BugTraq
[CVE-2013-2764] Secure Entry Server - URL Redirection Dec 18 2013 08:24AM
Alexandre Herzog (alexandre herzog csnc ch)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Secure Entry Server (SES)
# Vendor: United Security Providers Ltd.
# CSNC ID: CSNC-2013-008
# CVD ID: CVE-2013-2764
# Subject: URL Redirection
# Risk: High
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog (at) csnc (dot) ch [email concealed]>
# Date: 18.12.2013
#
#############################################################

Introduction:
-------------
The USP Secure Entry Server™ protects company networks and business
transactions with internet access as a Web application firewall (WAF)
and manages access to data and applications.

The USP Secure Entry Server™ (SES) offers this protection by scanning
data packages right down to the individual items of content, thus
reliably safeguarding Web applications and all transactions carried out
using them. The SES acts as an x-ray scanner for online transactions; it
identifies data packages infected by viruses and only approves undamaged
or cleaned data packages for use.[1]

Technical Description
---------------------
By default, the USP Secure Entry Server is shipped with the option
HSP_AbsoluteRedirects set to off. As a consequence, after a successful
cookie check the server replies with a relative instead of an absolute
Location. The server does not take into account that a relative URL
starting with a double slash (a network-path reference) is interpreted by
browsers as a host name, not as a path on the current server.

1. Initial request
GET //www.hacking-lab.com HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2. Server redirect to the cookie check procedure
HTTP/1.1 302 Found
Date: Wed, 03 Apr 2013 09:23:56 GMT
Server: server
Location: /cookie-check?trg=[long token]
Set-Cookie: SCDID_S=[session id]; path=/; Secure; HttpOnly
Content-Length: 290
Content-Type: text/html; charset=iso-8859-1
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="/cookie-check?trg=[long token]">here</a>.</p>
</body></html>

3. As instructed, the browser accesses the cookie check page, proving
that it supports cookies:
GET /cookie-check?trg=[long token] HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SCDID_S=[session id]
Connection: keep-alive

4. SES gets the expected request and redirects the client to the
initially requested page, but without stripping the leading double
slash and without forcing a fully qualified domain name in the
redirection:
HTTP/1.1 302 Found
Date: Wed, 03 Apr 2013 09:23:56 GMT
Server: server
Location: //www.hacking-lab.com
Content-Length: 205
Content-Type: text/html; charset=iso-8859-1
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="//www.hacking-lab.com">here</a>.</p>
</body></html>

5. The browser does not interpret a redirection to //www.hacking-lab.com
as http(s)://[victim]//www.hacking-lab.com, but as a redirection to
http(s)://www.hacking-lab.com: a reference beginning with two slashes is
a network-path reference that replaces the host and keeps only the
scheme of the current page. This behaviour conforms to RFC 3986 and is
implemented consistently by current browsers[2]. The client is therefore
redirected to another website by the SES.

Workaround / Fix:
-----------------
Upgrade to the latest available version of SES, or ensure that the option
HSP_AbsoluteRedirects is set to on (which is the default on the appliance
but not in the software version). With this option on, the server inserts
its own FQDN into the Location header of the redirect, so the
client-supplied path can no longer be interpreted as a host name.
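The resolution described in step 5 and the effect of HSP_AbsoluteRedirects, as an added example that is not part of the advisory and not USP's code. The host name victim.example, the page paths and the sample response are constructed; `relative_redirect` and `absolute_redirect` are hypothetical stand-ins for the two settings, not the SES implementation. The example goes slightly beyond the advisory by also covering two sibling forms that browsers resolve the same way: a leading backslash (`/\host`) and three or more leading slashes (`///host`).

```python
"""Protocol-relative open redirect (the CVE-2013-2764 pattern): how a
browser resolves a '//host' Location, and a redirect builder that cannot
be abused.  Added example; host name, paths and sample response are
constructed, and the two redirect functions are illustrative stand-ins.
"""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit


def browser_resolves(location: str, current_page: str) -> str:
    """Resolve a Location header the way a browser would.

    urljoin implements RFC 3986 section 5.2, under which '//host/...' is a
    network-path reference: it replaces the authority but keeps the scheme
    of the current page.  Two WHATWG URL parser behaviours for http(s) are
    emulated on top: backslashes count as slashes, and any run of leading
    slashes still starts an authority.
    """
    loc = location.replace("\\", "/")
    loc = re.sub(r"^/{2,}", "//", loc)
    return urljoin(current_page, loc)


def is_open_redirect(location: str, current_page: str) -> bool:
    """True if following `location` from `current_page` leaves the site."""
    target = urlsplit(browser_resolves(location, current_page))
    base = urlsplit(current_page)
    return (target.scheme, target.netloc.lower()) != (base.scheme, base.netloc.lower())


def location_header(raw_response: str) -> str:
    """Pull the Location value out of a raw HTTP response (headers only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    raise ValueError("no Location header")


def relative_redirect(requested: str) -> str:
    """HSP_AbsoluteRedirects=off as described in the advisory: the request
    target seen in step 1 is echoed back unchanged as a relative Location,
    so '//www.hacking-lab.com' reaches the browser verbatim."""
    return requested


def absolute_redirect(requested: str, scheme: str, host: str) -> str:
    """The fix: build the Location from the server's own scheme and host
    and reduce the client-supplied request target to a path.  Backslashes
    and runs of leading slashes are collapsed first so that no client
    input can become an authority component."""
    path = requested.replace("\\", "/")
    path = "/" + path.lstrip("/")
    parts = urlsplit(path)  # keeps ?query, drops any #fragment
    return urlunsplit((scheme, host, parts.path, parts.query, ""))


# Constructed sample: the step-4 response from the advisory, trimmed.
STEP4_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: server\r\n"
    "Location: //www.hacking-lab.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    page = "https://victim.example/cookie-check?trg=token"
    loc = location_header(STEP4_RESPONSE)
    print(loc, "->", browser_resolves(loc, page), is_open_redirect(loc, page))
    for evil in ("//www.hacking-lab.com", "/\\www.hacking-lab.com",
                 "///www.hacking-lab.com"):
        print(evil, "->", absolute_redirect(evil, "https", "victim.example"))
```

To check a deployment, request a path that begins with two slashes, follow the cookie-check redirect, and feed the second response to `location_header` and `is_open_redirect`; a result of True means the client-supplied prefix is being handed back as a host name.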

Timeline:
---------
2013-12-18: Coordinated public disclosure date (after 3 months grace period)
2013-09-18: Release of fixed SES Appliance Version 4.7.0 and HSP Software Version 4.5.0
2013-04-26: Initial vendor response
2013-04-23: Initial formal vendor notification based on advisory and CVE-ID
2013-04-07: Assigned CVE-2013-2764
2013-04-03: Discovery of the same issue but with a different customer
2012-09-10: Discussed with a representative of the vendor, who did not consider it a major issue but a customer-specific one
2012-09-06: Discovery by Alexandre Herzog

References:
-----------
[1] http://www.united-security-providers.com/en/it-security-solutions/protection-for-web-applications/
[2] http://stackoverflow.com/questions/6785442/browser-support-for-urls-beginning-with-double-slash