It’s just data

Feeds As Attack Delivery Systems

Niall Kennedy: Robert Auger and Caleb Sima of security firm SPI Dynamics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems detailed how many blogging systems and feed aggregators do not block against malicious code insertion by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack.

It would be useful if specific examples were included, otherwise this is merely needless defamation.  My experience is that the companies listed are ones that respond quickly, once notified of the problem.

Update: A whitepaper on the exploits, including example feeds, is available from SPI Dynamics.


2005-11-30: disclosed

2006-04-14: fixed

Counterarguments to the effect of “the comment section of Phil’s blog is not the appropriate place to disclose such bugs” will be largely ignored until Bloglines provides an official mechanism for reporting such bugs privately.  Or did they create such a mechanism since the last time we discussed this issue?

Posted by Mark at

Actually, as of late June, Bloglines treats the comment section of Phil’s (or any other blog) as a valid place to provide “Freedback”.

Now, to test this: the RSS feed for Bloglines news is invalid.  Furthermore, the guid given for the “Freedbacking” post mentioned above isn’t a permalink — i.e., the link has since rotted as the news item scrolled off of the page.

Posted by Sam Ruby at

Sam: Yes, we know about the issues with our news ‘blog’, its ‘GUIDs’, and that it is invalid. Replacing it is on a long list of laundry items.

Mark: I know we screwed up everything related to the phil ringnalda blog post.  We are working hard to never be in that situation again.  There isn’t much I can say to change your mind about it, other than being proactive about fixing these issues as fast as possible once we know about them.

On that count, the issues that SPI has raised were fixed in July, before they were publicly announced.  It seems that most of the press has completely missed this fact.

Thanks,

Paul Querna
Bloglines Engineer

Posted by Paul Querna at

the issues that SPI has raised were fixed in July, before they were publicly announced

Aha!  So there is a way to privately report vulnerabilities.

Posted by Mark at

Aha!  So there is a way to privately report vulnerabilities.

It is hidden in plain sight.  Go to bloglines.com and click on the Contact Us link.  Fill out the form.  Click on Send Message.  Voilà!

Posted by Sam Ruby at

The issue with their contact form was never really whether or not it existed or could be found; it was whether or not they would give a canned response after 60 hours, and then not respond or react for four weeks. I haven’t gone vuln hunting since then, so much as I want to believe they’ve improved their response to private messages in step with their response to public messages, I don’t actually know.

Posted by Phil Ringnalda at

It would be useful if specific examples were included, otherwise this is merely needless defamation.

Actually Sam, it may be a form of good old-fashioned capitalist self-promotion. See:

Marcus J. Ranum: Vulnerability Disclosure – let’s be honest about motives shall we?

At least these folks aren’t charging aggregator developers to tell them about their own bugs (as far as we know), unlike e.g. the blue pill which was “developed exclusively for COSEINC Research” who is “planning to organize trainings about blue pill”.

Posted by Wes Felter at

Wes: It would have been prudent for SPI to follow up (by testing the feeds they claimed had problems) and mention that bugs were fixed.  When making a security press release people should really do their homework.

Posted by Ryan at

As of right now, Bloglines still appears to be failing 21 of my tests when accessed with IE6. Using Firefox or IE7 it’s much less vulnerable, but not completely safe. The FeedDemon 2.0.0.24 trial which I think I downloaded within the last couple of weeks also still fails, but I don’t know if that’s the most recent version. Sharpreader 0.9.7.0 which was released a couple of days ago now appears to be safe (at least it passed all my tests). Haven’t checked the latest versions of others, but last I checked they weren’t even attempting to strip javascript.

I should stress that my tests don’t involve any actual security exploit though. I was merely trying to get some javascript to execute (specifically an alert window popup). On some systems this did result in the aggregator becoming essentially unusable.

As I said on atom-syntax I was considering blogging about this before, but wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous. I’m still undecided.

Posted by James Holderness at

wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous

My 2¢: longer term (say, 30 to 90 days), it would be great if these feeds were included in the UFP test suite.  Shorter term, it would be ideal if somebody could contact the authors of known, popular feed consumers that are either known to fail or are difficult to test (perhaps due to platform issues).

If I can help make either of these happen, let me know.

Posted by Sam Ruby at

My tests really aren’t very good, but UFP is welcome to use them if someone else is willing to do whatever converting is necessary. There are 85 in the set at the moment, but I really ought to add a whole lot more.

As for contacting the aggregator authors, I can email a copy of my feed to anyone that asks (at least anyone contacting me from a company address), but most people probably aren’t even aware that they have a problem (otherwise they assumedly would have fixed it).

The aggregators known to fail (at least last time I checked) include: AmphetaDesk, FeedDemon, FeedExplorer (with scripting enabled - not sure whether that is default), FeedReader, GreatNews, NewzCrawler, RSS Bandit, RSSOwl, RssReader, Attensa Online, Newsgator Online, Netvibes and Rojo. I’ve already spoken to someone at Bloglines.

The ones that passed my current tests: BlogBridge, BottomFeeder, IE7, JetBrains Omea, Sharpreader (the latest release), Thunderbird and Google Reader. Obviously Snarfer too.

But that still leaves a huge number of aggregators in the “unknown” category. I can’t test any Apple or Linux products, and My Yahoo! still refuses to touch anything from my domain. There are lots more Windows products that I could test, but I don’t really know which are the popular ones that I’ve missed and I obviously can’t test them all.

Posted by James Holderness at

if someone else is willing to do whatever converting is necessary

/me raises his hand

I don’t really know which are the popular ones that I’ve missed and I obviously can’t test them all.

I can help to get the word out.  Many aggregator authors follow my feed (mostly for self defensive purposes ;-)).

If you want to be the point of contact, make a post on your weblog, and I will try to spread the word.  Otherwise, let me know and I will take care of that too.

Posted by Sam Ruby at

James: If you don’t mind I’d like to add the tests to Abdera’s test suite as well.  I’ve been thinking about adding a “bad vibes” bit to Abdera (as in, "this feed is giving off some bad vibes") in addition to the content and element filtering mechanism that is there.

Posted by James Snell at

I can email a copy of my feed to anyone that asks (at least anyone contacting me from a company address)

rsayre /\ mozilla.com

speaking of that particular .com, we may or may not have openings for programmers with 25+ years experience, COM expertise, and dynamic language implementation experience. ;)

Posted by Robert Sayre at

Sorry for the delay - Saturday party night - but I’ve just sent you all an email with the good stuff.

Posted by James Holderness at

I can’t find the email — and I’ve checked my spam folders.  Can you resend?

Posted by Sam Ruby at

Just sent it again. Didn’t get a bounce or anything last time. Used your address from atompub. Of course I am using hotmail so who knows what it’s doing. If you don’t get anything this time around I’ll try with another account.

Posted by James Holderness at

Actually SPI did mention specific vulnerable vendors, provided live demos of those vulnerable vendors, and walked through the different risks associated with the different reader types. They mentioned others they are currently working with that they didn’t want to disclose until the vendor had a reasonable amount of time to fix the issue.

Posted by Mark at

If you don’t get anything this time around I’ll try with another account.

I didn’t.  To make this easier, I used the fake name generator to create a disposable hotmail account.

To test this account, I sent two emails using my hosting provider.  They never arrived.  I then switched the smtp address to the one provided by my ISP, and the email arrived.

Posted by Sam Ruby at

Damn Hotmail. Earlier today they did eventually get around to sending me a bounce response of sorts: “Delivery Status Notification (Delay)”. I suspect that means you’ll receive ten copies of the message a week from now. In the meantime though, I’ve sent yet another copy via my official, never-before-used company address. Hopefully that’ll get through.

This message is going to be such an anticlimax when you finally do get it.

And in an effort to get this comment thread somewhat back on topic, I should add that the new SharpReader isn’t as impervious to attack as I’d originally thought. Having reread the release notes, I see they aren’t disabling scripting - they’re just running the renderer in the restricted security zone. By default this means no scripting, but it’s still theoretically possible that some idiot user could turn it on. Highly unlikely, of course, but you never can tell what users might do.

Posted by James Holderness at

Hello there fellow Sam.

You strike me as an individual on a mission, and I wholeheartedly approve.

I am on a quest to track down every Sam on the internet and get them competing head-to-head gladiatorially for kudos.

I’ve set up a Sam-tracking top-sites type thing you may or may not be interested in. Swing by my site (linked in submission) for more information - it’s no scam, just some fun.

Seriously. I’m not just traffic hunting (we’re all at it, right) but this could be a chance to laud it over the lesser Sams out there!

Essentially I’m aiming to recruit as many Sams from the internet as possible for a showdown of some kind. We’re an interesting bunch, and it’s worth celebrating that fact.

Hope all is well. Yes, I know it’s a little weird, but I find the unusual to be interesting.

Best regards

Sam

Posted by Sam at

I’ve sent yet another copy via my official, never-before-used company address.

LOL: Thunderbird thinks this message might be an email scam

Perhaps Thunderbird doesn’t like dot addresses in email content.  Just to mix things up, you might want to try http://3630016887/ in the future.

Posted by Sam Ruby at

I wouldn’t guess that anyone’s example exploit feed could be anticlimactic, after SPI’s: “um, we put a <script> element in some places, and got some alerts.” After all the fun we had last fall with inventive things like <marquee onfinish=""> and http:// followed by <style>, I’m beyond disappointed.

(Sam, the “ followed by ” in that last sentence is a bug report: without it, linkification made the preview page not-well-formed.)

Posted by Phil Ringnalda at
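The cases James’s tests probe (script that should never reach the renderer) and the ones Phil lists (event-handler attributes, markup smuggled through a linkifier) all come down to the same defence: an aggregator should rewrite entry content against a whitelist rather than trying to strip known-bad things. The sanitizer below is an added example written for this post, not code from any aggregator or parser discussed here; the tag and attribute lists and the sample entries are constructed for illustration.

```python
# Added example: whitelist-based sanitizer for HTML carried in feed entries.
# Not from the post or any aggregator named in it; ALLOWED_* lists are my own.
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "pre", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # every on* handler is refused
SAFE_SCHEMES = ("http:", "https:", "mailto:")
VOID = {"br"}
DROP_CONTENT = {"script", "style"}             # element *and* its text go

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;style> arrives as text
        self.out, self.skip = [], 0              # skip = depth inside script/style

    def _safe_url(self, value):
        # Drop whitespace/control characters that browsers ignore in schemes
        v = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
        return v.startswith(SAFE_SCHEMES) or (":" not in v and not v.startswith("//"))

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                               # element dropped, its text kept
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not self._safe_url(value or ""):
                continue                         # javascript:, data:, //host ...
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):                 # text is re-escaped on output
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return entry HTML containing only whitelisted markup."""
    p = FeedSanitizer()
    p.feed(html)
    p.close()                                    # flush buffered text
    return "".join(p.out)
```

Run it on a feed's text before any linkification step, since re-escaping the text is what keeps “http:// followed by <style>” from turning into markup later; it does nothing about the charset question Harry raises, which has to be settled before the bytes ever reach an HTML parser.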

linkification made the preview page not-well-formed

Fixed.

Posted by Sam Ruby at

About “various forms of attacks based on Web feeds that follow the RSS, Atom and XML standards.”...

Excerpt from Public marks at

I’m beyond disappointed.

Ditto.  Knowing as little as I do about “black hat” techniques and their associated conferences and communities, it was supremely disappointing to realize that I knew more about two of the presentations than the presenters.  (The other was Monkeyspaw, a Greasemonkey script that, uh, looks up stuff on 4 hard-coded web sites when you click one of 4 buttons.  The script itself is full of “shout outs” and “greetz” to me and my scripts, which was awfully nice of them.  But I can’t help thinking, sh#t, if that’s all it takes to get a speaker’s gig at a big-name security conference, I’m in the wrong f#cking business.)

Posted by Mark at

What about comments containing malformed UTF-8 as a path to “denial of service” (XML parsers should choke)?

Also UTF-7 as another XSS attack vector a while back, as Google demonstrated: [link]

Posted by Harry Fuecks at

The Daily Grind 942

Weekend discovery: don’t try to use Process.Start() with a username from an ASP.NET Web Service. PerfConsole is unleashed...- If you’re the command-line sort, this utility for dealing with VSTS Profiler output will probably interest you. Replacing...

Excerpt from Larkware News at

Feeddemon author weighs in:
[link]

Posted by Dilip at

Script in Feeds

You might have read the c|net article “Blog feeds may carry security risk” which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in...

Excerpt from Microsoft Team RSS Blog at

Thunderbird thinks this message might be an email scam

Probably shouldn’t have started my message with: “DEAR MR SAM. I AM THE SON OF THE LATE GENERAL SANI ABACHA...” I’m assuming you could read it though?

Also UTF-7 as another XSS attack vector

I’ve yet to come across an aggregator that was vulnerable to that. By the time the data gets to the HTML renderer the charset is firmly established so any meta tag trying to set it has no effect. At least I couldn’t get it to work - that doesn’t mean to say it’s not possible.

Feeddemon author weighs in

I’m not convinced by Nick’s assertion that embedded objects and scripts are rendered harmless by local machine zone lockdown. Less dangerous, perhaps, but not harmless. Maybe I’m wrong.

Posted by James Holderness at

James, I’d love to get ahold of your sample feed. 
For anyone: if you do suspect a vulnerability in a NewsGator product, you can email it to support@newsgator.com with the details.  This is what Phil did.  Stuff like this gets a really high priority with us.

Posted by Gordon Weakliem at

I’m assuming you could read it though?

Yes.  And oddly, the hotmail messages also eventually arrived.

I’d love to get ahold of your sample feed. 

Sent.

Posted by Sam Ruby at

Tell me you were lyin’

Filing security bugs with Netscape 7.1? Please, no....

Excerpt from phil ringnalda at

Script in Feeds

You might have read the c|net article “ Blog feeds may carry security risk ” which summarizes the presentation... [more]

Trackback from Microsoft Team RSS Blog
