Monday, February 7, 2011

Tricky exploit - a penetration test puzzle - Solution



This entry provides the details of an interesting exploit I found recently. If you haven't done so, please read the introductory entry before reading on, as some of the information is not repeated.




Site Map

Before going on to describe the actual exploit, I'll analyze the various elements of the website stressing their relevant properties.

The mock-website's domain is g1.playground.quaji.com.
It contains 2 subdomains:
1. www. - the public site.
  • This section contains all the publicly available pages.
  • In the mock-site there is a search page in search.php.

2. client. - the client site.
  • This is the section requiring login. (login.php).
  • Access here is session based. The session cookie is set to the client sub-domain (client.g1.playground.quaji.com).
  • Upon successful log-in, a menu is shown (menu.php) with a link to the Printing system. 
  • As described in the previous entry, a click on this link causes a two-step process: the browser goes to printAutoLogin.php, which returns the user's previously entered credentials in a form that is auto-submitted to printSystem.php, which attempts to validate them.





Relevant Findings


First off, search.php contains an obvious XSS vulnerability. By injecting malicious values into the query parameter we can have the page do whatever we want.

But what can we do with it?
Requests to it do not carry the session cookie because it's on a different domain (www. vs client.), and an XMLHTTP request to printAutoLogin.php would also fail for the same reason: it violates the same-origin policy.


    So we have to look onward.


    1.  It seems that printAutoLogin.php works on authentication-failed sessions too!

    When entering invalid credentials in the login page (login.php), a fail message is rightfully displayed. But printAutoLogin.php still returns the invalid parameters on their way to printSystem.php. Apparently the server code saves them too early.

    But there's no harm in that, right? The printing system authentication would just find them equally invalid and deny access. So no harm there. Right?



    2. It seems that printAutoLogin.php does not escape the outputted credentials!

    This is basically another XSS. Malicious content can be entered at login.php, and printAutoLogin.php would echo it back. This is an odd type of XSS because it's not reflected, nor is it exactly stored: it's only available in the current session! Other users can't see it.

    We could, in theory, use CSRF to submit malicious parameters to the login page in the user's session. Then printAutoLogin.php would do whatever we want, but in doing so we overwrite the very details we were after: the user's credentials!


    So the hacker can basically only XSS himself. No big deal. Right? :)



    3. Did you know it's possible to have multiple cookies with the same name?!

    It's even legitimate, and supported by all modern browsers. A cookie is identified by its name, path, and domain. So if a second cookie is set with the same name but a different path or domain than the first, both will be sent along with subsequent requests.

    The order of appearance of cookies is explained in the RFC:
        If multiple cookies satisfy the criteria, they are ordered in
        the Cookie header such that those with more specific Path attributes
        precede those with less specific.

    When presented with multiple session cookies, the server takes the first one and discards the rest. I am not sure this is ubiquitous across all server software, but it's what happens with the audited server and with the mock-website server.

    The original session cookie has path /.
    In order to create a second cookie that would precede the first one, its path should be more specific. For example: /printAutoLogin.php (yes, the path can be an actual file).





    Putting it all together

    With all this we can construct the full attack.


    Figure 1. The double XSS, back-flip exploit showdown.

    0. The user has an authenticated session opened with the server. Session ID = 1111

    1. The attacker manually creates a session (ID=1337) on his own computer with malicious credentials that comprise an XSS payload (XSS Payload 2). He must then make sure the session does not expire, by sending keep-alive requests.


    2. The attacker attempts to initiate an XSS attack using search.php (Payload 1) on the user, for example in the form of a link in an email message.

    3. By clicking the link, the user's browser executes Payload 1, which performs:
       3.1 Set a second Session ID cookie (value 1337) with path /printAutoLogin.php. This cookie does not erase the previous one, but takes precedence over it (as explained above).
       3.2 Redirect the browser to printAutoLogin.php.

    4. When fetching printAutoLogin.php both cookies are sent, but because the second cookie comes first, the server returns that session's credentials, which are in fact XSS Payload 2, which performs:
       4.1 Remove the newly set session cookie. The original cookie is intact.
       4.2 Request printAutoLogin.php via XMLHttpRequest and save the response. The document appears to be fetching itself! However, because the second cookie has been deleted, the response is the user session's and contains his credentials. (Step 5)
       4.3 Send the credentials to the attacker. (Step 6)
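    As an added example (not the post's code), the cookie rule from finding 3 and its use in steps 3.1 and 4, modelled in Python: a browser-side ordering function, the audited server's first-cookie-wins lookup, and a hardened lookup that refuses a request carrying two session cookies. The helper names are my own; PHPSESSID and the session IDs 1111/1337 are taken from the post and its comments.

```python
# Added example, not code from the post: it models the RFC ordering rule from
# finding 3, the "first cookie wins" server behaviour that steps 3.1 and 4 rely
# on, and a hardened check. PHPSESSID and IDs 1111/1337 come from the post.
SESSION_COOKIE = "PHPSESSID"

def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: a prefix that ends on a '/' boundary,
    so a path naming an exact file (/printAutoLogin.php) matches that URL."""
    if not request_path.startswith(cookie_path):
        return False
    rest = request_path[len(cookie_path):]
    return rest == "" or cookie_path.endswith("/") or rest.startswith("/")

def browser_cookie_header(jar, request_path):
    """Cookie header a browser builds for request_path from a jar of
    (name, value, path) tuples: longer (more specific) paths are listed first."""
    matching = [c for c in jar if path_matches(c[2], request_path)]
    matching.sort(key=lambda c: len(c[2]), reverse=True)
    return "; ".join(f"{name}={value}" for name, value, _ in matching)

def parse_cookie_header(header):
    """(name, value) pairs in header order, keeping duplicates intact."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value.strip()))
    return pairs

def naive_session_id(header):
    """Behaviour of the audited server: the first PHPSESSID wins."""
    for name, value in parse_cookie_header(header):
        if name == SESSION_COOKIE:
            return value
    return None

def strict_session_id(header):
    """Hardened variant: two session cookies on one request is exactly the
    path-scoped duplicate of step 3.1, so treat the request as unauthenticated."""
    values = [v for n, v in parse_cookie_header(header) if n == SESSION_COOKIE]
    return values[0] if len(values) == 1 else None

# Constructed jar: the victim's real session plus the duplicate Payload 1 plants.
JAR = [(SESSION_COOKIE, "1111", "/"), (SESSION_COOKIE, "1337", "/printAutoLogin.php")]

def session_seen_by(path, jar=JAR):
    """(naive_id, strict_id) that the two server variants derive for path."""
    hdr = browser_cookie_header(jar, path)
    return naive_session_id(hdr), strict_session_id(hdr)
```

    For /printAutoLogin.php the first-wins server lands in session 1337 while the strict one sees no session at all; for /menu.php both see 1111, since the planted cookie never matches that path.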



    See it in action

    Log in to the system, and then ... "check this out."  :)







    I hope you enjoyed reading this as much as I enjoyed writing it!
    Your comments are most welcome.

      Ronen

    22 comments:

    1. Hey ,
      That's a great read and work too.
      Thanks :)

    2. Good mock-up. Kudos.

    3. Fantastic to read through, a good practical example too.

      As a web application coder it's invaluable information to get pieces of demonstration like this to ensure that we don't fall into the trap.

      It's also a good example for us relative newbies in the security world to make a start at penetration testing generally.

      Many thanks for the write up and mock site!

    4. WHAT WAS THE XSS PAYLOAD 2 THAT YOU USE ???

    5. Nice! Great work!

    6. Yes, how the attacker creates "XSS PAYLOAD 2" is not so clear, and it only works with PHPSESSID=1337.
      Please explain how XSS Payload 2 is added to printAutoLogin.php's password field.

    7. Failed log-in credentials are still accessible using printAutoLogin.php. The attacker uses this bug to create a malicious session:
      He attempts to log-in with a username and password that make up XSS PAYLOAD 2. The log-in obviously fails, but he makes use of the session ID.

    8. If you describe the steps, it would be more understandable to us ...

      Thanks in advance ...

    9. Great article!! Very informative and enjoyable read.

      Thanks for writing it!

    10. I'm hoping the same very best perform from you in the long run also. In fact your inventive writing skills have inspired me to begin my own blog engine blog now.

    11. And that's why I love NoScript :)
