Disclosing CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS) Vulnerability in Telerik UI for ASP.NET AJAX RadEditor Control

All versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned CVE-2014-4958 by MITRE, NVD, by OSVDB as ID 112083, and covered in the news. This WYSIWYG rich text editor is “…what Microsoft chose to use in MSDN, CodePlex, TechNet, MCMS and even as an alternative to the default editor in SharePoint.”

Telerik UI for ASP.NET AJAX RadEditor Control

 

Personally tested and confirmed are versions: 2014.1.403.35 (much newer) and 2009.3.1208.20 (much older) using Internet Explorer 8, version 8.0.7601.17514. However, all versions from Telerik at this time may be vulnerable and will continue to be until a patched is released. A workaround may be available.

What makes this discovery interesting are two parts:

  1. It leverages attribute-based cross-site scripting to exploit the input validation vulnerability. This achieves the malicious objective without using JavaScript script tags. Instead it uses an inline style attribute of an HTML element.
  2. The RadEditor exchanges the editor window’s mixed content containing elements, attributes, and text with the server in a double URL-encoded hexadecimal value format detailed below that is translated on the client-side dynamically by Telerik JavaScript into its unencoded form. For example, < first becomes %3C and then finally becomes %253C when the percent sign for the encoded character representation in the first processing round gets encoded again in a second round. This vulnerability is harder to detect than with a typical input vector due to this obfuscated communication protocol. Automated penetration testing tools and Web Application Firewalls (WAFs) may miss this, as might manual testers attempting to directly submit through a proxy an attribute-based exploit in its unencoded, or once-encoded form.

Let’s now look at the example payload as it needs to be submitted to the server from a proxy such as PortSwigger’s Burp Suite for this to work. Ensure that you place this payload somewhere within the parameter value used for the editor window’s contents:

%253cdiv STYLE=”background-image: expression(alert(‘XSS’))”%253e%253c%2fdiv%253e

… which is dynamically translated into the following form after client-side processing by Telerik UI JavaScript:

<div STYLE=”background-image: expression(alert(‘XSS’))”></div>

At the time of discovery the only available XSS protection on the server side was to use the RemoveScripts filter to strip out script tags, which is why attribute-based XSS is necessary here.

Carte blanche output encoding will not fix this issue, but instead may actually break the HTML that is rendered in the WYSIWYG editor window if the wrong encoding type is chosen. Troy Hunt explains the nuance of validating rich text input best by pointing out that markup is being stored in the data layer. Both data and HTML need to be handled by the same input vector here and so looking for script tags is irrelevant in this case because this problem is not that simple. Encoding everything would ensure that user input is displayed only as data and not executed as code by the web browser. However in this case some of the user-supplied content of the rich text editor needs to execute to achieve formatted text.

As an aside, double encoding is a type of attack used to bypass security controls. Double encoding may bypass Web Application Firewalls (WAFs).

Previous guidance on the general issue of XSS in the Telerik forums quietly placed the responsibility of sanitization on developers, but this is likely overlooked in most implementations. Further, the obscure nature of attribute-based XSS leveraging an HTML attribute to achieve execution instead of using the popular script tag route makes this harder to filter against. HTML sanitization involves inspection at a deeper level. Read more about HTML escaping.

Remediation: Telerik states: We have applied a patch to the editor that will be delivered with our Q3 edition of the controls that should be released towards the end of October. A blog post on the issue has been published here.

Additional credit goes to Tyler Hoyle and the rest of my team in CGI Federal’s Emerging Technologies Security Practice for their hard work. This is the original Bugtraq announcement.

Questions? Email me today: main at gsmcnamara dot com.

Share

How to Verify the Rails CookieStore Session Termination Weakness

I want to try it out myself you say.

