List: full-disclosure
Subject: [Full-disclosure] Web App Sec: (AT&T Corporation) former American Telecommunication & Telegraph Vuln
From: "Nicholas Lemonias." <lem.nikolas () googlemail ! com>
Date: 2014-02-27 19:01:29
Message-ID: CA+CewVBJSq+rZH5=Ht=O1LpMFiMayn-93Fwa7ph5ucfQynbzcg () mail ! gmail ! com
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Published Report: 27/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Cross-Site Scripting
Author: Nicholas Lemonias. (Information Security Expert)
Affected Domain
================
Domain: http://www.att.com/ (AT&T Corporation), former American Telecommunication & Telegraph
Vendor Overview
=========================
AT&T Corp., originally the American Telephone and Telegraph Company, is the
subsidiary of AT&T that provides voice, video, data, and Internet
telecommunications and professional services to
businesses, consumers, and government agencies. During its long history,
AT&T was at times the world's largest telephone company, the world's
largest cable television operator, and a regulated
monopoly. At its peak in the 1950s and 1960s, it employed one million
people and its revenue was roughly $300 billion annually in 2006.
In 2005, AT&T was purchased by Baby Bell SBC Communications for more than
$16 billion ($19.1 billion in present-day terms). SBC then rebranded itself
as AT&T Inc.
Today, AT&T Corporation continues to exist as the long distance subsidiary
of AT&T Inc., and its name occasionally shows up in AT&T press releases.
In 1880 the management of American Bell had created what would become AT&T
Long Lines. The project was the first of its kind to create a nationwide
long-distance network with a
commercially viable cost-structure. The project was formally incorporated
in New York State as a separate company named American Telephone and
Telegraph Company on March 3, 1885.
Starting from New York, its long-distance telephone network reached
Chicago, Illinois, in 1892.
Brief Description
============================
This problem allowed the reproduction and execution of third-party
heterogeneous code that defied User -> Vendor trust levels, and
consequently affected the confidentiality, integrity and availability of
user and product information (CIA Triad), as outlined by security practices
and in accordance with formal international standards (ISO/IEC 27001),
(BS 77999) and (ISO/IEC 27002).
Proof-Of-Concept 1
==================
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD
Description:
Due to character encoding and insufficient data sanitisation, the variable
'tagtype' is vulnerable to reflected cross-site scripting.
The variable is thus changed to
att'sTYLe='att:Expre/**/SSion(prompt(313371))'bad='>
Proof-of-Concept: 2
====================
www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'att:Expre%2f**%2fSSion(confirm("xss"))'bad%3d'%3e&tier=TS_PROD
Description: A confirmation window would prompt the user for confidential
information. Defacement of the website could also occur through an image
'onload' event, e.g. IMG onload="JavaScript Code".
A malicious user could take advantage of this problem to impersonate
authenticated users, to exploit users, to execute open URL/JavaScript
from third-party heterogeneous sources, or to install untrusted components
exploiting inherent OS and browser vulnerabilities, without any prior
notification.
Responsible Disclosure Timeline
==========================
[+] 8th of August 2013 - Informed vendor concerning this security realisation.
[+] 8th of August 2013 - Vendor acknowledgement of the problem.
[+] 11th of August 2013 - Feedback request on remediation procedures.
[+] 9th of December 2013 - Problem remediation process.
[+] 27th of February, 2014 - Public Disclosure.
Recommendations for QoS & Security Compliance
=========================================
The recommendations made to AT&T Corp were therefore:
To consider encrypting the view state of the application, and to
implement stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and insufficient
meta-character filtering allowed data input over the HTTP protocol to inject
third-party untrusted code in JavaScript, ActiveX and Visual Basic Script.
Please note that malicious users could take advantage of such instances, as
we have seen in malware and virus propagation, with a severe impact on
systems of strategic and political importance.
Our consultation to AT&T Corp has therefore been for a full and urgent
security risk assessment, as benchmarked in (ISO/IEC 27001), (ISO/IEC 27002)
and (ISO/IEC 27005). Furthermore, we consulted for the effective enumeration
and revision of upper-level security policies.
The vulnerable link is often disseminated in the form of a hyperlink,
through an e-mail message, social networking websites, forums and other
online sources. A malicious user could take advantage of this vulnerability
for the mass exploitation of unsuspecting users, through malware and virus
propagation.
A malicious user could also make use of defects in the encoding methods, so
that propagation is further obfuscated.
Appendices
============================
A. We have consulted AT&T Corp to consider the filtering of meta-characters.
B. To review server-level encoding of < and > to &lt; and &gt; in application
output.
C. It is thus known that a Cross-Site Scripting attack could encompass
mass user and product exploitation and theft of confidential information such
as credit cards, passwords, security tokens and stored accounts.
Furthermore, the exploitation of Cross-Site Scripting vulnerabilities was
widespread in notable cases of malware propagation to systems of strategic
and political importance, Stuxnet and Duqu.
D. We consulted AT&T to consider filtering < and > and to make use of
appropriate encoding methods, where ( and ) are also filtered and encoded
to &#40; and &#41;.
Example cited:
# and & should be converted to &#35; (#) and &#38; (&).
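The following is an added illustration, not part of the advisory, of why the per-character filter in Appendices B and D is not enough on its own for the attribute-context break-out shown in Proof-of-Concept 1. It assumes a hypothetical page template that reflects 'tagtype' into a single-quoted href attribute, and compares the appendix's character list with full attribute-context encoding (every non-alphanumeric character as a numeric entity), checking with Python's HTML parser whether the reflected value ends up creating an extra attribute.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed input: the URL-decoded 'tagtype' value from the advisory's PoC 1.
REFLECTED_VALUE = unquote("att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e")

# Hypothetical page fragment (assumption): the parameter is reflected into a
# single-quoted href attribute and into the link text.
TEMPLATE = "<a href='/gen/press-room?tagtype={value}'>{value}</a>"

# Appendix-style filter: entity-encode only the characters the advisory lists.
APPENDIX_MAP = {"<": "&#60;", ">": "&#62;", "(": "&#40;", ")": "&#41;",
                "#": "&#35;", "&": "&#38;"}


def appendix_encode(value: str) -> str:
    return "".join(APPENDIX_MAP.get(ch, ch) for ch in value)


def attribute_encode(value: str) -> str:
    """Attribute-context encoding: every character outside [A-Za-z0-9] becomes
    a numeric entity, so a quote or space can never terminate the attribute."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):x};"
                   for ch in value)


def render(value: str, encode) -> str:
    return TEMPLATE.format(value=encode(value))


class _FirstTag(HTMLParser):
    """Collects the attribute names the parser sees on the first start tag."""
    def __init__(self) -> None:
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if self.names is None:
            self.names = [name for name, _ in attrs]


def parsed_attributes(markup: str) -> list:
    """Attribute names a browser-like parser assigns to the reflected <a> tag.
    Anything beyond 'href' means the injected value broke out of the attribute."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.names or []


if __name__ == "__main__":
    for label, enc in (("raw", lambda v: v), ("appendix", appendix_encode),
                       ("attribute", attribute_encode)):
        print(f"{label:9s} -> {parsed_attributes(render(REFLECTED_VALUE, enc))}")
```

The appendix list omits the single and double quote, so the page's own payload still turns `sTYLe=` into a live style attribute; encoding every non-alphanumeric character in attribute context leaves only the intended href.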
References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks. [ONLINE] Available at:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011.
OWASP. 2013. XSS Filter Evasion Cheat-Sheet. [ONLINE] Available at:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
We would like to thank the vendor for the immediate deployment of best
security practice.
** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practices.
* Copyright Advanced Information Security Corp , (2014) *