CSRF attacks could be triggered to access and exfiltrate information

A researcher has gone public with details about a recently resolved flaw in Acronis cloud management console

A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the vulnerability, a client-side path traversal attack they described as the “favorite bug” they’ve ever found.

The vulnerability existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring.

Path traversal

According to the researcher, a web-facing URL would automatically pull a GET parameter called color_scheme. Then, when the GET request is underway, a CSS file is also requested and loaded.

However, when this CSS file is asked for, the front-end code doesn’t sanitize the values, so it is possible for an attacker to perform a path traversal by requesting the same file from a different path.

This relative path overwrite isn’t intrinsically an important bug unless you combine it with an open redirect, which allows attackers to issue a request and force a redirect to an external domain where a malicious CSS file is stored.

Catch up on the latest web security research

Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the GET parameter. This allowed the researcher to create an exploit with the color_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.

Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.

“If we specify our CSS file in a domain hosted by us, we can perform the CSRF attack via GET requests by loading an external image using CSS properties like background-image, or exfiltrate user information like [an] IP, Referer header or User Agent,” the researcher explained. “I used my local server but you can check it out in any external domain you own.”

Chain reaction

A video-based Proof-of-Concept (PoC) attack has been published. Medi has also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import (PRSSI) vulnerabilities.

Medi told The Daily Swig: “Since this is an attack relying on the client side, the main risk is [being able to] exfiltrate information found in the vulnerable page and CSRF attacks. The type of bug depends on how the JavaScript handles the user input and the purpose of that parameter.

“For example, in Acronis, the vulnerable page was the admin dashboard containing valuable information about their customers [and] the parameter was used to dynamically apply styles [...] Other scenarios may involve leading to XSS with more serious issues like CSRF with any HTTP method.”

Medi’s findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded.

Medi confirmed the bug had been resolved. On HackerOne, the Acronis team likened the security flaw to a reflected cross-site scripting (XSS) attack, which, despite the possibility of user data exfiltration when the color_scheme is in use, accounts for the relatively low bug bounty.

The Daily Swig has reached out to Acronis for further comment and we will update this story as and when we hear back.

YOU MAY ALSO LIKE Gatsby patches SSRF, XSS bugs in Cloud Image CDN