Monday, April 18, 2016

[POC] "Crash Browser" | Two kisses for your browser.

It only takes two kisses to knock your browser over. Yes, two kisses: 💋💋


The most recent browser crash/DoS case I have in mind was the one discovered in September of last year by Andris Atteka; that bug was exploited by inserting 16 characters and is triggered by a NULL character placed in the URL.



A few days ago I found a bug that crashes the browser with just 2 characters.

It turns out that the simple authentication prompt (Basic access authentication) has a bug that results in a denial of service against the browser. The bug is triggered when two characters are typed into the password field (there is no need to press Enter). To reproduce it, one of the two characters typed must come from the following list (among many others):
Any character from the Unicode block Miscellaneous Symbols and Pictographs (U+1F300 to U+1F5FF); the list covers the whole block in order, from 🌀 (:cyclone:) through 🌍 (:earth_africa:), 🍕 (:pizza:), 🏠 (:house:), 🐍 (:snake:), 💋 (:kiss:), 💻 (:computer:), 🔒 (:lock:) and 🕐 (:clock1:) to 🗿 (:moyai:), including the code points in that block that have no emoji shortcode.
Source of the Unicode characters:
http://unicode-table.com/es/blocks/miscellaneous-symbols-and-pictographs/

The browsers vulnerable to this bug are Chrome and Opera.



Step by step.


There is no need to fill in the "user" field. Filling in the password with one of the characters listed above is enough to bring the browser down.
PHP CODE TO TRIGGER THE PROMPT:
<?php
// Read the ?auth= parameter; fall back to 'auth' when it is absent.
$get_login = isset($_GET['auth']) ? $_GET['auth'] : 'auth';

// ----------------- BASIC LOGIN FORM --------------------------------------- //
if ($get_login == 'login') {
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        // No credentials yet: ask the browser to show its Basic auth prompt.
        // header() only works before any output, so this block runs before
        // the HTML below is printed, and exit stops the page here.
        header('WWW-Authenticate: Basic realm="Dominio X"');
        header('HTTP/1.0 401 Unauthorized');
        exit;
    } else {
        echo "<p>XD</p>\n";
    }
}
// ------------------------------------------------------------------------ //
?>
<a href="index.php?auth=login" class="btn btn-lg btn-default">Kill the Browser</a>
LIVE POC:
http://crasheando.site88.net/index.php?auth=login

## VIDEO ##




The credentials that go through this kind of prompt are base64-encoded before being sent. I suspect that Chrome/Opera, to save themselves some work, encode the "password" field as it is being typed, and I BELIEVE that is roughly where the slip-up is.
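To make the encoding step concrete, here is an added example (not code from the original post or from the linked repository; the function names are my own) of how an HTTP Basic credential is built from a user-id and password that contain characters from the block listed above, and of the edge case that the paragraph points at: these characters sit outside Latin-1, so a Latin-1-only base64 helper such as btoa() refuses them, and each one occupies two UTF-16 code units in a JavaScript string even though it is a single code point. The correct path is UTF-8 first, then base64; the parser side rejects malformed UTF-8 instead of guessing.

```javascript
// Added example: HTTP Basic credentials with astral-plane characters.
// KISS is U+1F48B, the kiss mark used in the post (a constructed sample).
const KISS = '\u{1F48B}';

// Build "Basic <base64(user:password)>" with the text UTF-8 encoded first.
// RFC 7617 leaves the charset to the server, but UTF-8 is the only
// interoperable choice once the password leaves Latin-1.
function basicCredential(user, password) {
  // The user-id must not contain ':' because it separates user and password.
  if (user.includes(':')) throw new Error('user-id must not contain ":"');
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  // btoa() only accepts code units 0x00-0xFF, so feed it one char per byte.
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return 'Basic ' + btoa(binary);
}

// Parse an Authorization header value; returns null for anything that is not
// well-formed Basic auth with valid UTF-8 inside.
function parseBasicCredential(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/.exec(headerValue);
  if (!m) return null;
  const bytes = Uint8Array.from(atob(m[1]), (ch) => ch.charCodeAt(0));
  let text;
  try {
    // fatal: true throws on malformed UTF-8 instead of emitting U+FFFD.
    text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch {
    return null;
  }
  const i = text.indexOf(':');
  if (i < 0) return null;
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}

// The naive approach: base64-encode the raw JS string. Browsers raise
// InvalidCharacterError for any code unit above 0xFF, so this returns true
// exactly when the password cannot be encoded this way.
function naiveBtoaFails(password) {
  try {
    btoa(password);
    return false;
  } catch {
    return true;
  }
}

// Length as the browser's string sees it (UTF-16 code units) versus the
// number of code points: one kiss mark is 2 units but 1 code point.
function codeUnitAndCodePointCounts(s) {
  return { units: s.length, points: [...s].length };
}

// Usage: empty user-id, one kiss mark as the password.
console.log(basicCredential('', KISS));          // Basic OvCfkos=
console.log(parseBasicCredential(basicCredential('alice', KISS + KISS)));
console.log(naiveBtoaFails(KISS), codeUnitAndCodePointCounts(KISS + KISS));
```

The round trip through basicCredential and parseBasicCredential is the check worth keeping in a test suite: any credential-handling code that treats the string length as a byte count, or that base64-encodes before UTF-8 encoding, fails on exactly the characters this post is about.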

https://github.com/ezelf/JuniorCrashCollection/tree/master/litleBrowserCrash
Regards, and good luck.
