User privilege escalation exploit.
Vendor: CyberSource
Version: Business Center, Essentials/Small
Business, https://businesscenter.cybersource.com/
Severity: Vulnerability allows malicious employees or comprimised accounts to
steal money.
Vendor Status: Notified, but expects to fix issue some time in 2006.
Overview: Business Center is the web application used by merchants to
authorize, capture, and refund
Credit Card transactions. This application has the ability for merchants to
define user accounts
that are given limited privileges on what operations they can perform on a
transaction.
There does not appear to be validation on user-controlled input as found by the
two ways to
bypass user privilege restrictions.
Unfortunately it was found that through simple URL manipulation it is possible
to bypass these security
restrictions to allow a user to create new transactions and search for and view
previous transactions.
The latter would allow an untrusted user to view customer information.
Issuing new Credit transactions and capturing (moving customer money to
merchant account) can be done
by creating a local copy of web pages from the site and modifying the HTML
<form> submission target and content. A user then
simply has to login, access the locally modified page and submit the form which
then blindly sends the transaction to the server.
In theory then an unprivileged account would be able to generate a number of
fraudulent transactions onto existing customers
and then move money from the merchant's account after capture to their own
credit card or an accomplice's. This includes
forcing through transactions that do not have correct Card Verification Numbers.
Details:
Demo account is free to create and can be done at
http://www.cybersource.com/bankofamerica/eval/.
Test server is identical to Production with the exception that the Credit Card
Authorizer and capturing does not contact
the card owners banks for verification.
After creating an account with only the AO privilege (allows user to create new
Authorizations only) login under this account.
Accessing Order Search or Reports
The first level of *security* uses the security through obscurity method to
prevent user from accessing the Order Search by preventing
the URL information from being sent to the user. The menu on the interface
does not have the button but fortunately the URL's use
a standard naming convention in the JSP's.
1) Copy the URL from the Virtual Terminal button, this will be
https://businesscentertest.cybersource.com/sbctest/landing/terminal.jsp
2) Paste URL into address bar and change terminal.jsp to search.jsp, or
similarly to reports.jsp
3) The associated jsp is loaded and usable.
Capturing and Crediting a transaction is not vulnerable to simply URL
manipulation but are vulnerable to HTTP Post injections.
When creating a new transaction it is possible to save the web page locally and
then modify the source
(sbc_index.jsp_files\home_data\VTSettingsLoad.htm) to prefix the form's target
with https://businesscentertest.cybersource.com so that submission
will be sent to the server instead of localhost.
Adding the HTML option <option value="Credit">Credit</option> to the HTML
<select name='transactionType'> allows a Credit transaction
to be selectable for creation.
Confirming the transaction causes this crafted POST form to be sent to the
server and a confirmation of information is presented to the user
to confirm the transaction.
Recommendation:
Do not use user accounts until next year when vendor has said the problem will
be fixed.