lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <bfdf88ad49ed494b93b155f6967d353e@Wapiti.compass-security.com>
Date: Wed, 24 Jun 2015 14:34:30 +0000
From: Marco Delai <Marco.Delai@...c.ch>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FD] CVE-2015-3443 XSS in Thycotic Secret Server version 8.6.000000
 to 8.8.000004

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID : 	CVE-2015-3443
# Product: 	Secret Server [1]
# Vendor: 	Thycotic
# Subject: 	Stored Cross-Site Scripting Vulnerability (XSS)
# Risk:		High
# Effect: 	Remotely exploitable
# Author: 	Marco Delai (marco.delai@...c.ch)
# Date: 	June 24th 2015
#
#############################################################


Introduction:
-------------
Thycotic Secret Server enterprise password management software allows 
the creation, management and control of critical passwords in one 
centralized, web-based repository [1]. 

The identified vulnerability (stored Cross-Site Scripting) allows the 
execution of JavaScript code in the browser of a valid user when it 
toggle the password mask on a specially crafted password. This allows, 
for example, an attacker to prepare a specially crafted shared password, 
which when read by another user, can steal all other passwords the 
victim has access to. 


Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2]. 


Technical Details
--------------------
Exploiting the vulnerability simply requires to:
1. Create a new password entry within Secret Server with the following
   value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password 
   is retrieved from the server using an AJAX call and its value is 
   added straight to the page's DOM without validation. Thus, the 
   script included in step 1 is executed. 

Note that the payload defined in step 1 did only get executed in the 
basic dashboard view. The advanced dashboard did adequately encode the
password. Extract of the vulnerable page: 

	GET
/SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&audi
tAction=unmask HTTP/1.1

	HTTP/1.1 200 OK
	Cache-Control: no-cache, no-store, must-revalidate
	Pragma: no-cache
	Content-Length: 62
	Content-Type: application/json; charset=utf-8
	Expires: -1
	[...]
	Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
	X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
	X-Content-Type-Options: nosniff
	X-XSS-Protection: 1; mode=block
	X-UA-Compatible: IE=edge
	
	"Compass Security<script>alert(\"Compass Security\")</script>"
	

Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2]. 


Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure


References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5669 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