23 March 2021

[CVE-2021-3012] Vulnerability allowing remote HTML/JavaScript code injection on ESRI ArcGIS products

Introduction

A few weeks ago, BSSI performed a penetration test that included ESRI’s ArcGIS product in the customer’s scope.

The purpose of this article is to describe a vulnerability discovered by the BSSI audit team, allowing an authenticated user to remotely inject malicious HTML/JavaScript code into the application. This vulnerability affects all ArcGIS Enterprise and ArcGIS Online products before version 10.9.

ArcGIS is a comprehensive mapping, analytics, and collaboration solution that puts geographic intelligence to work for everyone. It makes it possible to quickly create maps, manage and analyze geographic data, and collaborate and share work with employees and customers. Its analytics tools help users gain insight into their data by linking it to Esri’s demographic and lifestyle data for context.

There are two architecture platforms for the ArcGIS solution:

  • ArcGIS Online: deployed in SaaS mode, the “Software As A Service” solution offers high product availability by removing all IT infrastructure management
  • ArcGIS Enterprise: based on an on-premises deployment, this solution implements the ArcGIS software in the customer’s own IT infrastructure, allowing better control and management of the product

Exploitation

The audit was conducted in black-box mode: the application was tested without any prior information, as an attacker on the Internet would see it.

The vulnerability identified during the penetration test allows an authenticated user on the application to inject malicious client-side code (HTML / JavaScript) into web pages viewed by other users (stored XSS).

A stored XSS, unlike a reflected XSS, is an injection of code into the application that is stored directly in the database. This means that the injected code is executed automatically whenever the page loads, without any user interaction.

The tests carried out by the auditors identified a parameter vulnerable to Cross-Site Scripting (XSS) injection. The injection point is the “URL” field of the “Parameters” tab of a “Document Link” type element:

The URL field is vulnerable to XSS injections

The lack of input filtering on this field allows an attacker to use the “Document Link” feature to inject malicious HTML/JavaScript code.

The following URL field was used in order to execute a malicious payload:

"><img src=x onerror=alert(document.domain)>

Once the payload is stored, the JavaScript executes as soon as any user opens the element:

Execution of the XSS injection in the “Document Link” type element

Since the application’s session cookies are issued without the “Secure” and “HttpOnly” flags, the injected script can read a victim’s session token and exfiltrate it without their knowledge. This could allow a full account takeover of any user who views the element.
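The two defensive measures implied by the finding above, validating the “URL” field before it is rendered into the page and checking that session cookies carry the Secure and HttpOnly attributes, as an added example in Node.js. This is not Esri’s or ArcGIS’s code: the function names, the URLs, and the cookie name “session” are constructed for illustration; the only value taken from this article is the payload shown earlier.

```javascript
// Added example, not ArcGIS/Esri code: validating a "Document Link" URL
// field before rendering it, and checking a Set-Cookie header for the
// Secure/HttpOnly/SameSite attributes. Function names, URLs and the cookie
// name "session" are constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Escape the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only absolute http(s) URLs. new URL() throws on strings that are
// not URLs at all (such as the "><img ...> payload from this article), and
// the scheme check rejects javascript:, data: and similar explicitly.
function validateDocumentLinkUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href; // normalized form; characters such as " are percent-encoded
}

// Render the link element. Validation decides whether the value is allowed
// at all; escaping decides how it is written into the attribute. A value
// that fails validation is rendered as inert text, never as an href.
function renderDocumentLink(value, label) {
  const safeUrl = validateDocumentLinkUrl(value);
  if (safeUrl === null) {
    return `<span class="invalid-link">${escapeHtml(label)}</span>`;
  }
  return `<a href="${escapeHtml(safeUrl)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Parse one Set-Cookie header value and list the protective attributes it
// lacks. Attribute names are case-insensitive (RFC 6265), so compare lowercased.
function missingCookieFlags(setCookieHeader) {
  const attrs = String(setCookieHeader)
    .split(';')
    .slice(1) // the first segment is name=value, the rest are attributes
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample inputs.
const XSS_PAYLOAD = '"><img src=x onerror=alert(document.domain)>';
const GOOD_URL = 'https://example.invalid/docs/report.pdf';
const WEAK_COOKIE = 'session=abc123; Path=/';
const HARDENED_COOKIE = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(renderDocumentLink(GOOD_URL, 'Quarterly report'));
console.log(renderDocumentLink(XSS_PAYLOAD, 'Quarterly report'));
console.log('weak cookie lacks:', missingCookieFlags(WEAK_COOKIE));
console.log('hardened cookie lacks:', missingCookieFlags(HARDENED_COOKIE));
```

Validation and escaping are deliberately separate steps: escaping alone would still let a syntactically valid javascript: URL through into an href, and validation alone would not protect other contexts where the same value is echoed. The cookie check is the kind of assertion worth running in an integration test against the login response, so that a regression to the flag-less cookies described above is caught before deployment.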

Check the video of the exploit on YouTube

Conclusion

Upon discovery of the vulnerability, the BSSI audit team contacted the affected product team within Esri and reported it. A patch has been available since December 2020 (corresponding to version 10.9).

This vulnerability is now known as CVE-2021-3012.

Timeline

11/03/2020 – Discovery of the vulnerability
12/18/2020 – First contact with the Cyber-Security team of Esri
01/04/2021 – Report of the vulnerability
12/10/2020 – The vulnerability is fixed using the 10.9 patch
03/23/2021 – Vulnerability disclosure (patch + 90 days)
