SecureAuth Version 9.3

ADVISORY SUMMARY

One low-risk vulnerability was discovered within the SecureAuth IdP v9.3 application. This vulnerability could allow malicious high-privilege users to modify usernames to contain an Angular template payload that could potentially be used to steal credentials during the authentication process.

Impact

The SecureAuth application was affected by a client-side template injection vulnerability that can lead to cross-site scripting (XSS) attacks.

Risk Level

Low

Affected Vendor

Product Vendor: SecureAuth
Product Name: SecureAuth
Affected Version: 9.3

Product Description

SecureAuth is an enterprise identity and access-management service. The project’s official website is https://www.secureauth.com/. The latest version of the application is 9.3.0-17, released on June 5, 2020.

Vulnerabilities List:

One vulnerability was identified within the SecureAuth application:

CLIENT-SIDE TEMPLATE INJECTION

Solution

Update to version 9.3.0-17.

This vulnerability is described in the following sections.

VULNERABILITY

Client-Side Template Injection

CVE ID: CVE-2020-9437
Security Risk: Low
Impact: Cross-site scripting
Access Vector: Remote


The /SecureAuth.aspx endpoint's rendering of user-controlled username and email values is vulnerable to AngularJS client-side template injection. XSS payloads contained in the username or email can be executed during the authentication process.

The following AngularJS expression was used to execute a proof-of-concept JavaScript payload:

b@{{constructor.constructor('alert(window.location)')()}}.o


Figure 1 – Email-formatted username containing JavaScript payload

The username containing the payload was used to log in, as shown in the request below:

POST /[REDACTED]/SecureAuth.aspx?client_id=[REDACTED]
…omitted for brevity…
&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_txtUserid=b%40%7B%7Bconstructor.constructor%28%27alert%28window.location%29%27%29%28%29%7D%7D.o&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24ContentPlaceHolder1_MFALoginControl1_UserIDView_btnSubmit=Submit


Figure 2 – SecureAuth login request

After submitting the request, the payload executed on the page, as shown below:

Figure 3 – JavaScript alerting window.location

The payload triggered as an error during the sign-in process, resulting in self-XSS. Alternatively, an attacker able to change the email address of another user, such as a malicious administrator, could use this attack to perform XSS against users during authentication.
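
A defensive check for the issue described above, as an added example that is not part of the original advisory or of SecureAuth's code: it decodes the login body from Figure 2 (omitted fields dropped), flags fields carrying an AngularJS expression, and shows that HTML encoding alone leaves the expression intact. The function names, the input policy, and the use of the default `{{ }}` delimiters are assumptions.

```javascript
'use strict';

// Constructed sample: the two form fields visible in Figure 2; the fields the
// advisory omitted for brevity are left out.
const SAMPLE_BODY =
  'ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24' +
  'ContentPlaceHolder1_MFALoginControl1_UserIDView_txtUserid=' +
  'b%40%7B%7Bconstructor.constructor%28%27alert%28window.location%29%27%29%28%29%7D%7D.o' +
  '&ctl00%24ContentPlaceHolder1%24MFALoginControl1%24UserIDView%24ctl00%24' +
  'ContentPlaceHolder1_MFALoginControl1_UserIDView_btnSubmit=Submit';

// Default AngularJS interpolation delimiters (assumption: the application has
// not changed them through $interpolateProvider).
const NG_EXPRESSION = /\{\{[\s\S]*?\}\}/;

// Returns the names of form fields whose decoded value carries an AngularJS
// expression. URLSearchParams performs the form-urlencoded decoding.
function fieldsWithNgExpression(formBody) {
  const hits = [];
  for (const [name, value] of new URLSearchParams(formBody)) {
    if (NG_EXPRESSION.test(value)) hits.push(name);
  }
  return hits;
}

// Ordinary HTML output encoding. Braces are not HTML metacharacters, so an
// AngularJS expression survives this step and is still evaluated when
// AngularJS compiles the page.
function htmlEncode(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hypothetical input policy for usernames and emails: refuse either delimiter.
function isSafeIdentityValue(value) {
  return !value.includes('{{') && !value.includes('}}');
}

// Hypothetical output helper: HTML-encode, then wrap the value in an element
// marked ng-non-bindable so AngularJS does not compile its contents.
function renderInert(value) {
  return `<span ng-non-bindable>${htmlEncode(value)}</span>`;
}
```
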

Credits

Chris Davis, Consultant, Bishop Fox (cdavis@bishopfox.com)
Robert Punnett, Senior Consultant, Bishop Fox (rpunnett@bishopfox.com)

Timeline

  1. Initial discovery: 02/20/2020
  2. Contact with vendor: 02/24/2020
  3. Vendor acknowledged vulnerabilities: 02/24/2020
  4. Vendor released patched version 9.3.0-17: 06/05/2020
  5. Vulnerability publicly disclosed: 06/19/2020