[CVE-2013-2764] Secure Entry Server - URL Redirection
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Secure Entry Server (SES)
# Vendor: United Security Providers Ltd.
# CSNC ID: CSNC-2013-008
# CVE ID: CVE-2013-2764
# Subject: URL Redirection
# Risk: High
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog@csnc.ch>
# Date: 18.12.2013
#
#############################################################
Introduction:
-------------
The USP Secure Entry Server™ protects company networks and business
transactions with internet access as a Web application firewall (WAF)
and manages access to data and applications.
The USP Secure Entry Server™ (SES) offers this protection by scanning
data packages right down to the individual items of content, thus
reliably safeguarding Web applications and all transactions carried out
using them. The SES acts as an x-ray scanner for online transactions; it
identifies data packages infected by viruses and only approves undamaged
or cleaned data packages for use.[1]

Technical Description
---------------------
By default, the USP Secure Entry Server is shipped with option
HSP_AbsoluteRedirects set to off. The consequence is that after a
successful cookie-check, the server replies with a relative instead of
an absolute link. The server does not take into account that browsers
interpret a relative URL starting with a double slash as a reference to
another host (a scheme-relative URL), and not just as a path on the
current server.

1. Initial request

GET //www.hacking-lab.com HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2. Server redirect to the cookie check procedure

HTTP/1.1 302 Found
Date: Wed, 03 Apr 2013 09:23:56 GMT
Server: server
Location: /cookie-check?trg=[long token]
Set-Cookie: SCDID_S=[session id] path=/; Secure; HttpOnly
Content-Length: 290
Content-Type: text/html; charset=iso-8859-1
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="/cookie-check?trg=[long token]">here</a>.</p>
</body></html>

3. As instructed, the browser accesses the cookie check page, proving it
supports cookies:

GET /cookie-check?trg=[long token] HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SCDID_S=[session id]
Connection: keep-alive

4. SES gets the expected request, and redirects the client to the
initially requested page, but without stripping the double-slashes and
without forcing a fully qualified domain name for the redirection:

HTTP/1.1 302 Found
Date: Wed, 03 Apr 2013 09:23:56 GMT
Server: server
Location: //www.hacking-lab.com
Content-Length: 205
Content-Type: text/html; charset=iso-8859-1
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="//www.hacking-lab.com">here</a>.</p>
</body></html>

5. The browser doesn't interpret a redirection to //www.hacking-lab.com
as being http(s)://[victim]//www.hacking-lab.com, but in fact as a
redirection to http(s)://www.hacking-lab.com. This behavior conforms to
the RFC and is well implemented in most current browsers[2]. The client
is therefore redirected to another website by the SES.

Workaround / Fix:
-----------------
Upgrade to the latest available version of SES or ensure option
HSP_AbsoluteRedirects is set to on (as it is by default in the appliance
but not in the software version), as this would insert the FQDN in the
response of the server.

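Added example (not part of the original advisory and not SES code): the
Python sketch below resolves a Location value against the request URL the
way a browser does, models the documented fix of prefixing the server's own
FQDN, and shows a stricter check that refuses anything but a single-slash
local path. The host victim.example stands in for [victim]; the function
names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: "victim.example" stands in for the advisory's [victim] host.
REQUEST_URL = "https://victim.example/cookie-check?trg=TOKEN"


def browser_target(request_url, location):
    """Resolve a Location header value the way a browser does (RFC 3986, section 5)."""
    return urljoin(request_url, location)


def force_fqdn(request_url, path):
    """Model of the documented fix: prefix the server's own scheme and host.

    Hypothetical helper, not SES code. Returns None for non-path targets.
    """
    if not path.startswith("/"):
        return None
    base = urlsplit(request_url)
    return f"{base.scheme}://{base.netloc}{path}"


def strict_local_path(path):
    """Stricter check: accept only a single-slash local path, else None."""
    # Browsers treat "\" like "/" in http(s) URLs and strip control characters,
    # so "/\host" and "/<TAB>/host" can also end up as "//host".
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in path) or "\\" in path:
        return None
    if not path.startswith("/") or path.startswith("//"):
        return None
    return path


if __name__ == "__main__":
    for loc in ["/app/home", "//www.hacking-lab.com", "/\\www.hacking-lab.com"]:
        print(f"{loc!r:28} relative -> {browser_target(REQUEST_URL, loc)}")
        print(f"{'':28} fqdn     -> {force_fqdn(REQUEST_URL, loc)}")
        print(f"{'':28} strict   -> {strict_local_path(loc)}")
```
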
Timeline:
---------
2013-12-18: Coordinated public disclosure date (after 3-month grace period)
2013-09-18: Release of fixed SES Appliance Version 4.7.0 and HSP Software Version 4.5.0
2013-04-26: Initial vendor response
2013-04-23: Initial formal vendor notification based on advisory and CVE-ID
2013-04-07: Assigned CVE-2013-2764
2013-04-03: Discovery of the same issue but with a different customer
2012-09-10: Discussed with a representative of the vendor, who did not consider it a major issue but a customer-related one
2012-09-06: Discovery by Alexandre Herzog

References:
-----------
[1] http://www.united-security-providers.com/en/it-security-solutions/protection-for-web-applications/
[2] http://stackoverflow.com/questions/6785442/browser-support-for-urls-beginning-with-double-slash