Niall Kennedy: Robert Auger and Caleb Sima of security firm SPI Dynamics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems, detailed how many blogging systems and feed aggregators do not block against malicious code insertion by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack.
It would be useful if specific examples were included, otherwise this is merely needless defamation. My experience is that the companies listed are ones that respond quickly, once notified of the problem.
Counterarguments to the effect of “the comment section of Phil’s blog is not the appropriate place to disclose such bugs” will be largely ignored until Bloglines provides an official mechanism for reporting such bugs privately. Or did they create such a mechanism since the last time we discussed this issue?
Actually, as of late June, Bloglines treats the comment section of Phil’s (or any other blog) as a valid place to provide “Freedback”.
Now, to test this: the RSS feed for Bloglines news is invalid. Furthermore, the guid given for the “Freedbacking” post mentioned above isn’t a permalink — i.e., the link has since rotted as the news item scrolled off of the page.
Sam: Yes, we know about the issues with our news ‘blog’, its ‘GUIDs’, and that it is invalid. Replacing it is on a long list of laundry items.
Mark: I know we screwed up everything related to the phil ringnalda blog post. We are working hard to never be in that situation again. There isn’t much I can say to change your mind about it, other than being proactive about fixing these issues as fast as possible once we know about them.
On that count, the issues that SPI has raised were fixed in July, before they were publicly announced. It seems that most of the press has completely missed this fact.
The issue with their contact form was never really whether or not it existed or could be found; it was whether or not they would give a canned response after 60 hours, and then not respond or react for four weeks. I haven’t gone vuln hunting since then, so much as I want to believe they’ve improved their response to private messages in step with their response to public messages, I don’t actually know.
At least these folks aren’t charging aggregator developers to tell them about their own bugs (as far as we know), unlike e.g. the blue pill which was “developed exclusively for COSEINC Research” who is “planning to organize trainings about blue pill”.
Wes: It would have been prudent for SPI to follow up (by testing the feeds they claimed had problems) and mention that bugs were fixed. When making a security press release people should really do their homework.
As of right now, Bloglines still appears to be failing 21 of my tests when accessed with IE6. Using Firefox or IE7 it’s much less vulnerable, but not completely safe. The FeedDemon 2.0.0.24 trial which I think I downloaded within the last couple of weeks also still fails, but I don’t know if that’s the most recent version. Sharpreader 0.9.7.0 which was released a couple of days ago now appears to be safe (at least it passed all my tests). Haven’t checked the latest versions of others, but last I checked they weren’t even attempting to strip javascript.
I should stress that my tests don’t involve any actual security exploit though. I was merely trying to get some javascript to execute (specifically an alert window popup). On some systems this did result in the aggregator becoming essentially unusable.
As I said on atom-syntax I was considering blogging about this before, but wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous. I’m still undecided.
wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous
My 2¢: longer term (say, 30 to 90 days), it would be great if these feeds were included in the UFP test suite. Shorter term, it would be ideal if somebody could contact the authors of known, popular feed consumers that are either known to fail or are difficult to test (perhaps due to platform issues).
If I can help make either of these happen, let me know.
My tests really aren’t very good, but UFP is welcome to use them if someone else is willing to do whatever converting is necessary. There are 85 in the set at the moment, but I really ought to add a whole lot more.
As for contacting the aggregator authors, I can email a copy of my feed to anyone that asks (at least anyone contacting me from a company address), but most people probably aren’t even aware that they have a problem (otherwise they assumedly would have fixed it).
The aggregators known to fail (at least last time I checked) include: AmphetaDesk, FeedDemon, FeedExplorer (with scripting enabled - not sure whether that is default), FeedReader, GreatNews, NewzCrawler, RSS Bandit, RSSOwl, RssReader, Attensa Online, Newsgator Online, Netvibes and Rojo. I’ve already spoken to someone at Bloglines.
The ones that passed my current tests: BlogBridge, BottomFeeder, IE7, JetBrains Omea, Sharpreader (the latest release), Thunderbird and Google Reader. Obviously Snarfer too.
But that still leaves a huge number of aggregators in the “unknown” category. I can’t test any Apple or Linux products, and My Yahoo! still refuses to touch anything from my domain. There are lots more Windows products that I could test, but I don’t really know which are the popular ones that I’ve missed and I obviously can’t test them all.
if someone else is willing to do whatever converting is necessary
/me raises his hand
I don’t really know which are the popular ones that I’ve missed and I obviously can’t test them all.
I can help to get the word out. Many aggregator authors follow my feed (mostly for self defensive purposes ;-)).
