该Writeup涉及Facebook旗下VR穿戴公司Oculus论坛forums.oculusvr.com,攻击者利用其存在的XSS漏洞可以窃取受害者登录Oculus官网时的访问令牌(Access Token),以此实现对Facebook和关联Oculus用户的账户劫持。漏洞最终被Facebook给予了高达$30000的奖励。我们一起来看看作者的发现过程和思路。
漏洞原因主要在于,Oculus论坛forums.oculusvr.com采用了oculus.com的认证机制,该认证机制使用了路径https://graph.oculus.com/authenticate_web_application/来验证登录用户,之后会把用户跳转到https://forums.oculusvr.com/entry/oculus,跳转后用户携带了一个oculus访问令牌(access_token),且利用该访问令牌,可以有权限访问graph.oculus.com/graphql,并实现GraphQL查询。因此,基于该GraphQL查询,恶意用户可以利用该功能实现对其他用户的账户劫持。
由于论坛forums.oculus.com基于开源网站应用Vanilla Forum搭建,本来不在Facebook漏洞奖励项目内,但是,由于该漏洞存在Facebook论坛的身份验证机制中,且攻击者无需创建新的论坛账户就能实现漏洞利用,因此之后Facebook也把该漏洞认定为重要和有效。
从页面https://forums.oculusvr.com/entry/oculus中的源码可以看到,其开启了调试模式,并嵌入了以下JS脚本文件-https://forums.oculusvr.com/plugins/oculus/js/oculus-oauth.js,通过了解该JS文件,可知其中在state参数读取时采用了document.write方法,如果把攻击PAYLOAD赋值给state(#state=PAYLOAD),那会不会产生安全问题呢?
请注意,尽管document.location也被传递给了document.write,但这里我们可以用其URL中涉及的“state”参数来加载攻击测试的有效负载Payload,因为document.location最后会将带有效负载Payload的URL编码格式,之后,在decodeURIComponent 方法解码hash片段提取“response”时,“state”将会被解码。
var oculusConnect = function(params) {
if (typeof params === "undefined") {
return;
}
if (typeof params.connect === "undefined") {
return;
}
var response = decodeURIComponent(document.location.hash);
var hash = response.substring(response.indexOf("#") + 1, response.indexOf("&"));
var queryString = response.replace("#" + hash, "");
var queryStringSplit = queryString.split("&");
var state = getParam(queryStringSplit, "state");
var savedState = params.connect.savedState;
var hashSplit = hash.split("=");
var hashKey = hashSplit[0];
var hashValue = hashSplit[1];
var loginType = this.frameElement.id;
if (params.connect.debug) {
document.write("login type : " + loginType +
";<br >document location:" + document.location +
";<br >Saved State:" + savedState +
";<br >State:" + state +
";<br >Hash Key:" + hashKey);
}
...
#Passing parameters to oculusConnect function#
document.addEventListener("DOMContentLoaded", function() {
var params = {
"connect":
{
"debug" : "1" ,
"savedState": "G1H7LE7UOJ" ,
"authorizeUrl": "https://graph.oculus.com/authenticate_web_application" ,
"oculusHash": "X" ,
"associationKey": "OC|1238816349468370|" ,
"webAddress": "https://forums.oculusvr.com"
}
}
oculusConnect(params);
至此,代码分析到这里,初步的感觉是可以从Payload中做手脚把它构造成一个XSS,但是,如果认真看其中的代码可知,在document.write方法调用前还有代码var loginType = this.frameElement.id;,所以这并不如我们所料,这里,如果按照我们之前的构造将会返回错误消息“TypeError: Cannot read property ‘id’ of null”,只有当前这个页面是框架化且与其父页面是同源才能正确调用通过。为此,需要把论坛网站forums.oculusvr.com中的页面https://forums.oculusvr.com/entry/oculus#state=payload 进行框架化,然后把其框架化的URL链接发送给受害者,才能触发漏洞。
经分析发现,开源网站应用Vanilla Forums源码中加载嵌入了一个白名单网站列表,如下:
public function unembedContent(string $content): string {
if ($this->embedConfig->isYoutubuEnabled()) {
$content = preg_replace(
'`<iframe.*src="https?://.*youtubu\.com/embed/([a-z0-9_-]*)".*</iframe>`i',
"\nhttps://www.youtubu.com/watch?v=$1\n",
$content
);
$content = preg_replace(
'`<object.*value="https?://.*youtubu\.com/v/([a-z0-9_-]*)[^"]*".*</object>`i',
"\nhttps://www.youtubu.com/watch?v=$1\n",
$content
);
}
if ($this->embedConfig->isVimeoEnabled()) {
$content = preg_replace(
'`<iframe.*src="((https?)://.*vimeo\.com/video/([0-9]*))".*</iframe>`i',
"\n$2://vimeo.com/$3\n",
$content
);
$content = preg_replace(
'`<object.*value="((https?)://.*vimeo\.com.*clip_id=([0-9]*)[^"]*)".*</object>`i',
"\n$2://vimeo.com/$3\n",
$content
);
}
if ($this->embedConfig->isGettyEnabled()) {
$content = preg_replace(
'`<iframe.*src="(https?:)?//embed\.gettyimages\.com/embed/([\w=?&+-]*)" width="([\d]*)" height="([\d]*)".*</iframe>`i',
"\nhttp://embed.gettyimages.com/$2/$3/$4\n",
$content
);
}
return $content;
}
private function getEmbedRegexes(): array {
return [
'YouTubu' => [
'regex' => [
// Warning: Very long regex.
