[Staff note: Secure Science Corporation has found a series of security vulnerabilities in the RSA Conference's website]
RSA Irony - Vulnerability Found #RSA #RSAC
It's the RSA Conference season again and many are booking flights to San Francisco as we speak to gather and discuss this year's information security issues that overwhelm technology businesses worldwide. In the midst of signing up, Secure Science discovered a concern within the RSA website itself that lends itself to a very trivial malware attack vector. Similar to the "Twitter Worm" lookups that pointed to many rogue AV (scareware) sites, those looking up the RSA Conference could easily be sent to the right site, yet with abuse riding along.
The post-login redirect used by the single-sign-on service for logins and registration can be misused to send users to malicious websites. The redirect occurs after the user has signed in, which enables cross-site request forgery within the RSA site itself; alternatively, the destination site could load exploits in the victim's browser, injecting banking or scareware trojans onto their computers.
This type of attack might be ideal for malicious hackers as it provides ample opportunity to strike revenge at a popular white-hat conference and the white-hat personalities that may attend.
A demonstration of the exploit: This will take you to twitter.com/xssexploits after a login has been submitted:
https://sso.rsaconference.com/sso/LogIn.jsp?CT_ORIG_URL=http://www.twitter.com/xssexploits&ct_orig_uri=/xssexploits
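One way the SSO service could validate its CT_ORIG_URL parameter before honouring it, as an added example written for this article rather than RSA's own code; the allowlisted hostnames and the default landing page are assumptions:

```python
from urllib.parse import urlsplit

# Hosts a post-login return URL may point at; constructed from the hostnames
# that appear in the post. Anything else falls back to the landing page.
ALLOWED_HOSTS = {"sso.rsaconference.com", "www.rsaconference.com"}
DEFAULT_LANDING = "/"


def safe_return_url(candidate, allowed_hosts=ALLOWED_HOSTS):
    """Return `candidate` if it is safe to redirect to after login, otherwise
    the default landing page. Safe means a site-relative path, or an https
    URL whose host is on the allowlist."""
    if not candidate:
        return DEFAULT_LANDING
    # Browsers treat "\" like "/" when resolving redirects, so normalise
    # before any prefix check: "/\evil.com" must be handled as "//evil.com".
    candidate = candidate.replace("\\", "/")
    # "//host" is a scheme-relative URL and "///host" resolves the same way
    # in browsers, so any leading double slash is rejected outright.
    if candidate.startswith("//"):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: keep it, but it must begin with "/" so that a
        # bare "evil.com" does not pass as a path.
        return candidate if parts.path.startswith("/") else DEFAULT_LANDING
    # Absolute URL: require https and an allowlisted host. `hostname` strips
    # userinfo and port, so "https://sso.rsaconference.com@evil.com" yields
    # host evil.com and is rejected.
    if parts.scheme.lower() != "https":
        return DEFAULT_LANDING
    if (parts.hostname or "").lower() not in allowed_hosts:
        return DEFAULT_LANDING
    return candidate
```

Exact host matching rather than suffix matching is deliberate: a lookalike such as www.rsaconference.com.evil.example must not qualify.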
RSA Irony Part 2: Registered Account Manipulation #rsa #rsac
Continuing the original story, we have taken Part 1 (the rsaconference.com site allows redirection to arbitrary sites following the registered user's login) and extended it to use the site to manipulate account information, including the email address. This is a multi-step process but can be executed successfully. The results include database overwrites filled with invalid user data, interception of RSA Conference email, and general confusion. The profile management section of the website permits a 'GET' request to modify all the profile settings without any further authentication step.
Warning: If you click this example link it will change all of your settings. It is advised to use the username: lj2600 and password: asdf1234 to test this.
Link
Upon login, the above link will reset all your contact info to the following. Alternatively, an attacker can redirect to another site, hide the request in an iframe or img tag, and execute it as a cross-site request forgery.
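A profile-update handler that refuses exactly the request shapes described above (a GET, and a POST lacking a token bound to the victim's own session), as an added example and not the conference site's code; the session layout, field names and status codes are assumptions:

```python
import hashlib
import hmac
import secrets

# Per-deployment signing key; constructed at import time for this example.
SERVER_SECRET = secrets.token_bytes(32)
# Fields the form may change (constructed; the real field names are not given).
EDITABLE_FIELDS = {"email", "phone", "company"}


def csrf_token(session_id):
    """Synchronizer token bound to the login session, so a token obtained in
    one browser session is useless in a request forged against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_profile(store, session, method, params):
    """Handle a profile-update request and return an HTTP-style status code.
    `store` maps username -> profile dict; `session` is the server-side
    session of the logged-in user ({"user": ..., "id": ...}) or None."""
    if not session or "user" not in session:
        return 401                      # not logged in
    if method.upper() != "POST":
        return 405                      # state changes never ride on GET
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session["id"])):
        return 403                      # missing or foreign token: forged request
    changes = {k: v for k, v in params.items() if k in EDITABLE_FIELDS}
    if set(params) - EDITABLE_FIELDS - {"csrf_token"} or not changes:
        return 400                      # only whitelisted fields may be written
    store[session["user"]].update(changes)
    return 200


def demo():
    """Constructed walk-through: the forged GET from above is refused, a POST
    without a token is refused, and only the legitimate POST changes the email."""
    store = {"attendee": {"email": "attendee@example.com", "phone": "", "company": ""}}
    session = {"user": "attendee", "id": "sess-123"}
    forged = {"email": "attacker@example.net"}
    results = {
        "forged_get": update_profile(store, session, "GET", forged),
        "post_no_token": update_profile(store, session, "POST", forged),
        "post_other_session": update_profile(
            store, session, "POST", {**forged, "csrf_token": csrf_token("sess-999")}),
        "legit_post": update_profile(
            store, session, "POST", {"email": "new@example.com", "csrf_token": csrf_token("sess-123")}),
    }
    results["email_after"] = store["attendee"]["email"]
    return results
```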
RSA Irony Part 3: Code Leak #rsa #rsac
Through some HTTP "method fuzzing", Secure Science was able to force RSA's Apache/Tomcat 5.5.27 Java servlets to leak code on error. When an HTTP 500 error occurs, the web server includes source code (and the comments within it) in the response to the client browser.
Example of Password Change Code:
All of this is "Secured by RSA® Access Manager" according to the RSAConference.com website.
RSA Irony Part 4: RSA.com Search Engine
Need we say more...
Link
Clicking this will produce a JavaScript pop-up with "XSS" as the alert text. The code is injected through the search engine of the RSA.com website, one of the largest security companies in the world.
[Snapshot]
RSA Irony Part 5: Arrival #rsa #rsac
An unexpected move from RSA Conference 2009 brings us RSA Irony: Part 5. With this, another year in the information security heaven that is RSA's week-long Moscone meet-up, there is no doubt that all in attendance left having acquired at minimum a tale or two for the history books, among them seeing friends both old and new, awesome parties, great talks and memorable dinners. And to think: SSC just might have missed it all. In a scene reminiscent of Seinfeld's "No Soup For You" episode (you know, the one where the chef at the quite popular deli denies and even repossesses meals from patrons with whom he does not agree), we were, for a time, not allowed admittance into the wildly popular security event.
"R" is for Registration
Those of you already receiving the "XSSExploits" feed on Twitter likely recognize the vigor with which ETAT (SSC's External Threat Assessment Team) researchers are expediting exploit reports and rapidly addressing vulnerability vestiges. No one is safe, so to speak, as a generalized egalitarianism ensures that fair attention is paid to all web-based entities. Admittedly this has caused a certain amount of strife in the past. It goes unsaid that several enterprises of a certain standing have seemingly come to expect a standard exemption with respect to the disclosure of security flaws. In a day and age where public knowledge of software holes and the like quite literally drives stock, certain factions are working overtime to make vulnerability research to the infosec industry what the celebrity rags are to the publishing world. The incentive to sizably control, if not altogether quell, one of the most significant forms of security research is manyfold. To our surprise we found that our recent reporting on RSA's conference e-foibles instantly catapulted us to the forefront of the disclosure etiquette debate, whether we liked it or not. Typically, registration for RSA is a simple choice between mailing it in along with a check, paying on-site, or, more commonly, online enrollment via credit card. The additional draw for e-registration is that attendees are automatically eligible to participate in the site's online community portal and connect with other event-goers both during and in advance of the commencement of the con. In other words, RSA Conference put together an online activity center specifically geared towards their target demographic, who, according to conference advertising, are people who need to be "... on top of their game... professionally."
"S" is for (lack of) Security
This year, for reasons outlined in the previous segments, registering online presented us with a real problem once the flaws on the conference site became apparent to our researchers. During the promotion of the conference website between associates, flaws such as "arbitrary redirects", "Cross-Site Request Forgery", and "code leaks" were found. Serendipitous as the discovery was, the decision to quickly reveal the discrepancies was made in hopes of an equally expeditious repair. Too often, researchers who take the route vendors tend to prefer find that, in a world of corporate policy and procedure, the investigation into, let alone the patching of, any given hole that happens to be reported falls very low on the infrastructure's to-do list hierarchy. As a result, research firms and individuals have long been their own system of ethical disclosure. Much like snowflakes, no two frameworks or guidelines pertaining to agreed-upon criteria for responsible disclosure appear to be alike. Our own procedure consists of the common-sense approach of conducting a case-by-case assessment in an effort to make an ethically sound decision that in no way further jeopardizes the system in question. Naturally these precautions were our foremost thought when reporting on "RSA Irony 1-3".
"A" is for Authentication (Tokens)
We were flagged in the computer. That's how it all started. Well, first all SSC-registered personnel were suddenly blocked from online access. Then at the registration booth we were asked to "step aside". It's not that being held up or detained is new to us... only usually the holdover is at the airport, on account of trying to get the six laptops, four phones and assorted recording devices through as carry-on. After a brief wait, the general manager and regional vice president of the conference arrived and quickly got down to the business of a perceived "breach" in responsible reporting. The intensity surrounding the issue of disclosure etiquette grew tangibly as it became clear that entry into the RSA Conference might very well be predicated on the outcome of this tête-à-tête. While RSA failed to see the irony of their deficient website, they do recognize the importance of making sure the public continues to view them in the light in which they seem to have come to rest on their laurels. In an interview promoting 2009's conference objectives, this was said:
"The stakes have never been higher - a breach harms not only an organization's reputation, but financially as customers look to do business elsewhere or an organization becomes liable for the harm done. When weighing the cost of a breach vs. the cost of honing the skills of infosec professionals to prevent the breach - the choice is clear."
With this in mind, it is not difficult to see why they would want the discovery of virtually no website security to be suppressed. At one point, the claim emerged that SSC "enabled fraud" by disclosing this information. Again, the chasm between those who discover vulnerabilities and those who are responsible for them in the first place is so vast that one wonders what, if anything, will be done to bridge it. Chris Wysopal (VeraCode) and Steve Christey (Mitre) joined forces back in 2002 in an effort to do just that. Although promising, many argued that the guidelines presented more questions than answers. Five years later, Wysopal returned on a panel addressing the issue during RSA's 2007 Conference. It is largely said of the discussion that scarcely anything was agreed upon among the panelists or the audience members. Full disclosure, responsible disclosure, ethical disclosure... whatever the terms and however related, the act of disclosing another's security deficit is no simple task. A few years ago, an elderly pastor who happened to be a local food critic shared what he believed to be the great secret to his many years of success as an epicurean evaluator. He said that no matter how many times he ended up not caring for his meal, he always took care to remember that his honesty might nevertheless affect another man's livelihood. In a way, this sums up perfectly the relationship between vulnerability researchers and software vendors. Except that, barring the few offshore vulnerability research recruiting warehouses, the average vulnerability researcher isn't going public for the money and rarely, if ever, has the effect on a security deficit that a food critic would have on a restaurant in a moderately sized town.
The notion that the discovery of fraud actually "enables fraud" is a terrific sleight of hand. The first fatal flaw is the preliminary assumption that we, "The Good Guys", and they, "The Bad Guys", are categorically different, when in actuality we are inherently the same. This means it is impossible ever to truly discern who we are vs. who they are in order to get the jump start needed to get ahead of the "mal-intents" in the first place. This is why, long ago, the practice of alerting everyone across the board became such a popular option. The result is an almost Pavlovian effect: once a researcher discloses a particular vulnerability on which company XYZ had been stalling for months or sometimes even years, suddenly said company is able to have the needed patch ready by the end of the week. Outcomes such as this have left researchers in a generally mistrusting position, resulting in an even greater divide than ever before.
Knowing that the depths and intricacies of disclosure procedures would likely not be resolved in the middle of the conference room floor during open registration (with our badges still unnecessarily in purgatory), we readily agreed to contact the GM/VP directly should we ever again discover "open redirects"-on-their-front-page-that-enable-fraud, -or-"CSRF"-vulnerabilities-permitting-remote-database-corruption-against-their-registered-attendees,-and-"code-leaks"-secured-by-RSA-Access-Manager-despite-multiple-confirmed-penetration-tests.
We now know of people who, in years past, found exploits on the conference computers only to encounter a similar kind of welcoming committee. This raises the important question: "who is bullying whom?" The popular stance is that the researcher holds all the deliciously malicious power against the large-scale corporation that has timetables to address, resources to allocate, and so on. What appears to be largely overlooked is the true motivation driving disclosure in the first place. Remarkable leaps and bounds are being made daily in the areas of science, social science and history, not unlike the accelerated learning which took place a few hundred centuries before. Leonardo Da Vinci is said to have retained thousands of his erroneously drawn anatomical renderings of animals. Case in point: people learn from mistakes. People learn an even greater deal from observing one another's mistakes. A large part of the enormous success this industry witnesses is in direct correlation with an endless scaffolding of ideas within the industry, thus perfecting any given area to a flawless finite point. Vulnerability research not only spurs this quest for accelerated perfection, it hones it. It goes without saying that the accurate representation of security is a constant imperative in this climate of increasing information migration onto the web.