Friday, January 25, 2008

Yet another XSS, yet another w0rm!

December 18-19, 2007 was like a nightmare for orkut. Some bad code was executing behind the browsers of orkut users. This is about the worm outbreak which affected more than 600000 orkut users within a night. Although the worm was relatively harmless, it demonstrated once again how disastrous a simple flaw can become when it concerns persistent XSS. These days you get a lot of search results if you search for "orkut scrapbook xss", but at that time the news wasn't that widespread. It was received like a hot cake by many who were in search of a good XSS to be discovered. And the only source of information was a few hacking communities on orkut and, of course, the infected scrapbooks.

Well, the first time I heard of that embedded flash XSS I was a bit perplexed. I knew a few things about XSS, and I didn't even know how to embed a flash object in someone's scrapbook. When orkut introduced the concept of embedding flash objects in scrapbooks, I never had a look at it, maybe because I never knew about the XSS possibilities involved in embedding flash objects, or simply because I wasn't interested in making flashy, colorful scraps for orkut friends. But the vulnerability wasn't a very incredible one. If you search for flash XSS in general, you will find many good articles discussing the common errors that can happen, and one of these articles dates back to 2003. So the concept isn't very new; the orkut embedded flash XSS vulnerability seems to be just another case.
Other social networking websites like Myspace were also hit by a flash worm, in 2006. But the functionality of the Myspace worm was far different from this worm.

The worm didn't do any harm to anyone, and even if you don't know much about the technical workings of traditional viruses and worms, you can still get an idea of how web-based worms work.
Here is the modus operandi of the orkut worm...

1. It will appear in a scrapbook as a scrap.

2. Normally orkut does not allow any executable code (javascript in most cases) to be scrapped into a scrapbook. But because of the flaw in the handling of flash objects by the orkut filter, this worm code gets into your scrapbook.

3. Now whoever opens that scrapbook will have that javascript code executed. The code instructs the browser (Internet Explorer, Mozilla or any other) to (1) send the same infected scrap to all the friends in the friend list and (2) join a community, "Infectados pelo Vírus do Orkut", just for the sake of counting the infected profiles.

Still, the simple vulnerability could have been exploited in a more dangerous way, by simply redirecting users to a fake orkut login page; this version was a harmless one. And thanks to orkut for making their cookies safe (httpOnly), otherwise it could have had a devastating effect. I discussed in my previous article how orkut tightened the security of its cookies by making them inaccessible to javascript.

As for the technical details, the injection of code in this case reminds me of SQL injections. When you are embedding a flash object in the scrapbook, you are required to paste the exact html code for embedding a flash object. Orkut handles the code in its own way and makes it appear in the scrapbook. Though I am not great at embedding flash files in html, I know where the problem occurred. Suppose you are embedding a scrap with a flash file xss.swf on Then you will have to paste the following code in the scrapbook.

<embed src="" type="application/x-shockwave-flash" wmode="transparent" width="10"

After submitting the scrap. You can view the source of scrapbook and you will find the orkut implemented code:

<script type="text/javascript"> var flashWriter = new _SWFObject('', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>

Here orkut uses its own object, called _SWFObject, for handling flash files, and fills in the parameters as the user provided them. The problem occurred because orkut never sanitized, or maybe incorrectly sanitized, the input parameters that the user was providing. In particular, it did not validate the wmode parameter correctly. As a result it became possible to inject any javascript code, as long as it was appended correctly to the "transparent" value: the attacker-controlled value lands inside a single-quoted javascript string literal, so a single quote in the value closes that literal and whatever follows runs as code.
For example we could replace "transparent" with "transparent');alert('xss", so that the scrap to be posted looks like this.

<embed src="" type="application/x-shockwave-flash" wmode="transparent'); alert('xss" width="10"

and after posting, in the scrapbook source it would look like this...

<script type="text/javascript"> var flashWriter = new _SWFObject('', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent');alert('xss'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>
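To make the defect concrete, here is a small model of the scrap renderer described above, written for this post rather than taken from orkut: the flawed string-splicing version beside a hardened one. Only the _SWFObject call shape and the "transparent');alert('xss" payload come from the post; the function names and the ALLOWED_WMODE list are assumptions.

```javascript
// Added example, not orkut's own code. Models the server side that turns a
// user-supplied wmode into an inline <script>, as the scrapbook source shows.

// Flawed: wmode is spliced into a single-quoted JS literal by concatenation.
// A value containing ' closes the literal and the remainder runs as code.
function buildScriptVulnerable(divId, swfUrl, wmode) {
  return "<script type=\"text/javascript\">" +
    "var flashWriter = new _SWFObject('" + swfUrl + "', '" + divId +
    "', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '" + divId + "');" +
    "flashWriter._addParam('wmode', '" + wmode + "');" +
    "flashWriter._addParam('allowScriptAccess', 'never');" +
    "flashWriter._write('flashDiv" + divId + "');</script>";
}

// Hardened. Flash only understands these three wmode values (assumed list),
// so anything else is rejected instead of being passed through.
const ALLOWED_WMODE = new Set(["window", "opaque", "transparent"]);

// Encode a value as a JS string literal that is safe inside <script>:
// JSON.stringify escapes quotes and backslashes; escaping < and / as well
// keeps the sequence </script> from terminating the script block early.
function jsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\//g, "\\/");
}

function buildScriptHardened(divId, swfUrl, wmode) {
  if (!ALLOWED_WMODE.has(wmode)) {
    throw new Error("rejected wmode value: " + wmode);
  }
  const id = jsString(divId);
  return "<script type=\"text/javascript\">" +
    "var flashWriter = new _SWFObject(" + jsString(swfUrl) + ", " + id +
    ", \"10\", \"10\", \"9\", \"#FFFFFF\", \"autohigh\", \"\", \"\", " + id + ");" +
    "flashWriter._addParam(\"wmode\", " + jsString(wmode) + ");" +
    "flashWriter._addParam(\"allowScriptAccess\", \"never\");" +
    "flashWriter._write(" + jsString("flashDiv" + divId) + ");</script>";
}

// The payload from the post: the flawed builder emits a live alert() call,
// the hardened builder refuses the value before it reaches the script.
const PAYLOAD = "transparent'); alert('xss";

function demo() {
  const vulnerable = buildScriptVulnerable("704557008", "", PAYLOAD);
  let hardenedRejected = false;
  try { buildScriptHardened("704557008", "", PAYLOAD); } catch (e) { hardenedRejected = true; }
  return { injected: vulnerable.includes("alert('xss');"), hardenedRejected };
}
```

Even without the whitelist, jsString alone would have neutralized this payload: its single quote cannot close a double-quoted, JSON-escaped literal.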

See, the alert box looks so beautiful when embedded successfully in the orkut page code. :D
This is just an explanation of how the problem occurred and how it was exploited. If you try it now, orkut will successfully filter it out. The correction was made pretty quickly; I think it didn't take more than 2 days. As I already told you, orkut is getting smarter day by day.
If you have the question of how we can protect ourselves from such web-based worms, or how we can ensure that harmful scripts don't run in our browser, then the answer is that there is no foolproof solution. One thing that I didn't mention till now is perhaps the most important thing I wanted to focus on. Despite the widespread effect of the worm, and so many of my orkut friends getting infected and unknowingly joining the community "Infectados pelo Vírus do Orkut", I didn't get a single infection. Though I searched like hell on orkut and unknowingly visited infected scrapbooks, I was still not infected. My browser doesn't allow any kind of hidden code to run on my machine without my permission.
Yes, the lesson of the story is that I used a firefox extension called NoScript. Almost every website today uses javascript to provide greater functionality to the users. But things don't end here; a lot can happen over a small piece of javascript code :D, as was the case with the Myspace and orkut worms. NoScript is a small utility that blocks any kind of script from running without your permission. This way you can select the websites that you trust and allow only those that provide you added functionality. It helps greatly while browsing unknown sites listed by google. And believe me, you will feel a lot more secure once you understand its working and the safety it offers. It also provides security against common XSS attacks and other harmful code executions. It certainly helps in blocking the most common XSS attacks, where your security can be compromised even if the site is a trusted one.

If you are interested in the exact javascript code that the virus used, you can read the article from symantec. I must say, the javascript code is heavily obfuscated; you will have to scratch your head to understand it. I have also given the link for the NoScript firefox addon. So just install the latest version of NoScript and make your firefox a lot safer. Happy Browsing! :)

Special Thanks to Mr. Nobody.