CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability

disavow-links-featured

 

CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability

 

Exploit Title: OpenX Dest Redirect Privilege Escalation Web Security Vulnerability

Product: OpenX

Vendor: OpenX

Vulnerable Versions: 2.8.10 and probably prior

Tested Version: 2.8.10

Advisory Publication: October 06, 2014

Latest Update: October 11, 2014

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

OpenX

 

Product & Vulnerable Versions:

OpenX

2.8.10

 

Vendor URL & Download:

Product can be obtained from here,

http://openx.com/

 

Product Introduction Overview:

OpenX is a real time advertising technology company. The company has developed an integrated technology platform that combines ad server and a real time bidding (RTB) exchange with yield optimization for advertising and digital media companies. OpenX’s Ad Exchange is not only one of the world’s largest programmatic digital advertising exchanges. It’s the best performing marketplace with the highest-quality, independently-rated inventory. Building it was no small feat, and we were only able to do it because we understand that publishers’ primary goal with advertising is to optimize monetization. That means maximizing revenue and control, and our solution helps you do both. The first step in any high-performance marketplace is creating demand. Our real time auctions give you maximum exposure to demand sources. All of the largest DSPs, networks and agency trading desks, plus the top advertisers, already purchase inventory on OpenX’s Ad Exchange. We connect you to a broad and deep selection of buyers, and you choose which ones can bid and which impressions they can win. Once you have interested buyers, you want to be able to showcase your inventory and command the best price. Our Ad Exchange supports a variety of formats and screens, letting you easily make all of your inventory available on one platform. We also make it easy for you to extract the full value out of each impression. You can set price floors and employ whitelist and blacklist features to avoid channel conflict and potential dilution of relationships with advertisers who buy direct. Furthermore, you can utilize our technology to manage your premium inventory through direct relationships with advertisers by leveraging preferred deals and private auctions.

According to Pixelate, OpenX Marketplace has the highest quality ad inventory in 2015, beating Google’s ad marketplace (Google Adx). OpenX integrations are widely distributed / long tail and currently sees the second most impressions on the internet, after Google. It’s new traffic quality platform for viewability and fraud detection technology has ability to leverage this position by seeing impressions earlier than existing ad verification / pre-bid solutions used by DSP and agency trading desks. (a) OpenX was ranked the 3rd fastest growing software company in North America with 44,075% growth in revenues from 2008 – 2012 by Deloitte’s Technology Fast 500. (b) According to a report from LeadLedger.com, OpenX has the second largest publisher adserver install base behind Google in 2013. (c) OpenX’s current products include the OpenX Exchange, Ad Server, and SSP (supply side platform) with Demand Fusion. (d) 96% of top 100 brand advertisers and 58% of comScore 100 publishers work with OpenX, conducting 250 billion monthly transactions with 12 billion daily bids from buyers. All major demand side platforms (DSP) including Rocketfuel, Criteo, Turn, MediaMath, Invite Media and Appnexus buy from OpenX ad exchange.

 

 

 

(2) Vulnerability Details:

OpenX web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (Open Redirect or URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. OpenX has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

Source code of adclick.php:

$destination = MAX_querystringGetDestinationUrl($adId[0]);

MAX_redirect($destination);

 

The “MAX_redirect” function is bellow,

function MAX_redirect($url)

{

if (!preg_match(‘/^(?:javascript|data):/i’, $url)) {

header(‘Location: ‘.$url);

MAX_sendStatusCode(302);

}

 

The header() function sends a raw HTTP header to a client without any checking of the “$dest” parameter at all.

 

 

 

(1) For “adclick.php”, the code programming flaw occurs with “&dest” parameter.

 

 

(2) For “ck.php”, it uses “adclick.php” file. the code programming flaw occurs with “_maxdest” parameter.

 

 

 

 

 

(3) Solutions:

2014-10-12 Public disclosure with self-written patch.

 

 

 

 

References:

https://webtechwire.wordpress.com/2014/12/09/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://tetraph.com/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

http://tetraph.blogspot.com/2014/10/cve-2014-2230-openx-dest-redirect.html

http://tetraph.blog.163.com/blog/static/23460305120141011328886/

http://www.inzeed.com/kaleidoscope/open-redirect/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://diebiyi.com/articles/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

https://hackertopic.wordpress.com/2014/12/12/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

https://www.facebook.com/essaybeans/posts/479120835562721

http://ithut.tumblr.com/post/104660020768/whitehatview-cve-2014-2230-openx-dest-redirect

 

 

 

 

Facebook, Google Users Threatened by New Security Flaw, Covert Redirect

images18

 

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed “Covert Redirect” by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

 

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

 

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw’s finder, Mathematics Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

 

Wang believes it’s unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

 

“The vulnerability is usually due to the existing weakness in the third-party websites,” Wang writes on his own blog. “However, they have little incentive to fix the problem.”

 

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

 

Normal phishing attempts can be easy to spot, because the malicious page’s URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

 

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

 

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

 

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

 

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

 

Wang told CNET Facebook had told him it “understood the risks associated with OAuth 2.0” but that fixing the flaw would be “something that can’t be accomplished in the short term.” Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

 

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there’s no company or dedicated team that could devote itself to fixing the issue.

 

 

Where does that leave things?

“Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service,” Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

 

“It’s not easy to fix, and any effective remedies would negatively impact the user experience,” Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. “Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

 

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

 

If you think someone has gained access to one of your online accounts, notify the service and change that account’s password immediately.

 

 

 

 

 

Related Articles:

http://www.tomsguide.com/us/facebook-google-covert-redirect-flaw,news-18726.html

http://www.scmagazine.com/covert-redirect-vulnerability-impacts-oauth-20-openid/article/345407/

http://news.yahoo.com/facebook-google-users-threatened-security-192547549.html

http://thehackernews.com/2014/05/nasty-covert-redirect-vulnerability.html

http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

http://whitehatview.tumblr.com/post/120695795041

http://russiapost.blogspot.ru/2015/05/openid-oauth-20.html

http://www.diebiyi.com/articles/security/covert-redirect/covert_redirect/

https://itswift.wordpress.com/2014/05/06/microsoft-google-facebook-attacked/

http://tetraph.blog.163.com/blog/static/2346030512015420103814617/

http://itsecurity.lofter.com/post/1cfbf9e7_72e2dbe

http://ithut.tumblr.com/post/119493304233/securitypost-une-faille-dans-lintegration

http://japanbroad.blogspot.jp/2015/05/oauthopenid-facebook.html

http://webtech.lofter.com/post/1cd3e0d3_6f0f291

https://webtechwire.wordpress.com/2014/05/11/covert-redirect-attack-worldwide/

http://whitehatview.tumblr.com/post/119489968576/securitypost-sicherheitslucke-in-oauth-2-0-und

http://www.inzeed.com/kaleidoscope/computer-security/facebook-google-attack/