BugTraq
CVE-2015-3443 XSS in Thycotic Secret Server version 8.6.000000 to 8.8.000004 Jun 24 2015 02:34PM
Marco Delai (Marco Delai csnc ch)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID : CVE-2015-3443
# Product: Secret Server [1]
# Vendor: Thycotic
# Subject: Stored Cross-Site Scripting Vulnerability (XSS)
# Risk: High
# Effect: Remotely exploitable
# Author: Marco Delai (marco.delai (at) csnc (dot) ch [email concealed])
# Date: June 24th 2015
#
#############################################################

Introduction:
-------------
Thycotic Secret Server enterprise password management software allows
the creation, management and control of critical passwords in one
centralized, web-based repository [1].

The identified vulnerability (stored Cross-Site Scripting) allows the
execution of JavaScript code in the browser of a valid user when it
toggle the password mask on a specially crafted password. This allows,
for example, an attacker to prepare a specially crafted shared password,
which when read by another user, can steal all other passwords the
victim has access to.

Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2].

Technical Details
--------------------
Exploiting the vulnerability simply requires to:
1. Create a new password entry within Secret Server with the following
value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password
is retrieved from the server using an AJAX call and its value is
added straight to the page's DOM without validation. Thus, the
script included in step 1 is executed.

Note that the payload defined in step 1 did only get executed in the
basic dashboard view. The advanced dashboard did adequately encode the
password. Extract of the vulnerable page:

GET
/SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&
audi
tAction=unmask HTTP/1.1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 62
Content-Type: application/json; charset=utf-8
Expires: -1
[...]
Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge

"Compass Security<script>alert(\"Compass Security\")</script>"

Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2].

Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure

References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-0
04/
0? *?H?÷
 ?0?10
 `?He0? *?H?÷
 ?!0?½0?¥ OÔ/T»/K0
 *?H?÷
0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20
061025083246Z
361025083246Z0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20?"0
 *?H?÷
?0?
?Äñ?Óx1÷8ÉøÃ?C¼Ç÷¼7çNqºK¥s\n?®W®87C/=ÈÎhÁx®+ú,y?öè¹h¹UòD§9
ùü?ñ¢M'ùa{º·å¢¶ëa>ÐlÑæûú^í´? 5[¡?ËðI?þ?
>æÙ âO»Ü?7ü?é25"Ñ:N'?°?2Úa
GM`B®?Gè?ZPXé??¹]¡ÜÝ?J6g»Hä?¶7ëH:¯gèÊïj1?ÔÀ¶ù?q{gd¸¶?JB{e.0j õî?æòÍ?ìÙ¡Jìö²KåE?æmx?.??m6©Ä1d?? *ô5
xÉUÏA°Gé0??¾a¨?¹(z_8Ù©8°?sÁÃ;H*?!?¸Ì¨5Ã??³>¾¤?i:?xÙÉô?«V~[??9?¤
, 2?`³?À*¶ ~IòJùÕF/?£?§&¬»?<æ¼GÜsQñpd/ù´G0lDê)7??hf¼?8þ{9.ÓPðû^
`¶©¦ú'Añ?ròõ?tJÉgÄT®Hdß?Ñn°á??qéLØ¥÷GtÑQ??ó¢#@ sÛK¦çs?Á éÁY¬Fú
æ/øÏq?Fm¹Ä8yEHïÄ]×î?9"?²
XC÷q©H.ýêÖ£¬0©0Uÿ0Uÿ0ÿ0U ÍÁäA
¶:[;ËE½Â?ú?X0U#0? ÍÁäA¶:[;ËE½Â?ú?X0FU ?0=0; `?tY0.0,+ http://repository.swisssign.com/0
 *?H?÷
?sƁà'Ò-à?0â?AP,__ba©?ji tIÖ]?êARoX­PV jƽ(iX?Ü?5©:¼¥`?ØE?iÙ~»xrÁ*Ώ?pa¬ Í ¸9)V?2N?»=Ä*Ù×rîþQ¡"A±qc?°
b«^WßËÝu À]y?àPæÞ1þ?{p_¥Ø­ø¶oÓ`Ý@K"Å=­:z?G?y3º?Ü2i?nKðqþãgr ±¿
\?äú?"Ç?¹#??í%àÏe»õaïݲZA"Z¡?],è[Ém© xª`ÆVZ h¼iyÄ~?¿Åé$Q^ÔÕKSíÙ#Z6e£Á­A0óF?¯eµÕ±ä[xu?zmY©*{ÞÃ???IsxÈ=½Q5t
*Õñ~i*»;½%¸?Z=raf?î ÖMÔt jþ ü£UW?þJË®[Èò#1S8Ò-j??¹j÷^AtnÃ~¬)`??8ÊW
½0/Ç¥æA Ú®?? ¤elL ?º¸Ó¹À??0úå?kNgªÚbV>?fÒÄ6}§>ü?àÔ?彪óN£zjùbrã Oë?#ñ?»|ÜÜl?%²ò´cÒ*g??õÎêØ?jìä
»*Lë `9ÎÊbØ.n0?ñ0?Ù ð&?oãðÚß7{0
 *?H?÷
0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G20
140303154414Z
170303154414Z0D10U Email Validated Only1#0!UEmail: marco.delai (at) csnc (dot) ch0 [email concealed]?"0
 *?H?÷
?0?
?¤?Ïx?@wÛBø]Ö~ÖÊ??¥Ìý&ó@¤ñ(¬_ï1.
]oÇ8ò¸`[¢Õ®ªòî²m?ÏðB4?.ãGúí6ôf+¬Ácn$
çµ?â??¡?Za¬?ZñU??Yu]ßÛÂÙF?VµR å*±ôEo?ÅÝ
¯y
£[î¦ó¸×.·ïoJ?Y?Ð:¹?ö6r`'ëíçãA#=?¼ý?%Ó°µÑnºÒ~'õWÁÂé´wzè}ú?zf¡=ڍ|
±H¾î5~ ??¡-?.¥Â??0ÿ?L0_¤T;Rgy\²VùÞ?KÇ4Ù¢¾ Ñ?¥?Ö¯÷e6?IÆñ=£?Í0?É0Uÿ°0U% 0
+0UÌâÂ;¹Û=|'}lN{|?³?Ãr0U#0?ë5±Vm`Xôá"ÍF®Ð
e0ÿU÷0ô0G E C?Ahttp://crl.swisssign.net/EB35B1566D156058F4E122CD
1C461CAED00400650¨ ¥ ¢??ldap://directory.swisssign.net/CN=EB35B1566D
156058F4E122CD1C461CAED0040065%2CO=SwissSign%2CC=CH?certificateRevocatio
nList?base?objectClass=cRLDistributionPoint0dU ]0[0Y `?tY0L0J+>http://repository.swisssign.com/SwissSign-Silve
r-CP-CPS-R4.pdf0Ù+Ì0É0d+0?Xhttp://swisssign.net/cgi
-bin/authority/download/EB35B1566D156058F4E122CD1C461CAED00400650a+
0?Uhttp://silver-personal-g2.ocsp.swisssign.net/EB35B1566D156058F4E12
2CD1C461CAED00400650U0marco.delai (at) csnc (dot) ch0 [email concealed]
 *?H?÷
?Ç×È^f½lD«Br\ e ?'·¶Ûéîu/O
àGÏuâ"ªûsê``0c?é¿¿&ÞIë1SÔâ

?Ì2âÊë:?Õ?9:À?&#LKîmÛô}üá]7,[U?
C켐?í£µæÞò}×øærúòG qNd)??Ã??ñ;J?ÊeÃäÿ?|ß­?¯|ά"ÿOvWr xï?ýì xÿ»p<H9Úoþ-`è~GôÞ?LÏÆBìÎ&÷Ø<k'?òèQSJ¬½ aÞ%ue* ?ó|.Z7?Æ?Ââ?L:?[èRj??z"?0?g0?O  âV·S?kvX0
 *?H?÷
0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20
080709111109Z
230709111109Z0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G20?"0
 *?H?÷
?0?
?÷óS^Im?å'!`¥v??¸!@Ï63¬*r?aÃkÞzIX=?Ø;ðA¿kV³=¿cº1~ârFh?
×?O É{©Ð9Ñ?Ö5ghvÁ_? ÍÏ:Ñ?
ÚòCò¤¢¬?u è÷4§¿¶æ9hfRG9)M´è*­a´¢1à?ÛäCñ+ÞÁ4Ël?îb'DØ1ñß<!ÌÀ¬h
ÓthÉJ?; §±e¤®.zÞzDo°þtÿ?õXé¦%ñÌ?"'ØË1Á/( qr÷ûNnz¬!?
Zfø¿åù?Ä?º3
??]®¡£?F0?B0Uÿ0Uÿ0ÿ0Uë5±Vm
`Xôá"ÍF®Ðe0U#0? ÍÁäA¶:[;ËE½Â?ú?X0ÿU÷0ô0G E C?Ahttp
://crl.swisssign.net/17A0CDC1E441B63A5B3BCB459DBD1CC298FA86580¨ ¥ ¢?
?ldap://directory.swisssign.net/CN=17A0CDC1E441B63A5B3BCB459DBD1CC298FA8
658%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLD
istributionPoint0dU ]0[0Y `?tY0L0J+>http://repository.swisssign.com/SwissSign-Silve
r-CP-CPS-R3.pdf0t+h0f0d+0?Xhttp://swisssign.net/cgi-bi
n/authority/download/17A0CDC1E441B63A5B3BCB459DBD1CC298FA86580
 *?H?÷
?.*vÚ?óLßd'á[-?ï¹U.Û¸ e1@°K½|±ÙØqSÎè5,?ºt?ÔW?ÀW??P%{à?Ô]¸Dxé3Aþá¿F?y}r¼8PÀhZ²ÓÞ]gÏi?ø
õ¬ ?ÔÝZ.j9#ïôïsZ6Ãé Gd79y×P²¬º?ê?äEF¾Í/9?
?ðU²&$Q³kÑ|i=XՁ5<hGWÆ³Ï*jE/?©N=Á9ÊëûÞJ?­¸a? ¸?#´vC?®?8^Ò8õ?Ù Õ.øÉ??§ ³Ò(]#lNfñ?c ÜbÄGâr¢àm~=]?E?h?¥ðõíÛ??Îé¦?Úßn5Ú`ö°G?4å¼`´ÀÀ(ôn<¹ú
I?:e8´µa??!ï??Åu(5«^R`/:ï1?¦{÷H p<µ×bË´BÃô¸Dq?$ü×î?!èªc?ÃÏ[òÒ?p'TÌî¡Ñ "?^Ð?C9ªRNgÚ2¼Z??Ú6«Szôwêü×èÞê?ÆnPDàÏ0Ê??¡ §ü¹èÅ-ósõTþ(א##)OI3y
?J^a?f]Ñ?o?.![eDÍvIò¥ƶ~?¢6£)¡x«$]ð
t

y?aHUÞF¹¹Ûª?1?Â0?¾0h0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G2ð&?oãðÚß7{0
 `?He ?+0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
150624143427Z0O *?H?÷
 1B@;+©sÛ§?²?q&r¦Íñ/Qk?<¦ñ?¥??e ßÌúñS#=,Xy;å ¤:΍4`¦Û0w +?71j0h0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G2ð&?oãðÚß7{0y *?H?÷
  1j h0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G2ð&?oãðÚß7{0« *?H?÷
 10?0  `?He*0  `?He0
*?H?÷
0  `?He0*?H?÷
?0+0
*?H?÷
@0
*?H?÷
(0  `?He0  `?He0  `?He0+0
 *?H?÷
?o}¨¹Fü£`±B¢¯_ÏøÖImÔ»,o9º7¼|ðʝ¬­ïôîq/Ù?eÉ|?Ë6éUW[òÛyÌÐU?ÿ
7Ú/?#üI¢K¹S?&öVUWՁ?ÿë¼=¬?"¤Ôãx?g~?ß²EA{vIÝi·F`µÔq3áȵ$0ZC-÷é?
?ÇQ1£«Dù
NQ??é9?ù?7v ?£ÓEè?*3A[÷»0NV??¢·n?øCñ$²ë»¯|??'|-7÷dkïGhRºå0?ä<?¾^ûX(
v??y\¾?¨$?dL}bÁUÍÔëÛÎüó?ê

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus