H5 Image Recognition vulnerability can cause malicious script execution
I. Details:
http://read.html5.qq.com/image?ImageUrl=http://XXX
This service compresses third-party images for mobile users and uses HAProxy for load balancing.
In testing we found that the returned content can be tainted: the image's EXIF metadata is not stripped during compression, and a HAProxy misconfiguration means the service returns the wrong MIME type with high probability. The browser then treats the image as an HTML page and executes the script embedded in the metadata.
II. Proof of vulnerability:
Prepare a bitmap image of any content, in a format that supports EXIF.
Write a malicious script into any EXIF field, for example:
exiftool '-Make=<script>alert(/xss/)</script>' test.jpg
Publish the file on a server reachable from the public network. Rename it with an .htm suffix so that the server returns Content-Type: text/html when the image URL is requested.
PoC:
http://read.html5.qq.com/image?ImageUrl=http://chichou.0ginr.com/wtf.htm
Because the service sits behind HAProxy load balancing, some backends return the correct type, so a given request has a certain probability of failing to trigger. Refreshing the page a few times is enough to reproduce it.
The screenshot (not reproduced here) shows one such failed trigger attempt.
Further testing showed that the service also caches SVG (vector) images: the user receives a JPEG bitmap, but the MIME type is still wrong. The MIME type returned is whatever the source image's server returned, so it is attacker-controllable and the impact is considerable.
III. Solution:
In the image compression service, strip the original image's EXIF metadata and review the HAProxy configuration so that the correct Content-Type is always returned. Deploy services like this on a domain separate from the main site (something along the lines of gtimg?).
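The first two remedies in one place, as an added example rather than the vendor's code: a minimal response builder for an image proxy that derives Content-Type from the body's magic bytes instead of echoing the upstream header, walks the JPEG marker structure to drop APP1 (EXIF/XMP) and COM segments, and refuses anything it cannot identify as a raster image. The `segment` helper and `SAMPLE_JPEG` are constructed here only to exercise the code; SVG is refused outright because it is XML and would need its own sanitiser.

```python
MAGIC = {  # leading bytes -> the only Content-Type values this proxy will ever emit
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(data):
    """MIME type implied by the magic bytes, or None when the body is not a raster image."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None

def strip_jpeg_metadata(data):
    """Drop APP1 (EXIF/XMP) and COM segments; keep JFIF, tables and the scan data."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: marker expected")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):           # SOS or EOI: only scan data follows, copy as-is
            out += data[pos:]
            return bytes(out)
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        end = pos + 2 + seg_len
        if seg_len < 2 or end > len(data):
            raise ValueError("corrupt JPEG: bad segment length")
        if marker not in (0xE1, 0xFE):        # everything except EXIF/XMP and comments survives
            out += data[pos:end]
        pos = end
    raise ValueError("corrupt JPEG: truncated before SOS/EOI")

def build_response(upstream_content_type, body):
    """(status, headers, body) for the client; the upstream header is received and ignored."""
    mime = sniff_image_type(body)
    if mime is None:                          # unknown bytes: refuse rather than relay
        return 415, {"Content-Type": "text/plain; charset=utf-8"}, b"unsupported image"
    if mime == "image/jpeg":
        body = strip_jpeg_metadata(body)
    headers = {"Content-Type": mime,          # derived from the bytes, never from upstream
               "X-Content-Type-Options": "nosniff"}
    return 200, headers, body

def segment(marker, payload):
    """Build one JPEG marker segment (used only to construct the sample input below)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JFIF header, EXIF segment carrying the report's payload, a quantisation
# table, then a stub scan and EOI. It has the structure of a JPEG, not a decodable picture.
SAMPLE_JPEG = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + segment(0xE1, b"Exif\x00\x00<script>alert(/xss/)</script>")
               + segment(0xDB, b"\x00" + b"\x10" * 64)
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```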
IV. Vulnerability status:
The vulnerability was marked as fixed at 16:00:20 on January 22.