iGuano (Members) posted March 4, 2017:

Hello again, I'm assuming this is the correct place to report these vulnerabilities, as contacting the default e-mail "info@xat.com" failed, and the support system seems to be for paying customers only.

This time the vulnerability actually lies in the "xatradio.com" domain; however, it is affecting xat because xat trusts this URL and has it whitelisted. The vulnerable endpoint is /html5.php. The intended functionality of this is to act as a proxy between xat's users and your radio server. However, it seems the endpoint is simply redirecting to the supplied IP address or domain. Due to this behaviour, we can craft a malicious URL to embed content from another domain, rendering xat's URL filter useless, as it is proxying through the trusted domain "xatradio.com".

Let's get down to the POC. As you can see below, I have created an "<img" tag and set the src attribute to "xatradio.com/html5.php?ip=i.imgur.com/9r6tkfl.png&port=80&extra=/;stream.mp3". This is exactly the same as just setting the src attribute to i.imgur.com/9r6tkfl.png; however, xat wouldn't let you do that as the domain is not trusted. Luckily xatradio.com is. So with this vulnerability, we can use any malicious URL in xat's group editing and xatspace editing features, linkvalidator and some other xat features that only allow trusted URLs.

View the below image as a proof of concept. As you can see, I've embedded an image from my own domain below the chat. xat wouldn't usually allow us to do this (it only allows tinypic, imgur and other trusted domains).

Here is also an access log from the server:

    [snip] - - [04/Mar/2017 snip] "GET /bioxshotevil.jpg?:80/;stream.mp3 HTTP/1.1" 200 48198 "-" "Mozilla/5.0 [snip]" "[leaked victim IP]"

A good fix here would be for xat to block redirects from external domains, or for xatradio.com to fix the vulnerable endpoint.
Nezhit (Bot Service Providers) posted March 4, 2017:

Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.
iGuano (Members, author) posted March 4, 2017:

> 22 minutes ago, Lamingtons said:
> Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

Good job. Thanks, I'll notify xatradio.com-specific vulnerabilities there from now on.

> 26 minutes ago, Lamingtons said:
> Thank you for the report. It was fixed. If you have future issues with xatRadio, try to contact us via http://xatproject.com/support/.

On second glance, it appears you have published an incomplete fix. I notice you now no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works. In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work. This is still fully exploitable.
Nezhit (Bot Service Providers) posted March 4, 2017:

> 6 minutes ago, iGuano said:
> Good job. Thanks, I'll notify xatradio.com-specific vulnerabilities there from now on. On second glance, it appears you have published an incomplete fix. I notice you now no longer allow a path (/x.png) in the 'ip' parameter; however, if I simply put the domain itself without the path, it still works. In this case, all I would have to do is have my domain automatically redirect to the png file and it would still work. This is still fully exploitable.

No, you can't; only whitelisted URLs will work. It will display BlockedDomain.
iGuano (Members, author) posted March 4, 2017:

> 3 minutes ago, Lamingtons said:
> No, you can't; only whitelisted URLs will work. It will display BlockedDomain.

Yes, but I can supply my server IP, not needing a domain at all. So whitelisting URLs doesn't make a difference. For example:

    xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3
Nezhit (Bot Service Providers) posted March 4, 2017:

> 1 hour ago, iGuano said:
> Yes, but I can supply my server IP, not needing a domain at all. So whitelisting URLs doesn't make a difference. For example, xatradio.com/html5.php?ip=127.0.0.1&port=80&extra=/;stream.mp3

Ok, thank you again. We're working on it; it will be fixed.
iGuano (Members, author) posted March 4, 2017:

> 6 hours ago, Lamingtons said:
> Ok, thank you again. We're working on it; it will be fixed.

Good job, that second fix seems to have done the trick. I have to pop out, but I'll have another look later and see if it is still vulnerable.
iGuano (Members, author) posted March 4, 2017:

> 10 hours ago, Lamingtons said:
> Ok, thank you again. We're working on it; it will be fixed.

I've had a look at your second fix. This time it seems you now block all MIME types except "audio/mpeg". However, the IP leakage issue is still present. You would have to actually proxy the stream through your server to avoid this issue; maybe it is a risk xat is willing to take. I created another quick POC, I'll post it below:

index.php:

    <?php
    // answer with the one MIME type the filter lets through
    header('Content-Type: audio/mpeg');
    ?>

Now that I've bypassed the MIME type blocking, I can still log IP addresses.

Server log:

    [leaked victim ip] - - [04/Mar/2017] "GET /;stream.mp3 HTTP/1.1" 200 15 "http://chatsgroup.com/web_gear/chat/media.php?d=[snip]&p=0&id=[snip]" "Mozilla/5.0 [snip]

You can make use of the proxy_pass feature in Nginx to achieve this.
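The thread walks through three ways a redirect-based "proxy" endpoint keeps failing (a path smuggled into the ip parameter, a bare attacker domain that redirects onward, a raw IP literal that no hostname whitelist covers) and ends with the point that a Content-Type check alone cannot stop the listener's IP from reaching the radio server. The sketch below is an added example written for this thread, not xatradio.com's html5.php or any xat code: it validates the same ip/port/extra parameters against an allowlist and then fetches the stream server-side without following redirects, so the browser only ever talks to the proxy host. The allowlist entry radio.example.net, the Upstream class and the injectable fetch callable are constructed for the example.

```python
"""Hardened sketch of a radio-proxy endpoint with the thread's parameters.

Added illustration, not xatradio.com's code. Closes the bypasses discussed
in the thread and removes the IP leak by relaying the stream server-side.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed allowlist: only radio hosts the operator has vetted.
ALLOWED_RADIO_HOSTS = {"radio.example.net"}

# Plain DNS hostnames only: letter/digit/hyphen labels and a dotted TLD.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# Stream path such as /;stream.mp3; no query, fragment or traversal.
EXTRA_RE = re.compile(r"^/[A-Za-z0-9_./;-]*$")


def validate_target(ip: str, port: str, extra: str) -> Tuple[bool, str]:
    """Return (ok, reason). Anything not explicitly allowed is refused."""
    host = ip.strip().lower()
    # Bypass 1 from the thread: ip=i.imgur.com/9r6tkfl.png smuggles a path.
    if any(c in host for c in "/?#@:\\"):
        return False, "path, port or userinfo in host"
    # Bypass 3: ip=127.0.0.1 (any literal) is never a whitelisted *name*.
    try:
        ipaddress.ip_address(host)
        return False, "IP literals are not allowed"
    except ValueError:
        pass
    if not HOST_RE.match(host):
        return False, "malformed hostname"
    # Bypass 2: an attacker-controlled domain that redirects to the payload.
    if host not in ALLOWED_RADIO_HOSTS:
        return False, "host not in allowlist"
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return False, "bad port"
    if not EXTRA_RE.match(extra) or ".." in extra:
        return False, "bad stream path"
    return True, "ok"


@dataclass
class Upstream:
    """Minimal stand-in for an HTTP response fetched by the proxy host."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


Fetcher = Callable[[str], Upstream]


def proxy_stream(ip: str, port: str, extra: str,
                 fetch: Fetcher) -> Tuple[int, str, bytes]:
    """Relay the stream server-side instead of redirecting the browser.

    `fetch` must not follow redirects. Because the radio server is contacted
    from the proxy host, the listener's IP never lands in its access log, which
    is the leak the thread shows a spoofed Content-Type header walks past.
    """
    ok, reason = validate_target(ip, port, extra)
    if not ok:
        return 400, "text/plain", reason.encode()
    upstream = fetch(f"http://{ip.strip().lower()}:{int(port)}{extra}")
    if 300 <= upstream.status < 400:
        return 502, "text/plain", b"upstream redirect refused"
    if upstream.status != 200:
        return 502, "text/plain", b"upstream error"
    headers = {k.lower(): v for k, v in upstream.headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "audio/mpeg":
        return 502, "text/plain", b"upstream is not an audio/mpeg stream"
    return 200, "audio/mpeg", upstream.body


def fake_fetch(url: str) -> Upstream:
    """Constructed upstream so the example runs offline."""
    if url.endswith("/;stream.mp3"):
        return Upstream(200, {"Content-Type": "audio/mpeg"}, b"\xff\xfb\x90\x00" * 4)
    return Upstream(404)


if __name__ == "__main__":
    for args in (
        ("i.imgur.com/9r6tkfl.png", "80", "/;stream.mp3"),  # path in ip
        ("127.0.0.1", "80", "/;stream.mp3"),                # IP literal
        ("radio.example.net", "80", "/;stream.mp3"),        # vetted host
    ):
        status, ctype, body = proxy_stream(*args, fake_fetch)
        print(args[0], "->", status, ctype, body[:16])
```

In production the fetch callable would be an HTTP client configured with redirects disabled and a short timeout, streaming the body to the listener chunk by chunk rather than buffering it; nginx proxy_pass with proxy_redirect off gives the same shape at the web-server layer. The content-type check stays in place as defence in depth, but it is the allowlist plus server-side relaying that actually removes the open-redirect and the IP leak.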
Mynewcar (Members) posted March 4, 2017:

Well, I thought xat was against stuff like this, always putting users at risk.
iGuano (Members, author) posted March 4, 2017:

> 13 minutes ago, Lolppl said:
> Well, I thought xat was against stuff like this, always putting users at risk.

I believe there is a fix in progress for this one.
Nezhit (Bot Service Providers) posted March 4, 2017:

It is now fixed, thank you for the report. Please send future issues/bugs with xatRadio to http://xatproject.com/support/.