Friday, July 5, 2013

A funny issue on BeEF keylogger spotted by Mario


Mario Heiderich, a good friend of mine, spotted a cool issue with the BeEF keylogger. He went “Armin Meiwes” on our favourite open source bovine. He found XSS in BeEF using <svg/onload=blah>. Well-done!

The BeEF team encourages security researchers to help out wherever possible. As such, we are announcing a BeEF bug bounty program. Each bug will receive a kilogram of Minotaur rump (depending upon supply ;-). Contact us if you would like to help out. We want to hear from you!

We're publishing the writeup about the bug Mario found and we're addressing how we fixed it in today's blog post.


To demonstrate, enter the data into the demo hook demo page:
XSS Screenshot
And the final result was:

Returned data
I've added the ability to do context-aware output escaping of data coming from the hooked browser to the BeEF web admin UI jQuery-encoder. It's an awesome and very easy-to-use JavaScript library.

If you search in the BeEF JavaScript code, you can spot multiple instances of $jEncoder.encoder.encodeForHTML(your_untrusted_output). In this case, the issue is that the data coming from the BeEF keylogger was first mangled by this.formatTitle, and then the output was escaped.

Have a look at the patch (lines 57 to 59):

XSS Patch source
Regarding exploitability, I would imagine the following attack:
  • An attacker prepares a website vulnerable to XSS, ready to be exploited with the BeEF hook.
  • The website also includes a piece of JavaScript that monitors the window object for a new global variable called BeEF.
  • When the BeEF variable is found, it's sufficient to use the functionality available in our logger.js (/beef/core/main/client/logger.js) to issue an XHR back to the /event handler, with properly formatted data including the XSS vector. 
This bug was fixed within 3 hours of notification. Update and cover your BeEF!

Cheers
antisnatchor



14 comments:

  1. I like your post about "A funny issue on BeEF keylogger spotted by Mario" very nice post. It is very help full.I do appreciate about this post & this blog ... :)
    vulnerability assessment
    penetration testing

    ReplyDelete
  2. funny indeed, thanks for this post, but i usually use this https://www.hoverwatch.com/free-android-keylogger keylogger.

    ReplyDelete
  3. Keylogger
    The best keylogger for Windows 10 (32bit and 64bit)
    http://keylogger111.tumblr.com/

    ReplyDelete
  4. Thank you for this interesting post! I want to tell you about this spy app for android http://copy9.com/free-keylogger/ I didn't expect it is something unusual. But when I downloaded it, I saw it has so many interesting functions. I haven't seen keylogger better than this one.

    ReplyDelete
  5. Have you ever checked out some of these spy applications, I mean spyera and others

    ReplyDelete
  6. Downloading this spy app can help you go through all the stuff your husband does on his phone. Please, look at this article if you really want to spy. http://www.mireview.com/blog/9-cell-phone-signs-your-husband-is-cheating-on-you/

    ReplyDelete
  7. I wanted to know the email password of my girl. So I installed an android keylogger http://9spyapps.com/best-hidden-keylogger-android/ on her smartphone. Maybe it's not fair. But I'll not deceive ourselves. Cuz, I have a feeling of dignity.

    ReplyDelete
  8. Hellos craze for acting Second home started in lofty college, during by happen he walked by the tragedy group also saw the undergraduates acting love poultrys

    ReplyDelete
  9. The first time I saw this website, I was immediately attracted to zoom. Moreover, all mortgage & tax arrears the information is in my opinion quite interesting and intriguing. I hope you also visit my website and pass judgment on Costa Calida my website. Thanks.

    ReplyDelete
  10. There's no doubt that sometimes students have lots of things to do. U Write My Essay makes their life much more easier by writing a perfect essays for them.

    ReplyDelete
  11. hello yes o like it and agreed with you After reading this blog Second home i am very strong and clear in this topic and
    second mortgage canada explanation also very clear in this blog so easy to understand

    ReplyDelete
  12. Yes, I've seen some discussions on that issues. Check this entry, guys, don't ignore your other users, that don't post on this blog.

    ReplyDelete
  13. I have read you post, Great work you really did it very well. Keep working like this and sharing informative posts like
    this one. keep it up. I'm waiting for your next post...
    burnaby real estate

    ReplyDelete