lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 12 Jul 2017 11:56:09 -0600
From: Security Researcher <rootresearcher@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-11173 Missing anchor in generated regex for rack-cors
 before 0.4.1 allows a malicious third-party site to perform CORS requests

Missing anchor in generated regex for rack-cors before 0.4.1
allows a malicious third-party site to perform CORS requests.
If the configuration were intended to allow only the trusted
example.com domain name and not the malicious example.net domain name,
then example.com.example.net (as well as example.com-example.net) would
be inadvertently allowed.

------------------------------------------

[Additional Information]
The rack-cors gem can be used to configure CORS access headers for
any web site. A security researcher, Jens Mueller, notified us of
exploitable CORS misconfiguration for the [REDACTED] web site. During
the course of investigation, we realized the rack-cors 0.4.0 gem was
generating regexes without proper trailing anchors for configured
origin domains. The issue is fixed in version 0.4.1 of the gem, but no
attention was drawn to the fix in
https://github.com/cyu/rack-cors/blob/master/CHANGELOG and there were
no assigned CVEs (as of early 2017) for the vulnerable versions of the
gem. According to rubygems.org, there are at least 7,614,856 downloads
for versions < 0.4.1 of the gem.

The researcher, Jens, reports there are a number of top Alexa sites
that have vulnerable CORS configurations. He tells us many of these
sites are using the rack-cors gem. He has been scanning the web at
large and has published a tool at https://github.com/RUB-NDS/CORStest
to check for vulnerable CORS configurations.

Affected sites are those that are running rack-cors < 0.4.1 and are
specifying
origin domains as string parameters:

use Rack::Cors do
  allow do
    origins 'example.com', ...
  ...
end

We have been in contact with Jens and suggested filing a CVE for
vulnerable versions of the gem. He said he does not have the time to
fill out the paperwork, so we are publishing this for him. All credits
to Jens for discovery of the vulnerability.

------------------------------------------

[VulnerabilityType Other]
Incorrect Access Control

------------------------------------------

[Affected Product Code Base]
rack-cors gem - Affected: 0.4.0 and below, Fixed: 0.4.1

------------------------------------------

[Affected Component]
https://github.com/cyu/rack-cors/blob/v0.4.0/lib/rack/cors.rb#L256

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[CVE Impact Other]
Incorrect handling of origin configuration results in CORS request
authorization for malicious third-party sites/domains

------------------------------------------

[Attack Vectors]
A malicious actor may perform actions on behalf of a logged-in user
for example.com by convincing the logged-in user to visit
example.com.example.net or example.com-example.net. This
may be disguised via phishing with URL shortener services. E.g. "A
politician does something crazy again! Read about it here:
http://t.co/xyz" -> expands to example.com.example.net,
performs CORS requests to example.com, and then redirects to the
original article.

------------------------------------------

[Discoverer]
Jens Mueller <jens.a.mueller@....de>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