Friday, July 5, 2013

A funny issue on BeEF keylogger spotted by Mario


Mario Heiderich, a good friend of mine, spotted a cool issue with the BeEF keylogger. He went “Armin Meiwes” on our favourite open source bovine. He found XSS in BeEF using <svg/onload=blah>. Well-done!

The BeEF team encourages security researchers to help out wherever possible. As such, we are announcing a BeEF bug bounty program. Each bug will receive a kilogram of Minotaur rump (depending upon supply ;-). Contact us if you would like to help out. We want to hear from you!

We're publishing the writeup about the bug Mario found and we're addressing how we fixed it in today's blog post.


To demonstrate, enter the payload into the demo hook page:

[Image: XSS Screenshot]

And the final result in the admin UI was:

[Image: Returned data]
I've added the ability to do context-aware output escaping of data coming from the hooked browser to the BeEF web admin UI, using jQuery-encoder. It's an awesome and very easy-to-use JavaScript library.

If you search the BeEF JavaScript code, you can spot multiple instances of $jEncoder.encoder.encodeForHTML(your_untrusted_output). In this case, the issue was that the data coming from the BeEF keylogger was first mangled by this.formatTitle and only then escaped.

Have a look at the patch (lines 57 to 59):

[Image: XSS Patch source]
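As an added example (this is neither BeEF's nor jQuery-encoder's code), here is what the rendering step looks like with and without context-aware escaping. encodeForHTML and encodeForHTMLAttribute are stand-ins that follow the OWASP rules for HTML element content and HTML attribute values; BeEF itself calls $jEncoder.encoder.encodeForHTML(...) from jQuery-encoder, whose exact output differs. formatTitle, renderLogEntry and the sample keystroke string are constructed for the demonstration.

```javascript
// Added example (not BeEF's or jQuery-encoder's code): context-aware output
// escaping of keylogger data before it is rendered in the admin UI.
// encodeForHTML / encodeForHTMLAttribute below are stand-ins that follow the
// OWASP rules for the two contexts; BeEF itself calls
// $jEncoder.encoder.encodeForHTML(...) from jQuery-encoder.

// Constructed sample: keystrokes as the hooked browser would report them,
// carrying the <svg/onload=...> vector plus a double quote.
const LOGGED_KEYS = 'login <svg/onload=blah> "pw"';

// HTML element-content context: neutralise the characters that can open a
// tag, close one, or start an entity, plus both quote characters so the same
// output is still harmless if it is later pasted into a quoted attribute.
function encodeForHTML(input) {
  const s = String(input == null ? '' : input);
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// HTML attribute context: the value may land in a quoted or an unquoted
// attribute, where a space or '=' is enough to break out, so encode every
// character outside [A-Za-z0-9] as a numeric entity.
function encodeForHTMLAttribute(input) {
  const s = String(input == null ? '' : input);
  return s.replace(/[^A-Za-z0-9]/gu, ch => '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// Display formatting (here: truncation) works on the raw value. Encoding runs
// last, once per insertion point; truncating an already-encoded string could
// cut an entity such as "&lt;" in half.
function formatTitle(data, max = 20) {
  const s = String(data == null ? '' : data);
  return s.length > max ? s.slice(0, max) + '...' : s;
}

// Vulnerable rendering: the raw value is concatenated into markup both in an
// attribute and in element content.
function renderLogEntryVulnerable(data) {
  return '<div class="log-entry" title="' + data + '">' + formatTitle(data) + '</div>';
}

// Fixed rendering: each insertion point uses the encoder for its own context.
function renderLogEntry(data) {
  return '<div class="log-entry" title="' + encodeForHTMLAttribute(data) + '">' +
    encodeForHTML(formatTitle(data)) + '</div>';
}

// Number of '<' in the produced markup: the fixed renderer emits exactly the
// two tags of its own wrapper, the vulnerable one also emits the attacker's.
function tagOpeners(html) {
  return (html.match(/</g) || []).length;
}

console.log(renderLogEntryVulnerable(LOGGED_KEYS)); // 4 tag openers
console.log(renderLogEntry(LOGGED_KEYS));           // 2 tag openers
```

The point to carry over to any admin UI that displays data from a hooked browser: pick the encoder by where the string lands (element content, attribute, JavaScript, URL), apply it as the final step before insertion, and do any display formatting on the raw value beforehand.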
Regarding exploitability, I would imagine the following attack:
  • An attacker prepares a website vulnerable to XSS, ready to be exploited with the BeEF hook.
  • The website also includes a piece of JavaScript that monitors the window object for a new global variable called BeEF.
  • When the BeEF variable is found, it's sufficient to use the functionality available in our logger.js (/beef/core/main/client/logger.js) to issue an XHR back to the /event handler, with properly formatted data including the XSS vector. 
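The second step of that scenario, watching the window object for the hook's global, as an added example that is not BeEF's own code. The global name "BeEF" is taken from the post; a plain object stands in for window so the snippet runs under Node. What the /event handler expects is BeEF-specific and is not shown: the caller supplies that as the onHook() callback, which receives the hook object.

```javascript
// Added example, not BeEF's own code: the "watch the window object for the
// hook's global" step of the scenario above. The global name "BeEF" is taken
// from the post; a plain object stands in for window so this runs under Node.
// What the /event handler expects is BeEF-specific and is not shown here: the
// caller passes that as onHook(), which receives the hook object.

function waitForGlobal(scope, name, onHook) {
  // Hook already loaded before this script ran: report it straight away.
  if (Object.prototype.hasOwnProperty.call(scope, name)) {
    onHook(scope[name]);
    return;
  }
  // Otherwise trap the first assignment with an accessor property. The setter
  // fires synchronously when the hook script does `BeEF = {...}` or
  // `window.BeEF = {...}` (or a top-level `var BeEF = ...`), which is earlier
  // than a setInterval poll would notice and costs nothing while waiting.
  let value;
  Object.defineProperty(scope, name, {
    configurable: true,
    enumerable: true,
    get() { return value; },
    set(v) {
      value = v;
      // Swap the trap back for an ordinary data property so later code (and
      // the hook itself) sees a normal global; only the first assignment is
      // reported.
      Object.defineProperty(scope, name, {
        value: v, writable: true, configurable: true, enumerable: true,
      });
      onHook(v);
    },
  });
}

// Stand-alone demonstration with a fake window object.
function demo() {
  const fakeWindow = {};
  const seen = [];
  waitForGlobal(fakeWindow, 'BeEF', hook => seen.push(hook));
  fakeWindow.BeEF = { version: 'demo' };   // what the hook script would do
  fakeWindow.BeEF = { version: 'again' };  // plain write, no second callback
  return seen;
}

console.log(demo());
```

In a real page the scope argument is window. Two caveats: a script that declares its global with top-level let or const never creates a window property, so the trap never fires; and a script that installs its global via Object.defineProperty with a data descriptor replaces the accessor without calling the setter, so for such scripts a polling fallback is still needed.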
This bug was fixed within 3 hours of notification. Update and cover your BeEF!

Cheers
antisnatchor



2 comments:

  1. I like your post about "A funny issue on BeEF keylogger spotted by Mario", very nice post. It is very helpful. I do appreciate this post & this blog ... :)
    vulnerability assessment
    penetration testing