AT&T Cross Site Scripting

Posted on 27 February 2014

Advanced Information Security Corporation

Published Report: 27/02/2014
Credits: Advanced Information Security Corporation, USA
Severity: High/Critical (OWASP Top 10)
Type: Web Application / Cross-Site Scripting
Author: Nicholas Lemonias (Information Security Expert)

Affected Domain
================
Domain: www.att.com (AT&T Corporation, formerly the American Telephone & Telegraph Company)

Vendor Overview
=========================
AT&T Corp., originally the American Telephone and Telegraph Company, is the subsidiary of AT&T Inc. that provides voice, video, data and Internet telecommunications and professional services to businesses, consumers and government agencies. During its long history AT&T was at times the world's largest telephone company, the world's largest cable television operator and a regulated monopoly. At its peak in the 1950s and 1960s it employed one million people, with annual revenue of roughly $300 billion in 2006 dollars. In 2005 AT&T was purchased by the Baby Bell SBC Communications for more than $16 billion ($19.1 billion in present-day terms); SBC then rebranded itself as AT&T Inc. Today AT&T Corporation continues to exist as the long-distance subsidiary of AT&T Inc., and its name occasionally appears in AT&T press releases. In 1880 the management of American Bell created what would become AT&T Long Lines, the first project of its kind to build a nationwide long-distance network with a commercially viable cost structure. It was formally incorporated in New York State as a separate company, the American Telephone and Telegraph Company, on March 3, 1885. Starting from New York, its long-distance telephone network reached Chicago, Illinois, in 1892.
Brief Description
============================
The flaw allows attacker-supplied script to run in the context of www.att.com, which breaks the trust relationship between users and the vendor and so affects the confidentiality, integrity and availability (CIA) of user and product information, as defined by security practice and by the formal international standards ISO/IEC 27001, BS 7799 and ISO/IEC 27002. Visitors, users and products are directly impacted because the browser grants the reflected script the same trust as the vendor's own pages.

Proof-of-Concept 1
==================
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD

Description: The 'tagtype' parameter is reflected into the page (evidently inside a single-quoted HTML attribute) without output encoding, so it is vulnerable to reflected cross-site scripting. URL-decoded, the injected value is:

att'sTYLe='ccd:Expre/**/SSion(prompt(91233))'bad='>

The leading quote closes the attribute the value is reflected into, sTYLe= then opens a new style attribute whose value is a CSS expression() that executes prompt(), and bad=' absorbs the template's own closing quote before the final > ends the tag. The keyword is split with a /**/ comment and written in mixed case so that a filter looking for the literal string "expression" does not match, while the CSS parser, which discards comments and is case-insensitive, still evaluates it. An equivalent variant used during testing was att'sTYLe='att:Expre/**/SSion(prompt(313371))'bad='>. Note that CSS expression() is evaluated only by Internet Explorer (it was removed from IE 8 standards mode and later versions), so this particular payload affects IE users; any other event-handler or script payload that fits the same attribute break-out works in other browsers.

Proof-of-Concept 2
====================
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'att:Expre%2f**%2fSSion(confirm("xss"))'bad%3d'%3e&tier=TS_PROD

Description: This variant opens a confirmation dialog from the www.att.com origin; an attacker would replace it with a dialog or form that asks the user for confidential information. Defacement of the page is also possible, for example through an image onload event (<img onload="JavaScriptCode">). A malicious user could exploit the problem to impersonate authenticated users by stealing their session, to load and execute script or URLs from third-party sources, or to serve browser or operating-system exploits, all without any warning to the victim.
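As an added example (not code from the advisory, from AT&T or from the author), the following Python script reproduces the mechanics of proof-of-concept 1 against a hypothetical reflection point and shows the contextual output encoding that the appendix recommends in place of meta-character filtering. The payload is the advisory's own, URL-decoded; the hidden-field template, the function names and the blocklist filter are assumptions made for illustration. It also shows why a keyword blocklist is the wrong fix: the /**/ split hides the word "expression" from a filter that inspects raw input, but not from the CSS parser, whereas escaping the quote character makes the break-out impossible regardless of what follows it.

```python
import html
import re
from html.parser import HTMLParser

# The 'tagtype' value from the advisory's first proof of concept, URL-decoded
# (%3d -> '=', %2f -> '/', %3e -> '>').
POC1_TAGTYPE = "att'sTYLe='ccd:Expre/**/SSion(prompt(91233))'bad='>"

# Assumed reflection point (hypothetical). The advisory does not show AT&T's
# markup; the payload shape (a leading quote, a new attribute, then bad=' to
# re-close the template's own quote) implies a single-quoted attribute, so a
# hidden form field is used here to stand in for it.
TEMPLATE = "<input type='hidden' name='tagtype' value='{v}'>"


def render_vulnerable(tagtype):
    """Reflects the parameter verbatim, as the advisory describes."""
    return TEMPLATE.format(v=tagtype)


def render_fixed(tagtype):
    """Contextual output encoding: html.escape(quote=True) rewrites & < > " '
    as entity references, so the value can never close the attribute."""
    return TEMPLATE.format(v=html.escape(tagtype, quote=True))


def naive_blocklist(tagtype):
    """A keyword filter of the kind the /**/ split defeats. True = rejected."""
    return "expression(" in tagtype.lower()


def strip_css_comments(css):
    """The CSS parser discards comments, so 'Expre/**/SSion' becomes
    'ExpreSSion' before IE evaluates it; a filter that compares raw input
    never sees that form."""
    return re.sub(r"/\*.*?\*/", "", css, flags=re.S)


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute, value) triples, tokenising the way a
    browser would: a quote followed by a name starts a new attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend((tag, name, value) for name, value in attrs)


def attributes_of(markup):
    """Parse markup and return every attribute the tokeniser saw."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.found


def injected_style(markup):
    """Return the style attribute's value if the input managed to create one,
    otherwise None (attribute names are lower-cased by the parser)."""
    for _tag, name, value in attributes_of(markup):
        if name == "style":
            return value
    return None


if __name__ == "__main__":
    bad = render_vulnerable(POC1_TAGTYPE)
    good = render_fixed(POC1_TAGTYPE)
    print("vulnerable:", bad)
    print("  injected style attribute:", injected_style(bad))
    print("fixed:     ", good)
    print("  injected style attribute:", injected_style(good))
    print("blocklist rejects raw payload?", naive_blocklist(POC1_TAGTYPE))
    print("blocklist rejects it after comment stripping?",
          naive_blocklist(strip_css_comments(POC1_TAGTYPE)))
```

With the verbatim reflection the tokeniser reports four attributes on the input element (value, style, bad and the original ones), and the style value is exactly the CSS expression from the advisory; with html.escape the same payload comes back as the single value attribute, round-tripped intact but inert. The blocklist passes the raw payload and only rejects it once comments are stripped, which is why encoding for the output context, not keyword filtering, is the recommended fix.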
Responsible Disclosure Timeline
==========================
[+] 8th of August 2013 - Informed vendor concerning this security finding.
[+] 8th of August 2013 - Vendor acknowledgement of the problem.
[+] 11th of August 2013 - Feedback request on remediation procedures.
[+] 9th of December 2013 - Remediation by the vendor.
[+] 27th of February 2014 - Public disclosure.

Recommendations for QoS and Security Compliance
=========================================
The recommendations made to AT&T Corp. were: to consider encrypting the application's view state, and to implement stronger cross-site scripting protection. Evidently the XSS filtering was not applied to this parameter, and insufficient meta-character filtering allowed data supplied over HTTP to inject untrusted third-party code in JavaScript, ActiveX or VBScript (the latter two in Internet Explorer). Malicious users take advantage of such instances for malware and virus propagation, with severe impact on systems of strategic and political importance. Our consultation to AT&T Corp. was therefore for a full and urgent security risk assessment, as outlined in ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005, and for the enumeration and revision of upper-level security policies.

Cross-site scripting enables attackers to inject client-side script into web pages viewed by other users. The attack is usually delivered as a hyperlink, through an e-mail message, social networking sites, forums or other online sources. A malicious adversary could take advantage of this vulnerability for the mass exploitation of unsuspecting users, including malware and virus propagation. A malicious user could also use defects in the encoding methods to obfuscate the payload further and avoid detection, as the /**/ split in the proofs of concept does.

Appendices
============================
A. We have advised AT&T Corp. to filter meta-characters.
B. To review server-level encoding of < and > to &lt; and &gt; in application output.
C. It is known that a cross-site scripting attack can enable mass exploitation of users and products, and theft of confidential information such as credit cards, passwords, security tokens and secure accounts. Cross-site scripting vulnerabilities have also been exploited as a delivery vector in notable cases of malware propagation.
D. We have advised AT&T to filter < and > and to use appropriate encoding methods, where ( and ) are also filtered and encoded to &#40; and &#41;. Example cited: # and & should be converted to &#35; (#) and &#38; (&).

References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks. [ONLINE] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP. 2013. XSS Filter Evasion Cheat Sheet. [ONLINE] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] http://msdn.microsoft.com/en-us/library/ff649310.aspx

We would like to thank the vendor for the prompt deployment of best security practice.

** This vulnerability report is posted for the wider benefit of the security community, as is and without any warranties, including the warranty of merchantability and fitness for a particular purpose. The information is posted in the spirit of freedom of information, as per best security practice.

* Copyright Advanced Information Security Corp ©, 2014 *
