MYPROXY-OAUTH-2013-0002


Summary:

 

In the absence of human intervention, JavaScript code could be injected into a trusted page by a malicious or compromised science gateway.


Component: registration servlet
Vulnerable Versions: all through 1.0.5
Platform: all
Availability: not known to be publicly available
Fix Available: 1.0.6
Status: Verified
Access Required: no special access
Host Type Required: any
Effort Required: variable
Impact/Consequences: high
Fixed Date: 2013-May-09
Credit: Karl Mazurak, Jim Kupsch

Access Required:

no special access

Anyone who can connect to the OAuth portal via the web can attempt to exploit this vulnerability. Successful exploitation may require further social engineering.

Effort Required:

variable

The difficulty of fully exploiting this vulnerability depends on the portal staff. The attacker must also have a means of luring users into attempting OAuth exchanges.

Impact/Consequences:

high

A successful attack can leak a user's MyProxy username and passphrase.

Full Details:

 

MyProxy's OAuth portal includes a registration servlet, intended to be used to supply information about science gateways as prospective OAuth clients. Once a prospective client is submitted, the portal operator must manually approve it via an interface that displays the information entered at registration. Once approved, OAuth allows users to give the science gateway access to their MyProxy credentials without sharing their MyProxy usernames and passphrases.

Submitting the registration form requires only a valid RSA public key; none of the other information is validated in any way. During the OAuth process, some of this information—the gateway name and home page—is displayed on the login page hosted by the OAuth portal. No sanitization is performed prior to including this information in the page.

Because of this, a malicious submitter could inject arbitrary HTML code into the login page. This code could include JavaScript, which might rewrite the login page in arbitrary ways, potentially stealing a user's MyProxy username and passphrase. The following, entered after the gateway name, demonstrates this:

<script>window.onload=function(){a=document.getElementsByTagName('input');a[2].onclick=function(){alert('Leak '+a[0].value+':'+a[1].value)}}</script>

It could also attack any page that shares a JavaScript origin—essentially the protocol specifier and domain name portion of the URL—with the login page.

Before this can happen, the malicious registration information must be approved by a human operator. It is likely but not guaranteed that the human operator would deny this request; even the most obfuscated embedded JavaScript will not look like a name or simple URL. A less astute operator may overlook this, however, and, since the registration form also provides the email address to be used for communication about this science gateway, the attacker could apply social engineering pressure to further their ends.

Once the malicious registration entry is approved, the attacker will need to get users to the OAuth portal's login page in an exchange with the gateway the attacker registered. If the attacker is a malicious employee of a legitimate institution this may require no effort; if not, the attacker might resort to, e.g., phishing techniques.

Cause:

lack of input validation/sanitization

Aside from the validity of the public key, no checking is performed on the values provided at registration. These unchecked values are subsequently inserted into a web page.

Proposed Fix:

 

The registration servlet should ensure the validity of all of its fields: the email address should be formatted correctly and the home and error pages should be HTTP or HTTPS URLs. Further, any information included in a web page should always be properly escaped, with special characters &-encoded and non-standard characters in URLs %-encoded. These operations should be done with well-tested libraries to ensure they are performed correctly.
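The following is an added illustration of the proposed fix, not code from the MyProxy OAuth Portal itself. It is written in Python rather than the portal's servlet code, and the field names (gateway_name, email, home_page, error_page), the e-mail regular expression and the login-page markup are assumptions chosen for the example. It shows the two halves of the fix side by side: validating the registration fields (e-mail syntax, home and error pages restricted to http/https URLs) and escaping the values before they reach the login page, using the standard library's html and urllib.parse modules as the "well-tested libraries". The unsafe renderer reproduces the pattern the advisory describes so the difference is visible on the advisory's own script payload.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Constructed sample input: the gateway-name payload quoted in this advisory.
SCRIPT_PAYLOAD = (
    "<script>window.onload=function(){a=document.getElementsByTagName('input');"
    "a[2].onclick=function(){alert('Leak '+a[0].value+':'+a[1].value)}}</script>"
)

# Minimal e-mail syntax check (assumption: production code would use a
# stricter validator; the point is that the field is checked at all).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_registration(fields):
    """Return a list of error strings; an empty list means the submission is acceptable.

    fields is a dict with the hypothetical keys gateway_name, email,
    home_page and error_page.
    """
    errors = []
    if not fields.get("gateway_name", "").strip():
        errors.append("gateway_name must not be empty")
    if not _EMAIL_RE.match(fields.get("email", "")):
        errors.append("email is not a valid address")
    for key in ("home_page", "error_page"):
        parts = urlsplit(fields.get(key, ""))
        # Rejects javascript:, data:, ftp: and scheme-less values alike.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append(f"{key} must be an http or https URL")
    return errors


def render_login_page_unsafe(gateway_name, home_page):
    """The pattern the advisory describes: registration values inserted verbatim."""
    return (f'<p>Log in to grant <a href="{home_page}">{gateway_name}</a> '
            f"access to your MyProxy credentials.</p>")


def render_login_page(gateway_name, home_page):
    """Hardened rendering: &-encode text, %-encode then &-encode the URL."""
    safe_name = html.escape(gateway_name, quote=True)
    # Percent-encode everything outside the RFC 3986 reserved/unreserved set
    # (quotes, spaces, angle brackets, non-ASCII), then escape for the attribute.
    reserved = ":/?#[]@!$&'()*+,;=%"
    safe_url = html.escape(quote(home_page, safe=reserved), quote=True)
    return (f'<p>Log in to grant <a href="{safe_url}">{safe_name}</a> '
            f"access to your MyProxy credentials.</p>")


if __name__ == "__main__":
    submission = {
        "gateway_name": "Gateway" + SCRIPT_PAYLOAD,
        "email": "ops@example.org",
        "home_page": 'https://gateway.example.org/"><img src=x>',
        "error_page": "https://gateway.example.org/error",
    }
    print("validation errors:", validate_registration(submission))
    print("unsafe:", render_login_page_unsafe(submission["gateway_name"], submission["home_page"]))
    print("safe:  ", render_login_page(submission["gateway_name"], submission["home_page"]))
```

Validation alone is not sufficient: the sample submission above passes every field check because the script is hidden in the free-form name, so output escaping is what actually neutralises it. Conversely, escaping alone would still allow a javascript: home page to be approved, which is why both halves of the fix are needed.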

Actual Fix:

 

The MyProxy OAuth Portal team implemented validity checking in the registration servlet.

Acknowledgment:

 

This research was funded in part by Department of Homeland Security grant FA8750-10-2-0030 (funded through AFRL), National Science Foundation grant OCI-1127210, and NATO grant ICS.MD.CLG 984138.