{"id":2014,"date":"2016-05-01T17:34:39","date_gmt":"2016-05-01T15:34:39","guid":{"rendered":"https:\/\/www.asafety.fr\/?p=2014"},"modified":"2016-07-25T00:34:11","modified_gmt":"2016-07-24T22:34:11","slug":"contribution-poc-redhat-credential-stealer-rxss","status":"publish","type":"post","link":"https:\/\/www.asafety.fr\/en\/vuln-exploit-poc\/contribution-poc-redhat-credential-stealer-rxss\/","title":{"rendered":"[Contribution \u2013 PoC] RedHat \u2013 Credential Stealer RXSS"},"content":{"rendered":"

<\/p>\n

The generic error page of the Red Hat customer portal suffers from a Cross-Site Scripting vulnerability to\u00a0steal users credential in plaintext.<\/strong><\/p>\n

Introduction<\/h1>\n

As part of my personal projects, as during my professional activity, it is not uncommon that I sign on RedHat sites to download resources (or find solutions to more or less twisted bugs :)) . It’s during\u00a0a simple research that\u00a0I reached an error page by following a link to a subject in the RedHat support… And this page included one GET parameter vulnerable to\u00a0XSS injection.<\/p>\n

Red Hat, Inc. is an American multinational software company providing open-source software products to the enterprise community.\u00a0Red Hat has become associated to a large extent with its enterprise operating system Red Hat Enterprise Linux and with the acquisition of open-source enterprise middleware vendor JBoss. Red Hat provides storage, operating system platforms, middleware, applications, management products, and support, training, and consulting services.<\/p>\n

Red Hat creates, maintains, and contributes to many free software projects. It has acquired several proprietary software product codebases through corporate mergers and acquisitions and has released such software under open source licenses. As of June 2013, Red Hat is the largest corporate contributor to Linux.<\/p>\n

RedHat has a website dedicated to its customers (including support). This is accessible via “access.redhat.com”. The generic error page when accidentally followed a wrong link suffers from an XSS reflection.<\/p>\n

Analysis and exploitation<\/h1>\n

Canonical alert() RXSS<\/h2>\n

The reflected GET parameter “uri” is located here :<\/p>\n

https:\/\/access.redhat.com\/downloads\/content\/error?code=403&uri=<\/mark><img src=x onerror=\"alert(\/Yann CAM - Security Consultant @ASafety - SYNETIS\/)\" \/><mark>&client=13.37.13.37&edge=13.37.13.37&timestamp=1446643590<\/pre>\n
This parameter was not filtered nor cleaned before being injected into the source code of the page :<\/p>\n
\"Canonical<\/a>
Canonical alert() RXSS RedHat<\/p><\/div>\n
At the source, no verification of the value of the parameter “uri” is performed:<\/p>\n
\"RedHat<\/a>
RedHat RXSS source-code<\/p><\/div>\n
Designing an exploitation\u00a0payload<\/h2>\n
In this case, the RXSS is located on a sub-domain of interest (the customer portal access.redhat.com) but to simulate an authentication target, it is necessary to reset the DOM of the page.<\/p>\n
The execution of arbitrary JavaScript in the context of the page being performed successfully, an attacker can load a remote JS script (as long as it is accessible through HTTPS – HSTS protocol) and change the browser victims’s DOM.<\/p>\n
Such payload can do these operations\u00a0:<\/p>\n