[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities
- To: "'Vulnerability Lab'" <research@xxxxxxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
- Subject: Re: [FD] Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities
- From: "Secunia Research" <vuln@xxxxxxxxxxx>
- Date: Wed, 18 Jun 2014 21:00:05 +0200
Hello List,
First of all to clarify, as the report switches from implying that the CSI /
VIM products are affected to the claim the “CSI & VIM - Web Application &
Online Service 2014 Q2” being affected, this is definitely not an issue in the
CSI nor in the VIM product. The issue is located on the secunia.com website.
The issue you describe makes it possible for a malicious person to inject
potentially malicious content in the firstname and lastname fields, and that
content will be used in an email that is sent out to the email address entered
in the email field, at a later stage.
JavaScript content within emails may of course always execute, if an email
client is used without restricting JavaScript, which in general would be
considered neglectful behavior. Furthermore the step to send JavaScript via
email can actually be performed by e.g. using various web services more
efficiently and directly.
With all that in mind, as an enhancement we have of course taken steps to
ensure the the firstname and lastname fields are sanitized for potentially
malicious content in the future.
Also, should you in the future want to do a coordinated disclosure of your
findings – be it an actual vulnerability or an enhancement - then please feel
free to reach out to us.
--
Kind regards,
Kasper Lindgaard
Director, Research & Security
Follow us on twitter
http://twitter.com/secunia
Secunia
Rued Langgaards Vej 8
DK-2300 Copenhagen S
Denmark
Phone: +45 7020 5144
Fax: +45 7020 5145
-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of
Vulnerability Lab
Sent: 18. juni 2014 16:00
To: fulldisclosure@xxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [FD] Secunia CSI/VIM - Filter Bypass & Persistent Validation
Vulnerabilities
Document Title:
===============
Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1272
Release Date:
=============
2014-06-18
Vulnerability Laboratory ID (VL-ID):
====================================
1272
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
The Secunia CSI 7.0 combines scanning and patching, thereby meeting the
requirements of both IT security and IT operations. This combination of
vulnerability intelligence, vulnerability scanning, patch creation and patch
deployment is unique in the industry. The Secunia CSI is an authenticated
internal vulnerability scanner, capable of assessing the security state of
practically all legitimate programs running on Microsoft Windows platforms and
supports scanning of Windows, Apple Mac OSX, Android and Red Hat Enterprise
Linux (RHEL) platforms.
( Copy of the Vendor Homepage: http://secunia.com/vulnerability_scanning/ )
Secunia’s Vulnerability Intelligence Manager is vulnerability intelligence
brought to you on time, every time, by Secunia’s renowned research team.
The Secunia VIM covers more than 50,000 systems and applications. The software
vulnerability alerts are brought to you instantaneously, and threat levels are
prioritized, so you and your team can address the most critical vulnerabilities
first. Comprehensive reporting lets you assess the current state of your IT
infrastructure, manage the risks, meet compliancy policy rules, and get an
increased return on your security investment. With Secunia`s powerful
Vulnerability Intelligence and Management solution you can implement
remediation strategies effectively and keep your organization secure.
( Copy of the Vendor Homepage: http://secunia.com/vulnerability_intelligence/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a medium severity
vulnerability in the official Secunia CSI/VIM web-application service.
Vulnerability Disclosure Timeline:
==================================
2014-06-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Secunia
Product: CSI & VIM - Web Application & Online Service 2014 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the
official Secunia website web-application for csi/vim account registration.
The vulnerability allows an remote attacker to inject own malicious script
codes to the application-side of the vulnerable web-application service.
The vulnerability is located in the web input form of the registration to the
csi and vim program. The user is able to register with persistent script codes
as first- & lastname.The affect becomes visible in the outgoing email of the
web-server and could maybe affect other sections in the profile. The attacker
injects a payload and streams the malicious mail with own content to a secunia-
or random-user. The filter of the web-server is not validating the context of
the mail on input through the website. The result is an application-side script
code execution in the mail header after the introduction word `Dear`. The mail
includes the registered user (db stored) with the payload context and does not
encode the input.
The secunia web-server tries to encode the input and prevents it with `/`. The
attacker can input multiple strings and between the parse with the `/` the
persistent script code execution occurs. The issue allows attackers to inject
`frames`, `iframes`, `img` and different other html tags with own script codes.
The mails can be send to random user for phishing attacks with persistent
attack vector or directly to well known secunia customers via mail.
The security risk of the persistent input validation web vulnerability in the
mail encldoing of the web-server is estimated as medium with a cvss (common
vulnerability scoring system) count of 3.9.
