
Wed, 15 Aug 2007

On hamsters, Escaping, Escaping of Hamsters and the Lack of escaping in Hamster...
[Image: hamster_escape1.jpg]

OK.. So as I mentioned before, I saw Robert Graham from Erratasec demo Hamster live on stage and wondered whether Hamster was doing useful input/output sanitization.. If it wasn't, he was setting himself up for a pop-up that read "owned on stage" or, worse, a redirect to tubgirl.. He didn't get owned on stage, which suggested that either the crowd was really well behaved or the tool was doing some tidying up, so I decided to wait till I got home to check..

Robert released the tool to the public on his blog on the 5th of August..

At first blush it seems as if Hamster does do some sort of sanitization, since merely surfing to a location and including JavaScript in the URL doesn't harm the Hamster interface..

[Image: Picture 12.PNG]

But all is not lost.. As a quick test, we have a web server send us a cookie that contains JavaScript:

[Image: Picture 13.PNG]

This works as expected, and if the hamster-meister clicks his [cookies] link, you get to execute script in his browser..

[Image: Picture 4.PNG]

Now, although XSS has long been frowned upon as a decent attack vector, we need to keep in mind that we are effectively injecting JavaScript into our attacker's browser.. Simply redirecting him to a backframe or beef hook will translate to making his browser a zombie..

But the fact that attacking our attacker needs him to click on [cookies] in pane-1 (pic below) is annoying.. We want click-free injection, so we keep playing..

[Image: frames.png]

Now it turns out that when an IP in frame (2) is spotted logging in to his Gmail account, Hamster will list the user's email address next to the IP address.. A quick look at the traffic shows that Hamster makes this deduction based on spotting the gmailchat=haroon.meer@gmail.com/12345 cookie value we used while talking to mail.google.com.

Now, this means that if we can get the server to send us another value for that cookie, we should be good.. This sounds tricky, but it's also unnecessary. Since Hamster doesn't care which direction its sniffed traffic is flowing in (and it needs to be that way, since it could miss a Set-Cookie that arrived late on the network), it can't tell whether the cookie we are using was actually issued by the server at all.. This means, using netcat (or telnet), we can do the following:

[Image: Picture 2.PNG]

And the hamster-console happily shows our new persona..

[Image: Picture 7.PNG]

A quick check shows that there are no real length restrictions (or format restrictions) on what we can place there, except for one piece of protection that gets in by accident.. Since the email address appears to be taken as the value between gmailchat= and the /12345, the / has become a delimiter, effectively preventing us from using a </script tag..

We can still inject JavaScript without a "/", so we make use of:

[Image: Picture 31.PNG]

This gets us the ability to run simple script in the hamster-console with no attacker intervention at all..

[Image: Picture 9.PNG]

Now any reasonable piece of JavaScript (even the simple redirect to beef/backframe) is going to need /'s, even if just as part of the http:// .. So we need to get past the annoyance.. It turns out Hamster actually escapes the \ char, preventing \/ type bypasses..

Instead we try a simple document.write piece of JS:

[Image: Picture 41.PNG]

This works just fine:

[Image: Picture 10.PNG]

Which means the game is just about over.. The interwebs give us a handy JS encoder/decoder at: http://scriptasylum.com/tutorials/encdec/encode-decode.html So, using this to encode the string (including both \ and /), we get:

[Image: Picture 111.PNG]

We can then use JavaScript's unescape function to get:

[Image: Picture 5.PNG]

which ends up with:

[Image: Picture 121.PNG]

Now we can write huge long pieces of JavaScript, encode them, pass them to unescape within our gmailchat cookie, and the Hamster console will execute it.. (A simple document.location redirect to www.sensepost.com starts off like this:

[Image: Picture 6.PNG]

and ends up like this:

[Image: Picture 131.PNG]

)
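To make the defensive lesson of the above concrete, here is an added example that is not part of the original post and not Hamster's code. It models the two rendering paths described above, the [cookies] view that echoes raw cookie values and the per-IP identity label cut out of the gmailchat cookie at the first "/", and puts the raw-concatenation pattern (backslash escaped, value cut at a delimiter) next to a version that HTML-encodes every untrusted field at the point of output. The function names and the sample Cookie headers are constructed for illustration.

```python
"""Added example (not Hamster's code): output encoding for a sniffer's web
console. Function names and sample traffic are constructed for illustration."""
import html

# Constructed samples of Cookie request headers as a sniffer would see them
# on the wire; the second carries attacker-controlled markup.
SAMPLE_COOKIE_HEADERS = [
    ("192.168.1.10", "Cookie: gmailchat=haroon.meer@gmail.com/12345; GX=abc"),
    ("192.168.1.11", "Cookie: gmailchat=<script>alert(1)</script>/12345"),
]


def parse_cookie_header(header):
    """Split a 'Cookie:' header into a name -> raw value dict. Nothing is
    decoded or validated: whatever was on the wire is what gets displayed."""
    _, _, body = header.partition(":")
    cookies = {}
    for part in body.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def gmailchat_identity(cookies):
    """Derive the per-IP label the way the post describes Hamster doing it:
    the gmailchat value up to the first '/'. A sniffer cannot tell a
    server-issued cookie from one the client simply sent, so this string is
    attacker-controlled. The '/' cut is a format delimiter, not a filter:
    it drops a closing tag but leaves the opening '<script>' in place."""
    value = cookies.get("gmailchat")
    if value is None:
        return None
    return value.split("/", 1)[0]


def render_row_unsafe(ip, label):
    """The pattern the post finds: raw concatenation into HTML, with only the
    backslash escaped. Any '<' in the label becomes markup in the operator's
    browser (here on the 'Local Intranet' zone, as the post notes)."""
    label = label.replace("\\", "\\\\")
    return "<tr><td>" + ip + "</td><td>" + label + "</td></tr>"


def render_row_safe(ip, label):
    """Hardened form: HTML-encode every untrusted field at the point of output.
    html.escape turns < > & \" ' into entities, so the value is shown as text
    no matter what characters it contains or how the attacker encoded it."""
    return ("<tr><td>" + html.escape(ip, quote=True) + "</td><td>"
            + html.escape(label, quote=True) + "</td></tr>")


def render_console(samples, row_renderer):
    """Build the IP / identity table for a list of (ip, Cookie header) pairs."""
    rows = []
    for ip, header in samples:
        label = gmailchat_identity(parse_cookie_header(header)) or "(unknown)"
        rows.append(row_renderer(ip, label))
    return "<table>" + "".join(rows) + "</table>"


def contains_raw_tag(markup, fragment="<script"):
    """Check used to show the difference: does the rendered page still carry
    the attacker's tag verbatim?"""
    return fragment in markup


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        page = render_console(SAMPLE_COOKIE_HEADERS, renderer)
        print(name, "page still contains <script>:", contains_raw_tag(page))
        print(page)
```

The point of the comparison: escaping one character and cutting at an accidental delimiter is a blacklist, and the post shows a blacklist of this kind being walked around with document.write and unescape. Encoding the whole value for the HTML context it lands in makes the content of the cookie irrelevant.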

Of course, since Hamster is running on your local machine, it will execute script in the context of the "Local Intranet" zone:

[Image: Picture 15.PNG]

Which makes this even more fun..

(Of course: simply setting your gmailchat cookie to a piece of script that spawns a squillion windows will suffice too.)

* We did inform Erratasec about this, who responded that Hamster is not meant for public usage (which is reasonable.. i.e. it was a POC for a demo), so I don't suspect it will get fixed.. If you're running it.. better start considering NoScript..