Here is a video explanation using Kickstarter.com as an example:

 

And here are the steps you take to verify the weakness yourself–using Kickstarter.com, as well as on other websites you suspect are using Rails’ CookieStore (such as those on this list):

  1. Install a Chrome plugin such as Edit This Cookie to make viewing and editing cookies easier.
  2. Go to a site such as Kickstarter.com (no SSL!) or one you suspect is using Rails’ CookieStore.
  3. Find a cookie whose value starts with “BAh7″. That’s a good indicator of Ruby on Rails CookieStore-based websites before version 4.0 of Rails, or those that don’t encrypt their CookieStore values. The session cookie will have a value starting with “BAh7″ then a separator of “–” then a hash digest.
  4. Open Edit This Cookie using the little icon in the top right of your browser. Find the cookie whose value starts with “BAh7″ and take note of the cookie’s name. In the case of Kickstarter.com it’s “_ksr_session”. Copy the entire cookie data (“BAh7…”).
  5. Screen Shot 2013-11-24 at 12.01.20 PM

  6. Log out of the website.
  7. Open Edit This Cookie and overwrite the session cookie’s current value (“_ksr_session” in this case) with the data you copied previously.
  8. Go to the website. You should be in again!
Share

List of websites using Ruby on Rails’ CookieStore for session management

When bringing attention to the session termination security issue present with Ruby on Rails’ CookieStore and Django’s cookie-based session storage mechanism, one of the common questions I get is “Who is using it?”

Well, I did some digging and have the following list of 1,897 websites for your review. These are Rails sites only (before version 4.0, and not including Rails sites that encrypt their cookie values). This is not an exhaustive list, and there is future work to be done in detecting remotely the use of Rails’ CookieStore with encrypted values as well as the presence of Django’s cookie-based storage mechanism.

This Insufficient Session Expiration weakness (WASC-47) is pretty common I found, and it is especially bad when the site does not use SSL. Many of the websites and tools we use store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks.

If you don’t have access to the app’s source code, you may be able to figure out if the site you are visiting is using Rails’ CookieStore (before version 4.0 due to its encrypted cookie values) by checking for the string “BAh7″ at the beginning of the value of any of the cookies. A SHODAN search will reveal tens of thousands of these apps: www.shodanhq.com/search?q=BAh7*

Contact me if you are on the development team of any of the following websites and need help switching.

Continue reading

Share

Security Vulnerability with Django Cookie-Based Sessions

UPDATE: Django updated their documentation to include a warning about this risk: “Unlike other session backends which keep a server-side record of each session and invalidate it when a user logs out, cookie-based sessions are not invalidated when a user logs out. Thus if an attacker steals a user’s cookie, he can use that cookie to login as that user even if the user logs out.”

OSVDB catalogued the vulnerability and Threatpost covered it in an article.

 

Django has a session invalidation security vulnerability like the Ruby on Rails vulnerability I wrote about here.

Django is a free and open source Web application framework that is written in Python. Django version 1.4 introduced cookie-based session storage and Django version 1.7 is currently under development.

Background

Django provides options for how and where user session data is stored. One of those options is cookie-based storage, which stores all session data in the cookie and signs it.

Without access to the app’s code, detecting which session storage mechanism is in use is slightly harder than with the similar Rails vulnerability. With Django, the default name for a session cookie is “sessionid” regardless of whether the cookie stores only a session identifier or the complete session data hash. So, you’ll need to examine the value of the cookie to determine which session storage mechanism may be in use for a given application.

The Impact

When using Django cookie-based session storage in your Web app, if someone were to find, steal, or intercept a user’s cookie they could log into your website as that user even if that user had logged out.

The main difference from the Rails session security vulnerability is that Django does not use cookie-based sessions by default.

I found most developers are completely shocked to learn about this kind of behavior. I believe this is a risk that was written off without adequate documentation or warning.

Happy hacking! Email me with questions: Main@GSMcNamara.com

Share

First iPhone 5 broken in 4 days or less

As far as eBay auctions go in the U.S., the first iPhone 5 with a cracked screen surfaced not even four full days after the phone was released to the market.

A seller from New Jersey wins the title for being the first to break an iPhone 5 and appears to be an individual–not a powerseller that got their hands on a shipment of broken phones.

