Tuesday, June 12, 2012

For Fun - XSS in ICE IX C&C Panel

Our team is working on an analysis of the ICE IX botnet, and we will be releasing a detailed paper on the workings of ICE bot very soon. This post, however, is meant for fun, although the information it provides can be put to practical use. We have found an interesting XSS in the main login page of the ICE botnet C&C panel. It does not require any authentication at all. The POC is presented in the figure below.


So what you have to do is manipulate the XML construct shown below in order to trigger it.

The interesting part is to understand the entry point in this as discussed.

Consider /adm/index.php?m=login. Usually the "m" parameter in this URI is taken to be the entry point, which is true in a certain sense. For this XSS, however, the entry point lies in the path itself: /adm/index.php/ [Injection Point] ?m=login.

So, the point is, XSS finds its own entry points. :)
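As an added illustration (not the panel's own code, and the post does not say why the path segment is reflected), here is a hypothetical PHP login page that reproduces this class of bug by echoing PHP_SELF, which carries PATH_INFO, into the form action, beside a hardened version that uses SCRIPT_NAME, encodes it for the attribute context and refuses PATH_INFO altogether:

```php
<?php
// Hypothetical illustration of the bug class, not the ICE IX panel's code. The
// assumption (not confirmed by the post) is that the login page copies a request-path
// variable into the form's action attribute, which is why text placed after
// index.php/ is reflected into the page.

// Vulnerable: PHP_SELF includes PATH_INFO, so /adm/index.php/<text>?m=login
// puts <text> straight into the attribute value, unencoded.
function render_login_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '?m=login" method="post">'
         . '<input name="user"><input name="pass" type="password">'
         . '<input type="submit" value="Login"></form>';
}

// Hardened: (1) use SCRIPT_NAME, which ends at the script and never carries
// PATH_INFO; (2) encode for the attribute context anyway with ENT_QUOTES, so a
// stray quote or angle bracket cannot leave the attribute; (3) refuse requests
// that carry PATH_INFO at all, since this script has no legitimate use for it.
function render_login_hardened(array $server): string
{
    if (!empty($server['PATH_INFO'])) {
        http_response_code(404);
        return '';
    }
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '?m=login" method="post">'
         . '<input name="user"><input name="pass" type="password">'
         . '<input type="submit" value="Login"></form>';
}

// Constructed request values, modelled on what PHP populates for
// GET /adm/index.php/"><injected>?m=login (the marker is harmless text).
$server = [
    'SCRIPT_NAME' => '/adm/index.php',
    'PATH_INFO'   => '/"><injected>',
    'PHP_SELF'    => '/adm/index.php/"><injected>',
];

echo render_login_vulnerable($server), "\n"; // marker closes the attribute and lands in the markup
echo render_login_hardened($server), "\n";   // empty body with 404: path info is refused

// With no PATH_INFO the hardened page renders normally.
$clean = ['SCRIPT_NAME' => '/adm/index.php', 'PATH_INFO' => '', 'PHP_SELF' => '/adm/index.php'];
echo render_login_hardened($clean), "\n";
```

Run it with `php` on the command line to compare the two renderings; in a real deployment, the same check belongs in front of every script that does not consume PATH_INFO, not only the login page.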

Browser Security Talk:
As an additional note, the screenshot above shows that the payload is sent in the URL, Google Chrome parses it, and the payload then becomes persistent. It looks like a filter bypass, and it is; whether the Google Chrome team considers it one is up to them. IE and NoScript both trigger an alert.

Enjoy!