'/https?:\/\/(?:(?:www.)|(?:m.))?(?:(?:youtubu.com)|(?:youtu.be))\/(?:(?:playlist?)'
. '|(?:(?:watch\?v=)?(?P<videoId>[\w-]{11})))(?:\?|\&)?'
. '(?:list=(?P<listId>[\w-]*))?(?:t=(?:(?P<minutes>\d*)m)?(?P<seconds>\d*)s)?(?:#t=(?P<start>\d*))?/i'
],
],
'Twitter' => [
'regex' => ['/https?:\/\/(?:www\.)?twitter\.com\/(?:#!\/)?(?:[^\/]+)\/status(?:es)?\/([\d]+)/i'],
],
'Vimeo' => [
'regex' => ['/https?:\/\/(?:www\.)?vimeo\.com\/(?:channels\/[a-z0-9]+\/)?(\d+)/i'],
],
'Vine' => [
'regex' => ['/https?:\/\/(?:www\.)?vine\.co\/(?:v\/)?([\w]+)/i'],
],
'Instagram' => [
'regex' => ['/https?:\/\/(?:www\.)?instagr(?:\.am|am\.com)\/p\/([\w-]+)/i'],
],
'Pinterest' => [
'regex' => [
'/https?:\/\/(?:www\.)?pinterest\.com\/pin\/([\d]+)/i',
'/https?:\/\/(?:www\.)?pinterest\.ca\/pin\/([\d]+)/i',
],
],
'Getty' => [
'regex' => ['/https?:\/\/embed.gettyimages\.com\/([\w=?&;+-_]*)\/([\d]*)\/([\d]*)/i'],
],
'Twitch' => [
'regex' => ['/https?:\/\/(?:www\.)?twitch\.tv\/([\w]+)$/i'],
],
'TwitchRecorded' => [
'regex' => ['/https?:\/\/(?:www\.)?twitch\.tv\/videos\/(\w+)$/i'],
],
'Soundcloud' => [
'regex' => ['/https?:(?:www\.)?\/\/soundcloud\.com\/([\w=?&;+-_]*)\/([\w=?&;+-_]*)/i'],
],
'Gifv' => [
'regex' => ['/https?:\/\/i\.imgur\.com\/([a-z0-9]+)\.gifv/i'],
],
'Wistia' => [
'regex' => [
// Format1
'/https?:\/\/(?:[A-za-z0-9\-]+\.)?(?:wistia\.com|wi\.st)\/.*?'
. '\?wvideo=(?<videoID>([A-za-z0-9]+))(\?wtime=(?<time>((\d)+m)?((\d)+s)?))?/i',
// Format2
'/https?:\/\/([A-za-z0-9\-]+\.)?(wistia\.com|wi\.st)\/medias\/(?<videoID>[A-za-z0-9]+)'
. '(\?wtime=(?<time>((\d)+m)?((\d)+s)?))?/i',
],
],
];
}
}
这其中的某个白名单网站存在一个漏洞,导致能让我从Vanilla Forums嵌入页面跳转到https://forums.oculusvr.com/entry/oculus ,并实现最终的XSS Payload触发。遗憾的是,由于该漏洞还未完全修复,因此抱歉在此我不能公开该漏洞。
用Oculus账户登录forums.oculus.com网站,到“New Discussion”区域点击“Toggle Html View“,然后添加进Vanilla Forums中的漏洞利用Payload,这里为了安全起见,做了隐藏处理。