Next Page >>
Client Side
October 30th, 2007. The date remains flexible on the basis of receiving
concrete and specific details about availability of fixes by Wednesday,
October 24th. An up to date copy of the security advisory provided for
comments and suggested workarounds.
2007-10-23: Email from Lotus Notes Security indicating that a ticket had
been opened with Autonomy and that since this is a client-side issue the
fix would be provided in one of the future maintenance releases of the
Lotus Notes client. Ongoing work with Autonomy needs to continue before
being able to confirm when the fix will be rolled into the product.
2007-10-23: Email from Core’s advisory team with follow up questions to
Lotus Notes Security: 1. Is it official policy to include fixes to
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
*Vulnerability Information*
Class: Input Validation
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 28629 28632 28633
CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007
[+] Select Month
[+] New Access Record - ID
[+] Department ID & Description
1.2
A client-side cross site vulnerability is detected on iGuards - Biometric Access Control Application.
The bug allows an remote attacker to attack (high user inter action) a customer on client-side. Successful exploitation can result in
phishing passwords or manipulation of content when processing client-side requests.
Vulnerable Module(s): (Non-Persistent)
I included any exploit that took any end-user's interaction into the 86%
number. I included the list of exploits and what I considered a
client-side attack (versus truly remote) in the article:
http://weblog.infoworld.com/securityadviser/archives/WindowsExploitAnaly
sis.xls
It's not perfect, and may even contain a few mistakes. However, I don't
think any of the mistakes would change the overall numbers much. The
exploit chart (I listed two years of vulnerabilities, not three as I
vulnerabilities in the ActiveX objects themselves or use their
functionality to, for example, read arbitrary files from the victim's
file system or even execute arbitrary shell commands in the victim's
workstation.
- - Directly attack vulnerable versions of Internet Explorer in user
workstations. This is a typical client-side attack scenario and could
lead to the remote execution of arbitrary code in the victim's
workstation. In this scenario "one-click" IE bugs (exploitation requires
user assistance) become "zero-click" bugs (exploitation does not require
user interaction).
Darwin/10.0.0d3 ). Update to iOS4 to improve your security.
More information here:
CVE-2010-1752 in http://support.apple.com/kb/HT4225
o Security-Advisory: TEHTRI-SA-2010-028 - 0day on BlackBerry
TEHTRI-Security found a security issue, and created a client-side attack
0day for BlackBerry cellphone devices (Hotspot Browser). The code was
shared with RIM who handled this vulnerability quickly, so that a fix
might be added in a future release. It allows an attacker to crash the
remote web application. This was scored with a CVSS of 5.
Advisory: IceWarp WebMail Server: Client-Side Specification of "Forgot
Password" eMail Content
During a penetration test, RedTeam Pentesting discovered that the emails
sent by the IceWarp WebMail Server when using the "Forgot Password"
function are generated on the client side. Furthermore, the server
expands certain keywords in these emails to users' full names, usernames
and passwords. This allows for advanced social engineering attacks and
the potential disclosure of usernames and passwords.
vulnerabilities in the ActiveX objects themselves or use their
functionality to, for example, read arbitrary files from the victim's
file system or even execute arbitrary shell commands in the victim's
workstation.
- - Directly attack vulnerable versions of Internet Explorer in user
workstations. This is a typical client-side attack scenario and could
lead to the remote execution of arbitrary code in the victim's
workstation. In this scenario "one-click" IE bugs (exploitation requires
user assistance) become "zero-click" bugs (exploitation does not require
user interaction).
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
Advisory: Client Side Authorization ZyXEL ZyWALL USG Appliances Web
Interface
The ZyXEL ZyWALL USG appliances perform parts of the authorization for
their management web interface on the client side using JavaScript. By
setting the JavaScript variable "isAdmin" to "true", a user with limited
access gets full access to the web interface.
Details
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
Client-side products
---------------------
These will not be patched, trends reason is that
malware will be detected up on extraction. While this is true for end-user
setups this is not the case if you use such products to scan Fileservers,
Database servers or any server where an enduser does not actively extract
different third-party open source libraries to implement processing of
several image formats.
Android includes a web browser based on the Webkit framework that
contains multiple binary vulnerabilities when processing .GIF, .PNG and
.BMP image files, allowing malicious client-side attacks on the web
browser. A client-side attack could be launched from a malicious web
site, hosting specially crafted content, with the possibility of
executing arbitrary code on the victim's Android system.
These client-side binary vulnerabilities were discovered using the
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
although server-side storage is widely supported.
The affected vendors generally recommend that client-side
view states are cryptographically signed and/or encrypted,
but specific exploits have not been previously documented.
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
SEC Consult Vulnerability Lab Security Advisory < 20110810-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Check Point SSL VPN On-Demand applications (signed
Java applet and ActiveX control)
* SSL Network Extender (SNX)
* SecureWorkSpace
* Endpoint Security On-Demand
supplied by Check Point Connectra or other security
gateways
To: Trustwave Advisories; webappsec@lists.securityfocus.com; websecurity@webappsec.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] (resend) RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
form of an active scripting language, such as VBScript. Unfortunately, these
rules are delivered insecurely, over HTTP, both unencrypted and unsigned as
they are blissfully executed by the client.