Exploitation of the mail encoding and web-server validation vulnerability
requires low or medium user interaction and no privileged secunia vim/csi
application user account. Successful exploitation of the persistent mail
encoding web vulnerability results in persistent phishing attacks against
customers or random email users, session hijacking, persistent redirects to
malware and persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /products/corporate/vim/trial/
[+] /vulnerability_scanning/corporate/trial/
Vulnerable Parameter(s):
[+] First- & Lastname
Affected Section(s):
[+] Secunia CSI - Mail Notification
[+] Secunia VIM - Mail Notification
Note: A demo user can also become a registered secunia user with the same
profile credentials which impact the risk to receive later compromised service
email notifications or execution of payload in the user frontend/backend next
to the db stored profile values.
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerabilities can be exploited remote
attackers without privileged application user account or with low privileged
application user account and without user interaction. For security
demonstration or to reproduce the security vulnerability follow the provided
information and steps below to continue.
1. Open the two vulnerable service registration formulars >
http://secunia.com/products/corporate/vim/trial/ >
http://secunia.com/vulnerability_scanning/corporate/trial/
2. Inject own script code (payload) to the vulnerable first- & lastname input
field values
3. Submit the formulars to secunia
4. Check your registration postbox and review the first arriving email of
secunia during the registration tral procedure for example
5. The persistent script code execution occurs in the mail next to the
introduction word `Dear` x=First- & Lastname
6. Successful reproduce of the persistent mail encoding web-server
vulnerability!
Note: A demo user can become a registered secunia user with the same
credentials which impact also a risk to later email notifications or service
values.
The attacker is able to send the mail to random new email or to other secunia
customers email by a mailing list.
Sender Account: @response.secunia.com
Tester Account: bkm@xxxxxxxxxxxxxxxxx
Test Date: 08.05.2014 23:12 & 18.06.2014
PoC: Secunia CSI - Did you get off to a good start?
<tr><td id="empty30" align="left" height="30" valign="top" width="30"></td><td
rowspan="12" colspan="1" id="view31" style="color: #000000;
font-family: Arial; font-size: 12px; line-height: 18px; letter-spacing: 0px"
align="left" height="300" valign="top" width="410"><div id="sc54725"
class="sc-view hidden-border inline-styled-view editor-outline" style="left:
30px; width: 410px; top: 30px; height: 300px; color: #000000; font-family:
Arial; font-size: 12px; line-height: 18px; letter-spacing: 0px; overflow:
hidden"><div class="co-border-style" style="">
<table bordercollapse="collapse" class="co-style-table" style="color: #000000;
font-family: Arial; font-size: 12px; line-height: 18px; letter-spacing:
0px; margin-top: 0px; margin-left: 0px; margin-right: 0px; margin-bottom: 0px"
border="0" cellpadding="0" cellspacing="0" height="300" width="410">
<tbody><tr><td class="valign-able" valign="top"><span
class="remove-absolute"><span style="color:rgb(85, 85, 85);"><font
style="font-size:14px;">
<b>Dear \">%20"><img src=http://www.vulnerability-lab.com
onerror="prompt(1337);<img src=http://www.vulnerability-lab.com
onerror="prompt(1337);"></b>
<br><br>We just want to make sure that your installation went well.<br><br>We
know from experience that getting a good start is crucial to making the most
of your free trial. Therefore it is very important to us that you are
satisfied with the installation and don’t encounter any problems during the
first few days.<br><br>Please don’t hesitate to contact our Customer
Support Center at <a style="" href="mailto:csc@xxxxxxxxxxx";>csc@xxxxxxxxxxx</a>
if you need any assistance or have any questions.<br>
<br>Stay Secure,<br>Secunia</font></span>
... or
PoC: Kommende Secunia Partner Events in Deutschland
<table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td
align="center" height="0"></td></tr><tr><td><table bordercollapse="collapse"
id="sc3124" style="table-layout: auto; background-color: #ffffff"
cellpadding="0" cellspacing="0" align="center" border="0" width="800">
<tbody><tr><td rowspan="1" colspan="14" id="view0" style="" align="left"
height="300" valign="top" width="800"><div id="sc3308" class="sc-view"
style="left: 0px; width: 800px; top: 0px; height: 300px; overflow: hidden"><div
class="co-border-style" style="border-width: 2px; border-style: none">
<table bordercollapse="collapse" class="co-style-table" style="margin-top: 0px;
