Mailing List Archive

Web App Sec: (AT&T Corporation) former American Telecommunication & Telegraph Vulnerabilities (Cross-Site Scripting / OWASP Top 10)
_____ .___ _________
/ _ \ | |/ _____/
/ /_\ \| |\_____ \
/ | \ |/ \
\____|__ /___/_______ /
\/ \/ Corporation


Published Report: 27/02/2014


Credits: Advanced Information Security Corporation, USA

Severity: High/Critical (OWASP TOP 10)

Type: Web Application / Cross-Site Scripting .



Author: Nicholas Lemonias. (Information Security Expert)


Affected Domain
================
Domain: www.Att.com <http://www.att.com/> (AT&T Corporation) former

American Telecommunication & Telegraph


Vendor Overview

=========================
AT&T Corp., originally the American Telephone and Telegraph Company, is the
subsidiary of AT&T that provides voice, video, data, and Internet

telecommunications and professional services to
businesses, consumers, and government agencies. During its long history,
AT&T was at times the world's largest telephone company, the world's
largest cable television operator, and a regulated

monopoly. At its peak in the 1950s and 1960s, it employed one million
people and its revenue was roughly $300 billion annually in 2006.
In 2005, AT&T was purchased by Baby Bell SBC Communications for more than

$16 billion ($19.1 billion in present-day terms). SBC then rebranded itself
as AT&T Inc.
Today, AT&T Corporation continues to exist as the long distance subsidiary
of AT&T Inc., and its name occasionally shows up in AT&T press releases.

In 1880 the management of American Bell had created what would become AT&T
Long Lines. The project was the first of its kind to create a nationwide
long-distance network with a
commercially viable cost-structure. The project was formally incorporated

in New York State as a separate company named American Telephone and
Telegraph Company on March 3, 1885.
Starting from New York, its long-distance telephone network reached
Chicago, Illinois, in 1892.



Brief Description
============================
This problem allowed reproduction and execution of third-party
heterogeneous code which defied User -> Vendor trust levels, and
consequently affected user and product confidentiality, integrity and
availability of information (CIA Triad); as outlined by security practises
and in accord to formal

international standards (ISO/IEC 27001), (BS 77999) and (ISO/IEC 27002).


Proof-Of-Concept 1
==================
http://www.Att.com/gen/press-room?cdvn=news&newsfunction=
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%
3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD<
http://www.att.com/gen/press-room?cdvn=news&newsfunction=tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%3d'ccd:Expre%2f**%2fSSion(prompt(91233))'bad%3d'%3e&tier=TS_PROD
>


Description:
The variable 'tagtype' due to character encoding and insufficient data
sanitisation is vulnerable to a reflected cross-site scripting.
The variable is thus changed to
att'sTYLe='att:Expre/**/SSion(prompt(313371))'bad='>



Proof-of-Concept: 2
====================
www.att.com/gen/press-room?cdvn=news&newsfunction=
tagresults&pid=20626&tagname=technology&tagtype=att'sTYLe%
3d'att:Expre%2f**%2fSSion(confirm("xss"))'bad%3d'%3e&tier=TS_PROD

Description: A confirmation window would prompt the user for confidential
information. Defacement of the website could also occur through an 'Image

onload event'
e.g: IMG onload="JavaScript Code".
A malicious user could take advantage of this problem thus to impersonate
authenticated users, and to exploit user's or to execute open
Url/Java Script execution from third-party heterogeneous sources,

or to install untrusted components exploiting inherent O/S and browser
vulnerabilities, and without any prior notification.


Responsible Disclosure Timeline
==========================
[+] 8th of August 2013 - Informed vendor concerning this security
realisation.

[+] 8th of August 2013 - Vendor acknowledgement of the problem.

[+] 11th of August 2013 - Feedback request on remediation procedures.

[+] 9th of December 2013 - Problem remediation process.


[+] 27th of February, 2014 - Public Disclosure.


Recommendations for QoS & Security Compliance
=========================================
The recommendations made to AT&T Corp were therefore:

To consider encrypting the view state of the application. Furthermore to
implement a stronger Cross-Site Scripting protection.


Apparently XSS filtering is not properly applied, and meta-character
filtering allowed data input over the HTTP protocol to inject third-party
untrusted code, in JavaScript, Active-X and Visual Basic Script.
Please note that malicious users could take advantage of such instances, as
we have seen in malware and virus propagation instances - with a severe
impact
to systems of strategic and political importance.


Our consultation to AT&T Corp, has therefore been for a full and urgent
security risk assessment, as benchmarked in (ISO/IEC 27001), (ISO/IEC
27002),
and (ISO/IEC 27005). Furthermore we consulted for the effective
enumeration and revisitation of upper-level security policies.



Dissemination of information is often gathered in the form of a hyperlink,
either through an e-mail message, social networking websites, forums and
other online sources. A malicious user could take advantage of this
vulnerability, for: the
mass exploitation of unsuspected users, through malware and virus
propagation instances.
A malicious user could make use of defects in the encoding methods, so that
propagation is further obfuscated.


Appendices
============================
A. We have consulted AT&T Corp to consider the filtering of meta-characters.
B. To review server-level encoding of < and > to < and > in application
output.
C. Thus it is known, that a Cross- Site Scripting attack could embrace
mass user and product exploitation, theft of confidential information such
as: credit cards, passwords, security tokens and stored accounts.
Furthermore the use and exploitation of Cross-Site Scripting
vulnerabilities were widespread in notable cases of malware
propagation to systems of strategic and political importance
Stuxnet and Duqu.
D. We consulted to AT&T to consider filtering < and > and to make use
of appropriate encoding methods.
where ( and ) are also filtered and encoded to ( and ),
Example cited:
# and & should be converted to &#35 (#) and &#38 (&).

References
============================
OWASP. 2013. Cross Site Scripting (XSS) attacks, [ONLINE]
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), 2011
OWASP. 2013. XSS Filter Evasion Cheat-Sheet, [ONLINE]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet?, 2013.
Microsoft. 2011. Protecting against XSS attacks. [ONLINE] Available at:
http://msdn.microsoft.com/en-us/library/ff649310.aspx.

We would like to thank the vendor for the immediate deployment of best
security practise.

** This vulnerability report is posted for the wider benefit of the
security community, as is and without any warranties, including the
warranty of merchantability and capability fit for a particular purpose.
The information is posted under the FOI as per best security practises.


* Copyright Advanced Information Security Corp , (2014) *