Friday, August 16, 2013

UXSS – Internet Explorer EUC-JP Parsing Bug

While I was using shazzer, one vector had a really weird result.

The vector was: <img src=x *chr*> onerror=alert(1)>;

The result said that in Internet Explorer 10, a certain character in the euc-jp charset consumed the >, which lead to the execution of the onerror event handler but viewing the test case resulted in no code execution.

After retesting the vector, there were either no results or different characters got detected, but still no test case worked.
I assumed that shazzer worked correctly, but certain parameters were different between show test case and the real fuzzing process.

After creating a little fuzzing script, I finally found out that a certain amount of characters have to be before the starter byte 0x8F. The document has to look like this (charset must be euc-jp):

4094 Bytes + 0x8F + characters that “disappears”. (4094+1 = 0xfff)

After knowing how to trigger the bug, I found out that not only > gets consumed, it seems like every char gets consumed. This is especially usefully to consume the “.

A vector could look like this: [4076*A]<img src="x" alt="[0x8F]" test=" onerror=alert(1)//">
Because the " will be consumed, the onerror event will execute.

This parsing bug enables XSS on websites, which use the euc-jp charset, to attack Internet Explorer users even when the site has no XSS vulnerability.

Reported: 27.5.2013
Fixed: 14.8.2013