Check Box 2016 Q2 Survey - Multiple Vulnerabilities. Webapps exploit for ASPX platform
# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities # Exploit Author: Fady Mohamed Osman (@fady_osman) # Exploit-db : http://www.exploit-db.com/author/?a=2986 # Youtube : https://www.youtube.com/user/cutehack3r # Date: Jan 17, 2017 # Vendor Homepage: https://www.checkbox.com/ # Software Link: https://www.checkbox.com/free-checkbox-trial/ # Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey, Inc. v6.7 # Tested on: Check Box 2016 Q2 Trial on windows Server 2012. # Description : Checkbox is a survey application deployed by a number of highly profiled companies and government entities like Microsoft, AT&T, Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret Service, U.S. Necular Regulatory Comission, UNAIDS, State Of California and more!! For a full list of their clients please visit: https://www.checkbox.com/clients/ 1- Directory traversal vulnerability : For example to download the web.config file we can send a request as the following: http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config 2- Direct Object Reference : attachments to surveys can be accessed directly without login as the following: https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001 I created a script that can bruteforce the numbers to find ID's that will download the attachment and you can easily write one on your own ;). 3- Open redirection in login page for example: https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com If you can't see why an open redirection is a problem in login page please visit the following page: https://www.asp.net/mvc/overview/security/preventing- open-redirection-attacks Timeline: December 2016 - Discovered the vulnerability during Pen. Test conducted by ZINAD IT for one of our clients. Jan 12,2017 - Reported to vendor. Jan 15,2017 - Sent a kind reminder to the vendor. Jan 16,2017 - First Vendor Response said they will only consider directory traversal as a vulnerability and that a fix will be sent in the next day. Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem. Jan 17,2017 - Patch Release Fixed the Directory Traversal. Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont be fixed. Jan 17,2017 - Open redirection confirmed to be fixed in the same patch released before for DOR the vendor said they didn't believe that's a security concern and that they have added a warning to let users know that their attachments will be available to anyone with access to that survey page !!