CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
22.7%
Document Title:
===============
NetChat v7.8 - Persistent Cross Site Scripting Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2171
Video: https://www.vulnerability-lab.com/get_content.php?id=2174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20370
CVE-ID:
=======
CVE-2018-20370
Release Date:
=============
2018-12-17
Vulnerability Laboratory ID (VL-ID):
====================================
2171
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Chat with other local users. You can create a fixed user which can be located in another subnet. This user can act as
a gateway which connects both NetChat subnets together. A built-in HTTP server can be used to share pictures and
other files. For users which are currently offline, the message can be left on an FTP server.
(Copy of the Homepage: https://www.the-sz.com/products/netchat/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official SZ NetChat v7.8 software.
Vulnerability Disclosure Timeline:
==================================
2018-12-10: Researcher Notification & Coordination (Security Researcher)
2018-12-10: Vendor Notification (Product Developer Team)
2018-12-11: Vendor Response/Feedback (Product Developer Team)
2018-12-12: Vendor Fix/Patch (Product Developer Team)
2018-12-14: Security Acknowledgements (Product Developer Team)
2018-12-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
The SZ Development
Product: NetChat - Software Client (Windows) 7.8
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
A persistent cross site scripting vulnerability has been discovered in the official SZ NetChat v7.8 software.
The web vulnerability allows a local attacker to inject malicious script code that compromises the built-in HTTP server.
The vulnerability is located in the `MyName` input field of the `Options` module. Local attackers are
able to inject malicious script code as their name through the software client, which then compromises the enabled
HTTP server web frontend. The `MyName` input is validated insecurely, and the output location in the
web frontend does not sanitize the transmitted content before rendering it.
The security risk of the cross site web vulnerability is estimated as medium with a cvss count of 3.8.
Exploitation of the issue requires a privileged application user account and only low user interaction.
Successful exploitation of the application-side vulnerability results in persistent phishing, persistent
external redirects and persistent manipulation of affected or connected module context.
Vulnerable Module(s):
[+] Options
Vulnerable Input(s):
[+] MyName
Affected Module(s):
[+] HTTP-Server (Web Frontend)
Proof of Concept (PoC):
=======================
The XSS vulnerability can be exploited by authenticated remote attackers with low user interaction.
For security demonstration or to reproduce the issue follow the provided information or steps below.
Manual steps to reproduce ...
1. Download and install the software client with the HTTP server
2. Start the software and open the Options tab
3. Inject your test script code into the MyName value
4. Click the "Change" button to save the settings
5. Open the HTTP Server tab and click the checkbox to enable it
6. The code executes when the main directory is opened, and also in the HTTP server's exception handling
7. Successful reproduction of the persistent cross site scripting vulnerability!
Note: Each user can connect to the HTTP server of other users via the user list or chat. An attacker can manipulate his
own service and wait until the server is active and another user accesses his enabled HTTP server.
PoC: Exploitation
<html><head><title>HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></title></head><body bgcolor="#3399FF">
<h3 align="center"><font face="Verdana" color="#FFFFFF"><i>HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></i></font></h3>
<h5 align="center"><font face="Verdana" color="#FFFFFF"><i>TEST/</i></font></h5><br><br></body></html>
Solution - Fix & Patch:
=======================
1. The cross site scripting vulnerability can be patched by sanitizing the content of the MyName input field.
2. Restrict the input and disallow the usage of special chars to prevent cross site scripting or other validation bugs.
3. Sanitize, in the HTTP server, the output locations where the MyName value is displayed during sharing.
The SZ software developer team resolved the vulnerability on 2018-12-12 and released version 7.9 as the stable release.
Public Patched v7.9: http://www.the-sz.com/common/get.php?product=netchat
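To make the fix concrete for both the Technical Details and the Solution sections above, the following is an added example (not NetChat's own code, and not the vendor's patch) that reconstructs the two sinks the advisory names, the directory index page and the HTTP server's error page, and shows the unencoded rendering beside the hardened one. The page markup is taken from the PoC output; the rendering functions, the `is_valid_myname` input restriction and the constructed sample name are assumptions made for illustration.

```python
import html

# Constructed sample input: the probe string visible in the advisory's PoC output.
# Written into HTML unencoded, the leading quote and angle bracket close the
# surrounding tag context, which is what allows markup to be injected.
SAMPLE_NAME = '"><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]>'

# Markup of the directory index page as shown in the advisory's PoC (reconstructed).
INDEX_TEMPLATE = (
    '<html><head><title>HTTP server from a {name}</title></head>'
    '<body bgcolor="#3399FF">'
    '<h3 align="center"><font face="Verdana" color="#FFFFFF">'
    '<i>HTTP server from a {name}</i></font></h3>'
    '<h5 align="center"><font face="Verdana" color="#FFFFFF">'
    '<i>{directory}</i></font></h5><br><br></body></html>'
)

# Hypothetical error page; the advisory states that the exception handling is a second sink.
ERROR_TEMPLATE = (
    '<html><head><title>HTTP server from a {name}</title></head>'
    '<body><h3>HTTP server from a {name}</h3><p>{message}</p></body></html>'
)


def render_index_vulnerable(name, directory="TEST/"):
    """Unsafe rendering: the MyName value is substituted into the page as-is."""
    return INDEX_TEMPLATE.format(name=name, directory=directory)


def render_index_fixed(name, directory="TEST/"):
    """Hardened rendering: every dynamic value is HTML-encoded at the output location.

    quote=True also encodes " and ' so the value cannot break out of an attribute.
    """
    return INDEX_TEMPLATE.format(
        name=html.escape(name, quote=True),
        directory=html.escape(directory, quote=True),
    )


def render_error_fixed(name, message):
    """The second sink (exception handling) gets the same output encoding."""
    return ERROR_TEMPLATE.format(
        name=html.escape(name, quote=True),
        message=html.escape(message, quote=True),
    )


def is_valid_myname(name, max_len=32):
    """Input restriction matching step 2 of the fix: printable characters only,
    bounded length, and no HTML metacharacters. Defence in depth only; the
    output encoding above is what actually prevents the injection."""
    if not 1 <= len(name) <= max_len:
        return False
    if not name.isprintable():
        return False
    return not (set(name) & set('<>"\'&'))


def name_appears_raw(page, name):
    """True if the untrusted value reached the page without encoding."""
    return name in page


if __name__ == "__main__":
    print("vulnerable page contains raw probe:",
          name_appears_raw(render_index_vulnerable(SAMPLE_NAME), SAMPLE_NAME))
    print("fixed page contains raw probe:",
          name_appears_raw(render_index_fixed(SAMPLE_NAME), SAMPLE_NAME))
    print("probe accepted by input restriction:", is_valid_myname(SAMPLE_NAME))
```

Encoding at the sink is the change that removes the vulnerability: a name that passes `is_valid_myname` still renders identically through both functions, while a name that contains `"` or `<` is shown literally instead of being interpreted as markup. Restricting the input alone would leave any other code path that writes `MyName` into HTML exposed.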
Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerability in the NetChat software is estimated as medium.
The impact is also rated medium because users can reach an attacker's enabled web server with a single click.
Credits & Authors:
==================
Benjamin K.M. [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™