Friday, August 19, 2011 At 12:54PM
Lost amongst the numerous issues patched during this month’s Patch Tuesday was a bug I found in Microsoft’s ReportViewer 2005 Web Controls. While the issue was really just a vanilla XSS, the surprising thing was that it was in a product that has been out for 6 years and hasn’t been found or patched in that time. You mean to tell me nobody’s ever fuzzed that request!? We’re not talking about a complex memory corruption bug here! Anyway, the technical details and a walkthrough of the bug can be found below.
Overview
The Microsoft ReportViewer Controls are freely redistributable controls that enable embedding reports in applications developed using the .NET Framework. A Cross-Site Scripting (XSS) vulnerability was found in the Microsoft.ReportViewer.WebForms.dll library. The XSS vulnerability appears to affect all websites that utilize the affected controls.
Technical Details
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the “TimerMethod” URL parameter value and is assigned to the “andEnsureParam” string variable.
string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");
2) The “andEnsureParam” variable holding the user-controllable input is then interpolated into the “s” string variable, which dynamically builds a JavaScript block. The “s” variable is then passed to response.Write(). Writing the unvalidated data into the JS block creates the XSS exposure.
string s = string.Format(CultureInfo.InvariantCulture, "<html> <body><script type=\"text/javascript\">parent.{0}();</script> </body></html>", new object[] { andEnsureParam }); response.Write(s);
Proof-of-Concept Exploit
This vulnerability can be exploited against websites that have deployed the vulnerable Microsoft.ReportViewer.WebForms.dll library. Note that since the data is written into an existing JavaScript block, the attacker does not need to include any opening or closing tags (e.g., <img>, <script>) to execute code.
Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=
(Note: During testing of this issue, it appeared that a valid ControlID parameter value was needed to exploit it.)
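As an added example (not code from the original post, and not Microsoft's actual fix), the following Python mirrors the string.Format pattern described above, shows the allowlist check that would have closed the hole (TimerMethod is only ever meant to be a JavaScript method name, so a plain-identifier check is enough), and applies the same check to constructed request-log lines so defenders can spot keep-alive requests carrying anything other than an identifier. The log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A JavaScript method name as the keep-alive handler expects it: an identifier with
# no punctuation, so nothing the caller supplies can terminate "parent.{0}();".
JS_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def is_safe_js_identifier(value: str) -> bool:
    """Allowlist check for the TimerMethod value."""
    return bool(value) and len(value) <= 256 and JS_IDENTIFIER.fullmatch(value) is not None


def render_keepalive_vulnerable(timer_method: str) -> str:
    """Mirrors the page's string.Format pattern: raw parameter into the script block."""
    return ('<html> <body><script type="text/javascript">parent.%s();</script> </body></html>'
            % timer_method)


def render_keepalive_hardened(timer_method: str) -> str:
    """Same response, but the parameter is validated before interpolation."""
    if not is_safe_js_identifier(timer_method):
        raise ValueError("TimerMethod must be a plain JavaScript identifier")
    return render_keepalive_vulnerable(timer_method)


def flag_suspicious_requests(log_lines):
    """Return keep-alive requests whose TimerMethod is not a plain identifier (detection use)."""
    flagged = []
    for line in log_lines:
        url = urlsplit(line.split()[1])  # assumed log format: METHOD URL STATUS
        if not url.path.endswith("Reserved.ReportViewerWebControl.axd"):
            continue
        qs = parse_qs(url.query)  # percent-decodes the parameter values
        if qs.get("OpType") != ["SessionKeepAlive"]:
            continue
        if any(not is_safe_js_identifier(v) for v in qs.get("TimerMethod", [])):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not from the original post); the second carries a
# percent-encoded "; ... //" in TimerMethod, which the allowlist rejects.
SAMPLE_LOG = [
    "GET /Reserved.ReportViewerWebControl.axd?OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_Main_ctl00TouchSession0 200",
    "GET /Reserved.ReportViewerWebControl.axd?OpType=SessionKeepAlive&TimerMethod=KeepAlive0%3Balert(document.cookie)%3B%2F%2F 200",
    "GET /Default.aspx 200",
]
```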
Recommendation
Update to the latest versions. For more information please see http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
Author: Adam Bixby