The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: UNICREDITBANK DOM-Based XSS / File Upload / CSRF
UNICREDITBANK DOM-Based XSS / File Upload / CSRF
TIME-LINE VULNERABILITY
Multiples Advisories but Vendor not response
Not Fixed
Full Disclosure
I. VULNERABILITY
-------------------------
#Title: UNICREDITBANK Cross Site Scripting (& Dom Based) / File Upload / Form without CSRF protection
#Vendor:http://www.unicreditbank.ru/
#Author:Juan Carlos Garca (@secnight)
#Follow me
https://hackingmadrid.blogspot.com
https://habemuscurso.blogspot.com
@secnight
II. DESCRIPTION
-------------------------
niCredit Bank is a Russian bank, operating in Russia since 1989. Ranked 8th by total assets based on H1 2013 results (Interfax-100 ranking), UniCredit Bank is the largest foreign bank in Russia.
UniCredit Bank is fully owned (100%) by UniCredit Bank Austria AG, Vienna, Austria, member of UniCredit.
The Bank benefits from its strong position in the large Russian corporate finance market and sustainable retail banking business.
UniCredit Bank at a glance
It was founded under the name of International Moscow Bank in 1989
105 branches in Russia and 1 Representative office in Belarus
Around 3798 employee
More than 1 298 000 retail customers *
More than 28 250 corporate clients
Ratings: BBB (Fitch), (Standard & Poors)
Total assets: RUR 776.73 billion *
Equity: RUR 121.27 billion *
UniCredit Bank has General Licence for banking operations 1 of Bank of Russia
* As of 30.06.2013, according to consolidated financial statements of ZAO UniCredit Bank prepared in accordance with International Financial Reporting Standards.
III. PROOF OF CONCEPT
-------------------------
Cross site scripting
*********************
Vulnerability description
___________________________
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an
attacker to send malicious code (usually in the form of Javascript) to another user.
Because a browser cannot know if the script should be trusted or not, it will execute
the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects
/rus/about/community/unicolours/frame.wbp. (46)
Attack details
**************
URL encoded GET input galleryId was set to 2_901827'():;955734
The input is reflected inside <script> tag between single quote
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_901827%27%28%29%3a%3b955734&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c
galleryId(15)
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_935171%27%28%29%3a%3b994873&imgFull=/gallery/cats/8/full.jpg&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_985809%27%28%29%3a%3b936300&imgFull=/gallery/cats/9/full.jpg&imgId=0ae7d25c-056b-42d9-8abd-c38523785a81
GET /rus/about/community/unicolours/frame.wbp?galleryId=2_970273%27%28%29%3a%3b940959&imgFull=/gallery/cats/010/full.jpg&imgId=4f2a9956-83cd-498c-aa0e-9d491f2bf827
.
.
.
imageFull(15)
URL encoded GET input imgFull was set to /gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg_997700'():;932188
GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_997700%27%28%29%3a%3b932188&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_925822%27%28%29%3a%3b964844&imgId=09b5e392-a316-4a39-8a17-747273376016
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=%2fgallery%2fmedicine%2fflight-2_tvorchestvo_kak_lekarstvo.jpg%2ffull.jpg_992446%27%28%29%3a%3b941577&imgId=2c1b226d-518e-4877-86e8-d9b57836a7e4
.
.
.
imgId(15)
URL encoded GET input imgId was set to 1819ff22-ea3e-4b80-a8bf-711762ae252c_914453'():;909492
GET /rus/about/community/unicolours/frame.wbp?galleryId=2&imgFull=/gallery/medicine/flight-2_tvorchestvo_kak_lekarstvo.jpg/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_914453%27%28%29%3a%3b909492
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/7/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_956295%27%28%29%3a%3b990851
GET /rus/about/community/unicolours/frame.wbp?galleryId=1&imgFull=/gallery/cats/8/full.jpg&imgId=1819ff22-ea3e-4b80-a8bf-711762ae252c_925541%27%28%29%3a%3b927917
DOM-based Cross-Site Scripting
******************************
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /eng/reg/personal/deposits/index_special.wbp
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/deposits/index_special.wbp
Script code from document.location path part was executed via document.write() or document.writeln() function.
The code was executed in: /rus/reg/moscow/personal/remote_service/mobile_banking/smartphone.wbp
File upload
************
Vulnerability description
___________________________
This page allows visitors to upload files to the server. Various web applications allow users to upload files (such as pictures, images, sounds, ...).
Uploaded files may pose a significant risk if not handled correctly.
