Full Disclosure mailing list archives
Maltego Radium ?XSS?
From: xnite () xnite org
Date: Sat, 6 Jul 2013 02:55:01 +0000
Maltego Radium is a piece of software written in Java which allows you to compile and centralize information gathered on an entity from the web. These datasets can be brought together and graphed out throughout the application. One feature of this application is that you put an alias entity within the graph, and use the pastebin transform on it in order to find all posts on pastebin related to that entity.

On a related note, in October 2012 I found a vulnerability in Internet Explorer 9 and below which allowed a regular plain text file to be executed as HTML. This flaw allowed for one to put malicious code into a Pastebin post and give out the raw link. Anyone who opened the "raw" post in Internet Explorer would be subjected to any and all HTML code within it.

POC Provided: http://pastebin.com/raw.php?i=94zDf9PG

This is my write up on the IE vulnerability: http://xnite.org/2012/10/06/ie-vuln-ie-renders-plain-text-files-as-html

This bug in IE appears to have been fixed as of Internet Explorer 10; however, the issue still exists within applications which use or have used the IE libraries in their work (this is an assumption, as I could not RE the code to find out why the bug exists, but only that it exists in certain configurations). If Maltego is set up to use IE as its default browser, even on a patched IE browser, an XSS exists where if you were to look up my handle (for example), xnite, and move your mouse cursor over my IE POC code, then a message box would pop up on the screen displaying the text created by JavaScript within my POC code from before.

The suggested fix would be to disable Maltego from opening any links that have NOT been clicked; no browsing should be executed simply by highlighting over something. Instead of linking these entities to the raw pastebin post, they should be linked instead to the regular URL for the post.
This has been tested against Maltego Radium v3.3.0, and may exist in versions before and after 3.3.0. The vulnerability has been reported to the Maltego Radium development team.

As a side note: I'm not sure if I should call this an "arbitrary code execution" or "XSS". XSS makes the most sense but lacks sense in that Maltego is not a website but rather an application, yet it executes malicious code fed to it through a web entity. Please feel free to offer a correction on what type of vulnerability this would be. :)

---
R. Whitney - Independent IT Consultant
Phone: (347)674-4835
Postal: PO Box 5984, Bloomington, IL 61702-5984
Other: My Blog (http://xnite.org) / LinkedIn (http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
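The post suggests two defensive changes on the application side: link entities to the regular paste page rather than the raw resource, and never hand fetched "plain text" to a browser component that may sniff it as HTML. The following Python sketch is an added example of that handling; it is not code from the post, from Maltego, or from Pastebin. It assumes the viewer page layout https://pastebin.com/<id>, accepts both the raw.php?i=<id> form shown in the post and a /raw/<id> path form, and uses hypothetical function names; the sample paste body and paste id are constructed, not the PoC content.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample paste body: plain text that happens to contain markup,
# the kind of content a browser component that sniffs text as HTML would
# render and execute. It is not the content of the original PoC paste.
SAMPLE_PASTE = 'xnite was here <script>alert("sniffed")</script> <b>bold</b>'

# Constructed sample raw URL in the form quoted in the post (not the PoC id).
SAMPLE_RAW_URL = "http://pastebin.com/raw.php?i=aB12cD34"

# Constructs a plain-text paste should never need; their presence is worth
# logging before the content reaches any rendering component.
_MARKUP_RE = re.compile(
    r"<\s*(script|iframe|object|embed|img|svg|body|html|meta|link)\b"
    r"|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def to_viewer_url(url: str) -> str:
    """Rewrite a pastebin raw URL to the regular viewer URL for the same paste.

    Handles the raw.php?i=<id> form seen in the post and a /raw/<id> path
    form; any other URL is returned unchanged. The viewer layout
    https://pastebin.com/<id> is an assumption made for this example.
    """
    parts = urlparse(url)
    if parts.netloc.lower() not in ("pastebin.com", "www.pastebin.com"):
        return url
    paste_id = None
    if parts.path == "/raw.php":
        paste_id = parse_qs(parts.query).get("i", [None])[0]
    elif parts.path.startswith("/raw/"):
        paste_id = parts.path[len("/raw/"):].strip("/")
    # Only accept a clean alphanumeric id so nothing else is smuggled into the link.
    if not paste_id or not re.fullmatch(r"[A-Za-z0-9]+", paste_id):
        return url
    return f"https://pastebin.com/{paste_id}"


def looks_like_markup(body: str) -> bool:
    """Heuristic: does a supposedly plain-text body contain HTML or script?"""
    return _MARKUP_RE.search(body) is not None


def render_as_text(body: str) -> str:
    """Wrap fetched text in an HTML document that displays it as inert text.

    Every character that could open a tag or attribute is entity-escaped, so
    an embedded browser shows the paste verbatim instead of executing anything
    in it, whatever it would have sniffed the original bytes as.
    """
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
        "<body><pre>" + html.escape(body, quote=True) + "</pre></body></html>"
    )


def prepare_entity_link(raw_url: str, body: str) -> dict:
    """What a transform should hand to the UI: a viewer link, an inert
    rendering of the body, and a flag for content that deserves a closer look."""
    return {
        "link": to_viewer_url(raw_url),
        "preview_html": render_as_text(body),
        "suspicious": looks_like_markup(body),
    }


if __name__ == "__main__":
    result = prepare_entity_link(SAMPLE_RAW_URL, SAMPLE_PASTE)
    print(result["link"])
    print("suspicious:", result["suspicious"])
    print(result["preview_html"])
```

The escaping step is what removes the dependency on the browser component's sniffing behaviour: the paste is shown, not interpreted. The other half of the post's suggestion, not opening any link until it is actually clicked, is a UI configuration choice rather than something this transform-side code can enforce.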
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/