Exploitation by injecting code into these rules can result in completely
arbitrary execution on the client side, and could thusly perform any action
such as installing or downloading additional malicious code and instructions
from an arbitrary source. This execution could potentially happen completely
transparently and go unnoticed by users.
Such exploitation could take place by a number of mechanisms. For example:
Affected versions. 2.1.1 ((v2.1 Patch06)(9.1_02 Patch12))
(build b31g-fcs) verified and possibly
others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation,
loss of confidentiality, client-side
code execution
Attack Vector. Remote without authentication
Solution Status. Vendor patch
CVE reference. CVE-2011-2260
Oracle Bug ID. 7030596
The reasons being:
1. It generates lot of noise on the network and is slow. So most probably an IDS or Web App Firewall will pick up the malicious behavior and block your ip. For example, a Base16 CSRF token of length 5 characters (starting with a character) will generate approximately 393,216 requests.
2. Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values. E.g. 30.
I am going to change this belief by showing you a technique to quicky find csrf tokens without generating alerts. This technique is a client side attack, so there is almost no network traffic generated and hence, your server and IDS/Web App Firewalls won’t notice it at all. This attack is based on the popular CSS History Hack found by Jeremiah Grossman 3 years ago.
In this exploit, we discover the csrf token by brute forcing the various set of urls in browser history. We will try to embed different csrf token values as part of url and check if the user has visited that url. If yes, there is a good chance that the user is either using the same CSRF token in the current active session or might have used that token in a previous session. Once we have a list of all such tokens, we can just try our csrf attack on the server using that small list. Currently this attack is feasible for tokens with length of 5 characters or shorter. I tried it on a base16 string of length 5 and was able to brute force the entire key space in less than 2 minutes.
Some of the prerequisites for this attack to work are either
##### Vulnerability #####
When adding a new course to the schedule, the application relies on
Client Side controls for input. This can easily be bypassed by using an
intercepting proxy or CSRF attack.
##### Affected Variables #####
SEC Consult Vulnerability Lab Security Advisory < 20111012-0 >
=======================================================================
title: Client-side remote file upload & command execution
product: Microsoft Forefront Unified Access Gateway Remote
Access Agent (signed Java applet)
vulnerable version: 4.0.0.1
fixed version:
CVE number: CVE-2011-1969
impact: critical
homepage:
Do not perform administrative access of security management consoles from computers exposed to the Internet through web browsing, email, and other applications. Lock down and heavily monitor systems used to perform administrative tasks such as accessing security management consoles.
Details
When a user loads the login page of the Network Security Manager, the server sets a cookie within the browser before authentication occurs. This cookie is accessible from client-side JavaScript because the “HttpOnly” flag is not set. An attacker with access to this cookie may gain privileged access to the Network Security Manager without the need to authenticate.
SecureWorks Risk Scoring
Likelihood: 2 – Best practice is to deploy the management console web application on a segmented management network.
Impact: 5 – Control over security appliances managed by the management console.
Symantec multiple products - Generic PDF bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
Speaking of PDF - If you are interested in client-side vulnerabilities
visit HACK.LU starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
deployment of fixes may suddenly become unpatched and exploitable
security bugs in the context of this vulnerability.
The vulnerability can be exploited locally within a virtualized system
to escalate privileges or remotely for code execution in combination
with any client-side bug for which existing patches have not been
applied or with any client-side bug for which a fix has not been
developed after dismissing the bug as not exploitable or of low
priority. The vulnerability does not seem usable to escape from a
virtualized OS (guest) to execute code in the context of the
non-virtualized OS (host). Use of the vulnerability to implement covert
XSS Type 1:
-----------
Web application fails to validate and/or htmlencode user input when
handling erroneous requests. This allows attacker to inject HTML and
client-side scripts to victim's browser by creating suitable links.
This vulnerability cannot be used for session hijacking, because
CMC-TC PU II requires each valid request to contain current session
ID as URL parameter. Requests without session ID are redirected to
the login page. Therefore only phishing-type attacks or attacks
Notice that if you already updated your iPhone with iOS4, our exploits
for this particular vulnerability would not work anymore.
( search for "CVE-2010-1752" here: http://support.apple.com/kb/ht4225 )
But, thanks to our proof of concepts (client-side attacks), it was not
only possible to abuse the iPhone devices, but also any current Mac OS X
( Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through
v10.6.4, Mac OS X Server v10.6 through v10.6.4 ).
Hopefully, this week, Apple released many interesting security patches
F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU
starting tomorrow [28-30 Oct] with :
Workshop:
* Bypassing the Perimeter: Client Side Exploitation - Nitesh Dhanjani,
Billy K Rios
Next Page>>
|
