All versions of an HTML editor used in several Microsoft properties, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information.
The problem exists in all versions of RadEditor, a WYSIWYG text editor manufactured by Bulgaria-based firm Telerik, according to security researcher G.S. McNamara, who disclosed the vulnerability on his blog late last week.
“Technically speaking, this is a massive hole in how existing input validation security filters work in unison,” McNamara said in an email Thursday to Threatpost regarding the vulnerability.
The editor, which allows users to input rich-text, is used to varying degrees in Microsoft products like MSDN, CodePlex, TechNet, and MCMS, along with some Sharepoint and ASP.NET implementations.
“It’s a silent killer, too, because at least one commercial penetration-testing tool failed to find it,” McNamara said. “You just get a false positive.”
McNamara initially found the vulnerability (CVE-2014-4958) in a 2009 version (2009.3.1208.20) of the product on Internet Explorer along with a 2014 version but suggests it could have existed in previous iterations of the editor.
“I just had a hunch and followed it obsessively, manually,” McNamara said of his search for the bug, which he first dug up on July 9.
From there it took about two months of going back and forth with the company.
When he first contacted Telerik’s Customer Support department, it insisted the bug had already been fixed. To prove his case McNamara forwarded the company his exploit code. When Telerik still wouldn’t put him in touch with anyone in charge of security, McNamara ultimately had to go through what he calls “unofficial channels,” by sending a personal email to a Telerik employee’s Gmail account in late August, to finally get the ball rolling.
It wasn’t until earlier this month that the researcher and the company agreed to coordinate a disclosure. Yet after two weeks of radio silence from Telerik – McNamara claims he made multiple phone calls, emails and requests to high-level account managers – he decided to disclose the bug independently — only to have the company release its own information “out of the blue” last Wednesday, hours before he was planning to release his.
“Resolving this politely was tough,” McNamara admits, claiming the issue lasted as long as it did due to a lapse in responsibility.
“This is a technical product sold to technical developers, and Telerik wanted the developers to share the responsibility of security. The developers probably didn’t know that,” McNamara said.
While RadEditor’s filters cover some attack vectors – namely the RemoveScripts filter to strip out script tags – the attack technique that McNamara used “is not your typical XSS.”
“By using lesser-known attacks I found a way through,” McNamara said, adding that he put to use some old research by WhiteHat Security’s Jeremiah Grossman to help dig up the vulnerability.
In a blog entry Telerik posted on Wednesday the company addressed the issue and gave credit to McNamara but stood pat on its stance that the responsibility of sanitizing content to prevent threats should fall to the developer.
“It is always the duty of the developer to implement the necessary content validation,” Nikodim Lazarov, one of the company’s senior software developers wrote.
The company is slated to push out a patch for the issue but not until it updates the Q3 edition of its controls, in late October. In the meantime Telerik is giving users a workaround that it’s strongly recommending users follow until its patch is pushed.
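The article describes RadEditor’s RemoveScripts filter, which strips script tags, and Telerik’s position that content validation is the developer’s job. The Python below is an added illustration, not RadEditor’s code and not Telerik’s workaround, of what that developer-side validation looks like when built as an allowlist rather than a blocklist: the parser keeps only tags and attributes it is explicitly told about, re-escapes all text, checks link URL schemes, and records everything it drops so that injection attempts show up in logs. The tag and attribute policy and the sample inputs are constructed for this example.

```python
# Added illustration (not RadEditor's filter or Telerik's workaround): an allowlist
# sanitizer for rich-text input. A blocklist filter such as the RemoveScripts filter
# described in the article removes <script> elements; anything it does not recognise
# passes through. An allowlist does the opposite: anything not explicitly permitted
# is dropped and recorded, so an unexpected attribute or URL scheme never reaches
# the rendered page.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy for a comment field; the tag and attribute names are assumptions.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
SKIP_CONTENT_TAGS = {"script", "style"}  # text inside these is discarded, not escaped


def safe_url(value):
    """Accept only relative URLs or URLs whose scheme is on the allowlist."""
    if value is None:
        return False
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # stack used to emit balanced closing tags
        self.dropped = []      # audit trail of what was removed (for logging)
        self.skipping = None   # script/style element whose body is being discarded

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT_TAGS:
            self.skipping = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")  # rejects every on* handler
                continue
            if name == "href" and not safe_url(value):
                self.dropped.append(f"url:{value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        if tag in self.open_tags:
            while self.open_tags:          # close back to the matching open tag
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(escape(data, quote=False))  # text is re-escaped, never passed through

    def result(self):
        while self.open_tags:              # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return (clean_html, dropped_items) for an untrusted rich-text fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed samples, not taken from the article or the vendor.
    samples = [
        '<p>Hello <b>world</b></p><script>trackVisitor()</script>',
        '<p>Click <a href="https://example.com" onclick="x()">here</a></p>',
        '<a href="javascript:void(0)">link</a>',
        '<b>bold<i>nested',
        'Tom &amp; Jerry &lt;script&gt;',
    ]
    for sample in samples:
        clean, dropped = sanitize(sample)
        print(f"{sample!r}\n  -> {clean!r}\n  dropped: {dropped}")
```

The `dropped` list is the detection hook: a sanitizer that silently removes content hides the very attempts a system owner would want to see, so feed it to application logging and alert on unexpected tag or attribute names. Sanitization should run on the server after the editor posts back, because any filter that lives in the browser is under the user’s control.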
McNamara, who works as an application security engineer at the IT services provider CGI, says that he’s planning to do further research in his spare time on other rich text editors like RadEditor to see if he can find similar problems.
“Most of the company’s user base is likely unaware that they silently integrated a high-risk vulnerability into their site,” McNamara says of the bug in closing. “System owners signed off on this without knowing.”