Mailing List Archive

prado_viewstate.nasl - test for PRADO viewstate vulnerability
Hi,

I've written a test for the VIEWSTATE vulnerability reported in the
PRADO Component Framework
(http://www.xisc.com/forum/viewtopic.php?t=1477,
http://secunia.com/advisories/15220/)

The script first of all tries to confirm that the site being checked was
generated by PRADO by looking for the hidden __VIEWSTATE form control. It
then does a POST containing a VIEWSTATE with an invalid HMAC. Patched
Prado versions (2.0.1+) will reject this with a "ViewState data is
corrupted" error, whereas vulnerable versions (which do not use any HMAC
verification) will report an unserialize() error.

Does anybody have any suggestions as to how this script and others like
it could be applied against pages other than the server root, that is to
other pages found while spidering the server?

Any comments are welcome...

Regards,

Hubert Seiwert, Internet Security Specialist
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
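
The check described in the post above, as an added example that is not Hubert's NASL script: a minimal HMAC-sealed viewstate showing why a patched server rejects a tampered VIEWSTATE before unserialising it, plus the response classification the scanner relies on. The secret key, the HMAC-SHA256 construction, the JSON serialisation and the sample responses are assumptions for illustration, not PRADO's own code.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this server-side and private.
SECRET_KEY = b"constructed-demo-key"

def seal_viewstate(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the page state and prepend an HMAC-SHA256 tag (the
    'patched' behaviour; the tag algorithm is an assumption, not PRADO's)."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode()

def open_viewstate(blob: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag in constant time *before* deserialising anything;
    a missing or wrong tag is rejected without touching the payload."""
    raw = base64.b64decode(blob)
    tag, payload = raw[:32], raw[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ViewState data is corrupted")
    return json.loads(payload)

def handle_viewstate(blob: str, key: bytes = SECRET_KEY) -> str:
    """The page's answer to a submitted VIEWSTATE: the state, or the error."""
    try:
        return "ok:" + json.dumps(open_viewstate(blob, key), sort_keys=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return "error:" + str(exc)

def tamper(blob: str) -> str:
    """Flip one bit of the serialised payload to simulate a modified VIEWSTATE."""
    raw = base64.b64decode(blob)
    return base64.b64encode(raw[:-1] + bytes([raw[-1] ^ 1])).decode()

def classify_response(page_html: str, probe_body: str) -> str:
    """The scanner's decision: confirm the page is PRADO-generated via the
    hidden __VIEWSTATE control, then read how the server reacted to a
    VIEWSTATE whose HMAC does not verify."""
    if "__VIEWSTATE" not in page_html:
        return "not-prado"
    if "ViewState data is corrupted" in probe_body:
        return "patched"
    if "unserialize()" in probe_body:
        return "vulnerable"
    return "unknown"
```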

Re: prado_viewstate.nasl - test for PRADO viewstate vulnerability
On Fri May 06 2005 at 19:00, Hubert Seiwert wrote:

> Any comments are welcome...

I did not look at the attack part in detail. Here are comments on the
"style":

> desc["english"] = "Script to detect PRADO 2.0.0 and below VIEWSTATE vulnerability";

Description can span several lines. Usually it includes "Risk" and
"Solution" lines.

> summary["english"] =
> "Tests for improper handling of the VIEWSTATE form
> variable (no HMAC verification) in PRADO 2.0.0 and
> below, which may be exploitable for arbitrary code
> execution";

On the contrary, summary must be on one single line. You have to
switch desc & summary, I guess, and add some comments to desc.

> script_category(ACT_MIXED_ATTACK);

You don't call the safe_check function, so this cannot be "MIXED".
It looks like an ACT_ATTACK, unless there is a risk of killing the
remote service (ACT_DESTRUCTIVE_ATTACK in this case).

> script_require_ports("Services/www", 80);

You also need script_dependencies("httpver.nasl")

> debug_level = 1;

Better:
include('global_settings.inc');

> if (debug_level)display("Found page possibly generated by PRADO\n");

You can use debug_print() instead.

Re: prado_viewstate.nasl - test for PRADO viewstate vulnerability
On May 7, 2005, at 8:34, Michel Arboi wrote:
>> script_require_ports("Services/www", 80);
>
> You also need script_dependencies("httpver.nasl")

You actually want "http_version.nasl", not httpver.nasl.

Re: prado_viewstate.nasl - test for PRADO viewstate vulnerability
Thanks for the feedback. Here's an updated version with all suggested changes.