How I got my first CVE - CVE-2017-15872

Written by on
Hello All,

​INTRODUCTION

T​he purpose of this post is to let you know how I managed to get my first CVE​ and more importantly how you as a reader can adopt a similar strategy to earn a CVE against your name. Throughout this post, I will give you relevant examples/screenshots that demonstrates how I ended up finding the vulnerability and tips that are extremely handy.

​Alright, lets plunge into the Proof-Of-Concept !

PATH OF EXPLORATION

I was searching for a​n​ open source CMS based application which can help me in testing for some bugs for learning purpose.​ ​I ​stumbled upon phpwcms application ​which I found interesting and immediately download​ed​ the same. After configuring the application I started to create dummy pages ​for test​ing​. ​A few minutes​ later​ I came across a page where the administrator has the privilege to create users in phpwcms​. I found out that the username field does not properly filter / sanitize the user input which thus, result​ed​ into a ​STORED CROSS SITE SCRIPTING vulnerability.

THE MOST AWAITED DEEP DIVE POC​

1) While browsing the application to understand about the workflow I came across the module of user administration. I thought of creating a user by inserting the XSS payload into the username since it was reflecting on the page under couple of sections like phpwcms user list and users online. I added the payload and created a new user as you can see into the below snapshot.


2) After creating the user I didn't got XSS alert popup while viewing the user list. I viewed the page source code to understand how was my input rendered in background. I came to know that the application has taken some precaution to mitigate XSS attacks which was encoding my payload. I thought of using another payload with some encoding techniques to get the XSS alert popup.


3) I clicked on edit button and Boommmm !!!!!! XSS POP UP !!!!!! 😍👇


 4) Below snapshot shows the view source of the affected page.



REFERENCE LINKS

https://github.com/slackero/phpwcms/commit/62c7c4a7a7de5effa0a82c89e77e53795a82e11d
https://github.com/slackero/phpwcms/commit/90ee94a474b37919161f8112f9e36c53ad70492f
https://nvd.nist.gov/vuln/detail/CVE-2017-15872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15872

LESSONS LEARNT

 Never come to the conclusion immediately. Test all the possibilities and then conclude. Always think that the developer will definitely miss to validated some parameters on some page.

 DISCLOSURE DATELINES

 23 October 2017 at 00:02 - Report send.
23 October 2017 at 12:01 - Bug acknowledged and fixed.
23 October 2017 at 22:53 - Request for the CVE ID to CVE Mitre
25 October 2017 at 01:08 - CVE ID Received (CVE-2017-15872)


Thanks for reading the post.

 Special Thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

Post a Comment

Popular posts from this blog

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ?
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage
Read more

Exploring the Dark Side of Package Files and Storage Account Abuse

Written by on
Image
 Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of the Functions Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App.  The research was jointly done by  Raunak and myself . What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small, functions that can be triggered by events such as simple HTTP request. Function Apps provide an environment for executing our code without th
Read more