Next Page >>
viewing
Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities
Published: 2010-02-08 Version: 1.1
SpiderLabs has documented view state tampering
vulnerabilities in three products from separate vendors.
View states are used by some web application frameworks to
store the state of HTML GUI controls. View states are
typically stored in hidden client-side input fields,
The key part of the advisory for me wasn't VIEWSTATE as much as it was the controls, but this statement you made seemed pretty outrageous (with regard to ASP.NET):
'These vulnerabilities show that unsigned client-side viewstates will ALWAYS result in a vulnerability in the affected products.'
I would disagree - it depends how the software developer implemented use of the VIEWSTATE's content. In ASP.NET, the interesting part here was that you appeared to be controlling an innerhtml property of a Form control through the VIEWSTATE. What your example didn't show, I'm assuming, is some code behind that pulled out the <IndexedString> and set the value in the form's innerHtml property/attribute. That's just dangerous coding, akin to trusting client-side input and no different than acting on client input that came from any method, form input, JSON, etc. Your repro was a bit confusing/misleading without that part. Otherwise, were you saying that some controls inherently populate their properties/attributes from VIEWSTATE content automagically?
There have been past discussions on VIEWSTATE's security:
Scott Mitchell documented tampering VIEWSTATE in a 2004 article:
http://msdn.microsoft.com/en-us/library/ms972976.aspx#viewstate_topic12
Hi all,
There is an ongoing conversation about a potential XSS with ViewState of
the .NET framework. However, some were not able to reproduce the issue
and therefore we decided to prepare a short and high resolution movie.
http://www.hacking-lab.com/download/
Regards
Ivan
Cc: Thomas Roethlisberger
Subject: RE: [WEB SECURITY] Trustwave's SpiderLabs Security Advisory TWSL2010-001
Hi all,
There is an ongoing conversation about a potential XSS with ViewState of
the .NET framework. However, some were not able to reproduce the issue
and therefore we decided to prepare a short and high resolution movie.
http://www.hacking-lab.com/download/
Summary
=======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0008
Synopsis: VMware View 3.1.3 addresses an important
cross-site scripting vulnerability
Issue date: 2010-05-05
Updated on: 2010-05-05 (initial release of advisory)
CVE numbers: CVE-2010-1143
- ------------------------------------------------------------------------
Any input from a user is susceptible to tampering. The advisory is specifically about vulnerabilities in how frameworks handle view states. While the frameworks provide functions to secure the view states, the specific vulnerabilities are not documented by the vendors.
Apache's documentation states that the encryption is only needed when t:SaveState tag is used. Sun provides no specific recommendations on encrypting the view state. Microsoft recommends securing the view state, but doesn't provide concise information about what will happen if you don't.
The purpose of our advisory was to show that unsecured view states will always be vulnerable to real-world attacks. This changes view state security from a best-practice to a demonstrable vulnerability for all applications developed on the three frameworks described.
Regarding your specific questions:
1) Yes, we did find specific vulnerabilities in all three products listed. The Microsoft vulnerability is demonstrated in the advisory. The Apache MyFaces vulnerability is described in the advisory, but a specific attack is beyond the scope of the advisory. Trustwave has released Deface (https://www.trustwave.com/spiderLabs-tools.php) to demonstrate an actual attack. The Sun Mojarra vulnerability is essentially the same as the one in Apache MyFaces, but is not supported by Deface. If you are familiar with Java, Deface can be modified for use with Mojarra.
USN-930-1 fixed vulnerabilities in Firefox and Xulrunner. This update
provides the corresponding updates for Ubuntu 9.04 and 9.10, along with
additional updates affecting Firefox 3.6.6.
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
this to crash the browser or possibly run arbitrary code as the user
invoking the program. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,
CVE-2010-1212)
An integer overflow was discovered in how Firefox processed plugin
Xulrunner 1.9.2.
Original advisory details:
If was discovered that Firefox could be made to access freed memory. If a
user were tricked into viewing a malicious site, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. This issue only affected
Ubuntu 8.04 LTS. (CVE-2010-1121)
Several flaws were discovered in the browser engine of Firefox. If a
I respectfully defend our statement as very realistic. The .Net exploit provided in the advisory is all that is required to work; no code-behind is required because the vulnerability related to "innerhtml" lies in the .Net code.
The specific flaw is actually in System.Web.UI.HTMLControls.HtmlContainerControl class, which is the super class of the HTMLForm control (among others). The bug is easy to spot in the LoadViewState method as revealed in .Net Reflector:
protected override void LoadViewState(object savedState)
{
if (savedState != null)
{
base.LoadViewState(savedState);
Lotus Notes is the integrated email, calendar, instant messenger, browser
and business collaboration application developed by IBM to work as a
desktop client in conjunction with IBM’s Lotus Domino server application.
The email functionality of Lotus Notes supports previewing and processing
file attachments in various formats. To preview and process files in the
Lotus Worksheet File format (WKS) used by Lotus 1-2-3 the email client
uses a library from a third-party software vendor (Autonomy’s Verity
KeyView SDK). Several buffer overflow vulnerabilities were found in the
third-party library used by Lotus Notes to process Lotus 1-2-3 file
Summary
=======
Unified Contact Center and Intelligent Contact Management products
contain a vulnerability that may result in unauthorized access to the
web-based reporting and script monitoring tool (Web View) and the
web-based configuration tool (Web Admin).
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20071017-IPCC.shtml.
Attackers with an administrator account, possibly gained by using the
exploits described above can exploit local file inclusion and command
execution vulnerabilities to execute arbitrary commands. Journalist and
Editor level accounts can edit any article. Administrator and editor
level accounts can also exploit a partial file disclosure vulnerability
to view all usernames.
