NASA Orion Mars Program - Bypass, Persistent Issue & Embed Code Execution Vulnerability (Boarding Pass)
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: NASA Orion Mars Program - Bypass, Persistent Issue & Embed Code Execution Vulnerability (Boarding Pass)
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 05 Dec 2014 17:06:32 +0100
Document Title:
===============
NASA Orion - Bypass, Persistent Issue & Embed Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1339
[VU#666988] US CERT
Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2014/12/05/nasa-mars-orion-program-researcher-reveals-vulnerability-boarding-pass
Reference Article:
http://www.securityweek.com/exploit-payload-possibly-made-it-nasas-orion-spacecraft
Release Date:
=============
2014-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1339
Common Vulnerability Scoring System:
====================================
6
Product & Service Introduction:
===============================
People are being invited to sign up for a free `boarding pass` for trips into
space. The plan is to start small with orbital flights
but will later involve flights to Mars. The US National Aeronautics and Space
Administration is behind the scheme which is linked to
its new Orion spacecraft. It is expected to bring humans back into space for
travel to far-flung destinations including the Red Planet.
And Nasa wants us all along for the ride. Sort of. It is inviting people to
send in their names for inclusion in a penny-sized microchip
that will be carried on Orion’s first flight planned for December 4th. At time
of publishing just over 114,000 people have signed up for
their “boarding pass” that will bring their name into space for a two-orbit
flight and a splash-down in the Pacific Ocean. The names will
also fly on future Nasa exploration flights including missions to Mars. “When
we set foot on the Red Planet, we’ll be exploring for all of
humanity,” says Mark Geyer, Orion programme manager. “Flying these names will
enable people to be part of our journey.”
Nasa is using the web to collect names and social media to help promote it
(#JourneyToMars). Sending your name isn’t quite like flying
yourself, but then there will be no question of space flight sickness and you
don’t have to worry about getting your feet wet in cold
Pacific waters. Don’t delay as the closing date to add your name is October
31st. Submit your name to fly on Orion’s test flight by
visiting go.usa.gov/vcpz and learn more about Orion at nasa.gov/orion.
(Copy of the Homepage:
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ &
http://www.cnet.com/news/nasa-you-cant-fly-to-mars-but-your-name-can/)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side
vulnerability and a filter bypass issue in the official Nasa Orion (mars)
web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-09: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-10-10: Vendor Notification (US CERT Team)
2014-10-15: Vendor Response/Feedback (US CERT Team - Nasa Security Team)
2014-11-13: Vendor Fix/Patch Notification (Nasa JPL Developer Team)
2014-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
NASA (US) [GOV]
Product: Orion Mars - Boarding Pass 2014 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A filter bypass and persistent input validation web vulnerability (embed code
execution) has been discovered in the official NASA Mars Program
web-application.
The high severity vulnerability allows remote attackers to inject their own
system-specific code into the application-side of the affected NASA
online-service website.
The issue is located in the firstname and lastname input fields of the NASA
mission Orion boarding pass module. Remote attackers are able to inject their
own script code as firstname and lastname to compromise the embed boarding pass
module of the NASA website. The request method used to inject is POST and the
attack vector is on the application-side of the vulnerable online-service
module. After the malicious content is saved to a boarding pass, the attacker
can use the embed module to stream the malicious code as embed code execution
through the boarding pass application of the NASA Mars program website.
In this scenario we would like to fly first, so we inject a script code that
gets stored in the NASA DBMS. In a special case from an earlier pentest, the
user list kept running until an error occurred. In the case of the vote, the
NASA boarding pass list runs until the execution occurs, and this becomes the
last entry that counts. The result is that the user with the injected, specially
crafted code could become the first in line for a ticket.
The web filter of the service encodes, for example, frame and script code tags.
Img onloads can pass through the filter validation and the second instance
filter of cloudflare to provoke an execution of script code in the embed NASA
boarding pass module. The dime-size microchip carries 1.3 million names that
fly aboard Orion.
Engineers wrote 1.3 million names onto the tiny 0.8 cm square (8 mm square)
silicon wafer microchip. An E-beam lithography tool was used to write the
content to the chip.
After the input, the payload gets flashed to a NASA chip that is configured to
be sent into space with mission Orion.
After the report, the US CERT Team informed NASA about the issue and NASA
closed the researcher's active ticket. To confirm that the ticket was closed,
NASA included an image showing the user on the official NASA `NO FLY List`. The
researcher had been careful enough to inject three payloads. Two ids were
observed by the NASA team and one passed through the verification and
validation procedure with id 344***.
In a statement NASA wrote back that the chip itself is not at risk because
there is no interaction with it and no code runs on it. In the researcher's
case the code was blocked when it was written to the silicon microchip. The
content written to the chip is handled manually for about 1.3 million users. In
a later conversation with another security team, they acknowledged that it
would be impossible to check 1.3 million user accounts. By looking at the last
id of the researcher, included as reference, people can see that the name value
of an accepted ticket is not securely validated. He used the word Payload1 as
first name and Payload2 as second name to confirm the validation.
The security risk of the embed code execution vulnerability in the boarding
pass is estimated as high with a cvss (common vulnerability scoring system)
count of 6.0.
Exploitation of the persistent remote web vulnerability requires no privileged
application user account and only low user interaction. Successful
exploitation of the
security vulnerability results in session hijacking, persistent phishing,
persistent external redirect through nasa domains and persistent manipulation
of affected or
connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] NASA Mars > Boarding Pass > Registration
Vulnerable Parameter(s):
[+] firstname
[+] lastname
Affected Module(s):
[+] NASA Mars - Boarding Pass (Embed Boarding Pass)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote
attackers without privileged application user account and
with low user interaction. For security demonstration or to reproduce the
security vulnerability follow the provided information and
steps below to continue.
Manual steps to reproduce the remote vulnerability ...
1. Open the mars.nasa.gov website portal
2. Register a new boarding pass to register for the orion program
3. Include own script code as firstname and lastname to inject it and to
provoke the execution
Note: After saving the input the payload will be streamed to the invite of the
boardpass index but also to the embed board pass module
4. The code execution occurs in the boarding pass website that displays the
saved embed context information of the nasa customer/client
5. Successful reproduction of the security vulnerability!
PoC: Embed Exploitcode (Mars BoardingCard)
<iframe
src="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?action=getcert&e=1&cn=334902"
width="750" height="307" scrolling="no" frameborder="0"></iframe>
PoC: J2M1000000158467 (send-your-name/orion-first-flight/?s=confirm&cn=334902)
<div class="boarding">
<img src="/images/general/layout/hexAccentImage.png" class="graphic-right">
<div class="certificate-id">J2M1000000158467</div>
<div class="name">
<div style="font-size:1.5em;">"><"<[PERSISTENT INJECTED SCRIPT CODE
VIA FIRSTNAME VALUES!]"></div>
<div>"><"<[PERSISTENT INJECTED SCRIPT CODE VIA LASTNAME
VALUES!]"></div></div>
<img src="/images/mep/send-name-to-mars/Boarding-Pass.png"
class="image-boarding" alt="boarding pass">
<div
style="bottom:0;left:0;position:absolute;z-index:100;background-color: rgba(85,
85, 85, 0.5);width:100%;">
<div
style="position:relative;z-index:101;float:right;margin-right:0%;margin-top:2px;margin-bottom:2px;">
<a target="_blank"
style="color:#eee;text-decoration:none;font-weight:normal
!important;border:none;display:inline-block;padding-right:
8px;padding-right:10px;line-height:16px; font-family: 'Helvetica
Neue',Arial,sans-
serif;font-size: 12px;"
href="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/"><div
style="font-size:16px;margin-left:6px;float:
right;font-weight:bold;">+</div><div style="float:left;">Image Credit:
mars.nasa.gov</div></a>
</div>
<br clear="all">
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ Load
Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[144]
Mime Type[text/html]
Request Header:
Host[mars.nasa.gov]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D;
__utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604;
__utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2F
mars.nasa.gov%2Fparticipate%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22
delivery_src%22%3A%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22
http%3A%2F%2Fwww.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp
%22%3A%22a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D;
__utma=259910805.435627752.1412859567.1412859567.1412859567.1;
__utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight;
s_invisit=true; __utmb=36124604.0.10.1412869134]
Connection[keep-alive]
POST-Daten:
action[submit]
pid[2]
FirstName[[PERSISTENT INJECTED SCRIPT CODE!]]
LastName[[PERSISTENT INJECTED SCRIPT CODE!]]
CountryCode[DE]
ZipCode[34128]
Email[research%40vulnerability-lab.com]
rp[]
recaptcha_challenge_field[03AHJ_VutiAgzfSZseCHPF92TfRrOZIIX-E6X078M8JwT-meq1bJthIybgz2TGRb_fl0QJdopcWTcJLSp2vy-DirSlgF370p4a4xnMI1D-
oypqwieb2Q5ckPquDsbrDV4Gp4u3B2jRORQn4KW4VEont0UfwogAMQgKBpqEjer1MrSEimu9LxVJRD3v-Jz40RRNTcR2FvsQqCL3hGPl27ca9RjTd7KrzM56-
xZRWdnXHfHmFNyLNSNzOrcCEvcv3ZW9oZVBoV0IQzL19g_zMXEOt61sAKOZbVDI0cT0DGUt2EGDlBJ81uj8dp0]
recaptcha_response_field[619]
Submit[SEND+MY+NAME]
Response Header:
Content-Type[text/html;charset=UTF-8]
Content-Length[144]
Connection[keep-alive]
Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
Cache-Control[max-age=600]
Date[Thu, 09 Oct 2014 15:46:04 GMT]
Location[./?s=confirm&cn=344616]
Server[nginx/1.1.19]
X-Cache[Miss from cloudfront]
Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
X-Amz-Cf-Id[Ol1wi0YiljsLjsNOdJjXmYAjmvQgVMvLCh9WnjvbTFF0a4GKSVHifw==]
-
Status: 200[OK]
GET
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe
des Inhalts[7642] Mime Type[text/html]
Request Header:
Host[mars.nasa.gov]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101
Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D;
__utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604;
__utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2Fmars.nasa.gov%2Fparticipate
%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22delivery_src%22%3A
%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22http%3A%2F%2F
www.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp%22%3A%22
a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D;
__utma=259910805.435627752.1412859567.1412859567.1412859567.1;
__utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight;
s_invisit=true; __utmb=36124604.0.10.1412869134]
Connection[keep-alive]
Response Header:
Content-Type[text/html;charset=UTF-8]
Content-Length[7642]
Connection[keep-alive]
Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
Cache-Control[max-age=600]
Content-Encoding[gzip]
Date[Thu, 09 Oct 2014 15:46:05 GMT]
Server[nginx/1.1.19]
Vary[Accept-Encoding]
X-Cache[Miss from cloudfront]
Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
X-Amz-Cf-Id[fcCNBQ3RNkRMQ_9nK-1v_ConkoOko6ttxX2F0IDcwKGyovh3SJSAZg==]
Reference(s):
http://mars.nasa.gov/
http://mars.nasa.gov/participate/
http://mars.nasa.gov/participate/send-your-name/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=334902
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the
vulnerable firstname and lastname input fields.
Restrict and filter the input to prevent execution of persistent script codes
in the boarding pass service.
Encode the boarding pass output values in the embed code module to block
application-side script code executions.
Upgrade the filter to capture image onloads and image cookie requests.
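As an added illustration (not NASA's code and not from the advisory), the following Python models the two rendering strategies the technical details and the solution section contrast: a blacklist filter of the kind the advisory describes, which encodes frame and script tags but lets an img onload through, beside the recommended fix of encoding the name values at output time in the embed module. All names, the certificate id and the inputs are constructed placeholders.

```python
import html
import re

# Constructed example (not NASA's code): a blacklist filter that, like the
# one the advisory describes, encodes frame/script tags but nothing else.
WEAK_TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|frame)\b", re.IGNORECASE)

def weak_filter(value: str) -> str:
    """Neutralise only frame/script tags; other markup passes through."""
    return WEAK_TAG_RE.sub(lambda m: "&lt;" + m.group(0)[1:], value)

def render_boarding_pass_weak(first: str, last: str, cert_id: str) -> str:
    """Embed markup built the way the PoC shows it: the filtered names
    are interpolated into the HTML body without output encoding."""
    return (f'<div class="certificate-id">{cert_id}</div>'
            f'<div class="name"><div>{weak_filter(first)}</div>'
            f'<div>{weak_filter(last)}</div></div>')

def render_boarding_pass_safe(first: str, last: str, cert_id: str) -> str:
    """Hardened version: context-aware output encoding at render time.
    Every untrusted value is HTML-entity encoded (quotes included), so
    a stored name can no longer open a tag or attribute boundary."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return (f'<div class="certificate-id">{esc(cert_id)}</div>'
            f'<div class="name"><div>{esc(first)}</div>'
            f'<div>{esc(last)}</div></div>')

# Detection helper: a tag carrying an on* event-handler attribute.
EVENT_HANDLER_RE = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)

def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains an event-handler tag;
    usable as a renderer test or to scan stored name records."""
    return bool(EVENT_HANDLER_RE.search(rendered))

# Constructed inputs: an ordinary name and the img-onload vector the
# advisory names; the certificate id is a placeholder, not a real one.
BENIGN_FIRST, BENIGN_LAST = "Mark", "O'Neil"
INJECTED_FIRST = '"><img src="x" onload="alert(1)">'
INJECTED_LAST = "<script>alert(2)</script>"
CERT_ID = "J2M1000000000000"

if __name__ == "__main__":
    weak = render_boarding_pass_weak(INJECTED_FIRST, INJECTED_LAST, CERT_ID)
    safe = render_boarding_pass_safe(INJECTED_FIRST, INJECTED_LAST, CERT_ID)
    print("weak filter, active markup left:", contains_active_markup(weak))
    print("output encoding, active markup left:", contains_active_markup(safe))
```

The detection helper doubles as a regression test for the renderer and as a scanner over already-stored name records, which is how the 1.3 million entries the advisory mentions could be checked without manual review.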
Security Risk:
==============
The security risk of the filter bypass and persistent script code inject web
vulnerability in the nasa boarding pass application is estimated as high. (CVSS
6.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade
with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: dev.vulnerability-db.com - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt