Mail.ru Website Service OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

(1) Domain:
mail.ru

"Mail.Ru Group (London Stock Exchange listed since November 5, 2010) is a Russian Internet company. It was started in 1998 as an e-mail service and went on to become a major corporate figure in the Russian-speaking segment of the Internet. As of 2013, according to comScore, websites owned by Mail.ru collectively had the largest audience in Russia and captured the most screen time. Mail.Ru's sites reach approximately 86% of Russian Internet users on a monthly basis and the company is in the top 5 of largest Internet companies, based on the number of total pages viewed. Mail.ru controls the 3 largest Russian social networking sites. It operates the second and third most popular Russian social networking sites, Odnoklassniki and Moy Mir, respectively. Mail.ru holds 100% of shares of Russia's most popular social network VKontakte and minority stakes in Qiwi, formerly OE Investments (15.04%). It also operates two instant messaging networks (Mail.Ru Agent and ICQ), an e-mail service and Internet portal Mail.ru, as well as a number of online games." (Wikipedia)

"Mail.Ru — крупный коммуникационный портал российского Интернета, ежемесячная аудитория которого по данным на октябрь 2012 года превышает 31,9 млн человек. Ресурс занимает 52-е место по популярности в мире и 5-е — в России. Число работников составляет 2800 человек. Ресурс принадлежит инвестиционной группе Mail.Ru Group." (Ru.Wikipedia)

(2) Vulnerability Description:
Mail.ru web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04)，Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) Vulnerability Detail:
Mail.Ru's OAuth system is susceptible to Attacks. More specifically, the authentication of parameter "&redirct_uri" in OAuth system is insufficient. It can be misused to design Open Redirect Attacks to Mail.Ru.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),
"&response_type"=code,token...
"&scope"=get_user_info...

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

The vulnerabilities occurs at page "/oauth/authorize?" with parameter "&redirect_uri", e.g.
https://connect.mail.ru/oauth/authorize?response_type=token&client_id=667668&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Fdistance.html [1]

Before acceptance of third-party application:
When a logged-in Mail.Ru user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter "&redirect_uri".

If a user has not logged onto Mail.Ru and clicks the URL ([1]) above, the same situation will happen upon login.

After acceptance of third-party application:
A logged-in Mail.Ru user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

(2.1.1) Mail.Ru would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the "&redirect_uri" parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

Hence, a user could be redirected from Mail.Ru to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Mail.Ru directly. The number of Mail.Ru's OAuth client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, Mail.Ru's OAuth system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Mail.Ru's authentication system and attack more easily.

(2.2) Used one of webpages for the following tests. The webpage is "http://biboying.lofter.com/". We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Below is an example of a vulnerable third-party domain:
kp.ru

Vulnerable URL in this domain:
http://my.kp.ru/login.do?returnUrl=http%3A%2F%2Fwww.tetraph.com%2Fessayjeans%2Fpoems%2Fdistance.html

Vulnerable URL from Mail.Ru that is related to kp.ru:
https://connect.mail.ru/oauth/authorize?response_type=code&client_id=667668&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin%2Fmailru.do%3FreturnUrl%3Dhttp%253A%252F%252Fizh.kp.ru

POC:
https://connect.mail.ru/oauth/authorize?response_type=code&client_id=667668&redirect_uri=http%3A%2F%2Fmy.kp.ru%2Flogin.do%3FreturnUrl%3Dhttp%253A%252F%252Fwww.tetraph.com%252Fessayjeans%252Fpoems%252Fdistance.html

POC Video:
https://www.youtube.com/watch?v=0yEB58S8WBI

Blog Detail:
http://tetraph.blogspot.com/2014/05/mailru-oauth-20-covert-redirect.html

(3) What is Covert Redirect?