Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

I. INTRODUCTION

StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:

     http://pro2col.com/solutions/products/stingray_fts

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within the current
release.

The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

<form name="form_login" method="post" action="verify_login.jsp">
   <input type="hidden" name="form_browser_os" value="2">
   <input type="hidden" name="form_browser_type" value="2">
   <table border="0" cellspacing="0" width="100%"
class="loginheadertable">
     <tr>
       <td valign="center" class="loginheadertable">StingRay Login</td>

     </tr>
   </table>
   <img border="0" src="images/line.jpg" width="100%" height="10"></img>
   <table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
     <tr height="25" valign="middle">
       <td width="15%">Benutzername</td>
       <td width="35%"><input type="text" name="form_username"
size="30"></td>
       <td width="50%">&nbsp;</td>

     </tr>
     <tr height="15" valign="middle">
       <td>Passwort</td>
       <td>
         <input type="password" name="form_password" size="30">
       </td>
       <td>&nbsp;</td>
     </tr>

   </table>
   <img border="0" src="images/line.jpg" width="100%" height="10">
   <table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
     <tr>
       <td width="50%" align="right">
         <input type="Image" src="images/bt_login_de.gif" name="login"
class="formbutton"
               onClick="SetBrowserParam(this.form);">
       </td>
       <td>&nbsp;</td>
     </tr>

   </table>
</form>

--- cut ---

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.

The approach to verify an insecure installation is possible with a
simple form input. Use the following string as user name and a wrong
passwort for the proof-of-concept:

    <script>alert('scip');</script>

The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:

    <H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>

The detection of vulnerable hosts is possible via Google hacking too as
like Johnny Long has documented in his web database[1]. httprecon
supports web fingerprinting for such devices too[2]. A plugin for our
open-source exploiting framework Attack Tool Kit (ATK) will be published
in the future[3].

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launch a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told my via email, the discussed login part should be
available on the internal interface only.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.

VI. SOLUTION

We have informed Pro2col on an early stage. They confirmed the problem
and announced a bugfix for a release scheduled in March 2008 initially.
A re-scheduling was proposed and no further details provided. Our last
request stood unanswered for a long time.

VII. VENDOR RESPONSE

Pro2col has been informed a first time at 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce) were held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request stood unanswered for a long time.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

computec.ch document data base (german)
http://www.computec.ch/download.php

IX. DISCLOSURE TIMELINE

2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory

X. CREDITS

The vulnerabilities were discovered by Marc Ruef.

     Marc Ruef, scip AG, Zuerich, Switzerland
     maru-at-scip.ch
     http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.computec.ch/projekte/httprecon/
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814
[3] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.