UNICREDITBANK DOM-Based XSS / File Upload / CSRF TIME-LINE VULNERABILITY Multiples Advisories but Vendor not response Not Fixed Full Disclosure I. VULNERABILITY ------------------------- #Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection #Vendor:http://www.unicreditbank.ru/ #Author:Juan Carlos García (@secnight) #Follow me https://hackingmadrid.blogspot.com https://habemuscurso.blogspot.com @secnight II. DESCRIPTION ------------------------- niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia. UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit. The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business. UniCredit Bank at a glance It was founded under the name of International Moscow Bank in 1989 105 branches in Russia and 1 Representative office in Belarus Around 3798 employee More than 1 298 000 retail customers * More than 28 250 corporate clients Ratings: BBB (Fitch), ВВВ (Standard & Poor’s) Total assets: RUR 776.73 billion * Equity: RUR 121.27 billion * UniCredit Bank has General Licence for banking operations №1 of Bank of Russia * As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards. III. PROOF OF CONCEPT ------------------------- Cross site scripting ********************* Vulnerability description ___________________________ This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. This vulnerability affects /rus/about/community/unicolours/frame.wbp. (46) Attack details ************** URL encoded GET input galleryId was set to 2_901827'():;955734 The input is reflected inside <script> tag between single quote GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c galleryId(15) GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4 GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81 GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827 . . . imageFull(15) URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188 GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016 GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4 . . . imgId(15) URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492 GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492 GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851 GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917 DOM-based Cross-Site Scripting ****************************** Script code from document.location path part was executed via document.write() or document.writeln() function. The code was executed in: /eng/reg/personal/deposits/index_special.wbp Script code from document.location path part was executed via document.write() or document.writeln() function. The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp Script code from document.location path part was executed via document.write() or document.writeln() function. The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp File upload ************ Vulnerability description ___________________________ This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. This vulnerability affects /rus/career/moscow/form.wbp. Attack details ______________ Form name: <empty> Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true Form method: POST Form inputs: resume [File] vacancy [Hidden] location [Hidden] subject [Hidden] Form [Hidden] This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp. Attack details Form name: <empty> Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards Form method: POST Form inputs: Form [Hidden] fio [Text] officeCITY [Select] city [Radio] file [File] SUBJECT [Hidden] agree [Checkbox] Confirmation [Text] HTML form without CSRF protection ********************************* Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Affected items __________________ /eng/career/form1.wbp /eng/feedback.wbp /eng/index.wbp /rus/career/form1.wbp /rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73) /rus/feedback/form_tab_consult.wbp /rus/feedback/form_tab_quality.wbp /rus/index.wbp /rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp /rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp /rus/reg/moscow/banks/finmarket/analytics/form.wbp /rus/reg/moscow/banks/finmarket/analytics/form_question.wbp /rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd) /rus/reg/moscow/corporate/finmarket/analytics/form.wbp /rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp /rus/reg/moscow/personal/calc_uni.wbp /rus/reg/moscow/personal/car/express/calc_new.wbp /rus/reg/moscow/personal/car/gfauto/form.wbp /rus/reg/moscow/personal/car/usedauto/calc_used.wbp /rus/reg/moscow/personal/cardscredit/autocard/form.wbp /rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c) /rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303) /rus/reg/moscow/personal/consumer/refund/calc.wbp /rus/reg/moscow/personal/deposits/choise/form.wbp /rus/reg/moscow/personal/deposits/incomecalc.wbp /rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp /rus/reg/moscow/personal/mortgage/form_new.wbp /rus/reg/moscow/personal/mortgage/index.wbp /rus/reg/moscow/personal/mortgage/purpose/form.wbp /rus/reg/moscow/personal/mortgage/purpose/icalc.wbp /rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/moscow/private_banking/form.wbp /rus/reg/moscow/private_banking/mc_worldelite/form.wbp /rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd) /rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp /rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de) /rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1) /rus/reg/moscow/small/payroll/form.wbp /rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048) /rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp /rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp /rus/reg/moscow/unicredit_primeclub/form.wbp /rus/reg/moscow/unicredit_primeclub/recepient.wbp /rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp /rus/reg/saint_petersburg/small/rko/accounts/form.wbp /rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp /rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp /rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp /rus/rss.wbp /rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2) /rus/subscribe.wbp The impact of this vulnerability __________________________________ An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. How to fix this vulnerability _________________________________ Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. IV. BUSINESS IMPACT ------------------------- (...) V SOLUTION ------------------------ Write Secure Code VI. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García(@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.