National Rail Live Enquiries Departure Board Gadget - Script Injection Vulnerability

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The National Rail Live Departure Board Sidebar gadget provides users with the ability to view real time train departure boards for all main railway stations in the UK. The gadget allows users to choose a “Start Station” and a “Destination Station” in order to provide them with the most up to date live departure information for their chosen trip. The gadget requests this information from a web server, which responds to the gadget with live departure board information for the user’s chosen rail journey.

An attacker capable of intercepting the web server response to the gadget request could modify that response so that a script is injected into it and then run on the user’s system. The injected script runs with the privileges of the currently logged-in user, so an attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of that user.

The following script could be injected into the body area of the response returned by the web server:

<script SRC='vbscript:System.Shell.execute("cmd.exe", "/k whoami")'>

In this case, the injection results in the “whoami” command being executed on the user’s system, as can be seen in the screenshot below:

An attacker could alter this code to execute commands of their choosing which, depending on the logged on user’s privileges, could result in the remote compromise of the target system.

It should be noted that, for this vulnerability to be exploited, an attacker would need to be able to intercept and modify network traffic between the remote web server supplying the departure information and the targeted user.
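The root cause is that the gadget trusts the server response as HTML rather than as data. The following is an added illustration, not the gadget's own code: a vulnerable render function that drops the raw response into the gadget's markup, beside a hardened one that parses the response into fields and HTML-escapes each before rendering. The pipe-separated response format and the station names are constructed assumptions.

```javascript
// Added illustration (not the gadget's own code): a gadget that builds its
// departure board from a server response, rendered two ways.
// The response format "time|destination|platform|status" is a constructed assumption.

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Parse the response body into one record per non-empty line.
function parseBoard(body) {
  return body.split('\n').filter((l) => l.trim() !== '').map((line) => {
    const [time, destination, platform, status] = line.split('|');
    return { time, destination, platform, status };
  });
}

// Vulnerable pattern: the raw response is placed into the gadget's HTML,
// so any markup a tampered response carries is rendered and executed.
function renderUnsafe(body) {
  return '<div id="board">' + body + '</div>';
}

// Hardened pattern: the response is treated as data, every field is escaped,
// and all markup is generated by the gadget itself.
function renderSafe(body) {
  const rows = parseBoard(body).map((r) =>
    '<tr>' + [r.time, r.destination, r.platform, r.status]
      .map((f) => '<td>' + escapeHtml(f) + '</td>').join('') + '</tr>');
  return '<table id="board">' + rows.join('') + '</table>';
}

// Constructed sample response whose second status field has been tampered
// with to carry the injected tag quoted in the advisory.
const INJECTED = '<script SRC=\'vbscript:System.Shell.execute("cmd.exe", "/k whoami")\'>';
const SAMPLE_RESPONSE =
  '09:15|London Paddington|4|On time\n' +
  '09:32|Bristol Temple Meads|7|' + INJECTED;

console.log(renderUnsafe(SAMPLE_RESPONSE)); // raw <script ...> tag survives
console.log(renderSafe(SAMPLE_RESPONSE));   // tag appears only as &lt;script ...
```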

The National Rail Live Departure Board gadget version 1.0 was confirmed to be affected by this vulnerability. The vendor has addressed this vulnerability and implemented a fix in version 1.1.

The full security advisory can be found here: [1] [2]

The whitepaper Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista is recommended reading if you are interested in the security of gadgets.
