Monthly Archives: May 2015

CSRF and XSS Vulnerabilities in Ektron CMS 9.10 SP1

I found a couple of vulnerabilities in Ektron CMS 9.10 SP1. Below is the published advisory for anyone that is interested.

# Vulnerability type: Cross-site Request Forgery
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: <= 9.10 SP1 (Build 9.1.0.184.1.114)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.120)
# CVE ID: CVE-2015-3624
# Credit: Jerold Hoong

# PROOF OF CONCEPT (CSRF)

Cross-site request forgery (CSRF) vulnerability in MenuActions.aspx in Ektron CMS 9.10 SP1 before build 9.1.0.184.1.120 allows remote attackers to hijack the authentication of content administrators for requests that could lead to the deletion of content and assets.

[Image: CSRF proof of concept]

# Vulnerability type: Cross-site Scripting
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: <= 9.10 SP1 (Build 9.1.0.184.1.102)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)
# CVE ID: CVE-2015-4427
# Credit: Jerold Hoong

# PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1 on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject arbitrary JavaScript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert%28%22XSS%22%29%2f%2f&action=ViewContentByCategory&folder_id=0&LangType=1033 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
... [SNIP] ...
Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0;
ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5;
... [SNIP] ...

# VULNERABLE PARAMETERS:
- page
- action
- folder_id
- LangType

# SAMPLE PAYLOAD
- ';alert("XSS")//
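A payload of the shape ';alert("XSS")// only works where the parameter value lands inside a single-quoted JavaScript string literal: the leading quote closes the literal, the rest runs as code, and // comments out whatever the page appends. The following Python is an added illustration, not Ektron's code; the inline-script template and the function names are constructed stand-ins. It contrasts raw concatenation with emitting the value as a JSON string literal, and uses a small string-aware scanner to show whether alert( ends up outside the intended literal:

```python
# Added example, not Ektron code: why a payload of the form ';alert("XSS")//
# works when a request parameter lands inside a single-quoted JavaScript
# string, and how emitting the value as a JSON string literal closes it.
import json

# Constructed stand-in for a server-side template that echoes the "page"
# parameter into an inline script; the real Ektron markup is not reproduced.
VULNERABLE_TEMPLATE = "<script>var page = '{value}';</script>"
HARDENED_TEMPLATE = "<script>var page = {literal};</script>"

PAYLOAD = "';alert(\"XSS\")//"  # the advisory's sample payload


def render_vulnerable(value):
    """Raw concatenation: the leading quote in the payload terminates the
    string literal and everything after it is parsed as JavaScript code."""
    return VULNERABLE_TEMPLATE.format(value=value)


def js_string_literal(value):
    """Encode value as a JavaScript string literal that cannot break out of
    its context. json.dumps escapes quotes, backslashes and control
    characters; "</" is additionally split so the literal can never contain a
    premature "</script>" that the HTML parser would act on."""
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(value):
    """Same template, but the value is emitted as a complete literal rather
    than pasted between quotes the attacker can close."""
    return HARDENED_TEMPLATE.format(literal=js_string_literal(value))


def alert_outside_string(script):
    """Report whether 'alert(' appears outside every string literal in the
    given source. This is a deliberately tiny lexer (quotes and backslash
    escapes only, no comments or regex literals), enough for the demo."""
    quote = None
    i = 0
    while i < len(script):
        ch = script[i]
        if quote:
            if ch == "\\":       # skip the escaped character
                i += 2
                continue
            if ch == quote:      # end of the string literal
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif script.startswith("alert(", i):
            return True
        i += 1
    return False


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                       ("hardened", render_hardened(PAYLOAD))):
        print(f"{name:10s} breaks out: {alert_outside_string(page)}  {page}")
```

The point the scanner makes is that the fix is contextual: HTML-encoding a value that is written into a script block does nothing for the quote that matters, whereas a JSON-encoded literal with "</" split keeps the value inside the string no matter what it contains.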

# TIMELINE
- 07/04/2015: Vulnerability found
- 07/04/2015: Vendor informed
- 08/04/2015: Vendor responded and acknowledged
- 01/05/2015: MITRE issued CVE number CVE-2015-3624 (CSRF)
- 28/05/2015: Vendor fixed the issue
- 31/05/2015: Public disclosure

[Image: sample XSS screenshot]

IBM Watson SaaS Infrastructure Vulnerability

I recently found a couple of vulnerabilities in the SaaS cloud computing infrastructure of IBM Watson. After reporting the issue on the IBM PSIRT website and working with them to fix it, IBM replied with the following:

“Thanks for confirming that the issue has been fixed. Because this is a SaaS offering, we will not be publishing and acknowledging via security bulletin. However please know that we appreciate your cooperation and the effort to inform us of the vulnerability.”

Anyway, I have included the advisory below for anyone who is interested. It is interesting to see that trivial vulnerabilities like these are still in the wild.

# Vulnerability type: Cross-site Scripting & Redirect
# Vendor: www.ibm.com
# Product: IBM Watson Cloud Computing SaaS (Cognea)
# Product Link: http://www.ibm.com/smarterplanet/us/en/ibmwatson/
# Credit: Jerold Hoong

The logout.jsp page of the IBM Watson SaaS application is vulnerable to reflected XSS and redirect attacks. The value of the Referer HTTP header is referenced directly by logout.jsp and echoed unmodified into the application's response.

# PROOF OF CONCEPT (XSS)

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: javascript:alert('XSS')//

# PROOF OF CONCEPT (Redirect)

The logout.jsp page is vulnerable to unauthorised redirects.

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: http://malicious-site.com/
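Both proofs of concept above come from the same root cause: the Referer value is trusted as a "return to" target and echoed as-is. The Python below is an added example, not IBM's code, of the defensive pattern for a logout page: accept the Referer only when it is an absolute http(s) URL on an allowlisted host, fall back to a fixed path otherwise, and escape whatever is finally echoed. The allowlist host and the fallback path are constructed for the demo; only the two payloads and the sample URL host come from the advisory.

```python
# Added example, not IBM's code: how a post-logout page can use the Referer
# header as a "return to" target without becoming a redirect or XSS sink.
# The host allowlist and fallback path are constructed for the demo.
import html
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"127.0.0.1"}       # constructed: the host the sample URLs use
DEFAULT_TARGET = "/test/login.jsp"  # constructed (hypothetical) fallback path


def safe_redirect_target(referer, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Accept the Referer value only if it is an absolute http(s) URL whose
    host is on the allowlist; anything else (javascript: or other schemes,
    foreign hosts, userinfo tricks such as http://good@evil/, empty or
    malformed values) is replaced by the fixed default. The value is never
    "cleaned up" and reused: it is either acceptable as-is or discarded."""
    if not referer:
        return default
    try:
        parts = urlsplit(referer.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = parts.hostname       # already stripped of userinfo and port
    if host is None or host.lower() not in allowed_hosts:
        return default
    return parts.geturl()


def render_logout_page(referer):
    """Echo the validated target into HTML with attribute/text escaping, so
    the response stays safe even if the allowlist is later widened."""
    target = html.escape(safe_redirect_target(referer), quote=True)
    return ('<p>You have been logged out. '
            f'<a href="{target}">Return to {target}</a></p>')


if __name__ == "__main__":
    for ref in ("http://127.0.0.1/test/index.jsp",
                "javascript:alert('XSS')//",           # advisory's XSS payload
                "http://malicious-site.com/",          # advisory's redirect payload
                "http://127.0.0.1@malicious-site.com/",
                None):
        print(repr(ref), "->", safe_redirect_target(ref))
```

Note that the check is on parts.hostname rather than a substring match on the raw header, which is what makes the userinfo variant fail closed; a prefix check such as startswith("http://127.0.0.1") would have let it through.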

# TIMELINE
- 16/04/2015: Vulnerability found
- 17/04/2015: Vendor informed
- 18/04/2015: Vendor responded and acknowledged
- 03/06/2015: Vendor fixed the issue
- 04/06/2015: Public disclosure

[Image: sample XSS screenshot]

File Extension Trick Using RTLO

Always wanted people to open your malicious msfpayload executable but failed because they knew it was an executable? Here is a neat (albeit trivial) file “extension” trick to fool unsuspecting users into opening executables. The Unicode RTLO (U+202E) character can be used to reverse the order in which the text following it is displayed by the Windows operating system. The legitimate use of this character is for languages such as Hebrew, which are written from right to left. Suppose you have a malicious executable file disguised as Sysinternals' “Procmon.exe”:

[Image: Procmon icon]

1. Open the Character Map (found under Start -> Accessories -> System Tools) and type sample text in the following format:

Format:
[file name][insert U+202E char here][fake extension in reverse, e.g. piz for .zip][.real extension]

[Image: Character Map]

2. Next, copy the contents by clicking on the “Copy” button. Now rename the file by pasting the copied text:

[Image: renamed test file]

3. That is all! You should have a “zip” file now. 🙂

[Image: file displayed as a zip]

A good trick would be to make it a “png” file and give the file an interesting name that is usually tied to *HOT* pictures. If it is an executable file, you can change the icon to a “png” thumbnail before compilation.
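The flip side of the trick is that the override character is still present in the file name, so it is trivial to detect on a mail or file gateway or in a triage script. The Python below is an added example, not part of the original post: it flags names containing Unicode bidi controls (U+202E and its relatives), reports the extension the operating system will actually act on, and approximates the name a user would see. The sample file names are constructed from the post's format; the rendering only handles the single-override pattern the post describes, not the full bidi algorithm.

```python
# Added example, not from the original post: a defender-side check that flags
# file names carrying Unicode bidi override characters (U+202E RLO and its
# relatives) and shows the extension the OS will actually use next to the
# name a user would see. The rendering is a deliberate approximation: it
# handles an override with or without a closing U+202C (PDF), which is the
# pattern the post describes, not the full bidi algorithm.

BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def bidi_controls_in(name):
    """Return [(index, short name), ...] for every bidi control in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name):
    """The extension the operating system acts on: text after the last dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def apparent_name(name):
    """Approximate what a bidi-aware renderer shows: text after an RLO is
    drawn right-to-left, i.e. reversed, up to a PDF or the end of the name."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1             # other controls: drop the invisible character
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Summarise a file name for a triage report or a gateway rule."""
    controls = bidi_controls_in(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "appears_as": apparent_name(name),
        "real_extension": real_extension(name),
        "codepoints": " ".join(f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS),
    }


if __name__ == "__main__":
    # Constructed samples: the post's format with "piz" + ".exe", a "png"
    # variant, and a benign name.
    for sample in ("test\u202Epiz.exe", "holiday\u202Egnp.exe", "report.zip"):
        info = inspect_filename(sample)
        print(f"{info['appears_as']!r:24} real .{info['real_extension'] or '-'}  "
              f"suspicious={info['suspicious']}")
```

A rule that simply rejects or quarantines any attachment name containing one of these code points costs almost nothing: legitimate right-to-left file names carry RTL characters, not override controls.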

NRIC Number Generation

At times, my job requires the use of “valid” NRIC numbers to conduct certain security tests. Last year there was a requirement for a sample of approximately 5000 NRIC numbers to conduct user-enumeration tests. I did a quick Google search and found a couple of online generators, but they were clunky and slow, and it would probably have taken ages to generate a sizable sample. There was even this website, http://bit.ly/1ccZXvE, that stated: “If you need bulk generation of > 1000 NRIC numbers in any format, please contact me for a quote.” I wondered whether this was even legal, so out of curiosity I requested a quotation from a dummy email account (see the email exchange below).

[Image: email exchange]

Anyway, I would definitely not pay for stuff like this, and decided to do some small research with a good buddy of mine (Joel) into the algorithm behind the generation. After a few minutes, we found the publicly available algorithm online and started programming a simple generator. 5000 unique NRIC numbers were then generated in less than 1 second, at zero cost. S$30 saved. 🙂

[Image: NRIC generator output]

Now that the goodies are in a text file, it would be easy to use them in Burp Intruder and enumerate away…
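The "publicly available algorithm" the post refers to is the NRIC/FIN check letter: the seven digits are weighted 2, 7, 6, 5, 4, 3, 2, summed (plus 4 for T and G prefixes), and the sum modulo 11 indexes a letter table that differs for S/T and F/G. The Python below is an added example and not the generator from the post; it implements that checksum on the validating side, which is where an application defending against the enumeration described here should use it: a number with a wrong check letter can be rejected before any lookup, and a high rate of such rejections from one client is itself a useful signal. S1234567D is the commonly cited documentation example; the other sample values are constructed.

```python
# Added example, not the post's generator: the publicly documented NRIC/FIN
# check-letter algorithm (weights 2,7,6,5,4,3,2, mod 11, with a +4 offset for
# T/G prefixes), written as a server-side validator. The same checksum is all
# a generator computes; here it is used on the receiving side, so malformed
# identifiers can be rejected (and counted) before any lookup happens.

WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",   # citizens / permanent residents
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",   # foreign identification numbers
}
OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}


def check_letter(prefix, digits):
    """Compute the check letter for a prefix and its seven digits."""
    prefix = prefix.upper()
    if prefix not in CHECK_LETTERS or len(digits) != 7 or not digits.isdigit():
        raise ValueError("expected prefix S/T/F/G followed by seven digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits)) + OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11]


def is_valid_nric(value):
    """True only for a well-formed 9-character identifier whose check letter
    matches; never raises, so it is safe to call on untrusted input."""
    value = value.strip().upper()
    if len(value) != 9:
        return False
    prefix, digits, letter = value[0], value[1:8], value[8]
    try:
        return check_letter(prefix, digits) == letter
    except ValueError:
        return False


def reject_invalid(submissions):
    """Partition a batch of submitted identifiers into (valid, invalid); the
    size of the invalid list is a cheap sign of guessing rather than typing."""
    valid = [s for s in submissions if is_valid_nric(s)]
    invalid = [s for s in submissions if not is_valid_nric(s)]
    return valid, invalid


if __name__ == "__main__":
    # Constructed samples; S1234567D is the widely used documentation example.
    for sample in ("S1234567D", "S1234567A", "F1234567N", "T0000001E", "X1234567A"):
        print(sample, "valid" if is_valid_nric(sample) else "invalid")
```

Because only one letter in eleven is correct for a given prefix and digit string, a client submitting many identifiers that fail this check is almost certainly iterating rather than entering real data, which is the kind of behaviour the enumeration test in the post is designed to find.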