Recently Tim has been working with the software framework “OpenVAS” (“Open Vulnerability Assessment System”). This software is open source, so we spent some evenings looking for bugs in the web frontend, the Greenbone Security Assistant. After some time Sebastian found two bugs and we were able to submit them; they are fixed now.
For everybody who does not know what OpenVAS is: OpenVAS is software for vulnerability management. You can run penetration tests against different IT systems with it and assess the results. It is also used in the Greenbone Security Manager and comes with Kali Linux.
If you take a look at the statistics page, the following AJAX request is sent to the backend:
aggregate_type was not escaped properly, so it was easy to trigger an XSS in the script context. You can simply set aggregate_type=nvt"-alert(document.domain)-" to get this reply:
Sadly you need to know the value of the token parameter. But if guest mode is enabled, as it is in the demo for example, it is possible to use:
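As an added example (not code from the original post or from OpenVAS/GSA), the following reproduces the bug class in miniature: a request parameter written into a JavaScript string literal inside an inline `<script>` without escaping, next to an encoder that makes the embedding safe and a check that tells the two renderings apart. The function names, the markup and the inputs are constructed for this illustration.

```javascript
// Added example, not code from the original post or from OpenVAS/GSA.
// It mimics the bug class: a request parameter (aggregate_type) is written
// into a JavaScript string literal inside <script> without escaping.

// Hypothetical vulnerable rendering: the raw value is concatenated in.
function renderUnsafe(aggregateType) {
  return '<script>var aggregateType = "' + aggregateType + '";</script>';
}

// Encode a value for a JS string literal inside an inline <script>.
// JSON.stringify escapes quotes and backslashes; the extra replacements stop
// the value from closing the <script> element or splitting the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened rendering: same markup, value passed through the encoder.
function renderSafe(aggregateType) {
  return '<script>var aggregateType = ' + jsStringLiteral(aggregateType) + ';</script>';
}

// Defender-side check on rendered output: the script body must be exactly
// one assignment of a single double-quoted literal. A value that closes the
// quote early (as the nvt"-alert(...)-" payload does) leaves trailing code
// and fails; a value containing </script> truncates the body and also fails.
function literalIsIntact(html) {
  if (!html.startsWith('<script>')) return false;
  // The HTML parser ends the script at the first "</script", so take only that.
  const body = html.slice('<script>'.length).split(/<\/script/i)[0];
  const m = body.match(/^var aggregateType = ([\s\S]*);$/);
  if (!m || m[1][0] !== '"') return false;
  const lit = m[1];
  for (let i = 1; i < lit.length; i++) {
    if (lit[i] === '\\') { i++; continue; }          // skip escaped character
    if (lit[i] === '"') return i === lit.length - 1; // closing quote must be last
  }
  return false; // unterminated literal
}

// Constructed inputs: the payload quoted in the post, and a benign value.
const PAYLOAD = 'nvt"-alert(document.domain)-"';
console.log(literalIsIntact(renderUnsafe('nvt')), literalIsIntact(renderUnsafe(PAYLOAD)));
console.log(literalIsIntact(renderSafe(PAYLOAD)));
```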
Another minor bug
The following bug was also fixed with this update. We observed the following strange behaviour:
<a href="//internetwache.org/?r=1&=&token=guest">Login as a guest</a>
All characters of the path in the GET request are reflected into the href attribute. Unfortunately a browser cannot send a
- Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
- Vendor: OpenVAS
- Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)
The communication with Greenbone GmbH was always pleasant, transparent and to the point.
- 07.01.2016: XSS discovered and reported to vendor.
- 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already in progress.
- 08.01.2016, 17:30: Fix ready, QA and testing needed
- 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 2016-01
- 13.01.2016: Update released for OpenVAS: Advisory OVSA 20160113
- 18.01.2016: CVE-2016-1926 assigned by MITRE
The team of internetwache.org