UniCredit Bank Cross Site Request Forgery / Cross Site Scripting / Shell Upload

`==============================================================================================  
UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / form without CSRF protection =  
==============================================================================================  
  
TIME-LINE VULNERABILITY  
  
Multiples Advisories but Vendor not response   
  
Not Fixed  
  
Full Disclosure  
  
  
I. VULNERABILITY  
-------------------------  
#Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection   
  
#Vendor:http://www.unicreditbank.ru/  
  
#Author:Juan Carlos García (@secnight)  
  
#Follow me   
http://www.highsec.es  
HTTP://hackingmadrid.blogspot.com  
Twitter:@secnight  
  
II. DESCRIPTION  
-------------------------  
  
niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia.  
  
UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit.  
  
The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business.  
  
  
UniCredit Bank at a glance  
  
It was founded under the name of International Moscow Bank in 1989  
105 branches in Russia and 1 Representative office in Belarus  
Around 3798 employee  
More than 1 298 000 retail customers *  
More than 28 250 corporate clients  
Ratings: BBB (Fitch), ВВВ (Standard & Poor’s)  
Total assets: RUR 776.73 billion *  
Equity: RUR 121.27 billion *  
UniCredit Bank has General Licence for banking operations №1 of Bank of Russia  
  
* As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards.  
  
  
III. PROOF OF CONCEPT  
-------------------------  
  
Cross site scripting  
*********************  
  
Vulnerability description  
___________________________  
  
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.  
  
Cross site scripting (also referred to as XSS) is a vulnerability that allows an   
attacker to send malicious code (usually in the form of Javascript) to another user.  
Because a browser cannot know if the script should be trusted or not, it will execute  
the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.   
  
This vulnerability affects  
  
/rus/about/community/unicolours/frame.wbp. (46)  
  
  
Attack details  
**************  
  
URL encoded GET input galleryId was set to 2_901827'():;955734  
  
The input is reflected inside <script> tag between single quote  
  
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c   
  
  
  
galleryId(15)  
  
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4   
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81   
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827  
.  
.  
.  
  
  
  
imageFull(15)  
  
  
  
URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188  
  
GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c  
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016  
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4  
.  
.  
.  
  
  
  
imgId(15)  
  
URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492  
  
GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492  
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851  
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917   
  
  
DOM-based Cross-Site Scripting  
******************************  
Script code from document.location path part was executed via document.write() or document.writeln() function.  
The code was executed in: /eng/reg/personal/deposits/index_special.wbp  
  
Script code from document.location path part was executed via document.write() or document.writeln() function.  
The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp  
  
  
Script code from document.location path part was executed via document.write() or document.writeln() function.  
The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp  
  
  
File upload  
************  
  
Vulnerability description  
___________________________  
  
This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...).  
Uploaded files may pose a significant risk if not handled correctly.   
A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.  
  
This vulnerability affects /rus/career/moscow/form.wbp.   
  
  
Attack details  
______________  
  
Form name: <empty>  
Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true  
Form method: POST  
  
Form inputs:  
  
resume [File]  
vacancy [Hidden]  
location [Hidden]  
subject [Hidden]  
Form [Hidden]  
  
  
This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp.   
  
  
  
Attack details  
Form name: <empty>  
Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards  
Form method: POST  
  
Form inputs:  
  
Form [Hidden]  
fio [Text]  
officeCITY [Select]  
city [Radio]  
file [File]  
SUBJECT [Hidden]  
agree [Checkbox]  
Confirmation [Text]  
  
  
  
  
HTML form without CSRF protection  
*********************************  
  
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website   
  
trusts.  
  
Affected items  
__________________  
  
/eng/career/form1.wbp   
/eng/feedback.wbp   
/eng/index.wbp   
/rus/career/form1.wbp   
/rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73)   
/rus/feedback/form_tab_consult.wbp   
/rus/feedback/form_tab_quality.wbp   
/rus/index.wbp   
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp   
/rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp   
/rus/reg/moscow/banks/finmarket/analytics/form.wbp   
/rus/reg/moscow/banks/finmarket/analytics/form_question.wbp   
/rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)   
/rus/reg/moscow/corporate/finmarket/analytics/form.wbp   
/rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp   
/rus/reg/moscow/personal/calc_uni.wbp   
/rus/reg/moscow/personal/car/express/calc_new.wbp   
/rus/reg/moscow/personal/car/gfauto/form.wbp   
/rus/reg/moscow/personal/car/usedauto/calc_used.wbp   
/rus/reg/moscow/personal/cardscredit/autocard/form.wbp   
/rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp   
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp   
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c)   
/rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303)   
/rus/reg/moscow/personal/consumer/refund/calc.wbp   
/rus/reg/moscow/personal/deposits/choise/form.wbp   
/rus/reg/moscow/personal/deposits/incomecalc.wbp   
/rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp   
/rus/reg/moscow/personal/mortgage/form_new.wbp   
/rus/reg/moscow/personal/mortgage/index.wbp   
/rus/reg/moscow/personal/mortgage/purpose/form.wbp   
/rus/reg/moscow/personal/mortgage/purpose/icalc.wbp   
/rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/moscow/private_banking/form.wbp   
/rus/reg/moscow/private_banking/mc_worldelite/form.wbp   
/rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)   
/rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp   
/rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de)   
/rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1)   
/rus/reg/moscow/small/payroll/form.wbp   
/rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048)   
/rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp   
/rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp   
/rus/reg/moscow/unicredit_primeclub/form.wbp   
/rus/reg/moscow/unicredit_primeclub/recepient.wbp   
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp   
/rus/reg/saint_petersburg/small/rko/accounts/form.wbp   
/rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp   
/rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp   
/rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp   
/rus/rss.wbp   
/rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2)   
/rus/subscribe.wbp   
  
The impact of this vulnerability  
__________________________________  
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the   
  
administrator account, this can compromise the entire web application.  
  
How to fix this vulnerability  
_________________________________  
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.  
  
  
  
IV. BUSINESS IMPACT  
-------------------------  
  
(...)  
  
V SOLUTION  
------------------------  
Write Secure Code  
  
  
VI. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`