Niall Kennedy: Robert Auger and Caleb Sima of security firm SPI Dymanics gave a 50-minute security briefing on RSS and Atom feed vulnerabilities at yesterday’s Black Hat conference in Las Vegas. Their talk, Zero Day Subscriptions: Using RSS and Atom feeds As Attack Delivery Systems detailed how many blogging systems and feed aggregators do not block against malicious code insertion by third parties and often run at elevated permission levels on a user’s machine, exposing an entire operating system to a potential scripting attack.
It would be useful if specific examples were included, otherwise this is merely needless defamation. My experience is that the companies listed are ones that respond quickly, once notified of the problem.
Counterarguments to the effect of “the comment section of Phil’s blog is not the appropriate place to disclose such bugs” will be largely ignored until Bloglines provides an official mechanism for reporting such bugs privately. Or did they create such a mechanism since the last time we discussed this issue?
Actually, as of late June, Bloglines treats the comment section of Phil’s (or any other blog) as a valid place to provide “Freedback”.
Now, to test this: the RSS feed for Bloglines news is invalid. Furthermore, the guid given for the “Freedbacking” post mentioned above isn’t a permalink — i.e., the link has since rotted as the news item scrolled off of the page.
Sam: Yes, we know about the issues with our news ‘blog’, its ‘GUIDs’, and that it is invalid. Replacing it is on the a long list of laundry items.
Mark: I know we screwed up everything related to the phil ringnalda blog post. We are working hard to never be in that situation again. There isn’t much I can say to change your mind about it, other than being proactive about fixing these issues as fast as possible once we know about them.
On that count, the issues that SPI has raised were fixed in July, before they were publicly announced. It seems that most of the press has completely missed this fact.
The issue with their contact form was never really whether or not it existed or could be found; it was whether or not they would give a canned response after 60 hours, and then not respond or react for four weeks. I haven’t gone vuln hunting since then, so much as I want to believe they’ve improved their response to private messages in step with their response to public messages, I don’t actually know.
At least these folks aren’t charging aggregator developers to tell them about their own bugs (as far as we know), unlike e.g. the blue pill which was “developed exclusively for COSEINC Research” who is “planning to organize trainings about blue pill”.
Wes: It would have been prudent for SPI to followup (by testing the feeds they claimed had problems) and mention that bugs were fixed. When making a security press release people should really do their homework.
As I said on atom-syntax I was considering blogging about this before, but wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous. I’m still undecided.
wasn’t sure whether it was a good idea providing example feeds that are potentially dangerous
My 2¢: longer term (say, 30 to 90 days), it would be great if these feeds were included in the UFP test suite. Shorter term, it would be ideal if somebody could contact the authors of known, popular feed consumers that are either known to fail or are difficult to test (perhaps due to platform issues).
If I can help make either of these happen, let me know.
My tests really aren’t very good, but UFP is welcome to use them if someone else is willing to do whatever converting is necessary. There are 85 in the set at the moment, but I really ought to add a whole lot more.
As for contacting the aggregator authors, I can email of a copy of my feed to anyone that asks (at least anyone contacting me from a company address), but most people probably aren’t even aware that they have a problem (otherwise they assumedly would have fixed it).
The aggregators known to fail (at least last time I checked) include: AmphetaDesk, FeedDemon, FeedExplorer (with scripting enabled - not sure whether that is default), FeedReader, GreatNews, NewzCrawler, RSS Bandit, RSSOwl, RssReader, Attensa Online, Newsgator Online, Netvibes and Rojo. I’ve already spoken to someone at Bloglines.
The ones that passed my current tests: BlogBridge, BottomFeeder, IE7, JetBrains Omea, Sharpreader (the latest release), Thunderbird and Google Reader. Obviously Snarfer too.
But that still leaves a huge number of aggregators in the “unknown” category. I can’t test any Apple or Linux products, and My Yahoo! still refuses to touch anything from my domain. There are lots more Windows products that I could test, but I don’t really know which are the popular ones that I’ve missed and I obviously can’t test them all.
James: If you don’t mind I’d like to add the tests to Abdera’s test suite as well. I’ve been thinking about adding a “bad vibes” bit to Abdera (as in, "this feed is giving off some bad vibes") in addition to the content and element filtering mechanism that is there.
Just sent it again. Didn’t get a bounce or anything last time. Used your address from atompub. Of course I am using hotmail so who knows what it’s doing. If you don’t get anything this time around I’ll try with another account.
Actually SPI did mention specific vulnerable vendors, provided live demo’s of those vulnerable vendors, and walked through the different risks associated with the different reader types. They mentioned others they are currently working with that they didn’t want to disclose until the vendor had a reasonable amount of time to fix the issue.
Damn Hotmail. Earlier today they did eventually get around to sending me a bounce response of sorts: “Delivery Status Notification (Delay)”. I suspect that means you’ll receive ten copies of the message a week from now. In the meantime though, I’ve sent yet another copy via my official, never-before-used company address. Hopefully that’ll get through.
This message is going to be such an anticlimax when you finally do get it.
And in an effort to get this comment thread somewhat back on topic, I should add that the new SharpReader isn’t as impervious to attack as I’d originally thought. Having reread the release notes, I see they aren’t disabling scripting - they’re just running the renderer in the restricted security zone. By default this means no scripting, but it’s still theoretically possible that some idiot user could turn it on. Highly unlikely, of course, but you never can tell what users might do.
I wouldn’t guess that anyone’s example exploit feed could be anticlimactic, after SPI’s: “um, we put a <script> element in some places, and got some alerts.” After all the fun we had last fall with inventive things like <marquee onfinish=""> and http:// followed by <style>, I’m beyond disappointed.
(Sam, the “ followed by ” in that last sentence is a bug report: without it, linkification made the preview page not-well-formed.)
Ditto. Knowing as little as I do about “black hat” techniques and their associated conferences and communities, it was supremely disappointing to realize that I knew more about two of the presentations than the presenters. (The other was Monkeyspaw, a Greasemonkey script that, uh, looks up stuff on 4 hard-coded web sites when you click one of 4 buttons. The script itself is full of “shout outs” and “greetz” to me and my scripts, which was awfully nice of them. But I can’t help thinking, sh#t, if that’s all it takes to get a speaker’s gig at a big-name security conference, I’m in the wrong f#cking business.)
Weekend discovery: don’t try to use Process.Start() with a username from an ASP.NET Web Service. PerfConsole is unleashed...- If you’re the command-line sort, this utility for dealing with VSTS Profiler output will probably interest you. Replacing...
You might have read the c|net article “Blog feeds may carry security risk” which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in...
Thunderbird thinks this message might be an email scam
Probably shouldn’t have started my message with: “DEAR MR SAM. I AM THE SON OF THE LATE GENERAL SANI ABACHA...” I’m assuming you could read it though?
Also UTF-7 as another XSS attack vector
I’ve yet to come across an aggregator that was vulnerable to that. By the time the data gets to the HTML renderer the charset is firmly established so any meta tag trying to set it has no effect. At least I couldn’t get it to work - that doesn’t mean to say it’s not possible.
Feeddemon author weighs in
I’m not convinced by Nick’s assertion that embedded objects and scripts are rendered harmless by local machine zone lockdown. Less dangerous, perhaps, but not harmless. Maybe I’m wrong.
James, I’d love to get ahold of your sample feed.
For anyone: if you do suspect a vulnerability in a NewsGator product, you can email it to firstname.lastname@example.org with the details. This is what Phil did. Stuff like this gets a really high priority with us.