Document Title:
===============
Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1272

Release Date:
=============
2014-06-18

Vulnerability Laboratory ID (VL-ID):
====================================
1272

Common Vulnerability Scoring System:
====================================
3.9

Product & Service Introduction:
===============================
The Secunia CSI 7.0 combines scanning and patching, thereby meeting the requirements of both IT security and IT operations. This combination of vulnerability intelligence, vulnerability scanning, patch creation and patch deployment is unique in the industry. The Secunia CSI is an authenticated internal vulnerability scanner, capable of assessing the security state of practically all legitimate programs running on Microsoft Windows platforms, and supports scanning of Windows, Apple Mac OSX, Android and Red Hat Enterprise Linux (RHEL) platforms.

( Copy of the Vendor Homepage: http://secunia.com/vulnerability_scanning/ )

Secunia's Vulnerability Intelligence Manager is vulnerability intelligence brought to you on time, every time, by Secunia's renowned research team. The Secunia VIM covers more than 50,000 systems and applications. The software vulnerability alerts are brought to you instantaneously, and threat levels are prioritized, so you and your team can address the most critical vulnerabilities first. Comprehensive reporting lets you assess the current state of your IT infrastructure, manage the risks, meet compliance policy rules, and get an increased return on your security investment. With Secunia's powerful Vulnerability Intelligence and Management solution you can implement remediation strategies effectively and keep your organization secure.
( Copy of the Vendor Homepage: http://secunia.com/vulnerability_intelligence/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a medium severity vulnerability in the official Secunia CSI/VIM web-application service.

Vulnerability Disclosure Timeline:
==================================
2014-06-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Secunia
Product: CSI & VIM - Web Application & Online Service 2014 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Secunia website web-application for CSI/VIM account registration. The vulnerability allows a remote attacker to inject own malicious script code into the application side of the vulnerable web-application service.

The vulnerability is located in the web input form of the registration for the CSI and VIM trial programs. A user is able to register with persistent script code as first and last name. The effect becomes visible in the outgoing email of the web server and may also affect other sections of the profile. The attacker injects a payload, and the web server then sends the malicious mail with the attacker-controlled content to a Secunia address or to an arbitrary user. The filter of the web server does not validate the mail context for input made through the website. The result is application-side script code execution in the mail after the introduction word `Dear`. The mail includes the registered user name (stored in the database) together with the payload and does not encode the input. The Secunia web server attempts to neutralize the input by inserting a `/`, but this does not prevent the injection: the attacker can supply multiple strings, and the persistent script code executes in the parts between the `/` separators.

The issue allows attackers to inject `frame`, `iframe`, `img` and various other HTML tags with own script code. The mails can be sent to arbitrary users for phishing attacks with a persistent attack vector, or directly to well-known Secunia customers via mail.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web server is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.9.

Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged Secunia VIM/CSI application user account. Successful exploitation of the persistent mail encoding web vulnerability results in persistent phishing attacks against customers or arbitrary email users, session hijacking, persistent redirects to malware and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /products/corporate/vim/trial/
[+] /vulnerability_scanning/corporate/trial/

Vulnerable Parameter(s):
[+] First- & Lastname

Affected Section(s):
[+] Secunia CSI - Mail Notification
[+] Secunia VIM - Mail Notification

Note: A demo user can also become a registered Secunia user with the same profile credentials, which increases the risk of receiving later compromised service email notifications or of the payload executing in the user frontend/backend next to the database-stored profile values.

Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerabilities can be exploited by remote attackers without a privileged application user account or with a low privileged application user account, and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

1. Open the two vulnerable service registration forms
   > http://secunia.com/products/corporate/vim/trial/
   > http://secunia.com/vulnerability_scanning/corporate/trial/
2. Inject own script code (payload) into the vulnerable first and last name input field values
3. Submit the forms to Secunia
4. Check your registration mailbox and review the first email arriving from Secunia during the registration trial procedure
5. The persistent script code execution occurs in the mail next to the introduction word `Dear` (x = First- & Lastname)
6. Successful reproduction of the persistent mail encoding web-server vulnerability!

Note: A demo user can become a registered Secunia user with the same credentials, which also poses a risk to later email notifications or service values. The attacker is able to send the mail to an arbitrary new email address or to other Secunia customers' email addresses via a mailing list.

Sender Account: @response.secunia.com
Tester Account: bkm@evolution-sec.com
Test Date: 08.05.2014 23:12 & 18.06.2014

PoC: Secunia CSI - Did you get off to a good start?

Dear \">%20">

We just want to make sure that your installation went well.

We know from experience that getting a good start is crucial to making the most of your free trial. Therefore it is very important to us that you are satisfied with the installation and don’t encounter any problems during the first few days.

Please don’t hesitate to contact our Customer Support Center at csc@secunia.com if you need any assistance or have any questions.

Stay Secure,
Secunia

PoC: Kommende Secunia Partner Events in Deutschland

Sehr geehrte \">%20>\ "<\">%20">">
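The following is an added illustration, not Secunia's code and not part of the original advisory, of how the name fields in the greeting line should be handled so that markup cannot reach the HTML mail. It models the `/`-joining behaviour the advisory describes (an assumption about the server, the real template is unknown) beside a hardened builder that output-encodes each field for the HTML context, plus a registration-time allowlist check and an outgoing-mail detection check.

```python
import html
import re

# Constructed greeting template standing in for the trial-registration mail
# that opens with "Dear <first> <last>" (hypothetical: the real template is unknown).
GREETING_TEMPLATE = "Dear {name},\n\nWe just want to make sure that your installation went well."

# Allowlist for a name field: letters (any script), spaces, hyphens,
# apostrophes and periods. Everything else, including < > " & %, is rejected.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ \-.'])*$")

# Anything a mail client would treat as the start of an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def build_greeting_weak(first: str, last: str) -> str:
    """Assumed model of the behaviour the advisory describes: the two fields are
    only joined with a '/', and no HTML encoding is applied, so tag characters
    reach the mail body unchanged."""
    return GREETING_TEMPLATE.format(name=f"{first}/{last}")


def build_greeting_hardened(first: str, last: str) -> str:
    """Output-encode each field for the HTML context it is rendered into.
    quote=True also encodes " and ' so the value cannot break out of an
    attribute if the template ever places the name inside one."""
    name = f"{html.escape(first, quote=True)} {html.escape(last, quote=True)}"
    return GREETING_TEMPLATE.format(name=name)


def is_plausible_name(value: str, max_len: int = 64) -> bool:
    """Input validation at registration time: reject values that cannot be a
    person's name instead of trying to strip tags out of them."""
    return 0 < len(value) <= max_len and NAME_RE.fullmatch(value) is not None


def contains_markup(body: str) -> bool:
    """Detection check for outgoing mail: True if the rendered body still
    contains something that parses as an HTML tag."""
    return TAG_RE.search(body) is not None


if __name__ == "__main__":
    # Constructed sample input carrying a harmless tag, used as a regression check.
    first, last = "<b>Ann</b>", "O'Neil"
    print(is_plausible_name(first), is_plausible_name(last))      # False True
    print(contains_markup(build_greeting_weak(first, last)))      # True
    print(contains_markup(build_greeting_hardened(first, last)))  # False
```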