Date: Sat, 6 Jul 2013 02:55:01 +0000
From: xnite@...te.org
To: full-disclosure@...ts.grok.org.uk
Subject: Maltego Radium "XSS"

Maltego Radium is a piece of software written in Java which allows you to
compile and centralize information gathered on an entity from the web.
These datasets can be brought together and graphed out throughout the
application. One feature of this application is that you put an alias
entity within the graph, and use the pastebin transform on it in order to
find all posts on pastebin related to that entity.

On a related note, in October 2012 I found a vulnerability in Internet
Explorer 9 and below which allowed a regular plain text file to be executed
as HTML. This flaw allowed for one to put malicious code into a Pastebin
post and give out the raw link. Anyone who opened the "raw" post in
Internet Explorer would be subjected to any and all HTML code within it.
POC provided: http://pastebin.com/raw.php?i=94zDf9PG

This is my write-up on the IE vulnerability:
http://xnite.org/2012/10/06/ie-vuln-ie-renders-plain-text-files-as-html

This bug in IE appears to have been fixed as of Internet Explorer 10;
however, the issue still exists within applications which use or have used
the IE libraries in their work (this is an assumption, as I could not RE the
code to find out why the bug exists, but only that it exists in certain
configurations).

If Maltego is set up to use IE as its default browser, even on a patched IE
browser, an XSS exists where if you were to look up my handle (for example),
xnite, and move your mouse cursor over my IE POC code, then a message box
would pop up on the screen displaying the text created by JavaScript within
my POC code from before.

The suggested fix would be to disable Maltego from opening any links that
have NOT been clicked; no browsing should be executed simply by
highlighting over something. Instead of linking these entities to the raw
pastebin post, they should be linked instead to the regular URL for the
post.

This has been tested against Maltego Radium v3.3.0, and may exist in
versions before and after 3.3.0. The vulnerability has been reported to the
Maltego Radium development team.

As a side note: I'm not sure if I should call this an "arbitrary code
execution" or "XSS". XSS makes the most sense but lacks sense in that
Maltego is not a website but rather an application, yet it executes
malicious code fed to it through a web entity. Please feel free to offer a
correction on what type of vulnerability this would be. :)

---
R. Whitney - Independent IT Consultant
Phone: (347)674-4835
Postal: PO Box 5984, Bloomington, IL 61702-5984
Other: My Blog (http://xnite.org) / LinkedIn
(http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
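Added example (not part of the post above, and not Maltego's or Pastebin's code): the root cause the post describes is a text/plain body being handed to an HTML rendering engine that guesses it is markup. The two defensive measures below are my own illustration of how each side can close that gap. On the application side, `preview_html` HTML-escapes any fetched body whose declared Content-Type is not an HTML type before it reaches an embedded browser control, so a paste is displayed as text no matter what the engine would sniff. On the server side, `hardened_response_headers` adds `X-Content-Type-Options: nosniff` and an explicit charset so conforming browsers stop sniffing the body. Function names, the header dictionaries and the sample paste body are constructed for this example.

```python
import html
from typing import Dict, Mapping

# Media types that genuinely are HTML and may be rendered as markup.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def content_type_base(headers: Mapping[str, str]) -> str:
    """Return the media type without parameters, lower-cased ("text/plain; charset=x" -> "text/plain")."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def preview_html(headers: Mapping[str, str], body: str) -> str:
    """Build the HTML an application may hand to an embedded browser control.

    Only a response that declares itself HTML is passed through unchanged.
    Everything else (text/plain, missing or unknown types) is escaped and
    wrapped in <pre>, so '<script>' in a paste becomes literal text rather
    than markup, regardless of any content sniffing by the rendering engine.
    """
    if content_type_base(headers) in HTML_TYPES:
        return body
    return "<pre>" + html.escape(body, quote=True) + "</pre>"


def hardened_response_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Server-side counterpart: tell the browser not to sniff the body.

    Adds X-Content-Type-Options: nosniff and pins a charset on text/plain
    responses that lack one, so the declared type is honoured as-is.
    """
    out = dict(headers)
    out["X-Content-Type-Options"] = "nosniff"
    if content_type_base(out) == "text/plain" and "charset=" not in out.get("Content-Type", "").lower():
        out["Content-Type"] = "text/plain; charset=utf-8"
    return out


# Constructed sample: a raw paste whose body happens to contain markup.
SAMPLE_PASTE_HEADERS = {"Content-Type": "text/plain"}
SAMPLE_PASTE_BODY = "<b>hello</b><script>alert('x')</script> plain text"


if __name__ == "__main__":
    print(preview_html(SAMPLE_PASTE_HEADERS, SAMPLE_PASTE_BODY))
    print(hardened_response_headers(SAMPLE_PASTE_HEADERS))
```

The application-side escape is the one that matters for the scenario in the post, because it does not depend on the remote site setting any header and it works even when the embedded engine is an older IE build that ignores nosniff; pairing it with "fetch only on click, never on hover" removes the automatic trigger as well.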

