XSS and Charset Remembering via charsets in different browsers

RESOLVED DUPLICATE of bug 715319

People

(Reporter: mustlive, Unassigned)


Description (Reporter)
Hello Mozilla!

I wrote you the letter "XSS and Charset Remembering via charsets in different browsers" (which is provided below) almost two months ago (on June 22, 2012). My letter concerns Firefox and all browsers on your Gecko engine, as well as all other browsers (except Google Chrome). But I haven't received any answer (the automatic reply that you've received my letter doesn't count).

And it's very unserious. For example, after you ignored it I later published this information to the lists (for this reason I haven't made this entry hidden), and I quickly received a message from Microsoft, which asked for more information (and they received it), because they were interested in improving the security of their browser. At that, I hadn't informed Microsoft (after multiple cases of silently fixing vulnerabilities without mentioning me, I stopped informing them about vulnerabilities in IE, and you were going the same way with similar cases). I informed only Mozilla, but it was exactly Microsoft that showed interest, unlike Mozilla, which just ignored it and didn't answer at all.

This is similar to the case at the beginning of 2009, when I was drawing your attention (Dan Veditz's) to XSS via different charsets, but you ignored it. It looked like Mozilla didn't want to fix any XSS via charsets (and there are a lot of affected charsets). Yet since last year you've already fixed such holes two times: MFSA 2011-47 (Potential XSS against sites using Shift-JIS) and MFSA 2012-29 (Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues). So do you care about such XSS or not? Also note that you called them "potential" vulnerabilities, thinking that there would have to be sites with such charsets and appropriate input fields, but as I already showed in March 2009 it's possible to attack any site with appropriate input fields by tricking the user into setting any of the affected charsets (the same as I showed for UTF-7 in February 2009, which is similar to the attack I showed in 2007). I.e. this is a universal Strictly social XSS vulnerability, which works both at any web site (with appropriate input fields) and in any browser.

----- Original Message ----- 
From: MustLive 
To: security@mozilla.org 
Sent: Friday, June 22, 2012 6:43 PM
Subject: XSS and Charset Remembering via charsets in different browsers


Hello Mozilla!

First of all, I'll remind you of the vulnerabilities about which I informed you at the beginning of March 2009. At that time I informed you about XSS attacks via the charsets EUC-JP and SHIFT_JIS, and also about the Charset Remembering attack, which can be used to make persistent attacks via different charsets that allow conducting XSS attacks. It was the second time I informed you, after Charset Remembering via UTF-7 (the attack via UTF-7 you first ignored after I informed you in September 2007, and later, in September 2008, you silently fixed it).

And at that time (on the 3rd of February 2009 and the 3rd of March 2009 respectively) I made two publications about these issues: Charset Remembering vulnerability in Mozilla Firefox (http://websecurity.com.ua/2848/) and Firefox’s Charset Remembering strikes back (http://websecurity.com.ua/2928/), with detailed information about these attacks (which was sent to you by e-mail), and in the second post I presented a PoC for testing browsers for XSS via different charset encodings, particularly for demonstrating attacks via the charsets EUC-JP and SHIFT_JIS. But you ignored and did not fix those vulnerabilities in your browsers.

And later, in MFSA 2011-47, Mozilla fixed the possibility of XSS attacks via the charset Shift-JIS, about which I informed you in March 2009 (but still did not fix the same issue with the charset EUC-JP). So you ignored my letter and publication of 03.03.2009, and only after 2.5 years, on 08.11.2011, did you fix one of the few vulnerabilities I informed you of. Which was not serious. And take into account that Cheng Peng Su, in his research article "Bypassing script filters with variable-width encodings" of August 7, 2006, already wrote about these two charsets concerning Firefox 1.5.0.6 (I used his research about Firefox 1.5.0.6 in my research of Firefox 3.x and my Charset Remembering attack).

In my 2009 PoC and 2012 PoC I'm using 0x8F (which I selected for my PoC because it was related to both EUC-JP and SHIFT_JIS). And Yosuke Hasegawa told only about 0x82 for SHIFT_JIS (in MFSA 2011-47, bug #690225). At that, Cheng Peng Su wrote about 0x81-0x9F and 0xE0-0xFC for SHIFT_JIS in his article.

Now let's go to my new research, published last week, in which I made a new exploit (added one character to make it work not only in Firefox but in other browsers) and checked multiple browsers and additional charsets. It concerns vulnerabilities in Firefox, and I hope this time you will not ignore them and will fix these vulnerabilities.

XSS and Charset Remembering:

Last week, on the last Patch Tuesday, Microsoft fixed vulnerabilities in Internet Explorer, and among them there was the vulnerability CVE-2012-1872 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872).

This vulnerability surprised me, because information about XSS via EUC-JP in IE6 was already known in 2006: Cheng Peng Su wrote about it (he checked a few charsets in the browsers Internet Explorer 6, Firefox 1.5.0.6 and Opera 9.0.1). Moreover, my exploit (http://websecurity.com.ua/uploads/2009/Firefox_XSS_Charset_Remembering.html) for XSS via the EUC-JP and SHIFT_JIS charsets in Mozilla Firefox was also suitable for IE (only one char had to be added to it). Only, the attack via EUC-JP works in IE 6 and 7, but in IE 8 it was fixed. It looks like new chars of the EUC-JP charset were found via which it's possible to conduct the attack.

So I made a new exploit (to work in different browsers) and tested the XSS attack via different charsets in different browsers. As a result I found that many browsers are vulnerable to attacks via the EUC-JP, SHIFT_JIS and Chinese Simplified (HZ) charsets. And some browsers are also vulnerable to attacks via other charsets. And I'll note that the Charset Remembering attack, described by me three years ago, besides Mozilla and Firefox (all browsers on the Gecko engine) also works in Internet Explorer and Opera.

PoC:

http://websecurity.com.ua/uploads/2012/XSS_charsets_in_browsers.html

The code will execute upon setting the appropriate character encoding in the browser (so you can test any of the mentioned and other charsets). The last version of Firefox which I have is 4.0, so you need to check it in 13.0.1.

This attack via the EUC-JP, SHIFT_JIS and Chinese Simplified (HZ) charsets works in Mozilla Firefox 3 (3.0, 3.5, 3.6), 4 and previous versions (and must work in the next versions), in Internet Explorer 6, 7, 8 (and must work in other versions), and in Opera 10.62 (and must work in other versions).

If you've already fixed SHIFT_JIS in MFSA 2011-47, then you should fix EUC-JP and Chinese Simplified (HZ). Also I've found some other charsets from the East Asian group which are affected (for XSS attacks) in IE 6, 7, 8 and Opera 10.62, but not in Firefox.

Attend to the security of all of your web sites, web software and browsers, and to security auditing.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/5902/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
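The following JavaScript is an added example, not the reporter's PoC and not Mozilla's code. It models the mechanism the report describes: a bare multi-byte lead byte, reflected into a page that the victim's browser has been tricked into decoding as Shift_JIS, swallows the ASCII quote that closes an HTML attribute, so a second reflected field that contains no quote at all lands inside the first tag. The lead-byte ranges 0x81-0x9F and 0xE0-0xFC are the ones cited in the report; the trail-byte rule used by the "fixed" decoder (an invalid trail byte is not consumed but reprocessed) is the behaviour of the WHATWG Shift_JIS decoder. Everything else is an assumption for illustration: the two-field template, the function names (decodeLegacy, decodeFixed, renderPage, firstAttributeValue, loneLeadBytePositions), and the fact that neither toy decoder implements the real JIS tables (any valid two-byte pair is rendered as one placeholder character).

```javascript
// Added example; not from the bug report, MustLive's PoC or Mozilla's code.
// Toy model of a lone Shift_JIS lead byte swallowing the '"' that closes an
// HTML attribute. Lead-byte ranges are those cited in the report; the trail
// rule follows the WHATWG Shift_JIS decoder. Neither decoder implements the
// real JIS tables (assumption: any valid pair becomes one placeholder char).

const PLACEHOLDER = '\u3013'; // stands in for any decoded double-byte character
const REPLACEMENT = '\uFFFD'; // what a decoder emits for an undecodable byte

function isSjisLead(b) {
  return (b >= 0x81 && b <= 0x9F) || (b >= 0xE0 && b <= 0xFC);
}

function isSjisTrail(b) {
  return (b >= 0x40 && b <= 0x7E) || (b >= 0x80 && b <= 0xFC);
}

// Legacy behaviour (the bug): a lead byte consumes whatever byte follows it,
// including 0x22 ('"'), so the quote never reaches the HTML parser.
function decodeLegacy(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    if (isSjisLead(bytes[i])) {
      i++;                        // swallow the next byte unconditionally
      out += i < bytes.length ? PLACEHOLDER : REPLACEMENT;
    } else {
      out += String.fromCharCode(bytes[i]);
    }
  }
  return out;
}

// Fixed behaviour: an invalid trail byte is not consumed; the lone lead byte
// becomes U+FFFD and the following byte is decoded on its own.
function decodeFixed(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    if (isSjisLead(bytes[i])) {
      const next = bytes[i + 1];
      if (next !== undefined && isSjisTrail(next)) {
        i++;
        out += PLACEHOLDER;
      } else {
        out += REPLACEMENT;       // do not advance: next byte is reprocessed
      }
    } else {
      out += String.fromCharCode(bytes[i]);
    }
  }
  return out;
}

const ascii = (s) => Array.from(s, (c) => c.charCodeAt(0));

// Hypothetical server-side template with two reflected fields. The
// application escapes '"' and '<' in both, so the attacker supplies neither:
// field 1 is a bare lead byte, field 2 is plain ASCII text with no quote.
function renderPage(field1Bytes, field2Text) {
  return Uint8Array.from([
    ...ascii('<input value="'), ...field1Bytes,
    ...ascii('"> <input value="'), ...ascii(field2Text), ...ascii('">'),
  ]);
}

// The value of the first attribute as the HTML parser will see it:
// everything between the first two '"' characters of the decoded text.
function firstAttributeValue(decoded) {
  const m = /^<input value="([^"]*)"/.exec(decoded);
  return m ? m[1] : null;
}

// Audit for pages genuinely served as Shift_JIS: offsets of lead bytes that
// are not followed by a valid trail byte. It cannot help when the user is
// tricked into overriding the declared charset, which is the report's point.
function loneLeadBytePositions(bytes) {
  const hits = [];
  for (let i = 0; i < bytes.length; i++) {
    if (isSjisLead(bytes[i]) && !(i + 1 < bytes.length && isSjisTrail(bytes[i + 1]))) {
      hits.push(i);
    }
  }
  return hits;
}

// Constructed attacker input: field 1 is a single lead byte (the report's
// PoC used 0x8F; 0x82 is the byte named for MFSA 2011-47), field 2 is text
// that becomes an event handler once the quote boundary moves.
const page = renderPage([0x82], 'onmouseover=alert(1) x');

console.log('legacy:', decodeLegacy(page));
console.log('fixed: ', decodeFixed(page));
console.log('first attribute (legacy):', JSON.stringify(firstAttributeValue(decodeLegacy(page))));
console.log('first attribute (fixed): ', JSON.stringify(firstAttributeValue(decodeFixed(page))));
console.log('lone lead bytes at offsets:', loneLeadBytePositions(page));
```

Under the legacy decoder the first attribute value runs to the opening quote of the second field, so the second field's text sits inside the first `<input>` tag as an attribute; under the fixed decoder the lead byte becomes U+FFFD and the closing quote survives, which is why a conforming decoder, not a server-side escaping filter, is the fix for this class of bug.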
Comment 1

PoC didn't work with 14.0.1. Maybe fixed by bug 715319.

Status: UNCONFIRMED → RESOLVED
Resolution: --- → DUPLICATE
Duplicate of bug: 715319
Comment 2 (Reporter)
Masatoshi!

You are right. In the last versions of Firefox it's already fixed. The first part of the holes via charsets, about which I informed Mozilla in March 2009, was fixed in November 2011 in MFSA 2011-47 (bug #690225), and the second part of the holes via charsets was fixed in April 2012 in MFSA 2012-24 (bug 715319). At the beginning of this week I tested them in Firefox 10.0.7 ESR and Firefox 15.0.1 and confirmed that all holes were fixed (both those from the March 2009 research and those new from the June 2012 research).

The only thing you should pay attention to is what to count as a duplicate ;-). Because I informed Mozilla in March 2009, and Yosuke did it in September 2011, and Anne did it in January 2012. And it's not my problem that Mozilla lamerly ignored my letter and did not file a Bugzilla entry in March 2009 and did not fix these holes already at that time. And it's not the problem of those Internet users who could be attacked via these holes all the previous years (because they were fixed only partly after 2.5 years and partly after 3 years).