4 days … that is skillful. Even more so: taking into account the possibility that the owner may not have even gotten the phone the instant it came out and that they probably did not list it for sale the second it got smashed, they may have owned it for even less than ~4 days.

It must have been a wild weekend, but for a final difference of $60 the damage to the wallet was less than it could have been.

Share

Facebook is having a rough day

Facebook doesn’t go down … ever.

As reported, Facebook is experiencing technical issues today. This is very usual. Twitter blew up with tweets about the issues.

Loading comments for the wrong pictures, messages being dropped, everything being unbearably slow are all the more obvious symptoms. As my friend put it, “Pages load like they did in 1994.”

But, I also noticed something more subtle:

Facebook Shared Link Algorithm Fail

Notice that the “link” referenced by Facebook as supposedly being shared by both Lifehacker and Kogeto? Yea, the links published by the two users are different.

I got trapped in an elevator leaving the office today. Not a great day for technology all around.

 

Share

The New Face of P2P BitTorrent – “Pirate Bay ‘could soon be obsolete'”

Here is a good article that was sent to me about The Pirate Bay’s legal outcome and why it really will not make a difference in the future. New technology such as iPredator and Tribler would eliminate the need for centralized torrent tracking sites.

The Pirate Bay

“Peter Sunde, one of the founders and spokesperson for bitorrent tracker site, The Pirate Bay, is said to have found out that they had lost their court case in Sweden several hours before the official verdict was delivered thanks to information supposedly leaked by what is claimed to be a “trustworthy source”.

The Swedish Courts are unimpressed and brought in the police to investigate. Regardless of the final outcome after the dust has cleared from any remaining legal wrangles, The Pirate Bay verdict appears to be achieving the opposite to the outcome intended by the copyright advocates with support for the site and its political offshoot, the Pirate Party reportedly going from strength to strength.”


Discuss the latest controversies, or voice your opinion: Forum
Get notified about latest post: RSS Feed
Twitter
Email Me
Share

Nuclear Bunker Data Center In Sweden

Here is another short post about something interesting. Its a bit dated, but still sweet.

Over at Royal.Pingdom.com there is an article about “an underground data center that has greenhouses, waterfalls, German submarine engines, simulated daylight and can withstand a hit from a hydrogen bomb. It looks like the secret HQ of a James Bond villain.”

Not bad.

A little excessive, but cool nonetheless. Owned by one of Sweden’s largest ISPs, it is located in an old nuclear bunker that dates back to the Cold War era. Click the link to read the full story and see the awesome pictures.

Share

Free Software – Nmap for Conficker, PortableApps, FreeMind Mindmap, and Twitter News

Nmap 4.85BETA7 Released to Scan for Conficker Worm
Front page news over at http://insecure.org/. I downloaded the latest version of Nmap and ran a scan on the local machines. Seems that are good. The newest version of Nmap contains a script that when run will give you a probable prognosis on your computer’s status. They list the command to run the script as well.

Over at PortableApps.com I just finished downloading the full suite version of PortableApps for USB drives. Using this allows you to store your bookmarks, settings, and other info on USB flash storage drive and take them with you wherever you go. Includes popular applications such as Mozilla Firefox, Thunderbird, Sunbird, ClamWin (AntiVirus), Pidgin, Sumatra PDF Reader, KeePass Password Manager, OpenOffice, AbiWord Word Processor, a notepad, an audio player, and a few games. All of these are run directly off the USB storage drive and leave nothing behind.

Direct Download Link: http://portableapps.com/download

FreeMind is a mind mapping application that I recently started using pretty heavily. Its Java-based implementation appeals to both Windows and Linux users. Found this originally on LifeHacker.

FreeMind info link: http://freemind.sourceforge.net/wiki/index.php/Main_Page

Twitter:
There is some talk about Google possibly acquiring Twitter. I know that Twitter has received offers in the past, and I am wondering if they will consider this one. I like Google’s apps anyways. Full story here: http://www.tgdaily.com/html_tmp/content-view-41940-118.html

I have not been posting much because I am working on some new stuff behind the scenes. Be one of the first in the forums.

Share