----------------------------------------------------------------
v2 - modzero Security Advisory: XSS in Good for Enterprise administration console [MZ-13-03]
---------------------------------------------------------------------

---------------------------------------------------------------------
Table of Contents
---------------------------------------------------------------------

1. Timeline
2. Summary
3. Impact
4. Workaround
5. Fix
6. Credits
7. About modzero
8. Disclaimer

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2013-06-25: Vendor was contacted and informed.
* 2013-07-03: Vendor confirmed the vulnerability.
* 2013-07-05: Added fix information.
* 2013-07-11: Vendor issued a legal threat against publication of the advisory.
* 2015-09-25: Public disclosure.

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor:                           Good Technology
Products known to be affected:    Good for Enterprise administration console
Product:                          Good Mobile Control
Version:                          2.3.0.402
Good Control gd.product.version:  1.3.26.76
Severity:                         High
Remote exploitable:               Yes

The web-based administration console of the Good for Enterprise product
contains at least one major cross-site scripting (XSS) vulnerability. The
weakness allows an attacker to persistently store code in the backend
database, which is then rendered and executed in the context of the
administrator's web browser.

An attacker could insert code into the name field of any managed iOS-based
client device. The attacker is not required to know any of the passwords
related to the Good for Enterprise solution. The injected code is
transported to the backend during the next synchronization event and is
persistently stored in the backend's database.

The next time an administrator opens any part of the administration
console that displays the device name, the code is executed in the context
of the administrator's web browser.

A CVE has not yet been assigned to this vulnerability.

---------------------------------------------------------------------
3. Impact
---------------------------------------------------------------------

Depending on the attacker's goal, the attacker could wipe devices, trigger
additional management actions or steal the administrator's session
credentials. Even critical data such as the initialization PINs of all
other managed devices are available to the attacker, which might introduce
additional security issues.

---------------------------------------------------------------------
4. Workaround
---------------------------------------------------------------------

There is no workaround for this vulnerability. Preventing scripts from
executing in the administrator's web browser might mitigate the issue
partially.

---------------------------------------------------------------------
5. Fix
---------------------------------------------------------------------

The vendor released a patch in July 2013 (GMC R8).

---------------------------------------------------------------------
6. Credits
---------------------------------------------------------------------

* Max Moser
* Tobias Ospelt
* David Gullasch

---------------------------------------------------------------------
7. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security
analysis in the complex areas of computer technology. The focus lies on
highly detailed technical analysis of concepts, software and hardware
components as well as the development of individual solutions.

Colleagues at modzero AG work exclusively in practical, highly technical
computer-security areas and can draw on decades of experience in various
platforms, system concepts, and designs.

http://modzero.ch
info@modzero.ch

---------------------------------------------------------------------
8. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author nor
the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
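The following is an added example, not code from the advisory or from the Good for Enterprise product. It models the rendering flaw described in section 2 (a device name synced from a managed client is stored as-is and later concatenated into the administrator's HTML page) next to the output-encoding fix, an audit helper for names already stored in the backend, and a Content Security Policy header of the kind that section 4 alludes to as a partial browser-side mitigation. The function names, the device records and the CSP value are all assumptions constructed for illustration.

```javascript
// Added example (not from the modzero advisory or the vendor's code).
// Model: device names arrive from managed clients over sync, are stored
// unchanged, and are later rendered into an administrator's HTML page.

// Encode the characters that let untrusted text break out of an HTML text
// node or a quoted attribute value. The stored value is left untouched; the
// rendering step is where encoding belongs.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (the pattern the advisory describes): the synced name
// is concatenated straight into markup, so any tags it carries become live.
function renderDeviceRowUnsafe(device) {
  return `<tr><td>${device.id}</td><td>${device.name}</td></tr>`;
}

// Hardened rendering: every client-controlled field passes through escapeHtml
// before it reaches the page, so markup is displayed as text, not executed.
function renderDeviceRowSafe(device) {
  return `<tr><td>${escapeHtml(device.id)}</td><td>${escapeHtml(device.name)}</td></tr>`;
}

// Audit helper for data already in the backend: returns the ids of devices
// whose stored name contains markup or script-like content. Apostrophes are
// deliberately not flagged, since names like "Alice's iPhone" are legitimate.
function findSuspiciousNames(devices) {
  const markup = /<|>|&#|javascript:|on\w+\s*=/i;
  return devices.filter((d) => markup.test(d.name)).map((d) => d.id);
}

// Partial browser-side mitigation in the spirit of section 4: a CSP that
// forbids inline script on console pages. This value is an assumption about
// what such a policy could look like, not the vendor's configuration, and it
// does not replace output encoding.
const CSP_HEADER_NAME = "Content-Security-Policy";
const CSP_HEADER_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'";

function renderTable(devices, rowRenderer) {
  return `<table>${devices.map(rowRenderer).join("")}</table>`;
}

// Constructed sample data: one ordinary device and one whose synced name
// carries a script tag.
const SAMPLE_DEVICES = [
  { id: "dev-001", name: "Alice's iPhone" },
  { id: "dev-002", name: "Phone<script>document.title='x'</script>" },
];

// Stand-alone demonstration.
console.log("Unsafe:", renderTable(SAMPLE_DEVICES, renderDeviceRowUnsafe));
console.log("Safe:  ", renderTable(SAMPLE_DEVICES, renderDeviceRowSafe));
console.log("Audit: ", findSuspiciousNames(SAMPLE_DEVICES));
console.log(`${CSP_HEADER_NAME}: ${CSP_HEADER_VALUE}`);
```

The audit helper is a triage aid, not a filter: the durable fix is the encoding at render time (what the vendor's patch in section 5 would have to achieve), while the CSP only limits what an injected inline script can do in browsers that enforce it.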