The Tales of N4nj0

Oracle GlassFish Server - Reflected Cross-site Scripting

TL;DR

Multiple reflected XSS vulnerabilities were found inside the administration panel of Oracle GlassFish Server.
Full credit goes to security researcher Francesco Giordano (https://linkedin.com/in/0xzeta).

Product Information

The Oracle GlassFish Server product features a search function at logViewer.jsf, a page of the administrative interface. Four parameters of the search function are vulnerable to reflected XSS.

If the user visits the URL constructed by the attacker, then the attacker’s script executes in the user’s browser, in the context of that user’s session with the application. At that point, the script can carry out any action, and retrieve any data, to which the user has access.

We tried to contact the Oracle Security team, but they did not recognize the security issue because the product is end-of-life. I am releasing the full disclosure for a reason I believe in, which is that users have to be informed to make appropriate decisions, especially those who cannot afford an upgrade for several reasons.

It is recommended to update to the latest version.

Vulnerability Details

Reflected Cross-site Scripting (CWE-79)

  • Summary: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the platform administrators.
  • Prerequisites: None.

Step-by-step instructions and PoC

A malicious user can cause an administrator to submit dangerous content to the vulnerable page, which is then reflected back to that administrator and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.

Affected Endpoints:

  • URL: http://localhost:4848/common/logViewer/logViewer.jsf
  • HTTP Parameters:
    • propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AtimeStampProp%3AfromDate
    • propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AtimeStampProp%3AfromTime
    • propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AtimeStampProp%3AtoDate
    • propertyForm%3ApropertyContentPage%3ApropertySheet%3ApropertSectionTextField%3AtimeStampProp%3AtoTIme
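As an added defensive example, not part of the advisory, the script below scans access-log lines for requests to logViewer.jsf whose four date/time parameters carry anything other than a plain date or time value, which is a simple way to spot injection attempts against these fields. The log format and the exact date/time formats the GlassFish UI submits are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The vulnerable fields named in the advisory (decoded form of the %3A-joined ids).
PREFIX = ("propertyForm:propertyContentPage:propertySheet:"
          "propertSectionTextField:timeStampProp:")
WATCHED = {PREFIX + s for s in ("fromDate", "fromTime", "toDate", "toTIme")}

# Allow-list of what a legitimate value looks like. The exact formats the
# GlassFish UI submits are an assumption here: a numeric calendar date and a clock time.
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(:\d{2})?( ?[AaPp][Mm])?$")

# Common Log Format (assumed); only the client IP and the request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def suspicious_params(target):
    """Map watched parameter -> decoded value when the value is not a plain date/time."""
    parts = urlsplit(target)
    if not parts.path.endswith("/common/logViewer/logViewer.jsf"):
        return {}
    hits = {}
    # parse_qs percent-decodes names and values, so %3A becomes ':' and %3C becomes '<'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED:
            continue
        pattern = TIME_RE if name.lower().endswith("time") else DATE_RE
        for v in values:
            if not pattern.match(v.strip()):
                hits[name] = v
    return hits

def scan_log(lines):
    """Return [(client_ip, parameter, decoded_value)] for each flagged request."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value in suspicious_params(m.group("target")).items():
                flagged.append((m.group("ip"), name, value))
    return flagged

# Constructed sample access-log lines (not real traffic): a legitimate search
# followed by a request that carries an HTML tag in the fromDate field.
ENC = PREFIX.replace(":", "%3A")
SAMPLE_LOG = [
    '10.0.0.5 - admin [26/Jan/2021:10:00:01 +0000] "GET /common/logViewer/logViewer.jsf?'
    + ENC + 'fromDate=01%2F26%2F2021&' + ENC + 'fromTime=10%3A00%3A00 HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [26/Jan/2021:10:02:17 +0000] "GET /common/logViewer/logViewer.jsf?'
    + ENC + 'fromDate=%3Cb%3Ex%3C%2Fb%3E&' + ENC + 'toDate=01%2F26%2F2021 HTTP/1.1" 200 5133',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second request, reporting the decoded fromDate value; the same allow-list check is also what server-side validation of these fields should enforce.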

Below is the evidence, with the vulnerability details and the payloads used.

While the administrator user is logged in to GlassFish, visit the page in the payload section.

Execution of the JavaScript payload in the browser context:

[Screenshot: Reflected XSS]

Security Impact

By exploiting this issue, an attacker is able to target administrator users who can access the plugin configuration page in the browser, with several types of direct or indirect impact such as stealing cookies (if the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of reflected XSS does require user interaction.

Timeline

  • 05/10/2020: First disclosure to Oracle Security Alerts Team secalert_us@oracle.com.
  • 05/10/2020: Oracle Security Alerts Team reports that the product is out of support and they no longer provide fixes or security bulletins for this version. Very fast 😱
  • 25/01/2021: After some research on MITRE processes, we’ve communicated to Oracle Security Alerts that we will request the CVE to MITRE using the CNA of Last Resort.
  • 25/01/2021: Oracle Security Alerts Team replies, asking to be informed if a CVE is assigned. Consistently very fast 😱😱
  • 26/01/2021: I am releasing the full disclosure to assist the MITRE analysis.
  • 26/01/2021: Requested the CVE to MITRE using the CNA of Last Resort (CNA-LR). It is the one to use when the vendor does not recognize the issue because of the end-of-life reason.