Ph'nglui mglw'nafh RedCloth R'lyeh wgah'nagl fhtagn

I am a big fan of the author H. P. Lovecraft and especially of the Cthulhu mythos he started. Nowadays I am kept awake at night by obscure thoughts about what I will do to bugbounty report reviewers who classify my reports as duplicate, but in my younger days I used to scare my imaginary friends by muttering the phrase Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn from the Lovecraft book The Call of Cthulhu. This translates roughly as In his house at R'lyeh dead Cthulhu waits dreaming.

A few months ago I targeted a Ruby web application and suddenly this phrase seemed to catch what was wrong with the application: a dead piece of software that is still lurking around, waiting for not so innocent developers to include it in their app which is then hacked to pieces.

I must admit that for the untrained eye reading a hacker write-up is as exciting as watching paint dry, but in reality most of the groundwork a hacker does is indeed very boring. Sorry kids, better take up an accountant job! But I will try to keep this write-up short and to the point.

I started the security review as usual by browsing as much as possible in order to detect technologies in use and things that trigger a faint "Hmm, that's weird" echo in my synapses. In hacker speak that is called assessing the attack surface but that is just because we like to present mundane things as something exciting so we can charge more for it.

I noticed the application allowed pictures and links in user profiles and my tests showed some weird and at first un-explicable behavior.

Inserting an image was done by by surrounding its URL with exclamation marks, example:

!http://example.com/igbuend.jpg!

Inserting a link was done by placing the descriptive phrase in quotation marks and following it immediately by a colon and the URL. Example:

"Example":http://example.com

This is textile parsing as explained here. I also guessed Based on my decades long experience with critical internet facing applications I detected that the popular Ruby RedCloth package was used.

Attacking a parser is relatively straightforward, just start with the special characters that act as markers for the parser to transform the input:

  • from the first statement you learn that exclamation marks are special.
  • from the second statement you learn that quotation marks and colons are important.

Everything else is just trial and error and you just need to find the mistake the developers made because of wrong expectations of the input.

I could have looked at the source code, but that is even more boring.

Since in bounty programs being fast is of the essence, I combined both constructs by inserting an image in a link to get a working exploit, a Stored Cross-Site-Scripting (XSS), as follows:

!<javascript:alert(1)(2)!:javascript:prompt(document.domain)

This resulted in the following output:

<p style="float:left;"><a href="javascript:prompt(document.domain)"><img src="javascript:alert(1)" title="2" alt="2" /></a></p>

In (very) old browsers the <img> tag will result in reflected XSS. In newer browsers, the victim needs to click the image (you might want to insert a real image) and the JavaScript in the <a> tag will execute.

Interestingly enough, this was not detected by an automated scan. One of the reasons is that the (1)(2) is needed to make it work, while scanners only insert one () in an attempt to start a function.

I rushed to write the vulnerability report, the customer liked it and I was awarded a high. Great, a zero-day! I started thinking of a sexy name (e.g. RubyRedMassacre) and preparing the press release.

Unfortunately, my research in the darker corners of the web (translate this as type "redcloth xss" in a Google or Baidu search) lead to an earlier documented exploit and the discovery of the fact that the RedCloth package was not actively maintained.

I still thought that a write-up might be interesting and started writing it in search for fame and glory.

To rub some salt in my wounded pride, I discovered just before publishing that the package had a new maintainer and the long-standing bug had been fixed!

However, although the originally documented exploit was fixed, my slightly different way more advanced exploit still worked! Aha, zero-day at last!

I contacted the new maintainer and a few hours ago the new version 4.3.1 was released making it finally possible to publish this report.

Hope you liked it!

Herman Stevens

Just some guy on the internet. Loves technology, diving, travelling, photography and Belgian Trappist beers.