If you want to be the point of contact, make a post on your weblog, and I will try to spread the word. Otherwise, let me know and I will take care of that too.
James: If you don’t mind I’d like to add the tests to Abdera’s test suite as well. I’ve been thinking about adding a “bad vibes” bit to Abdera (as in, "this feed is giving off some bad vibes") in addition to the content and element filtering mechanism that is there.
I can email a copy of my feed to anyone that asks (at least anyone contacting me from a company address)
rsayre /\ mozilla.com
speaking of that particular .com, we may or may not have openings for programmers with 25+ years experience, COM expertise, and dynamic language implementation experience. ;)
Just sent it again. Didn’t get a bounce or anything last time. Used your address from atompub. Of course I am using hotmail so who knows what it’s doing. If you don’t get anything this time around I’ll try with another account.
Actually SPI did mention specific vulnerable vendors, provided live demos of those vulnerable vendors, and walked through the different risks associated with the different reader types. They mentioned others they are currently working with that they didn’t want to disclose until the vendor had a reasonable amount of time to fix the issue.
To test this account, I sent two emails using my hosting provider. They never arrived. I then switched the SMTP address to the one provided by my ISP, and the email arrived.
Damn Hotmail. Earlier today they did eventually get around to sending me a bounce response of sorts: “Delivery Status Notification (Delay)”. I suspect that means you’ll receive ten copies of the message a week from now. In the meantime though, I’ve sent yet another copy via my official, never-before-used company address. Hopefully that’ll get through.
This message is going to be such an anticlimax when you finally do get it.
And in an effort to get this comment thread somewhat back on topic, I should add that the new SharpReader isn’t as impervious to attack as I’d originally thought. Having reread the release notes, I see they aren’t disabling scripting - they’re just running the renderer in the restricted security zone. By default this means no scripting, but it’s still theoretically possible that some idiot user could turn it on. Highly unlikely, of course, but you never can tell what users might do.
You strike me as an individual on a mission, and I wholeheartedly approve.
I am on a quest to track down every Sam on the internet and get them competing head-to-head gladiatorially for kudos.
I’ve set up a Sam-tracking top-sites type thing you may or may not be interested in. Swing by my site (linked in submission) for more information - it’s no scam, just some fun.
Seriously. I’m not just traffic hunting (we’re all at it, right) but this could be a chance to lord it over the lesser Sams out there!
Essentially I’m aiming to recruit as many Sams from the internet as possible for a showdown of some kind. We’re an interesting bunch, and it’s worth celebrating that fact.
Hope all is well. Yes, I know it’s a little weird, but I find the unusual to be interesting.
I wouldn’t guess that anyone’s example exploit feed could be anticlimactic, after SPI’s: “um, we put a <script> element in some places, and got some alerts.” After all the fun we had last fall with inventive things like <marquee onfinish=""> and http:// followed by <style>, I’m beyond disappointed.
(Sam, the “ followed by ” in that last sentence is a bug report: without it, linkification made the preview page not-well-formed.)
Ditto. Knowing as little as I do about “black hat” techniques and their associated conferences and communities, it was supremely disappointing to realize that I knew more about two of the presentations than the presenters. (The other was Monkeyspaw, a Greasemonkey script that, uh, looks up stuff on 4 hard-coded web sites when you click one of 4 buttons. The script itself is full of “shout outs” and “greetz” to me and my scripts, which was awfully nice of them. But I can’t help thinking, sh#t, if that’s all it takes to get a speaker’s gig at a big-name security conference, I’m in the wrong f#cking business.)
You might have read the c|net article “Blog feeds may carry security risk” which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in...
Thunderbird thinks this message might be an email scam
Probably shouldn’t have started my message with: “DEAR MR SAM. I AM THE SON OF THE LATE GENERAL SANI ABACHA...” I’m assuming you could read it though?
Also UTF-7 as another XSS attack vector
I’ve yet to come across an aggregator that was vulnerable to that. By the time the data gets to the HTML renderer the charset is firmly established so any meta tag trying to set it has no effect. At least I couldn’t get it to work - that doesn’t mean to say it’s not possible.
Feeddemon author weighs in
I’m not convinced by Nick’s assertion that embedded objects and scripts are rendered harmless by local machine zone lockdown. Less dangerous, perhaps, but not harmless. Maybe I’m wrong.
James, I’d love to get ahold of your sample feed.
For anyone: if you do suspect a vulnerability in a NewsGator product, you can email it to support@newsgator.com with the details. This is what Phil did. Stuff like this gets a really high priority with us.