Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IE8 img tag HiJacking
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 22 Apr 2010 14:06:35 -0400

Interesting use, using filesize to back into the actual CAPTCHA used for a
given query.  Sneaky!

So it's possible to read not only filesize, but image dimensions
cross-domain.  I actually found a use for this -- it's a good way to
exchange a small amount of data between sites that mutually distrust one
another.  The reason for this is that images are pretty much the only
resources that can be loaded cross-domain that won't have embedded script
executed by a browser.

(Side note:  At this point, you're probably thinking:  Vladimir just said
that some browsers allow SVG to load via <img> -- and SVG can embed script
with nothing but a script tag  and a smile!  Doesn't this mean a bunch of
sites are in trouble?

Turns out, no, not as far as I can tell anyway.  IE and Firefox both block
<img> to SVG entirely, while Chrome, Safari, and Opera allow it.  But there
appears to be a script firewall (or more accurately, a missing connection)
between <img>-loaded SVG and the script engine.  Static SVG renders just
fine, but don't expect it to do anything unless you top-level nav, inline,
or use something like embed.)

Back to image dimensions, it turns out that this information channel cannot
be closed; even if the dimensions of the object itself couldn't be queried,
the XY positioning of the objects *around* the imported images must be both
queryable and dependent on image properties.

I was curious however if img.fileSize would leak filesizes of non-image
content.  Doesn't look like it does -- undefined in everything but IE, -1 in
IE.


2010/4/22 T Biehn <tbiehn () gmail com>

It could be used as a technique for defeating the login images used as
"two-factor-authentication" by some online services.
The application of using filesize to fingerprint an image is somewhat
novel. This is a decidedly 'old' vector, though.

-Travis

2010/4/21 Владимир Воронцов <vladimir.vorontsov () onsec ru>

Hello Full disclosure!

Once again, unwinding theme HiJacking found a fun way to get the very
least information about the target resource when the user is located at
the
attacker.

Already crocked <img> tag opens new opportunities using the method
fileSize, described here:
http://msdn.microsoft.com/en-us/library/ms533752
(v = VS.85). Aspx

Consider a simple example - a Web application after authentication
provides some sort of picture for the user, for example:

http://example.com/getImage.php?image=myAvatar

The attacker, knowing this can create a page to read:

<img id="onsec" src="http://example.com/getImage.php?image=myAvatar";>

<input type="button" onclick="if (onsec.fileSize> 0) (alert ('authorized
on example.com') else (alert ('not authorized on example.com')}">

Thus, the attacker learns the simplest case, whether the target user
access to example.com.

Continuing the theme, I want to note that in some cases, can obtain
additional information from the very values of the size of the picture. It
can be any logical information Web applications, say, the same script can
show administrators a picture of the same size, and users - of another.
Thus, we obtain the user rights. And so on.

I'd like to return the size of the method is not only "valid" images, but
also HTML pages, JSON, etc. But, unfortunately, does not work. Maybe, of
course, there are exceptions, call to investigate the matter.

I have some thoughts on the study of vector images in XML format, because
HTML is often valid XML, and then ...

Check for the test version IE9, but he did not support SVG inside tag
<img>, but only as a separate tag.

Works in IE8, in Opera 10.52 does not work on check writing, if not
difficult.

Original at russian language: http://oxod.ru/?p=113

--
Best regards,
Vladimir Vorontsov
ONsec security expert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault