Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Low Risk Advisory Featured

Share

ADVISORY SUMMARY

One low-risk vulnerability was discovered within the SecureAuth IdP v9.3 application. This vulnerability could allow malicious high-privilege users to modify usernames to contain an Angular template payload that could potentially be used to steal credentials during the authentication process.

Impact

The SecureAuth application was affected by a client-side template injection vulnerability that can lead to cross-site scripting (XSS) attacks.

Risk Level

Low

Affected Vendor

Product Vendor

Product Name

Affected Version

SecureAuth SecureAuth 9.3

Product Description

SecureAuth is an enterprise identity and access-management service. The project’s official website is https://www.secureauth.com/. The latest version of the application is 9.3.0-17, released on June 5, 2020.

Vulnerabilities List:

One vulnerability was identified within the SecureAuth application:

CLIENT-SIDE TEMPLATE INJECTION

Solution

Update to version 9.3.0-17

This vulnerability is described in the following sections.

VULNERABILITY

Client-Side Template Injection

CVE ID

Security Risk

Impact

Access Vector

CVE-2020-9437 Low Cross-site scripting Remote


The /SecureAuth.aspx endpoint's rendering of user-controlled username and email values is vulnerable to AngularJS client-side template injection. XSS payloads contained in the username or email can be executed during the authentication process.

The following AngularJS expression was used to execute a proof-of-concept Javascript payload:

b@{{constructor.constructor('alert(window.location)')()}}.o

The username containing the payload was used to log in, as shown in the request below:

POST /[REDACTED]/SecureAuth.aspx?client_id=[REDACTED]
…omitted for brevity…
&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_txtUserid=b%40%7B%7Bconstructor.constructor%28%27alert%28window.location%29%27%29%28%29%7D%7D.o&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_btnSubmit=Submit

Figure 2 – SecureAuth login request


After submitting the request, the payload executed on the page, as shown below:

JavaScript alerting window.location

Figure 3 JavaScript alerting window.location

The payload triggered as an error during the sign-in process, resulting in self-XSS. Alternatively, an attacker could change the email address of another user, such as a malicious administrator, and would be able to use this attack to perform XSS against users during authentication.

Credits

Chris Davis, Consultant, Bishop Fox (cdavis@bishopfox.com)
Robert Punnett, Senior Consultant, Bishop Fox (rpunnett@bishopfox.com)

Timeline

  1. Initial discovery: 02/20/2020
  2. Contact with vendor: 02/24/2020
  3. Vendor acknowledged vulnerabilities: 02/24/2020
  4. Vendor released patched version 9.3.0-17: 06/05/2020
  5. Vulnerability publicly disclosed: 06/19/2020

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

Robert punnett

About the author, Robert Punnett

Managing Security Consultant

Robert Punnett (OSCP) is a Managing Security Consultant Bishop Fox. His primary areas of expertise are external network penetration testing, web application assessments, and red teaming. Additionally, Robert is an independent security researcher who participates in bug bounty programs and has also led security teams for Fortune 500 companies in the retail and transportation spaces.

More by Robert

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.