A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
This vulnerability affects /rus/career/moscow/form.wbp.
Attack details
______________
Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/career/moscow/form.wbp?ok=true
Form method: POST
Form inputs:
resume [File]
vacancy [Hidden]
location [Hidden]
subject [Hidden]
Form [Hidden]
This vulnerability affects /rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp.
Attack details
Form name: <empty>
Form action: http://www.unicreditbank.ru/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp?ok=true&formclass=debitcards
Form method: POST
Form inputs:
Form [Hidden]
fio [Text]
officeCITY [Select]
city [Radio]
file [File]
SUBJECT [Hidden]
agree [Checkbox]
Confirmation [Text]
HTML form without CSRF protection
*********************************
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website
trusts.
Affected items
__________________
/eng/career/form1.wbp
/eng/feedback.wbp
/eng/index.wbp
/rus/career/form1.wbp
/rus/career/moscow/form.wbp (4bd115b5b2d18b05418cd5215414de73)
/rus/feedback/form_tab_consult.wbp
/rus/feedback/form_tab_quality.wbp
/rus/index.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/arkhangelsk/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/menu_4/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/moscow/banks/finmarket/analytics/form.wbp
/rus/reg/moscow/banks/finmarket/analytics/form_question.wbp
/rus/reg/moscow/corporate/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/corporate/finmarket/analytics/form.wbp
/rus/reg/moscow/corporate/finmarket/analytics/form_question.wbp
/rus/reg/moscow/personal/calc_uni.wbp
/rus/reg/moscow/personal/car/express/calc_new.wbp
/rus/reg/moscow/personal/car/gfauto/form.wbp
/rus/reg/moscow/personal/car/usedauto/calc_used.wbp
/rus/reg/moscow/personal/cardscredit/autocard/form.wbp
/rus/reg/moscow/personal/cardsdebit/post/ruspost_form.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp
/rus/reg/moscow/personal/cardsdebit/visa/r_debet.wbp (65825570bed58511936e2cc0df9d839c)
/rus/reg/moscow/personal/consumer/form.wbp (56f3984593e2b24d64f498660d69a303)
/rus/reg/moscow/personal/consumer/refund/calc.wbp
/rus/reg/moscow/personal/deposits/choise/form.wbp
/rus/reg/moscow/personal/deposits/incomecalc.wbp
/rus/reg/moscow/personal/investments_savings/mutual_fund/form.wbp
/rus/reg/moscow/personal/mortgage/form_new.wbp
/rus/reg/moscow/personal/mortgage/index.wbp
/rus/reg/moscow/personal/mortgage/purpose/form.wbp
/rus/reg/moscow/personal/mortgage/purpose/icalc.wbp
/rus/reg/moscow/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/moscow/private_banking/form.wbp
/rus/reg/moscow/private_banking/mc_worldelite/form.wbp
/rus/reg/moscow/small/factoring/factoringcredit.wbp (ca614aef3245c2f92a7ea16e1ef974bd)
/rus/reg/moscow/small/loans/auto/smbusinesscredit.wbp
/rus/reg/moscow/small/loans/smbusinesscredit.wbp (de98d6510bf3ecab0c54afbe38ff23de)
/rus/reg/moscow/small/package/forbusiness.wbp (00f973dc51d2e6a1ab71991ad9dac9a1)
/rus/reg/moscow/small/payroll/form.wbp
/rus/reg/moscow/small/rko/accounts/form.wbp (6923d688f3615c0326f50458f34e6048)
/rus/reg/moscow/unicredit_primeclub/dolce_vite/events/form.wbp
/rus/reg/moscow/unicredit_primeclub/dolce_vite/feedback.wbp
/rus/reg/moscow/unicredit_primeclub/form.wbp
/rus/reg/moscow/unicredit_primeclub/recepient.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/saint_petersburg/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/saint_petersburg/small/rko/accounts/form.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/sochi/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everyday_archive.wbp
/rus/reg/tyumen/personal/rko/cash/currency_rates/everymonth_archive.wbp
/rus/rss.wbp
/rus/search.wbp (e3a1a6c4fc11fd7517bb1d4cff832bb2)
/rus/subscribe.wbp
The impact of this vulnerability
__________________________________
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the
administrator account, this can compromise the entire web application.
How to fix this vulnerability
_________________________________
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
IV. BUSINESS IMPACT
-------------------------
(...)
V SOLUTION
------------------------
Write Secure Code
VI. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Carlos Garca(@secnight)
VII. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum