NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com

163-neteasy

 

NetEase (163.com) Online Website Covert Redirect Web Security Bugs Based on Google.com


(1) Domain:
163.com

 

 

“NetEase, Inc. (simplified Chinese: 网易; traditional Chinese: 網易; pinyin: Wǎng Yì) is a Chinese Internet company that operates 163.com, a popular web portal ranked 27 by Alexa as of April 2014. 163.com is one of the largest Chinese Internet content providers, and as such frequently appears in the top 10 domains used in spam.” (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

163 web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

The programming code flaw occurs at page “redirect.html?” with parameter “&url”, e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

 

 

 

 

(2.1) When a user is redirected from 163 to another site, 163 will check whether this URL belongs to a domain on 163’s whitelist. If this is true, the redirection will be permitted.

However, if the URLs in a whitelisted domain have open URL redirection vulnerabilities themselves, a user could be redirected from 163 to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from 163 directly.

 

 

 

 

(2.2) Used one of webpages for the following tests. The webpage is “http://whitehatpostlike.lofter.com/“. Can suppose it is malicious.

 

Below is an example of a vulnerable domain:
google.com

 

Vulnerable URL from 163 that is related to yhd.com:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

 

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

 

 

 

POC video:
https://www.youtube.com/watch?v=8QqKQml1QCE


Blog Detail:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.



 

Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

More Details:
http://tetraph.com/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
https://computertechhut.wordpress.com/2014/05/02/netease-hack/
http://webtechhut.blogspot.com/2014/05/163-bug.html
http://tetraph.blog.163.com/blog/static/234603051201452375727342/
http://diebiyi.com/articles/security/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://testingcode.lofter.com/post/1cd26eb9_72e71fd
http://canghaixiao.tumblr.com/post/119486195192/itinfotech-covert
https://twitter.com/tetraphibious/status/559166137343037440
https://biyiniao.wordpress.com/2014/05/28/163-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/163-com-netease-covert-redirect-based-on-google-com/
http://computerobsess.blogspot.com/2014/09/163-website-vulnerability.html





==============

 

 

 

网易 (NetEase) 网站 隐蔽重定向 (Covert Redirect) 网络安全漏洞 基于 谷歌 (Google.com)





(1) 域名:
163.com


” 网易 (NASDAQ: NTES)是中国领先的互联网技术公司,利用最先进的互联网技术,加强人与人之间信息的交流和共享,实现“网聚人的力量”。创始人兼CEO是丁磊。在开发 互联网应用、服务及其它技术方面,网易始终保持业界的领先地位,并在中国互联网行业内率先推出了包括中文全文检索、全中文大容量免费邮件系统、无限容量免 费网络相册、免费电子贺卡站、网上虚拟社区、网上拍卖平台、24小时客户服务中心在内的业内领先产品或服务,还通过自主研发推出了一款率先取得白金地位的 国产网络游戏。网易公司推出了门户网站、在线游戏、电子邮箱、在线教育、电子商务、在线音乐、网易bobo等多种服务。” (百度百科)

 

 

(2) 漏洞描述:

163 网站有有一个计算机安全问题,黑客可以对它用隐蔽重定向 (Covert Redirect) 网络攻击。

 

 

 

这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

漏洞地点 “redirect.html?”,参数”&url”, e.g.
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCkQFjAA&url=http%3A%2F%2Fwww.tetraph.com%2F&ei=F-M2U-iiM4HoiAej74HADA&usg=AFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg&sig2=bdrpWjJ-87ZbUWuQivt5vA&bvm=bv.63808443,d.aGc

 

 

 

 

(2.1) 163 对跳转的页面存在一个 domain whitelist, 如果跳转的页面属于这些 domain, 则允许跳转。

 

但是这些被whitelist domain 本身可能有 URL 跳转漏洞。因此,163 用户意识不到他会被先从 163 跳转到有漏洞的网页,然后从此网页跳转到有害的网页。这与从 163 直接跳转到有害网页是一样的。

 

 

 

 

(2.2) 用了一个页面进行了测试, 页面是 “http://shellmantis.tumblr.com/“. 可以假定它是有害的。

 

下面是一个有漏洞的 domain:
google.com

 

 

163 与 google.com 有关的有漏洞的 URL:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=http://fusion.google.com

 

 

POC:
http://blog.163.com/pub/redirect.html?fromsubscribe&url=https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0–tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fblog

 

 

 

POC 视频:
https://www.youtube.com/watch?v=8QqKQml1QCE


博客细节:
http://tetraph.blogspot.com/2014/05/163com-netease-covert-redirect-based-on.html

 

 

 

 

(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

 

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。

 

 

 

Advertisements
This entry was posted in 0Day, Covert Redirect Vulnerability, Web Security and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s