Check Box 2016 Q2 Survey – Multiple Vulnerabilities

• Exploit Database
• 33 阅读

• 作者： Fady Mohammed Osman
  日期： 2017-01-17
• 类别：

  • webapps
  平台：

  • aspx
• 来源：https://www.exploit-db.com/exploits/41086/

• # Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
  # Exploit Author: Fady Mohamed Osman (@fady_osman)
  # Exploit-db : http://www.exploit-db.com/author/?a=2986
  # Youtube : https://www.youtube.com/user/cutehack3r
  # Date: Jan 17, 2017
  # Vendor Homepage: https://www.checkbox.com/
  # Software Link: https://www.checkbox.com/free-checkbox-trial/
  # Version: Check Box 2016 Q2,Check Box 2016 Q4- Fixed in Checkbox Survey,
  Inc. v6.7
  # Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
  # Description : Checkbox is a survey application deployed by a number of
  highly profiled companies and government entities like Microsoft, AT&T,
  Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
  Service,U.S. Necular Regulatory Comission, UNAIDS, State Of California
  and more!!
  
  For a full list of their clients please visit:
  https://www.checkbox.com/clients/
  
  1- Directory traversal vulnerability : For example to download the
  web.config file we can send a request as the following:
  http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config
  
  2- Direct Object Reference :
  attachments to surveys can be accessed directly without login as the
  following:
  https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001
  I created a script that can bruteforce the numbers to find ID's that will
  download the attachment and you can easily write one on your own ;).
  
  3- Open redirection in login page for example:
  https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com
  
  If you can't see why an open redirection is a problem in login page please
  visit the following page:
  https://www.asp.net/mvc/overview/security/preventing-
  open-redirection-attacks
  
  
  Timeline:
  December 2016 - Discovered the vulnerability during Pen. Test conducted by
  ZINAD IT for one of our clients.
  Jan 12,2017 - Reported to vendor.
  Jan 15,2017 - Sent a kind reminder to the vendor.
  Jan 16,2017 - First Vendor Response said they will only consider directory
  traversal as a vulnerability and that a fix will be sent in the next day.
  Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
  Jan 17,2017 - Patch Release Fixed the Directory Traversal.
  Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
  be fixed.
  Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
  released before for DOR the vendor said they didn't believe that's a
  security concern and that they have added a warning to let users know that
  their attachments will be available to anyone with access to that survey page !!