
Juniper VPN SSL: client-side cross-site scripting

Description

The Juniper VPN SSL system was found to be vulnerable to a client-side (DOM-based) cross-site scripting vulnerability in its bundled help pages.

Impact

Exploitation of this vulnerability may allow hijacking of VPN SSL sessions. This usually involves a social engineering attack in order to convince a logged-in victim to click on an attacker-supplied URL. Therefore such an attack would typically be the result of a targeted attack rather than an opportunistic one.

How to reproduce the issue

The vulnerable HTML was:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN">
<!-- saved from url=(0022)http://www.juniper.net -->
<html><head><title>Secure Access Service End User Guide</title></head>
<script type="text/javascript">
    var fname='main';
    var url = self.location.href;
    var file;
    if(url.indexOf('?') > 0){
        file = url.substring(url.lastIndexOf('?')+1);
    }else{
        file = 'Secure-Access-Service-title.html';
    }
    var frameset = '<frameset rows="90,*">' +
        '<frame name="header" frameborder="0" marginheight="0" ' +
        'marginwidth="0" noresize="1" scrolling="no" ' +
        'src="j_header.html">' +
        '<frameset cols="350,*" id="content">' +
        '<frame name="tocframe" target="main" frameborder="0" ' +
        'marginheight="0" marginwidth="0" scrolling="auto" ' +
        'src="j_primary_toc.html">' +
        '<frame name="main" frameborder="0" marginheight="0" ' +
        'marginwidth="0" id="mainframe" scrolling="auto" ' +
        'src="'+ file + '">' +
        '</frameset></frameset>';
    document.write(frameset);
</script></html>

Since the value of file is written into the page without any validation or filtering, the browser loads whatever follows the ? in the URL as the source of the main frame, including a javascript: URL, which then executes in the origin of the VPN host. Therefore a URL such as the following executes the JavaScript function alert(123) as a demonstration:

https://vpnsystem/dana-cached/help/en/SA-User-Help/help.html?javascript:alert(123)

A more realistic example of exploitation would include leakage of the session cookie (through access to document.cookie within JavaScript) or execution of actions on behalf of the victim's logged-in web browser.
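The root cause is that the query string is treated as a filename without any check. The following is an added example, not the vendor's code or the vendor's eventual fix: it reproduces the original extraction logic beside a hardened version that only accepts a bare .html filename from a restricted character set, so a javascript: URL, a path traversal sequence or an encoded scheme all fall back to the default page. The default filename and the sample URLs are taken from the advisory; the function names are hypothetical.

```javascript
// Added example (not the vendor's code). Hardened replacement for the
// unvalidated `file` extraction in the help page above.

const DEFAULT_FILE = 'Secure-Access-Service-title.html';

// Mirrors the original extraction so the two behaviours can be compared:
// everything after the last '?' is returned verbatim.
function extractFileUnsafe(href) {
  if (href.indexOf('?') > 0) {
    return href.substring(href.lastIndexOf('?') + 1);
  }
  return DEFAULT_FILE;
}

// Allowlist pattern: letters, digits, '-', '_' and internal dots, ending in
// .html. No path separators, no ':' (so no scheme), no '%' (so no encoding),
// no quotes or angle brackets.
const SAFE_NAME = /^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.html$/;

// Hardened extraction: canonicalise, then validate against the allowlist,
// and fall back to the default page on anything unexpected.
function extractFileSafe(href) {
  const q = href.indexOf('?');
  if (q < 0) return DEFAULT_FILE;
  let candidate = href.substring(q + 1);
  // Drop any fragment so "topic.html#section" still resolves to topic.html.
  const hash = candidate.indexOf('#');
  if (hash >= 0) candidate = candidate.substring(0, hash);
  // Decode before checking so "javascript%3A..." cannot slip past the regex.
  try {
    candidate = decodeURIComponent(candidate);
  } catch (e) {
    return DEFAULT_FILE; // malformed percent-encoding
  }
  return SAFE_NAME.test(candidate) ? candidate : DEFAULT_FILE;
}

// Defence in depth: if the value is still interpolated into markup (as the
// original does with document.write) rather than assigned via the DOM API,
// escape it for use inside a double-quoted attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Value that would go into src="..." of the main frame.
function buildMainFrameSrc(href) {
  return escapeAttr(extractFileSafe(href));
}
```

In a real page the frame would preferably be created with document.createElement('frame') and its src set as a property, so no string interpolation into HTML is needed at all; the allowlist check is what matters either way, because the browser will happily navigate a frame to any URL, including javascript:, that it is handed as src.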

Timeline

  • Nov 26, 2012: Vulnerability discovered
  • Dec 19, 2012: Vulnerability report sent to vendor
  • Sep 12, 2013: Vendor fix released

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.