Cute News suffers from other security failures such as:
* User registration, in register.php the password input field should be
shown as stars to prevent shoulder surfing. This is fixed in UTF-8b.
Summary
=======
Cisco Small Business Video Surveillance Cameras and Cisco RVS4000 4-port
Gigabit Security Routers contain a vulnerability that could allow an
authenticated user to view passwords for other users, regardless of the
authenticated user's level of authorization.
An unprivileged user could take advantage of this vulnerability to
gain full administrative access on the device or view another user's
credentials.
A HTTP GET request against the following URL will, on a web browser
with Javascript support, cause a dialog box saying '1' to be displayed:
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
against Cacti or if both the guest user has been activated (default:
disabled) and the graph view permission was set to 'guest' (default:
'No User').
Details follow:
USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)
This update fixes the problem.
code as the user invoking the program. (CVE-2010-2760, CVE-2010-2767,
CVE-2010-3167)
Blake Kaplan and Michal Zalewski discovered several weaknesses in the
XPCSafeJSObjectWrapper (SJOW) security wrapper. If a user were tricked into
viewing a malicious site, a remote attacker could use this to run arbitrary
JavaScript with chrome privileges. (CVE-2010-2762)
Matt Haggard discovered that Firefox did not honor same-origin policy when
processing the statusText property of an XMLHttpRequest object. If a user
were tricked into viewing a malicious site, a remote attacker could use
code as the user invoking the program. (CVE-2010-2760, CVE-2010-2767,
CVE-2010-3167)
Blake Kaplan and Michal Zalewski discovered several weaknesses in the
XPCSafeJSObjectWrapper (SJOW) security wrapper. If a user were tricked into
viewing a malicious site, a remote attacker could use this to run arbitrary
JavaScript with chrome privileges. (CVE-2010-2762)
Matt Haggard discovered that Firefox did not honor same-origin policy when
processing the statusText property of an XMLHttpRequest object. If a user
were tricked into viewing a malicious site, a remote attacker could use
the necessary changes.
Details follow:
Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1303, CVE-2009-1305, CVE-2009-1392, CVE-2009-1833,
CVE-2009-1838)
Affected: 2008.0
_______________________________________________________________________
Problem Description:
MySQL 5.0.x did not update the DEFINER value of a view when the view
is altered, which allows remote authenticated users to gain privileges
via a sequence of statements including a CREATE SQL SECURITY DEFINER
VIEW statement and an ALTER VIEW statement (CVE-2007-6303).
The federated engine in MySQL 5.0.x, when performing a certain SHOW
Two serious functionality issues after installing this service pack. See following thread for details...
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2173615&SiteID=1
in brief
i) Pages with customized data view web parts or data view web parts linked to lists on other sites are not accesible. Error message either "access denied" or "Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator."
ii) No user can use the Edit in Datasheet view feature on lists. (Possible ok for admins). When the 'Edit in Datasheet View' button is clicked the Datasheet control appears to load however the page is redirected back to the default view in every case.
Issues currently unconfirmed by Microsoft.
Details follow:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
Original advisory details:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
necessary changes.
Details follow:
Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious site, a remote attacker could use
this to crash the browser or possibly run arbitrary code as the user
invoking the program. (CVE-2010-1208, CVE-2010-1209, CVE-2010-1211,
CVE-2010-1212)
An integer overflow was discovered in how Firefox processed plugin
Details follow:
USN-957-1 fixed vulnerabilities in Firefox and Xulrunner. Daniel Holbert
discovered that the fix for CVE-2010-1214 introduced a regression which did
not properly initialize a plugin pointer. If a user were tricked into
viewing a malicious site, a remote attacker could use this to crash the
browser or run arbitrary code as the user invoking the program.
(CVE-2010-2755)
This update fixes the problem.
attacker could exploit this to run untrusted JavaScript from other domains.
(CVE-2010-2763)
Matt Haggard discovered that Thunderbird did not honor same-origin policy
when processing the statusText property of an XMLHttpRequest object. If a
user were tricked into viewing a malicious site, a remote attacker could
use this to gather information about servers on internal private networks.
(CVE-2010-2764)
Chris Rohlf discovered an integer overflow when Thunderbird processed the
HTML frameset element. If a user were tricked into viewing a malicious
attacker could exploit this to run untrusted JavaScript from other domains.
(CVE-2010-2763)
Matt Haggard discovered that Thunderbird did not honor same-origin policy
when processing the statusText property of an XMLHttpRequest object. If a
user were tricked into viewing a malicious site, a remote attacker could
use this to gather information about servers on internal private networks.
(CVE-2010-2764)
Chris Rohlf discovered an integer overflow when Thunderbird processed the
HTML frameset element. If a user were tricked into viewing a malicious
+ else if (op.length == 0)
return svn_error_createf
(SVN_ERR_SVNDIFF_INVALID_OPS, NULL,
- _("Invalid diff stream: insn %d has non-positive length"), n);
+ _("Invalid diff stream: insn %d has length zero"), n);
else if (op.length > tview_len - tpos)
return svn_error_createf
(SVN_ERR_SVNDIFF_INVALID_OPS, NULL,
@@ -499,7 +525,8 @@ count_and_verify_instructions(int *ninst,
switch (op.action_code)
{
vulnerability that could result in a reboot on systems that receive a
crafted packet.
Cisco Video Surveillance 2500 Series IP Cameras contain an
information disclosure vulnerability that could allow an
authenticated user to view any file on a vulnerable camera.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a specially crafted image file. An attacker could
host this file on a Web server, attach the file to an e-mail or
embedded the file in an Office document.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
Next Page>>
|
