Tuesday, August 05, 2008

Cross-site scripting CAN be used to hack a server

UPDATE: They won the Pwnie for this at Black Hat! More surprising is the fact that allegedly someone from McAfee showed up to accept. At least they have a sense of humor. More details soon.

Likely you remember when Joseph Pierini at McAfee Secure / Hacker Safe said XSS wasn't important because "cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly."
That gem has made McAfee Pwnie worthy (winners announced tomorrow!); may the Lamest Vendor win.
That said, anyone with a clue knows that XSS attacks are ideal for credential theft, and if you can steal credentials, you can hack a server.
Looking for a textbook example? Check out mckt's new blog, skeptikal.org.
Here's a highlight:
"Every cPanel user's account contains a file titled .contactemail in its home directory. This is used to tell the server and administrators who to email when things go south, and can be changed by the user through the cPanel interface, the file manager tool, FTP, or through local scripts. It's only a text file, after all. Assuming we set our email address to:
"onmouseover="alert(1337)
When the friendly system administrator tries to reset our email address (because we forgot our password, obviously), he will receive an alert box in his browser.
But an alert box doesn't really demonstrate anything. Fortunately the WHM (Web Hosting Manager) interface has enough functionality that we can perform just about any system-level task we want. This one will reset the root password to 'owned':
"onmouseover="f=document.forms[0];f.action='/scripts/passwd';f.user.value='root';
f.removeChild(f.domain);d=document.createElement('input');f.appendChild(d);
d.name='password';d.value='owned';d=document.createElement('input');f.appendChild(d);
d.name='password2';d.value='owned';f.submit()
Of course, the only limit is your imagination; WHM can set up cron jobs, add and delete users, send full backups to a server of your choice, and reformat hard drives."


Hmm...I'd say that would be a server hack. ;-)
Welcome, Mike...keep up the good work.
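As an added illustration (not code from the original post, from mckt's blog, or from cPanel), the following JavaScript shows why the quoted .contactemail value breaks out of the admin form's attribute and how HTML-attribute-encoding the stored value at render time defuses it. The form markup, function names and email check are assumptions of this example, and the attribute tokenizer only approximates what a browser does.

```javascript
// Constructed sample: the first payload quoted in the post.
const PAYLOAD = '"onmouseover="alert(1337)';

// Vulnerable rendering (assumed shape of the admin form): the stored file
// contents are dropped straight into value="...", so a double quote in the
// data closes the attribute and the rest becomes a new attribute, here an
// event handler that runs in the administrator's browser.
function renderEmailFieldUnsafe(email) {
  return `<input type="text" name="contactemail" value="${email}">`;
}

// Encode the characters that can terminate or alter an HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same markup, but the data can no longer close the quote.
function renderEmailFieldSafe(email) {
  return `<input type="text" name="contactemail" value="${escapeHtmlAttr(email)}">`;
}

// Coarse sanity check on the stored value. A file the account owner can
// rewrite over FTP or the file manager is untrusted input when the admin
// panel reads it back, however it was written; encode on output regardless.
function looksLikeEmail(s) {
  return /^[^\s"'<>@]+@[^\s"'<>@]+\.[^\s"'<>@]+$/.test(s);
}

// Approximation of the browser tokenizer: a name directly after a closing
// quote starts a new attribute (a parse error browsers recover from).
// Returns the attribute names the tag ends up carrying.
function attributeNames(html) {
  const names = [];
  const re = /\s*([a-zA-Z][\w-]*)=("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Unsafe: ["type","name","value","onmouseover"]; safe: ["type","name","value"]
console.log(attributeNames(renderEmailFieldUnsafe(PAYLOAD)));
console.log(attributeNames(renderEmailFieldSafe(PAYLOAD)));
```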


4 comments:

Angel One said...

That's really a combination of a persistent XSS attack and an XSRF attack.

Rafal said...

@Russ - you know... you should write a column called "McAfee is a bunch of Superhackers" [who don't understand security]... :)

mckt said...

There's not any CSRF in the exploit, though getting the admin to the appropriate page can certainly be done that way.

Actually, I looked into it a bit more and quite a few of cPanel's admin scripts (including the password reset one) can be exploited using CSRF only.

Regardless, both CSRF and XSS (persistent or reflected) can be used to gain root access and compromise an entire server.

Angel One said...

Yes, it most certainly is an XSRF. You're getting an authenticated user (in this case the admin) to request specific web-based resources which in turn perform an action, thinking that the action has been authorized by the admin. True, you're making the admin request those resources by using JavaScript instead of a standard URL request, but the principle is the same. XSRF inside of persistent XSS all the way.