
A Microsoft Azure Flaw Could Compromise Bing and Office 365

Security researchers have disclosed a misconfiguration in Microsoft Azure Active Directory (Azure AD) that left Bing exposed. By signing in to a Bing back-end application, an attacker could have altered Bing search results and reached users' private data, including Outlook emails, calendars and Microsoft Teams messages.

Because of the Azure AD misconfiguration in Microsoft's own cloud-hosted applications, miscreants could have taken over Bing's content management system and used it as a stepping stone into other Microsoft cloud services. Results shown on the Bing home page could have been changed, and users' accounts, as well as their Outlook emails, calendars and Teams messages, were left exposed to theft and snooping.

The misconfiguration was identified by Wiz researchers, who named the issue "BingBang". It was discovered in January this year.

The root cause was misconfigured multi-tenant applications in Azure AD. An app registered in Azure AD can be single-tenant or multi-tenant, depending on the developer's needs. A single-tenant app accepts sign-ins only from its own Azure AD tenant. A multi-tenant app accepts a valid token issued to a user of any Azure AD tenant, so Azure AD by itself cannot tell the developer's own employees from an arbitrary Azure user. It is therefore the developer's responsibility to add an authorization check of their own, inspecting the tenant in the token and deciding which users are allowed to use the app. The affected Microsoft applications lacked this check.
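Here is what that missing check looks like in practice, as an added example in JavaScript (Node.js); it is not Microsoft's or Wiz's code. It assumes the JWT library has already verified the token signature, and the tenant IDs, the audience `api://example-app` and the user names are constructed for the demonstration. The point it makes is that a token from an arbitrary Azure AD tenant is perfectly valid; only the application's own tenant check rejects it.

```javascript
'use strict';
// Added example, not Microsoft's or Wiz's code: the tenant authorization step
// that a multi-tenant Azure AD application must perform itself. Azure AD will
// issue a valid token for a user of *any* tenant, so once the JWT library has
// verified the signature (assumed to have happened before this code runs; not
// shown), the app still has to decide which tenants it trusts.

const EXPECTED_AUDIENCE = 'api://example-app';             // constructed client id
const OUR_TENANT = '11111111-1111-1111-1111-111111111111'; // constructed tenant id
const ALLOWED_TENANTS = new Set([OUR_TENANT]);

function base64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds an Azure-AD-shaped v2.0 token for the demonstration. Real tokens are
// RS256-signed by login.microsoftonline.com; the literal "sig" stands in here.
function makeToken(claims) {
  const header = base64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64url(JSON.stringify(claims))}.sig`;
}

function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// The kind of check the affected apps lacked. nowSeconds is a parameter so
// the result is deterministic.
function authorizeTenant(claims, nowSeconds, allowedTenants = ALLOWED_TENANTS) {
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  if (claims.aud !== EXPECTED_AUDIENCE) {
    return { ok: false, reason: 'wrong audience' };
  }
  if (typeof claims.tid !== 'string' || !allowedTenants.has(claims.tid)) {
    return { ok: false, reason: `tenant ${claims.tid} not allowed` };
  }
  // A v2.0 issuer embeds the tenant id; it must agree with tid.
  if (claims.iss !== `https://login.microsoftonline.com/${claims.tid}/v2.0`) {
    return { ok: false, reason: 'issuer does not match tenant' };
  }
  return { ok: true };
}

function authorizeToken(token, nowSeconds) {
  return authorizeTenant(decodeClaims(token), nowSeconds);
}

// Constructed tokens: one from our own tenant, one from an arbitrary tenant
// that Azure AD would sign just as happily.
const NOW = 1700000000;
const STRANGER_TENANT = '22222222-2222-2222-2222-222222222222';
const ourToken = makeToken({
  aud: EXPECTED_AUDIENCE, exp: NOW + 3600, tid: OUR_TENANT,
  iss: `https://login.microsoftonline.com/${OUR_TENANT}/v2.0`,
  preferred_username: 'alice@example.com',
});
const strangerToken = makeToken({
  aud: EXPECTED_AUDIENCE, exp: NOW + 3600, tid: STRANGER_TENANT,
  iss: `https://login.microsoftonline.com/${STRANGER_TENANT}/v2.0`,
  preferred_username: 'mallory@attacker.example',
});

console.log(authorizeToken(ourToken, NOW));        // { ok: true }
console.log(authorizeToken(strangerToken, NOW));   // { ok: false, reason: 'tenant 2222... not allowed' }
```

The issuer comparison matters as much as the tenant allow-list: an app that only checks `iss` against a fixed string, or only checks that `tid` is present, still accepts any tenant Azure AD is willing to sign for.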

Based on the Wiz researchers' findings, approximately 25 percent of the multi-tenant applications they examined lacked proper validation. The researchers created an Azure account and used it to sign in to an application called Bing Trivia. Behind it they found a content management system (CMS) controlling Bing content, and they altered a search query so that their favourite film, Hackers (1995), appeared as the first result instead of Dune (2021).

The researchers also found that the same access could be used to mount cross-site scripting (XSS) attacks against Bing users.

Bing's Work section lets signed-in users search the Office 365 data their organization has authorized for them and their colleagues: emails, calendars, Teams messages, OneDrive files and SharePoint documents. A script running in a Bing user's browser could therefore reach that data.

Wiz researchers estimate that several thousand cloud applications and websites are affected by the same class of misconfiguration. Among Microsoft's own, they name Mag News, the Power Automate Blog, Contact Center, PoliCheck and a Cosmos file management system.

Having changed search results, the researchers wanted to see whether the access could also be used for cross-site scripting (XSS), in which malicious scripts are injected into a trusted Microsoft website and then run in a victim's browser. Code executing in the victim's browser in the context of the Bing site could act on the victim's behalf, access their account and exfiltrate their data. In this case the team planted a harmless payload, so visitors saw the page exactly as intended.

Wiz found that other internal Microsoft-managed applications were misconfigured in the same way as Bing Trivia.

These included Mag News, a control panel for the MSN newsletter; an API for Microsoft's Central Notification Service; Contact Center; and PoliCheck, an internal Microsoft tool used to check code for forbidden words. Wiz also reached the WordPress admin panel of a blog on a microsoft.com domain and published test posts there, as well as a Cosmos file management system holding more than four exabytes of data.

Microsoft fixed all of these applications and awarded Wiz a $40,000 bug bounty for the discoveries.

The researchers reported the Bing vulnerability to the Microsoft Security Response Center on January 31, 2023. Microsoft has since fixed all affected applications. No evidence has been found that the flaw was exploited in the wild.

Microsoft has also made changes to Azure AD to help prevent such misconfigurations in the future. The Wiz team recommends that administrators review their own applications' logs for sign-ins from unexpected tenants and other suspicious activity.

Three XSS Bugs Can Lead to Complete System Compromise

What is the bug trio?

Security researchers have published details of a trio of cross-site scripting (XSS) vulnerabilities in popular open-source applications that can be escalated to remote code execution (RCE).

Researchers from PT Swarm found the bugs in Evolution CMS, FUDForum and GitBucket.

A basic XSS attack lets the threat actor's JavaScript run in the victim's browser, which opens the door to cookie theft, redirects to phishing sites and much more.

Cross-site scripting (XSS) is one of the most common attacks against web applications. If a threat actor can get JavaScript into the application's output, the consequences go beyond stolen cookies: when the victim is an administrator, the script can drive the admin panel with the administrator's privileges, and that sometimes leads to complete compromise of the system. This post looks at how XSS-driven remote code execution is achieved in Evolution CMS, FUDForum and GitBucket.

Evolution CMS v3.1.8

The first bug, in Evolution CMS v3.1.8, allows an attacker to launch reflected XSS in various locations in the admin section. Aleksey Solovev says that after a successful attack on an administrator authenticated in the system, the index.php file will be overwritten with the code the attacker placed in the payload.

FUDForum v3.1.1

The second vulnerability, in FUDForum v3.1.1, lets an attacker launch a stored XSS attack. Aleksey Solovev describes FUDforum as a super-fast and scalable discussion forum, highly customizable and supporting unlimited members, forums, posts, topics, polls and attachments.

The FUDforum admin panel has a file manager that allows uploading files to the server, including files with the PHP extension. Using the stored XSS, an attacker can make an administrator's browser upload a PHP file, which can then execute arbitrary commands on the server.

GitBucket v4.37.1

The last vulnerability, in GitBucket v4.37.1, allows an attacker to launch stored XSS in various locations. Aleksey Solovev says an attacker holding a stored XSS can try to use it to execute code on the server: the admin panel includes a Database viewer, a tool for running SQL queries.

GitBucket uses the H2 Database Engine by default, and a publicly available exploit exists for achieving remote code execution through it. So all an attacker needs to do is create a PoC based on that exploit, upload it to a repository, and trigger it through the stored XSS during the attack.


Gitlab Patches a Critical RCE Flaw in Latest Security Advisory

GitLab has released a patch for a critical vulnerability that allows an authenticated attacker to execute code remotely on the server.

The bug, tracked as CVE-2022-2185, affects all versions from 14.0 before 14.10.5, 15.0 before 15.0.4, and 15.1 before 15.1.1, where an authenticated user could import a maliciously crafted project to achieve remote code execution.

GitLab is a web-based DevOps lifecycle platform from GitLab Inc., available under an open-source license, that offers a wiki, issue tracking, and continuous integration and deployment pipelines. It was created by Ukrainian programmers Dmytro Zaporozhets and Valery Sizov.

Multiple security flaws

The latest version also fixes a number of other vulnerabilities, including two separate cross-site scripting (XSS) bugs. The vulnerabilities affect both GitLab Community Edition and Enterprise Edition, and GitLab recommends that users upgrade to the latest version.

“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected,” an advisory from GitLab reads. 

In July last year, GitLab patched multiple vulnerabilities in its software development platform, including two high-impact web security flaws. A cross-site request forgery (CSRF) in GitLab's GraphQL API gave an attacker a way to perform mutations while impersonating the victim. A second high-severity vulnerability allowed GitLab's webhook feature to be abused for denial-of-service (DoS) attacks.

A denial-of-service attack aims to make a system or network unreachable to its intended users, typically by flooding the target or sending it input that causes a crash. The researcher 'afewgoats' identified the DoS vulnerability and reported it through GitLab's bug bounty program, which is run on HackerOne.

CVE identifiers were requested for both high-severity vulnerabilities but had not been assigned at the time. "The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained.

"It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." In the same release GitLab also patched 15 medium-severity and two low-severity issues, including a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and a stored XSS in the audit log.

WordPress WP Fastest Cache Plugin Discovered With Multiple Vulnerabilities

WP Fastest Cache is one of several WordPress caching plugins meant to improve site performance. It generates and serves a static copy of posts and pages, reducing the number of database queries needed to render the site and the associated server load.

Jetpack security researchers uncovered several vulnerabilities in the popular WP Fastest Cache plugin that could let an attacker gain full administrator privileges. The plugin is installed on over a million WordPress sites.

Among the flaws the researchers discovered, two stand out:

  • Authenticated SQL injection

An authenticated user with a low-privilege account can exploit the SQL injection to read administrator-level data. SQL injection targets the database server that stores site components such as usernames and credentials; a successful attack can end in a total takeover of the website.

“If exploited, MySQL injection bugs can give attackers access to privileged information from the affected site’s database (such as username and hash password). This can only be exploited if the Classic Editor plugin is also installed and activated on the site,” stated The Jetpack Security Bulletin. 

  • Stored XSS via cross-site request forgery

Cross-site scripting (XSS) flaws are widespread and stem from insufficient sanitization of user input. If a user can submit content to the site, through a contact form for example, and that content is not sanitized before it is displayed, the site's visitors can be attacked with XSS.

Sanitization means restricting what may be submitted to the intended kind of input, such as plain text, rather than a script or command. Unsanitized input lets an attacker insert malicious scripts, which can then target administrators who visit the page: the script runs in their browser with their privileges and can, for example, steal their credentials or plant malicious files on the site.

Cross-site request forgery (CSRF) occurs when an attacker tricks a user, such as a logged-in administrator, into visiting a page that silently makes the user's browser perform actions on the target site.

These vulnerabilities are harder to exploit because they rely on the Classic Editor plugin being installed and on the attacker having some level of authenticated access. They are still significant, and Jetpack advises users to update WP Fastest Cache to at least version 0.9.5, released on October 14, 2021.

According to Jetpack: “If exploited, MySQL injection bug attackers can gain access to privileged information from the affected site’s database (such as username and hash password). Successful exploitation of the vulnerabilities of CSRF and Stored XSS can allow bad actors to login to the administrator on the targeted site.”

Microsoft Edge’s Security Bypass Vulnerability Fixed

Microsoft released Edge browser updates last week that address two security flaws, one of which is a security bypass that could be used to inject and execute arbitrary code in the context of any website. The flaw, CVE-2021-34506 (CVSS score: 5.4), is a universal cross-site scripting (UXSS) bug triggered when Microsoft Translator automatically translates web pages through the browser's built-in feature.

Microsoft Edge is a cross-platform web browser developed by Microsoft. It was first released in 2015 for Windows 10 and Xbox One, followed by Android and iOS in 2017, macOS in 2019, and Linux in October 2020 as a preview. Edge was originally built on Microsoft's proprietary EdgeHTML and Chakra JavaScript engines; that version is now known as Microsoft Edge Legacy.

On January 15, 2020, Microsoft announced the public release of the new, Chromium-based Edge. Microsoft began rolling it out via Windows Update in June 2020 for Windows 7, Windows 8.1, and Windows 10 versions 1803 through 2004. On March 9, 2021, Microsoft stopped issuing security fixes for Edge Legacy, and on April 13, 2021, it delivered an update that replaced Edge Legacy with the Chromium-based Edge.

Ignacio Laurence, Vansh Devgan, and Shivam Kumar Singh of CyberXplore Private Limited are credited with finding and reporting CVE-2021-34506. "Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers said. "When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled."

The researchers found that the translation feature failed to sanitize input, allowing an attacker to inject malicious JavaScript anywhere on the web page; the code then executes when the user clicks the prompt in the address bar to translate the page. As a proof of concept (PoC), they showed that a comment on a YouTube video written in a language other than English, together with an XSS payload, could trigger the attack.

In a similar vein, a Facebook friend request with other language content and the XSS payload was discovered to run the code as soon as the recipient checked out the user's profile. Following a responsible disclosure on June 3, Microsoft corrected the problem on June 24 and gave the researchers $20,000 as part of its bug bounty programme.

Atlassian Patched Vulnerabilities in its Domains

On Wednesday, June 23, security researchers disclosed critical vulnerabilities in Atlassian's project and software development platform that could have been exploited to take over accounts and control applications connected through its single sign-on (SSO) capability.

The vulnerabilities stem from Atlassian using SSO so that users can move between the domains listed below without signing in again. Check Point Research chained a cross-site scripting (XSS) flaw with a cross-site request forgery (CSRF) to inject malicious code into the portal, and combined that with a session fixation bug to hijack a valid user session. The vulnerabilities have since been patched.

Atlassian delivered a fix on January 8, 2021, after being notified of the problem. The affected subdomains include:
jira.atlassian.com 
confluence.atlassian.com 
getsupport.atlassian.com 
partners.atlassian.com 
developer.atlassian.com 
support.atlassian.com 
training.atlassian.com 

"With just one click, an attacker could have used the flaws to get access to Atlassian's publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products," Check Point Research stated.

Successful exploitation could escalate into a supply chain attack: the attacker could take over an account, perform actions on behalf of the victim, modify Confluence pages, access Jira tickets, and even inject malicious implants to mount further attacks.

In other words, an attacker could trick a user into clicking a crafted Atlassian link carrying a malicious payload, which the attacker could then use to log in to the victim's account and obtain confidential information.

Moreover, an attacker who controls a Jira account could also take over the linked Bitbucket account: by opening a Jira ticket containing a malicious link to a rogue site, delivered to the victim through an auto-generated email notification, the attacker could steal the victim's credentials, gaining the ability to read or modify source code, make repositories public, or even insert backdoors.

"Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization's workflow," said Oded Vanunu, head of products vulnerabilities research at Check Point. "An incredible amount of supply chain information flows through these applications, as well as engineering and project management."

Wire Patches Flaws That Could Have Given Attackers Full Control Over User Accounts

The developers of the Wire secure messaging app have patched two security flaws, one of which could allow an attacker to take over target users' accounts. The first is a cross-site scripting (XSS) vulnerability that allowed an attacker to fully control user accounts. Tracked as CVE-2021-32683, it affects the web app version 2021-05-10 and earlier.

Threat actors typically carry out an XSS attack by sending the victim a malicious link and enticing them to click it. If the app or website lacks proper protections, the attacker's chosen code runs in the user's browser and can, for example, steal the user's active session cookie.

Kane Gamble, an independent security researcher, discovered two security issues in Wire's web and iOS clients. Headquartered in Germany with offices in the US, Sweden and Switzerland, Wire is a messaging platform offering end-to-end encrypted audio, video and text communications, with more than 500,000 users.

The second flaw discovered by the researcher was a less critical denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire.

“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character. This will in turn trigger an assertion which crashes the app,” the security researcher explained. 

Both flaws were subject to a coordinated disclosure process between Gamble and the Wire security team. “The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1]. No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically,” Gamble further added.

A Wire spokesperson said there is no evidence of active exploitation of either bug in the wild.

“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible. We also proactively published the vulnerabilities as CVEs for full transparency,” the spokesperson said.

DarkSide Affiliates Claim Gang's Bitcoin Deposit

Since the DarkSide ransomware operation shut down a week ago, multiple affiliates have complained that they were never paid for past work and have filed claims against the gang's Bitcoin deposit held in escrow on a hacker forum. Escrow systems are common on Russian-language cybercriminal forums to prevent scams between sellers and buyers, and a deposit is a ransomware operation's way of signalling that it means business.

DarkSide is a ransomware operation active since at least August 2020. In May 2021 it was used in the attack on Colonial Pipeline in Georgia, causing a significant fuel supply disruption along the US East Coast. The malware is offered to other cybercriminals as a service through an affiliate scheme and, like other well-known ransomware, relies on double extortion, combining file encryption with data theft; it is deployed on compromised networks through hands-on-keyboard intrusion.

DarkSide deposited 22 bitcoins on the well-known hacker forum XSS to gain the confidence of potential partners and expand the operation. The wallet is administered by the forum's administrator, who acts as a guarantor for the gang and as an arbitrator in the event of a dispute.

Many analysts believe the group staged an exit scam to keep the ransom money owed to its network of affiliates. DarkSide operators, on the other hand, claim to have halted operations because of US government pressure following the Colonial Pipeline attack.

Last year, the REvil ransomware deposited $1 million in Bitcoin to a separate hacking website in order to recruit new members. This action demonstrated that they trusted the forum administrator with the money and that there was plenty to be made. 

Researchers found a series of claims by forum members who said they had played various roles in the DarkSide operation; some had assisted with penetration testing or with breaching organizations. According to the blockchain analytics company Elliptic, the DarkSide ransomware gang has received over $90 million in ransom payments from its victims since October 2020.

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets,” reads the report published by Elliptic. “According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.”

Google and Mozilla Develop an API for HTML Sanitization

Engineers from Google, Mozilla and Cure53 have collaborated on an application programming interface (API) that offers a comprehensive solution to HTML sanitization. The API will ship in upcoming versions of the Mozilla Firefox and Google Chrome web browsers.

HTML sanitization is the process of parsing an HTML document and producing a new one that contains only the "safe" and desired tags and attributes. By sanitizing any HTML submitted by a user before rendering it, an application can defend against attacks such as cross-site scripting (XSS).

Sanitization is usually carried out with either an allow-list or a block-list strategy, and can be refined with rules that define which operations to perform on the affected tags.

Web applications are often expected to handle dynamic HTML in the browser when rendering user-generated content or working with templates. Client-side HTML processing frequently introduces security flaws, which attackers exploit to stage XSS attacks, steal user data, or perform actions on the user's behalf.

“Historically, the web has been confronted with XSS issues ever since the inception of JavaScript,” Frederik Braun, security engineer at Mozilla, said. “The web has an increase in browser capabilities with new APIs and can thus be added to the attacker’s toolbox.” 

To protect against XSS, many developers use open-source JavaScript libraries such as DOMPurify, which takes an HTML string as input and sanitizes it by removing or escaping potentially dangerous parts.

“The issue with parsing HTML is that it is a living standard and thus a quickly moving target,” Braun said. “To ensure that the HTML sanitizer works correctly on new input, it needs to keep up with this standard. The failure to do so can be catastrophic and lead to sanitizer bypasses.” 

The HTML Sanitizer API builds XSS protection directly into the browser: its Sanitizer class can be instantiated and used without importing any external library.

“This moves the responsibility for correct parsing into a piece of software that is already getting frequent security updates and has proven successful in doing it timely,” Braun said. According to Bentkowski, browsers already have built-in sanitizers for clipboard info, so repurposing the code to extend native sanitization capabilities makes perfect sense.
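To make the allow-list strategy described above concrete, here is an added example in JavaScript (Node.js) of a minimal allow-list sanitizer. It is not the Sanitizer API, not DOMPurify, and not code from Google, Mozilla or Cure53; the tag list, attribute list and URL schemes are assumptions chosen for the demonstration, and the sample input is constructed. It also illustrates the post's point: the tokenizer is a hand-written approximation of HTML parsing, which is exactly the kind of code the browser API takes out of application developers' hands.

```javascript
'use strict';
// Added example: a minimal allow-list HTML sanitizer, written to show the
// strategy the post describes. It is NOT the Sanitizer API, DOMPurify, or any
// code from Google, Mozilla or Cure53, and the tag/attribute/scheme lists are
// choices made for this demonstration.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li']);
const VOID_TAGS = new Set(['br']);
// Elements removed together with their text content.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'template']);
const ALLOWED_ATTRS = { '*': new Set(['class', 'title']), a: new Set(['href']) };
const SAFE_URL = /^(?:https?:|mailto:|\/(?!\/)|#)/i;

// Tokens: comment | tag (name, raw attributes) | text run | stray '<'
const TOKEN = /<!--[\s\S]*?-->|<\/?([a-zA-Z][\w-]*)([^>]*)>|[^<]+|</g;
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Scheme check after stripping control characters and whitespace, so that
// "java\tscript:alert(1)" cannot sneak past a naive startsWith('javascript:').
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  return SAFE_URL.test(cleaned) ? cleaned : null;
}

function sanitizeAttrs(tag, raw) {
  const allowed = new Set([...ALLOWED_ATTRS['*'], ...(ALLOWED_ATTRS[tag] || [])]);
  let out = '';
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on') || !allowed.has(name)) continue;   // event handlers never survive
    if (name === 'href') {
      value = safeUrl(value);
      if (value === null) continue;                               // javascript:, data:, vbscript: ...
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  const out = [];
  const open = [];          // stack of open allowed elements, for balanced output
  let dropping = null;      // name of a DROP_WITH_CONTENT element we are inside

  for (const m of html.matchAll(TOKEN)) {
    const tok = m[0];
    if (tok.startsWith('<!--')) continue;                         // comments are dropped
    const name = m[1] ? m[1].toLowerCase() : null;
    const isClose = tok.startsWith('</');

    if (dropping) {                                               // swallow everything inside <script> etc.
      if (isClose && name === dropping) dropping = null;
      continue;
    }
    if (name === null) { out.push(escapeText(tok)); continue; }  // text run or stray '<'
    if (DROP_WITH_CONTENT.has(name)) { if (!isClose) dropping = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                        // unknown tag: drop tag, keep its content

    if (isClose) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                                   // close without matching open
      while (open.length > idx) out.push(`</${open.pop()}>`);
    } else {
      out.push(`<${name}${sanitizeAttrs(name, m[2])}>`);
      if (!VOID_TAGS.has(name)) open.push(name);
    }
  }
  while (open.length) out.push(`</${open.pop()}>`);                // close what the input left open
  return out.join('');
}

// Constructed input mixing legitimate markup with the usual XSS vectors.
const SAMPLE = '<p class="x" onclick="steal()">hi<script>alert(1)</script>'
  + '<a href="javascript:alert(1)">l</a><a href="https://example.com">ok</a></p>'
  + '<img src=x onerror=alert(1)><b>unclosed';
console.log(sanitizeHtml(SAMPLE));
```

Even this small sanitizer has to know about event-handler attributes, dangerous URL schemes, whitespace inside schemes, and elements whose content must disappear, and it still does not decode entities or handle the dozens of parsing quirks a real browser applies. Keeping such code in step with the living standard is the maintenance burden the post describes.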

Privacy Essentials Vulnerabilities in the DuckDuckGo Browser Extension

DuckDuckGo Privacy Essentials, the widely used browser extension for Chrome and Firefox that blocks hidden trackers and offers private-browsing features, has fixed a universal cross-site scripting (uXSS) flaw. Researcher Wladimir Palant disclosed that it could allow arbitrary code to be executed on any domain in the victim's browser. The issue was initially patched only for Chrome; fixed versions for Mozilla Firefox and Microsoft Edge had not been published at the time of disclosure.

First, for certain internal communication the extension used insecure messaging channels, which ironically caused some data to leak across domain boundaries. The second vulnerability was a cross-site scripting (XSS) flaw in the extension that allowed the DuckDuckGo server to execute arbitrary JavaScript on any domain.

The vulnerability could allow malicious actors to spy on every website the user visits, exposing confidential material such as banking data. Palant says a user's privacy would be "completely compromised", even on websites that deploy their own defensive measures. He notes that only someone controlling staticcdn.duckduckgo.com can use this vulnerability, which means an attacker would need access to that server.

“The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.com,” Palant wrote. “So the good news [is]: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).”

DuckDuckGo Privacy Essentials 2021.3 fixes both problems. Initially the fix shipped for Chrome only; for some reason the Firefox and Edge releases were skipped, leaving the insecure internal communication unfixed there. Firefox and Edge users can now install a version of the extension that contains the fix.

Palant says these vulnerabilities are typical: he has seen similar errors in other extensions several times. This extension is not the only one whose developers got it wrong; the Chrome extension platform simply does not offer safe and convenient solutions, so most extension developers get their first attempt wrong.

“As a more advanced consequence [if the attacker was a government agency], your communication in the browser is no longer private, even when using a secure mail provider like ProtonMail or communicating with journalists via SecureDrop.” 

As informed by a Mozilla spokesperson: "The extension is available in a fixed version now. Firefox users receive it, depending on their extension update settings, either through a manual or automatic update extension check."