Core Security Technologies Advisory 2009.0109

2009-05-21T00:00:00
ID PACKETSTORM:77704
Type packetstorm
Reporter Core Security Technologies
Modified 2009-05-21T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
Core Security Technologies - CoreLabs Advisory  
http://www.coresecurity.com/corelabs/  
  
Multiple XSS in Sun Communications Express  
  
  
1. *Advisory Information*  
  
Title: Multiple XSS in Sun Communications Express  
Advisory ID: CORE-2009-0109  
Advisory URL: http://www.coresecurity.com/content/sun-communications-express  
Date published: 2009-05-20  
Date of last update: 2009-05-20  
Vendors contacted: Sun Microsystems  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Cross site scripting (XSS)  
Remotely Exploitable: Yes  
Locally Exploitable: No  
Bugtraq ID: 34154, 34155  
CVE Name: CVE-2009-1729  
  
  
3. *Vulnerability Description*  
  
Several cross-site scripting vulnerabilities were found in the following
files/URLs of Sun Java System Communications Express [1]:
  
1. 'https://<server>/uwc/abs/search.xml?'  
2. 'http://<server>/uwc/base/UWCMain'  
  
Cross-site scripting (XSS) vulnerabilities [2], [3] allow an attacker
to execute arbitrary script code in the context of the user's browser
(in the vulnerable application's domain). For example, an attacker could
exploit an XSS vulnerability to steal user cookies (and then impersonate
the legitimate user) or fake a page requesting information from the user
(e.g. credentials). This vulnerability occurs when user-supplied data is
displayed without encoding.
  
  
4. *Vulnerable packages*  
  
4.1. *SPARC Platform*  
  
. Sun Java System Communications Express 6.3 (Communications Suite 5  
or 6) without patch 122793-26.  
. Sun Java System Communications Express 6 2005Q4 (6.2).  
  
  
4.2. *x86 Platform*  
  
. Sun Java System Communications Express 6.3 (Communications Suite 5  
or 6) without patch 122794-26.  
. Sun Java System Communications Express 6 2005Q4 (6.2).  
  
  
4.3. *Linux*  
  
. Sun Java System Communications Express 6.3 (Communications Suite 5  
or 6) without patch 122795-26.  
. Sun Java System Communications Express 6 2005Q4 (6.2).  
  
  
5. *Non-vulnerable packages*  
  
. Sun Java System Communications Express 6.3 with the patches  
described in sections 4.1, 4.2 and 4.3.  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
The Sun Alert for this issue has been assigned id 258068 and is
available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-258068-1.
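Beyond applying the vendor patch, defenders will want to know whether the two affected endpoints have already been probed. The following is an added example, not part of the Core advisory or of Sun's product: a small Node.js scanner that reads web-server access-log lines (constructed here for illustration, in common log format), keeps only requests to the two paths named in section 3, decodes each query parameter and flags values containing HTML tag markup or a quote-then-semicolon string break-out of the kind shown in section 8. The log lines, client addresses and indicator patterns are assumptions made for this example.

```javascript
// Added example, not code from the advisory or from Sun Communications Express.
// Scans access-log lines for exploitation attempts against the two affected
// UWC endpoints. Paths come from the advisory; everything else is constructed.

const AFFECTED_PATHS = new Set(['/uwc/abs/search.xml', '/uwc/base/UWCMain']);

// Indicators checked against each decoded parameter value, in priority order:
// an HTML tag such as <script, or a quote followed by a statement separator
// (the "';alert('...');a='" shape used against UWCMain).
const INDICATORS = [
  { name: 'html-tag-in-parameter', re: /<\s*\/?\s*[a-z]/i },
  { name: 'js-string-breakout', re: /['"]\s*;/ },
];

// Request line inside a common-log-format entry: method, path, optional query.
const REQUEST_RE = /"(?:GET|POST) ([^ ?"]+)(?:\?([^ "]*))? HTTP\/[\d.]+"/;

// Percent-decode a query component; malformed sequences are kept verbatim
// rather than aborting the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split a raw query string into decoded {name, value} pairs (duplicates kept,
// since the PoC repeats parameters such as bookid).
function parseQuery(query) {
  const params = [];
  for (const pair of (query || '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : safeDecode(pair.slice(eq + 1));
    params.push({ name, value });
  }
  return params;
}

// Returns one finding per suspicious parameter on an affected path:
// { line, path, param, indicator }, in log order.
function scanAccessLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const m = REQUEST_RE.exec(line);
    if (!m || !AFFECTED_PATHS.has(m[1])) return;
    for (const { name, value } of parseQuery(m[2])) {
      const hit = INDICATORS.find(({ re }) => re.test(value));
      if (hit) findings.push({ line: idx + 1, path: m[1], param: name, indicator: hit.name });
    }
  });
  return findings;
}

// Constructed sample log: a benign contact add, a GET-based probe of
// vulnerability #1, a probe of vulnerability #2, and an unrelated path.
const SAMPLE_LOG = [
  '192.0.2.10 - - [20/May/2009:09:12:01 +0000] "GET /uwc/abs/search.xml?uiaction=quickaddcontact&abperson_givenName=Ann&abperson_displayName=Ann+Example HTTP/1.1" 200 2411',
  '192.0.2.10 - - [20/May/2009:09:12:45 +0000] "GET /uwc/abs/search.xml?uiaction=quickaddcontact&abperson_givenName=aa&abperson_displayName=%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E HTTP/1.1" 200 2519',
  '198.51.100.7 - - [20/May/2009:09:13:02 +0000] "GET /uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27 HTTP/1.1" 200 9820',
  '198.51.100.7 - - [20/May/2009:09:13:30 +0000] "GET /uwc/base/help.html?q=%3Cscript%3E HTTP/1.1" 404 310',
];

// Prints the findings for the constructed sample when run directly.
console.log(scanAccessLog(SAMPLE_LOG));
```

Because vulnerability #1 is normally reached through a POST request, its parameters will not appear in a standard access log; this scanner only sees GET-style exploitation, so pair it with request-body logging or an equivalent rule in a reverse proxy for POST traffic.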
  
  
7. *Credits*  
  
These vulnerabilities were discovered by the SCS team from Core Security  
Technologies.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
Cross-Site Scripting (commonly referred to as XSS) attacks are the
result of improper encoding or filtering of input obtained from
untrusted sources. Basically, they consist of the attacker injecting
malicious tags and/or script code that is executed by the user's web
browser when accessing the vulnerable web site. The injected code then
takes advantage of the trust given by the user to the vulnerable site.
These attacks are usually targeted at all users of a web application
rather than at the application itself (although one could say that the
users are affected because of a vulnerability of the web application).
The term 'cross-site scripting' is also sometimes used in a
broader sense, referring to different types of attacks involving script
injection into the client. For additional information, please look at
the references [2], [3], [4], [5] and [6].
  
  
8.1. *Vulnerability #1 - XSS (BID 34154, CVE-2009-1729)*  
  
Cross-site scripting vulnerabilities were found in the following file/URL:
  
/-----------  
  
https://<server>/uwc/abs/search.xml?  
-----------/
  
This URL is part of the 'Personal Address Book->Add contact' functionality.
Although the affected URL is originally accessed through a POST request,
this vulnerability can be exploited with both a GET and a POST
request, using the following variable:
  
/-----------  
  
abperson_displayName  
-----------/
  
The contents of this variable are not encoded when used in HTML
output, therefore allowing an attacker who controls its content to
insert JavaScript code.
  
The following code is a proof of concept of this flaw:  
  
/-----------  
  
https://<server>/uwc/abs/search.xml?bookid=e11e46531a8a0&j_encoding=UTF-8&uiaction=quickaddcontact&entryid=&valueseparator=%3B&prefix=abperson_&stopalreadyselected=1&isselchanged=0&idstoadd=&selectedbookid=&type=abperson%2Cgroup&wcfg_groupview=&wcfg_searchmode=&stopsearch=1&expandgroup=&expandselectedgroup=&expandonmissing=&nextview=&bookid=e11e46531a8a0&actionbookid=e11e46531a8a0&searchid=7&filter=entry%2Fdisplayname%3D*&firstentry=0&sortby=%2Bentry%2Fdisplayname&curbookid=e11e46531a8a0&searchelem=0&searchby=contains&searchstring=Search+for&searchbookid=e11e46531a8a0&abperson_givenName=aa&abperson_sn=aa&abperson_piEmail1=a%40a.com&abperson_piEmail1Type=work&abperson_piPhone1=11&abperson_piPhone1Type=work&quickaddprefix=abperson_&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E%2C+%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E&abperson_entrytype=abperson&abperson_memberOfPIBook=e11e46531a8a0  
-----------/
  
  
8.2. *Vulnerability #2 - XSS (BID 34155, CVE-2009-1729)*  
  
Cross-site scripting vulnerabilities were found in the following file/URL:
  
/-----------  
  
http://<server>/uwc/base/UWCMain  
-----------/
  
The contents of the URL parameters are not encoded when used in HTML
output, therefore allowing an attacker who controls their content to
insert JavaScript code.

This vulnerability can be exploited through a GET request, and the user
does not need to be logged into the web application. This makes this
cross-site scripting vulnerability well suited to email-based attacks:
an attacker can send the victim a link to a 'calendar' via email and
'exploit' the victim.
  
The following code is a proof of concept of this flaw:  
  
/-----------  
  
http://<server>/uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27  
-----------/
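Both flaws share the root cause stated in section 3: user-supplied data reaches HTML output without encoding, and the two proofs of concept show the value landing in two different contexts (the display name in HTML body text for #1, the calendar id inside a JavaScript string literal for #2). The following Node.js example is added here and is not code from the advisory or from Sun Communications Express; the rendering functions are hypothetical stand-ins for the UWC pages. It renders the decoded proof-of-concept values through a vulnerable template and through a context-aware encoding template, then executes the inline script with alert() replaced by a recorder to show that the encoded version keeps the payload as inert data.

```javascript
// Added example, not code from the advisory or from Sun Communications
// Express. The render* functions are hypothetical stand-ins for the UWC pages.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encoding for an HTML text or attribute context (vulnerability #1:
// abperson_displayName is written into the page body).
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoding for a JavaScript string-literal context (vulnerability #2: the
// calendar id lands inside a quoted string in an inline script). JSON.stringify
// escapes quotes, backslashes and control characters; "</" is additionally
// split so the HTML parser cannot see a premature "</script>", while the
// literal stays valid JavaScript.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/<\//g, '<\\/');
}

// The pattern the advisory describes: untrusted input interpolated as-is.
function renderContactVulnerable(displayName) {
  return `<td class="displayName">${displayName}</td>`;
}
function renderCalendarVulnerable(calid) {
  return `<script>var calid='${calid}';</script>`;
}

// Hardened: each value encoded for the context it is placed in.
function renderContactHardened(displayName) {
  return `<td class="displayName">${htmlEscape(displayName)}</td>`;
}
function renderCalendarHardened(calid) {
  return `<script>var calid=${jsStringLiteral(calid)};</script>`;
}

// Number of <script> elements in the markup; the contact cell should have none.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Executes the page's inline script the way a browser would, with alert()
// replaced by a recorder, and reports which calid value the page ended up with.
function runInlineScript(html) {
  const body = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const alerts = [];
  const calid = new Function('alert', `${body} return calid;`)(
    (msg) => { alerts.push(String(msg)); },
  );
  return { calid, alerts };
}

// Constructed inputs: the decoded payloads from the advisory's proofs of concept.
const POC_DISPLAY_NAME =
  "<script>alert('xss2')</script>, <script>alert('xss1')</script>";
const POC_CALID = "test@test.com';alert('hello');a='";

// Side-by-side comparison for the two injection points.
function demo() {
  return {
    contactVulnerable: scriptTagCount(renderContactVulnerable(POC_DISPLAY_NAME)),
    contactHardened: scriptTagCount(renderContactHardened(POC_DISPLAY_NAME)),
    calendarVulnerable: runInlineScript(renderCalendarVulnerable(POC_CALID)),
    calendarHardened: runInlineScript(renderCalendarHardened(POC_CALID)),
  };
}

console.log(demo());
```

HTML entity encoding alone would not fix #2: inside a script block the browser's JavaScript parser, not its HTML parser, reads the value, so the quote has to be escaped for that grammar, which is why the example emits a JSON literal with "</" split rather than reusing htmlEscape there.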
  
  
9. *Report Timeline*  
  
. 2009-01-09:
Core Security Technologies notifies the Sun Security Coordination Team of
the vulnerability, setting the estimated publication date of the
advisory to Feb 2nd. Technical details are sent to the Communications
Express team.

. 2009-01-09:
The vendor acknowledges receipt of the report and asks Core to
postpone publication of the security advisory in order to have enough
time to investigate and fix the bugs. The vendor requests the GPG key of
Core's security advisories team.

. 2009-01-12:
Core agrees to postpone the advisory publication but asks the vendor for
feedback from its engineering team as soon as possible in order to
coordinate the release date of fixes and security advisories.

. 2009-01-21:
Core asks the vendor for an estimated date for the release of patches
and fixes.

. 2009-01-21:
The Sun Security Coordination Team notifies Core that the vendor's
engineering team is hoping to have patches released sometime near the
end of February or the beginning of March. The time frame is tentative
because of the vendor's QA testing process, which covers all patches
and may include fixes for bugs unrelated to those reported by Core.

. 2009-02-06:
Core reschedules the advisory publication date to Feb 25th. An updated
timeline is sent to the vendor requesting confirmation that patches will
be released by then.
  
. 2009-02-16:  
The vendor asks Core to delay the advisory publication until the end of  
March, in order to finish a rigorous process of internal testing.  
  
. 2009-02-16:
Core reschedules the advisory publication date to March 30th. Core
indicates that it would appreciate further technical details about the
flaws from the vendor's engineering team.
  
. 2009-02-17:  
Vendor acknowledges previous email.  
  
. 2009-03-17:  
Core reminds the vendor that the publication of the advisory is  
scheduled for March 30th. Core also requests updated information about  
the development and release of fixed versions.  
  
. 2009-03-23:  
Vendor confirms that it is on track to have the fix ready for  
publication at the end of this month, March 30th, and provides a list of  
affected products and versions.  
  
. 2009-03-24:
The vendor states that there was confusion on its end, and that patches
are scheduled to complete testing and be published on 22nd April
2009. The vendor requests that Core delay publication of its advisory.
  
. 2009-03-25:  
Core confirms that the advisory publication is rescheduled to April 22nd.  
  
. 2009-04-08:
The Sun engineering team informs Core that they have a fix for another
flaw reported by Core [7]. This fix is currently undergoing Sun's
standard testing, and the vendor expects to be ready to publish the
patch on Monday 20th April 2009.
  
. 2009-04-16:  
Sun engineering team confirms they are still planning to release the fix  
for [7] on 20th April 2009.  
  
. 2009-04-17:
Core asks the Sun engineering team about the vulnerability reported in
this advisory (Sun Communications Express) and requests an estimated
date for the release of patches and fixes.

. 2009-04-20:
The Sun engineering team informs Core that the fix for the issue
affecting Communications Express is planned for publication later in the
week. The vendor will get back to Core with a more definite date once
they have confirmed the details.
  
. 2009-04-22:
The Sun engineering team informs Core that the fix related to
Communications Express is currently undergoing internal testing and that
they expect to be ready to publish the fixes and the Sun Alert on 6th
May 2009.

. 2009-04-29:
Core reschedules the advisory publication date to 6th May 2009 and asks
Sun for the URL of the corresponding Sun Alert and a list of
non-vulnerable packages.

. 2009-05-05:
The Sun engineering team informs Core that they are experiencing
difficulties in the final release stages of the fix for this bug. The
vendor will not be ready to go public with this fix tomorrow.

. 2009-05-05:
Core responds that it is possible to postpone the publication of the
advisory, but asks the Sun engineering team for an estimated date for
the final release of the fix as soon as possible.

. 2009-05-08:
The Sun engineering team informs Core that they are still experiencing
delays in the final stages of the release process and asks to delay the
publication of the advisory.
  
. 2009-05-18:  
Sun engineering team confirms that they have resolved the outstanding  
issues related to this vulnerability and they expect to be ready to  
publish the fixes on Wednesday 20th May.  
  
. 2009-05-18:
Core reschedules the advisory publication date to 20th May.
  
. 2009-05-20: The advisory CORE-2009-0109 is published.  
  
  
10. *References*  
  
[1] Sun Java System Communications Express
http://www.sun.com/software/products/calendar_srvr/comms_express/index.xml
[2] HTML Code Injection and Cross-Site Scripting
http://www.technicalinfo.net/papers/CSS.html
[3] The Cross-Site Scripting FAQ (XSS)
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
[5] How to review ASP Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119
[6] How to review Visual InterDev Generated Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120
[7] HTTP Response Splitting vulnerability in Sun Delegated Administrator
http://www.coresecurity.com/content/sun-delegated-administrator
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://www.coresecurity.com/corelabs.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and software  
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core  
Security Technologies can be reached at 617-399-6980 or on the Web at  
http://www.coresecurity.com.  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2009 Core Security  
Technologies and (c) 2009 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper credit  
is given.  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iD8DBQFKFEWVyNibggitWa0RAqSuAKCRr0zxGIvhYRVD92VLI7W1pJezQwCfVvSO  
SNbJmS6GjYkZPyIfI3+JIpw=  
=wOZe  
-----END PGP SIGNATURE-----  