Sec-1 Advisory: Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4
Discovery Date : 23/02/2016
Release Date : 12/04/2016
Application : BES12 version 12.4 and earlier
Platform : Windows
CVE : CVE-2016-1917, CVE-2016-1918
Discovered by : Nicodemo Gawronski
Vendor Status : Resolved in the April 2016 Blackberry update, available from http://web.blackberry.com/support/business/bes-support/bes-support-downloads.html
Website : https://www.sec-1.com/blog
References : http://support.blackberry.com/kb/articleDetail?articleNumber=000038118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1918

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS)

Two instances of Reflected Cross-Site-Scripting were discovered in the affected software.
Cross-Site-Scripting (XSS) is a vulnerability that occurs when user-entered data is accepted by the server and returned in a response without proper sanitisation, which allows an attacker to embed a malicious script in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to the malicious request, whereas Stored XSS occurs when the application holds the malicious data for some time before embedding it in a response (for example, storing it in a database and retrieving it at a later date).

Exploit

Two parameters on the “admin/settings/redirect.do” and “admin/user/userDetails.do” pages of the BES12 web server were found to be vulnerable to Reflected Cross-Site Scripting (XSS).
This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user

Example Payload/POC

Steps to reproduce the vulnerability:

  1. Log in to the BES12 Server.
  2. Access the following URLs:
     https://BES12_Server_IP/admin/settings/redirect.do?settingUrl=%22-alert%28document.domain%29-%22

     [Screenshot: Reflected XSS in "/admin/settings/redirect.do"]

     https://BES12_Server_IP/admin/user/userDetails.do?userId=3&backLocation=usergrid”);alert(1);//&suppressLoginWizard=true&gridHandleId=50896ee8-f282-4713-b54d-33f7725099fb

     [Screenshot: Reflected XSS in "/admin/user/userDetails.do"]

These are simplistic payloads that merely display a pop-up message showing that the page is vulnerable; however, a more advanced payload could easily be crafted to perform the actions discussed above.
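Both proof-of-concept values land inside a JavaScript string literal in the page's inline script, which is why a single stray double quote is enough to break out of it. The Python below is an added illustration, not BES12 code: it shows that reflection pattern beside a hardened form that validates the redirect target and encodes it for the JS-string context. The page template, the use of a `target` variable and the `goBack()` function are assumed for the demonstration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs: the two reflected values from the advisory's
# proof-of-concept URLs, URL-decoded.
SETTING_URL_PAYLOAD = '"-alert(document.domain)-"'
BACK_LOCATION_PAYLOAD = 'usergrid");alert(1);//'


def render_vulnerable(param: str) -> str:
    """The defect class the advisory describes: the parameter is pasted straight
    into a JS string literal, so a double quote in it closes the literal early
    and whatever follows is parsed as script."""
    return '<script>var target = "%s"; goBack(target);</script>' % param


def js_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that cannot break out of
    its quotes: json.dumps escapes quotes, backslashes, control characters and
    (with the default ensure_ascii) all non-ASCII, including U+2028/U+2029;
    the extra replacement stops '</script>' from ending the script block."""
    return json.dumps(value).replace('</', '<\\/')


def is_local_path(value: str) -> bool:
    """Redirect targets are also validated: only same-site relative paths are
    accepted, so the value cannot send the browser to another origin either."""
    parts = urlsplit(value)
    return (parts.scheme == '' and parts.netloc == ''
            and value.startswith('/') and not value.startswith('//'))


def render_hardened(param: str, fallback: str = '/admin/') -> str:
    """Validate first, then encode for the exact output context (a JS literal)."""
    target = param if is_local_path(param) else fallback
    return '<script>var target = %s; goBack(target);</script>' % js_literal(target)


if __name__ == '__main__':
    for payload in (SETTING_URL_PAYLOAD, BACK_LOCATION_PAYLOAD):
        print('vulnerable:', render_vulnerable(payload))
        print('hardened:  ', render_hardened(payload))
        print('literal:   ', js_literal(payload))
```

Note that encoding alone (`js_literal`) already keeps the literal intact for both payloads; the allowlist in `is_local_path` is the separate control that stops the same parameter being abused as an open redirect.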

Vendor Response

The vendor has patched the XSS issues in the April 2016 Software Update. Sec-1 would like to thank Blackberry for their prompt and professional response.