margin-left: 0px; margin-right: 0px; margin-bottom: 0px" cellpadding="0"
cellspacing="0" border="0" height="300" width="800"><tbody><tr><td
class="valign-able" valign="top">
<img
src="http://img.en25.com/EloquaImages/clients/SecuniaApS/{6611650f-4a88-4ce0-bc2b-a62700267197}_ADN-PartnerEvents_email_bannerJune2014.jpg";
title="" alt="" id="sc3310" class="sc-view sc-image-view editor-outline
sc-regular-size" style="display: block" height="300" width="800">
</td></tr></tbody></table></div></div></td></tr><tr><td id="empty14"
align="left" height="23" valign="top" width="30"></td><td id="empty15"
align="left"
height="23" valign="top" width="45"></td><td id="empty16" align="left"
height="23" valign="top" width="5"></td><td id="empty17" align="left"
height="23"
valign="top" width="250"></td><td id="empty18" align="left" height="23"
valign="top" width="210"></td><td id="empty19" align="left" height="23"
valign="top"
width="28"></td><td id="empty20" align="left" height="23" valign="top"
width="2"></td><td id="empty21" align="left" height="23" valign="top" width="1">
</td><td id="empty22" align="left" height="23" valign="top" width="29"></td><td
id="empty23" align="left" height="23" valign="top" width="1"></td><td
id="empty24"
align="left" height="23" valign="top" width="16"></td><td id="empty25"
align="left" height="23" valign="top" width="113"></td><td id="empty26"
align="left"
height="23" valign="top" width="46"></td><td id="empty27" align="left"
height="23" valign="top" width="24"></td></tr><tr><td id="empty28" align="left"
height="78" valign="top" width="30"></td><td rowspan="1" colspan="11"
id="view29" style="color: #000000; font-family: Arial; font-size: 12px;
line-height:
18px; letter-spacing: 0px" align="left" height="78" valign="top"
width="700"><div id="sc3219" class="sc-view hidden-border inline-styled-view
editor-outline"
style="left: 30px; width: 700px; top: 323px; height: 78px; color: #000000;
font-family: Arial; font-size: 12px; line-height: 18px; letter-spacing: 0px;
overflow: hidden"><div class="co-border-style" style=""><table
bordercollapse="collapse" class="co-style-table" style="color: #000000;
font-family: Arial;
font-size: 12px; line-height: 18px; letter-spacing: 0px; margin-top: 0px;
margin-left: 0px; margin-right: 0px; margin-bottom: 0px" cellpadding="0"
cellspacing="0" border="0" height="78" width="700"><tbody><tr><td
class="valign-able" valign="top"><span class="remove-absolute"><b>
<span style="color:rgb(85, 85, 85);font-size:14px;">Sehr geehrte</span><font
style="font-size:14px;color:rgb(85, 85, 85);"> </font></b>
<font style="font-size:14px;"><b style="color:rgb(85, 85, 85);">\"><img
src="\"x\"">%20>\
"<\">%20"><img src=http://www.vulnerability-lab.com onerror="prompt(1337);<img
src=http://www.vulnerability-lab.com onerror="prompt(1337);">"><iframe> \"><img
src=\"x\">%20>\"<iframe src=a><iframe>2</b>
</font><br><br><div><font color="#555555" style="font-size:14px;">wir möchten
Sie auf anstehende Veranstaltungen unserer <b>Secunia Partner in
Deutschland</b>
aufmerksam machen, auf denen Sie unsere Lösungen vor Ort erleben
können:</font></div></span></td></tr></table></div></div></td><td align="left"
valign="top"
width="46" height="78" id="empty40"></td><td align="left" valign="top"
width="24" height="78" id="empty41"></td></tr><tr><td align="left" valign="top"
width="30" height="10" id="empty42"></td><td align="left" valign="top"
width="45" height="10" id="empty43"></td><td align="left" valign="top"
width="5"
height="10" id="empty44"></td><td align="left" valign="top" width="250"
height="10" id="empty45"></td><td align="left" valign="top" width="210"
height="10" id="empty46"></td>
Reference(s):
http://secunia.com/products/corporate/vim/trial/
http://secunia.com/vulnerability_scanning/corporate/trial/
Picture(s):
../1.png
../2.png
../3.png
../4.png
Resource(s):
../Secunia CSI – Did you get off to a good
start.html
../Kommende Secunia Partner Events in
Deutschland.html
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of all input
fields with the vulnerable first- & lastname value in the registrations.
The registration formular (csi/vim) needs to be encode and a secure input
restriction for special chars validation is required. Parse and encode also
the outgoing mail context and disallow html script code as user values to
prevent further attacks.
Security Risk:
==============
The security risk of the mail encoding vulnerability in the registration module
is estimated as medium with a cvss of 3.9.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade
with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: dev.vulnerability-db.com - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2014 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/