nCircle VERT Blog: August 2007 Archives

So an interesting question just came up in the office... Is a XSS a local or remote vulnerability. Now before we get into the discussion, let me clarify local and remote for you.

Local Vulnerability: A vulnerability affecting a client, generally you can think of this as falling into two types. Type 1 is physical access required and Type 2 is user interaction required.

Remote Vulnerability: A vulnerability affecting a remotely available service, or something available via that service.

So... Is XSS a local or a remote? I'll tell you that I'm fairly close-minded on this topic, so unless you've got a fairly compelling reason to argue it's a local, I'll most likely disagree. My answer is remote. Why? The XSS exists in a web page. The web page is hosted on a web server and is remotely available. To me that makes sense, I'm not sure that it can really be disagreed with. An argument for XSS being considered a local is that the client is affected... this seems to make sense. You visit a web page and a pop-up containing 'XSS' suddenly shows up but sit down and consider what happens.

- A Web Application is (poorly) developed.
- The Web Application contains a guestbook that allows for XSS in "signatures".
- A Malicious user visits the guestbook. (Page is properly rendered)
- A Malicious user enters <script>alert('pwned by XSS')</script> into the guestbook.
- An unsuspecting user visits the guestbook (Page is properly rendered) and is greated by a 'pwned by XSS' pop-up.

The malicious user has exploited the vulnerability in the webpage. However a secondary exploit has occurred. This exploit results because the trust relationship between the user and the web server has been violated. The JavaScript engine in the users browser processes the JavaScript while rendering the page and the exploitation of the trust relationship then occurs. This however is a secondary impact, following on the initial exploit of the vulnerable web page.

This was actually covered when CVSS v2 was released. I guess even they had issues answering the question initially:

     Proposal 8
     Proposal 8: Direct and Indirect Impact of Exploitation
     Release Date: 6/16/06
     Status: Approved by CVSS SIG

     Our multi-organization scoring comparison effort has revealed that the scoring of vulnerabilities that potentially have an impact on secondary hosts that access exploited servers, such as cross site scripting (XSS) vulnerabilities, is the cause of a large source of CVSS scoring discrepancies between multiple IT security organizations. For example, some analysts score XSS vulnerabilities with respect to the direct impact on the service, and some score them with respect to the indirect impact on an end user of the service.

     In order to make scoring consistent and to focus scoring on the software that is directly vulnerable, the CVSS documentation should be updated to reflect that vulnerabilities should always be scored with respect to the impact on the vulnerable service. For the majority of cases CIA will be scored Confidentiality None, Integrity Partial, and Availability None.

So I'm hoping to spur a discussion here, anyone who feels they have a valid reason to call these local, or wants to discuss whether they are local or remote, or wants to discuss whether or not the impact to the user is the initial impact or a secondary impact.

Today's the day the teddy bears have their picnic... well actually it's MS Tuesday, we've got 9 patches, spanning 14 CVEs. What's interesting this month is that it's almost like it's the month of Social Engineering, reading through each patch, it's all about user interaction this month. There aren't any traditional remotes... no running services or servers are affected, not remotely anyways. Let's start with todays lineup and the I'll talk about some of the ones that interest me the most.

MS07-042: Microsoft XML Core Services Vulnerability (CVE-2007-2223)
MS07-043: Microsoft OLE Automation Memory Corruption Vulnerability (CVE-2007-2224)
MS07-044: Microsoft Excel Workspace Memory Corruption Vulnerability (CVE-2007-3890)
MS07-045: Microsoft Internet Explorer CSS Memory Corruption Vulnerability (CVE-2007-0943)
MS07-045: Microsoft Internet Explorer ActiveX Object Vulnerability (CVE-2007-2216)
MS07-045: Microsoft Internet Explorer ActiveX Object Memory Corruption Vulnerability (CVE-2007-3041)
MS07-046: Microsoft GDI Remote Code Execution Vulnerability (CVE-2007-3034)
MS07-047: Microsoft Windows Media Player Skin Parsing Remote Code Execution Vulnerability (CVE-2007-3037)
MS07-047: Microsoft Windows Media Player Skin Decompression Remote Code Execution Vulnerability (CVE-2007-3035)
MS07-048: Microsoft Windows Vista Feed Headlines Gadget Remote Code Execution Vulnerability (CVE-2007-3033)
MS07-048: Microsoft Windows Vista Contacts Gadget Code Execution Vulnerability (CVE-2007-3032)
MS07-048: Microsoft Windows Vista Weather Gadget Remote Code Execution Vulnerability (CVE-2007-3891)
MS07-049: Microsoft Virtual PC and Virtual Server Heap Overflow Vulnerability (CVE-2007-0948)
MS07-050: Microsoft VML Buffer Overrun Vulnerability (CVE-2007-1749)

If I had to pick three that interest me, I'd go with MS07-042, MS07-048 and MS07-049, so let's take a closer look at them...

MS07-042:

This is interesting for one reason... the number of affected products. Not only are there numerous versions of XML Core Services but the number of products affected is a large list, all versions of Windows, all versions of Office, Sharepoint and Groove. It's a massive list of software that has to be updated.

MS07-048:

This one is the one I find the most interesting. Remote Code Execution via an RSS feed. There was actually an article almost two years ago quoting a researcher at Trend Micro who said that RSS would be the botnets next stomping ground. This vulnerability could be proof of that. Sure it affects Vista which not everyone is running, and further more you have to be running Gadgets with the RSS Widget, however this is evidence of what may be coming in other (read: more popular) RSS readers. When you subscribe to an RSS feed you are implicitly trusting that feed. You are asking your feed reader to gather all new articles that are published via the feed. Essentially you are forming a trust relationship with the feed. This vulnerability takes advantage of that trust relationship, inserting malicious code into something that you are "blindly" trusting. Now generally you are adding "trusted" or at least "partially trusted" sources. The problem is in the compromise of these sources... we're seeing more and more vulnerabilities pop up in Wordpress, Blogger and other popular blogging software. Taking advantage of these vulnerabilities, an attacker could modify the RSS feed to provide the malicious code that would exploit the condition patched by MS07-048. While this vulnerability itself may not be critical, if only due to user base, it is a crystal ball into the future and into what we will be seeing. It's a scaring thought, this isn't like clicking a link in Internet Explorer... this action has been pre-approved. I'm interested to see where this will lead us.

MS07-049:

This affects both Virtual PC and Virtual Server. Let's focus on Virtual Server. More and more we're seeing ads regarding server virtualization. 20:1 and 50:1 consolidations are not unheard of. If this consolidation was performed with Virtual Server, the door is opened to big problems with this vulnerability. Virtualization is trusted and placed in mission critical situtations... large marketing projects from the virtualization companies have seen to that. So you've taken all your mission critical machines... physical hardware, segmented by the fact that they each exist in their own box and placed them into a single box, seperated now by the virtualization software. A request comes in for a 'sandbox' environment for testing, you have room on your Virtual Server, so you throw a new virtual machine in place and provide it to the user. This user, or their software, is malicious... and you've given the user admin because you set them up on a "throw-away" VM. Suddenly this user, or the software, own all the guests on the host, as well as the host itself because of the vulnerability patched by MS07-049. Serious... yes. Dangerous... yes. Does it make us ask questions about the security of virualization... without a doubt. This is a security scenario that many don't consider but, really should be considered and we may see it pop up more and more in the future.