Hyperic HQ Multiple XSS

Advisory ID Internal

CORE-2009-0812

1. Advisory Information

Title: Hyperic HQ Multiple XSS
Advisory Id: CORE-2009-0812
Date published: 2009-10-02
Date of last update: 2009-11-23
Vendors contacted: SpringSource
Release mode: Coordinated release

2. Vulnerability Information

Class: Cross site scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2009-2897, CVE-2009-2898

3. Vulnerability Description

Hyperic HQ [1] is an open source monitoring software designed to manage web applications and infrastructure. It auto-discovers system resources (including hardware, operating systems and databases), and is able to monitor hosts and services.

Multiple cross-site scripting vulnerabilities (both stored and reflected) have been found in the web interface of Hyperic HQ, which can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate logged in user.

4. Vulnerable packages

Hyperic HQ 3.2
Hyperic HQ 4.0
Hyperic HQ 4.1
Hyperic HQ 4.2-beta1
Earlier (unsupported) versions may also be affected.

5. Non-vulnerable packages

Hyperic HQ 4.2-beta2 or later

6. Vendor Information, Solutions and Workarounds

6.1. Mitigation

Users of Hyperic HQ 3.2.6 should apply the 3.2.6.1 patch.
Users of Hyperic HQ 4.0 should upgrade to 4.0.3 and then apply the 4.0.3.1 patch.
Users of Hyperic HQ 4.1 should upgrade to 4.1.2 and then apply the 4.1.2.1 patch.
Users of Hyperic HQ 4.2-beta1 users should upgrade to 4.2-beta2 or later.

6.2. Applying the security patches

The security patches may be applied by following these steps:

If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you must upgrade to one of these versions.
Download the zip file containing the appropriate patch for your version.
Stop the Hypric HQ server.
Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a safe location outside of the Hyperic HQ installation.
Copy the original hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to a safe location outside of the Hyperic HQ installation.
Extract the hq.jar and hq_jsp.jar files from the zip file.
Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar file you extracted in step 6.
Replace hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar with the hq_jsp.jar file you extracted in step 6.
Start the Hyperic HQ server.

Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898.

7. Credits

The XSS vulnerabilities were first reported to SpringSource by Aaron Kulick of CBS Interactive. All vulnerabilities were independently discovered and researched by Gastón Rey and Pablo Carballo from Core Security during Bugweek 2009 [2].

8. Technical Description / Proof of Concept Code

8.1. Introduction

8.2. Reflected XSS Vulnerability (CVE-2009-2897)

A reflected cross-site scripting vulnerability was found in the generic exception handler of Hyperic, located in hq/web/common/GenericError.jsp. When there is an uncatched exception in Hyperic, this generic exception handler is invoked. It shows a stack trace, including the data that caused the error without sanitizing it, leading to a reflected XSS. This is the vulnerable code:

hq/web/common/GenericError.jsp: ... <c:if test="${not empty exception}"> <div id="exception" style="visibility:hidden"> <%=StringUtil.getStackTrace(exception)%> </div> <c:if test="${not empty root}"> <div id="root" style="visibility:hidden"> <%=StringUtil.getStackTrace(root)%> </div> </c:if> </c:if> ...

This XSS can be triggered by sending invalid data for numeric parameters in several .do pages, causing the webapp to raise a java.lang.NumberFormatException exception; this way, GenericError.jsp will be called and it will print the data that caused the exception without escaping HTML characters, leading to the XSS vulnerability.

The following .do pages are affected, among others:

http://<hyperic-server>:7080/mastheadAttach.do?typeId=<script>alert(document.cookie)</script> http://<hyperic-server>:7080/Resource.do?eid=<script>alert(document.cookie)</script> http://<hyperic-server>:7080/admin/user/UserAdmin.do?mode=view&u=<script>alert(document.cookie)</script>

8.3. Stored XSS Vulnerability (CVE-2009-2898)

A stored cross-site scripting vulnerability was found in the Alerts list of Hyperic HQ. An authenticated Hyperic user can create an alert with JavaScript code in the Description field. When a user visits the Alerts list, the Description field of every alert is displayed without properly escaping especial HTML characters, thus leading to a persistent XSS.

As a proof of concept, create a new alert and insert the following JavaScript code in the Description field:

<script>alert(document.cookie)</script>

Afterwards, when a Hyperic user visits the Alerts list, the JavaScript code embedded into the Description of the malicious alert will be executed:

http://<hyperic-server>:7080/alerts/Config.do?mode=list&rid=10001&type=3

8.4. Remarks

The Hyperic HQ web interface includes a console that allows administrators to run Groovy code directly in the Hyperic server [3]. That code is executed in the same process as the Hyperic server. So, by exploiting any of these XSS vulnerabilities to steal an administrator cookie, and by running arbitrary Groovy code through the web console, it seems not only possible to compromise the web application, but also to fully compromise the machine where Hyperic is running.

9. Report Timeline

2009-09-01: Core Security notifies the Hyperic team of the vulnerability.
2009-09-02: The Hyperic team asks Core for a technical description of the vulnerability.
2009-09-03: Core sends a draft security advisory with technical details and PoC and announces its initial plan to publish the advisory on September 22nd, 2009.
2009-09-04: Hyperic team acknowledges notification and announces the investigation about the reported issue started.
2009-09-16: Core requests information about the nature of the fix and an estimated date of fix available. Core awaits updated information.
2009-09-16: Hyperic team notifies the investigation about the reported issues is still in progress, the issues have been evaluated and Hyperic team agrees that they are security vulnerabilities. The Hyperic team notifies the proposed release date (2009-09-22) will probably be too soon and it may require some adjust.
2009-09-18: Hyperic team confirms that the issues are present in versions 4.0, 4.1 and the soon to be released 4.2. Hyperic team also notifies the fixes for all affected version will be available near mid-October [3].
2009-09-21: The Hyperic team informs they have unintentionally disclosed some information relating to these vulnerabilities in the associated commit messages for the fixes. As a result of this, Hyperic team is adjusting its release plan and intend to release patches for 4.1, 4.0 as soon as possible.
2009-09-21: A technical report about these vulnerabilities was sent by Hyperic team.
2009-09-21: Core agrees to wait Hyperic team for patches and fixes, and the advisory publication is re-scheduled for the beginning of October. In spite of that, Core also notifies that if at any prior moment it is detected that the bug is being exploited in the wild, Core will publish the advisory immediately as 'user release'.
2009-10-01: Core requests information about of the fix and asks if all affected version will be patched and available near mid-October (as planned by Hyperic team).
2009-10-02: The Hyperic team notifies they are ready to make the release announcement, including the vulnerability announcement.
2009-10-02: Core asks the Hyperic team for additional information, the patched version numbers and possible workarounds.
2009-10-02: A complete report about the requested information was sent by Hyperic team.
2009-10-02: The advisory CORE-2009-0812 is published.
2009-10-05: Aaron Kulick of CBS Interactive indicating that the bugs were reported by him to Hyperic on 6/9/2009
2009-11-12: Core team offers Aaron Kulick to add his name to the Credit section of the advisory
2009-11-13: Aaron Kulick accepts to be credited in the advisory
2009-11-23: Advisory updated to reflect original discoverer in the Credits section

10. References

[1] http://www.hyperic.com/.
[2] The authors participated in Core Bugweek 2009 as members of the team "Estúpido y Sensual Flanders".
[3] http://sourceforge.net/projects/hyperic-hq/files/.

11. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.

12. About Core Security

Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. www.coresecurity.com

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.