Bugtraq mailing list archives

Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls


From: info () gdssecurity com
Date: Mon, 22 Aug 2011 14:53:12 GMT

==================================================
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls 
Adam Bixby - Gotham Digital Science (labs () gdssecurity com) 
Public Release Date: 8/9/2011
Confirmed Affected Software:  Microsoft Report Viewer Redistributable 2005 SP1 and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 - http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976

==================================================
1. Summary
==================================================
The Microsoft ReportViewer Controls are freely redistributable controls that enable embedding reports in applications 
developed using the .NET Framework.  A Cross-Site Scripting (XSS) vulnerability was found in 
Microsoft.ReportViewer.WebForms.dll.  The XSS vulnerability appears to affect all websites that use the affected 
controls.

==================================================
2. Technical Details
==================================================
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the SessionKeepAliveOperation class)
1) User controllable data enters via the "TimerMethod" URL parameter value and is assigned to the "andEnsureParam" 
string variable.

string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, "TimerMethod");

2) The "andEnsureParam" variable holding the user-controllable input is then interpolated into the "s" string variable, 
which dynamically builds a JavaScript block.  The "s" variable is then passed to response.Write().  Writing the 
unvalidated data into the JS block creates the XSS exposure.

string s = string.Format(CultureInfo.InvariantCulture, "<html><body><script type=\"text/javascript\">parent.{0}();</script></body></html>", new object[] { andEnsureParam });
response.Write(s);

==================================================
3. Proof-of-Concept Exploit
==================================================
This vulnerability can be exploited against websites that have deployed the vulnerable 
Microsoft.ReportViewer.WebForms.dll.  Note that since the data is written into an existing JavaScript block, the 
attacker does not need to include any opening or closing tags (e.g., <img>, <script>) to execute code.

Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=

(Note: During testing of this issue, it appeared as though a valid ControlID parameter value was needed to exploit this 
issue.)
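The following is an added example, not part of the advisory or of Microsoft's code, illustrating both the fix implied by section 2 and a detection for the request shape shown in section 3. Because TimerMethod is interpolated into "parent.{0}();", the only safe values are bare JavaScript identifiers, so an allow-list check is the appropriate server-side validation; the same check, run over IIS W3C log lines (the sample lines, client IDs and IP addresses below are constructed), flags SessionKeepAlive requests carrying a non-identifier TimerMethod.

```python
import re
from urllib.parse import unquote_plus

# TimerMethod ends up inside "parent.{0}();", so anything other than a plain
# JavaScript identifier (the ReportViewer's generated method name) is unsafe.
_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def is_safe_timer_method(value: str) -> bool:
    """Allow-list check a patched handler would apply before string.Format()."""
    return bool(_IDENTIFIER.match(value))


def _parse_query(query: str) -> dict:
    """Split a raw cs-uri-query into {name: [values]} without relying on
    parse_qs's version-dependent handling of ';' as a separator."""
    params = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def find_suspicious_requests(log_lines):
    """Return (line_no, timer_method) for SessionKeepAlive requests to the
    ReportViewer handler whose TimerMethod is not a bare identifier.
    Expects W3C-style lines: '<date> <time> <ip> <method> <uri-stem> <uri-query> <status>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        stem, query = parts[4], parts[5]
        if not stem.lower().endswith("reserved.reportviewerwebcontrol.axd"):
            continue
        params = _parse_query(query)
        if params.get("OpType", [""])[0] != "SessionKeepAlive":
            continue
        for tm in params.get("TimerMethod", []):
            if not is_safe_timer_method(tm):
                hits.append((n, tm))
    return hits


# Constructed sample log lines (not taken from the advisory); line 2 carries the
# advisory's payload shape, line 1 is a benign keep-alive, line 3 is unrelated.
SAMPLE_LOG = [
    "2011-08-22 14:53:12 10.0.0.5 GET /Reserved.ReportViewerWebControl.axd Mode=true&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_ReportViewer1TouchSession0 200",
    "2011-08-22 14:53:20 10.0.0.9 GET /Reserved.ReportViewerWebControl.axd Mode=true&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00TouchSession0;alert(document.cookie);// 200",
    "2011-08-22 14:53:25 10.0.0.9 GET /Default.aspx - 200",
]
```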

==================================================
4. Recommendation
==================================================
Update to the latest versions.  For more information please see 
http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx

==================================================
5. About Gotham Digital Science
==================================================
Gotham Digital Science (GDS) is an information security consulting firm that works with clients to identify, prevent, 
and manage security risks. For more information on GDS, please contact info () gdssecurity com or visit 
http://www.gdssecurity.com.

