Sunday 2 November 2014

Modx XSS And CSRF Bypass "CVE-2014-8773 , CVE-2014-8774 , CVE-2014-8775"


Modx XSS And CSRF Bypass


Hello all Bro`s :) ;) , Leets and learners , Hope you all are well and enjoying your bounties as well as ;)

Today we will see how i got Modx XSS And CSRF Bypass ( Modx CSRF + XSS = A Perfect Disaster  ) ;)

Attacker Scenario Is Inspired From Symantec CSRF

So What Is Modx

MODX is the web content management system (CMS) that gives you complete control over your site and content, with the flexibility and scalability



Popularity Of Modx

Modx comes in top 10 CMS According to user reviews - Checked out here 

Looks Cool :) ;)







========================================================================



Now lets come to the findings

There were 3  Vulnerabilities which are - 1 - Reflected XSS , 2. Stored XSS , 3. CSRF :) ;) Oopps Sorry That Is CSRF  Bypass ;)

While i found a Reflected XSS which was exploitable by remotely and admin session hijacking is also possible because there were Cookies are not set with Http Only Flag
POC






POC Video


;)



That is ok :( but i was looking for something more interesting  ;)

I played for sometimes here and there for something kickass ;) , and i got A Stored XSS ;) in his add post page you can see below




But that is only self exploitable :( , Only admin can perform this attack now what to do ? i was feeling like , Hey bring me one more drink ;)



Technical Details For Reflected & Stored XSS

=====================================
1) Reflected Cross-Site Scripting (XSS) in MODX Revolution


The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

This vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.


The exploitation example below uses the ""></script><img src=x onerror=prompt(/XSS/)>" JavaScript function to display "/XSS/" word:


Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)>


Vulnerable Parameter - "context_key"


XSS Payload - "></script><img src=x onerror=prompt(/XSS/)>


"></script><img src=x onerror=prompt(document.cookie)>


-----------------------------------------------------------------------------------------------


2) Stored Cross-Site Scripting (XSS) in MODX Revolution


The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to " http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [Authenticated User] can  execute arbitrary HTML and script code in browser in context of the vulnerable website.

This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.


The exploitation example below uses the "<script>alert(1)</script>" JavaScript function to display "1" word:


Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1


Vulnerable Parameter - "context"


XSS Payload - <script>alert(1)</script>


Note - This Stored XSS Was more critical because there was a CSRF protection vulnerability also , which allow an attacker to trick an administrator To Send Unwated Request for Stored XSS , which will directly attack to the Visitors ,



I was thinking there is a only way to exploit it !!! Yes you are right i am talking about as expected ;) CSRF

but there CSRF  protection was there :( , But no problem i found a way to bypass that , Because where is efforts there is always a hope :)

The csrf tokens is like "HTTP MODE AUTH=somethingvalueblaahblaaahhhhhhhuuhuhuhu" if we removed the csrf tokens from original request then the request still works fine , i verified it by using the csrf tokens with invalid tokens value and in response i got error of csrf token check failed ,

There i noticed an another issue with CSRF tokens which is if you used the CSRF tokens parameter with 50 charactor length any random value then still the request working fine :) , So there were 2 flaws which are affecting the CSRF tokens ,
POC





After This My Re-Action Is Like The Same Like Previous One  ;)



Now i can say CSRF + XSS = Perfect Disaster 

By using 2 Chained Vulnerabilities , an attacker can perform critical attacks Like

  1. An attacker can trick an admin for take over his account

  2. An attacker is able to trick an admin to perform a Stored XSS Request which will direct attack on Visitors, which can be used for XSS Shell attack , Session hijacking of all users , Ddos attacks Etc.

  3. An attacker can trick an admin to send forged request , And make his self guilty,

There was many more attack scenario which can be acured due to these two Issue

Thats why we always say ;) CSRF + XSS = Perfect Disaster 

Technical Details For CSRF Bypass Vulnerability 

The vulnerability exists due to insufficient validation of csrftokens ["HTTP_MODHAUTH"] at server side which allow an attacker to Perform CSRF Attack by bypassing CSRF Protection Mechanism To take over victim account , Trick him to send malicious request Etc.

Attacker need to remove the "HTTP_MODHAUTH" parameter value to perform the successfull attack.




=====================================





Reporting Timeline

Affected VersionsMODX Revolution 2.0.0–2.2.14

Reporting Date - 10 July,2014

Severity - Critical

Acknowledge Date - 11 July,2014



Emergency Fix Release Date - 15 July,2014



Modx Security Advisory Published  - http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior

Affected Releases

All MODX Revolution releases prior to and including 2.2.14.

CVE ID - CVE-2014-8773 ,  CVE-2014-8774 ,  CVE-2014-8775

Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

===============================================================



Comments And Suggestions Are Always Welcome :) Thanks

14 comments:

  1. gud 1...
    btw can u help me ?
    i found csrf token in cookies(in microsoft's site)...
    i dont knw how to exploit it....any tut for this>?

    ReplyDelete
  2. Thanks ,
    Will take a look on that , and get back to you :)

    ReplyDelete
  3. remember: csrf token generates in cookie

    ReplyDelete
  4. I got it paresh parmar ! ,
    Will ping you on facebook if i got something to share with u k :)

    ReplyDelete
  5. disqus_toraWUUVTG9 November 2014 at 03:42

    dsqdqsdqsd@dd.de

    ReplyDelete
  6. Thanks for this. It's nice to see how flaws our found and executed. I came here looking on how to prevent this type of attack with an upload form I'm making in MODX. Maybe someday you can write a tutorial on how to PREVENT this stuff :) but then again that may make my job too easy.

    ReplyDelete
  7. Hurrah! Finally I got a weblog from where I know how to genuinely take useful information regarding my study and knowledge.

    ReplyDelete
  8. Hi every one, here every person is sharing these knowledge, so it's pleasant to read this blog, and I used to visit this weblog everyday.

    ReplyDelete
  9. I am truly thankful to the owner of this web page who has shared
    this wonderful piece of writing at at this place.

    ReplyDelete
  10. Thanks for such comments, Glad to know that its help you :)

    ReplyDelete
  11. Thanks
    Will also post about fixing :)

    ReplyDelete