| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Feb 2014 19:01:29 +0000
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Web App Sec: (AT&T Corporation) former American
Telecommunication & Telegraph Vulnerabilities (Cross-Site Scripting / OWASP
Top 10)
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation
Published Report: 27/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP TOP 10)
Type: Web Application / Cross-Site Scripting .
Author: Nicholas Lemonias. (Information Security Expert)
Affected Domain
================
Domain: www.Att.com <http://www.att.com/> (AT&T Corporation) former
American Telecommunication & Telegraph
Vendor Overview
=========================
AT&T Corp., originally the American Telephone and Telegraph Company, is the
subsidiary of AT&T that provides voice, video, data, and Internet
telecommunications and professional services to
businesses, consumers, and government agencies. During its long history,
AT&T was at times the world's largest telephone company, the world's
largest cable television operator, and a regulated
monopoly. At its peak in the 1950s and 1960s, it employed one million
people and its revenue was roughly $300 billion annually in 2006.
In 2005, AT&T was purchased by Baby Bell SBC Communications for more than
$16 billion ($19.1 billion in present-day terms). SBC then rebranded itself
as AT&T Inc.
Today, AT&T Corporation continues to exist as the long distance subsidiary
of AT&T Inc., and its name occasionally shows up in AT&T press releases.
In 1880 the management of American Bell had created what would become AT&T
Long Lines. The project was the first of its kind to create a nationwide
long-distance network with a
commercially viable cost-structure. The project was formally incorporated
in New York State as a separate company named American Telephone and
Telegraph Company on March 3, 1885.
Starting from New York, its long-distance telephone network reached
Chicago, Illinois, in 1892.
Brief Description
============================
This problem allowed reproduction and execution of third-party
heterogeneous code which defied User -> Vendor trust levels, and
consequently affected user and product confidentiality, integrity and
availability of information (CIA Triad); as outlined by security practises
and in accord to formal
international standards (ISO/IEC 27001), (BS 77999) and (ISO/IEC 27002).
Proof-Of-Concept 1
==================
http://www.Att.com/gen/press-room?cdvn=news&newsfunction=
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%
3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD<
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD
>
Description:
The variable 'tagtype' due to character encoding and insufficient data
sanitisation is vulnerable to a reflected cross-site scripting.
The variable is thus changed to
att'sTYLe='att:Expre/**/SSion(prompt(313371))'bad='>
Proof-of-Concept: 2
====================
www.att.com/gen/press-room?cdvn=news&newsfunction=
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%
3d'att:Expre%2f**%2fSSion(confirm("xss"))'bad%3d'%3e&tier=TS_PROD
Description: A confirmation window would prompt the user for confidential
information. Defacement of the website could also occur through an 'Image
onload event'
e.g: IMG onload="JavaScript Code".
A malicious user could take advantage of this problem thus to impersonate
authenticated users, and to exploit user's or to execute open
Url/Java Script execution from third-party heterogeneous sources,
or to install untrusted components exploiting inherent O/S and browser
vulnerabilities, and without any prior notification.
Responsible Disclosure Timeline
==========================
[+] 8th of August 2013 - Informed vendor concerning this security
realisation.
[+] 8th of August 2013 - Vendor acknowledgement of the problem.
[+] 11th of August 2013 - Feedback request on remediation procedures.
[+] 9th of December 2013 - Problem remediation process.
[+] 27th of February, 2014 - Public Disclosure.
Recommendations for QoS & Security Compliance
=========================================
The recommendations made to AT&T Corp were therefore:
To consider encrypting the view state of the application. Furthermore to
implement a stronger Cross-Site Scripting protection.
Apparently XSS filtering is not properly applied, and meta-character
filtering allowed data input over the HTTP protocol to inject third-party
untrusted code, in JavaScript, Active-X and Visual Basic Script.
Please note that malicious users could take advantage of such instances, as
we have seen in malware and virus propagation instances - with a severe
impact
to systems of strategic and political importance.
Our consultation to AT&T Corp, has therefore been for a full and urgent
security risk assessment, as benchmarked in (ISO/IEC 27001), (ISO/IEC
27002),
and (ISO/IEC 27005). Furthermore we consulted for the effective
enumeration and revisitation of upper-level security policies.
Dissemination of information is often gathered in the form of a hyperlink,
either through an e-mail message, social networking websites, forums and
other online sources. A malicious user could take advantage of this
vulnerability, for: the
mass exploitation of unsuspected users, through malware and virus
propagation instances.
A malicious user could make use of defects in the encoding methods, so that
propagation is further obfuscated.
Appendices
============================
A. We have consulted AT&T Corp to consider the filtering of meta-characters.
B. To review server-level encoding of < and > to < and > in application
output.
C. Thus it is known, that a Cross- Site Scripting attack could embrace
mass user and product exploitation, theft of confidential information such
as: credit cards, passwords, security tokens and stored accounts.
Furthermore the use and exploitation of Cross-Site Scripting
vulnerabilities were widespread in notable cases of malware
propagation to systems of strategic and political importance
Stuxnet and Duqu.
D. We consulted to AT&T to consider filtering < and > and to make use
of appropriate encoding methods.
where ( and ) are also filtered and encoded to ( and ),
Example cited:
# and & should be converted to # (#) and & (&).
References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.
We would like to thank the vendor for the immediate deployment of best
security practise.
** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practises.
* Copyright Advanced Information Security Corp , (2014) *
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists