Document Title: =============== NetChat v7.8 - Persistent Cross Site Scripting Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2171 Video: https://www.vulnerability-lab.com/get_content.php?id=2174 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20370 CVE-ID: ======= CVE-2018-20370 Release Date: ============= 2018-12-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2171 Common Vulnerability Scoring System: ==================================== 4.3 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Chat with other local users. You can create a fixed user which can be located in another subnet. This user can act as a gateway which connects both NetChat subnets together. A build-in HTTP server can be used to share pictures and other files. For users which are currently offline, the message can left on an FTP server. (Copy of the Homepage: https://www.the-sz.com/products/netchat/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official SZ NetChat v7.8 software. Vulnerability Disclosure Timeline: ================================== 2018-12-10: Researcher Notification & Coordination (Security Researcher) 2018-12-10: Vendor Notification (Product Developer Team) 2018-12-11: Vendor Response/Feedback (Product Developer Team) 2018-12-12: Vendor Fix/Patch (Product Developer Team) 2018-12-14: Security Acknowledgements (Product Developer Team) 2018-12-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== The SZ Development Product: NetChat - Software Client (Windows) 7.8 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted authentication (user/moderator) - User privileges User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A persistent cross site scripting vulnerability has been discovered in the official SZ NetChat v7.8 software. The web vulnerability allows local attacker to inject own malicious commands to compromise the http-server. The vulnerability is located in the `MyName` input field of the `Options` module. Local attackers are able to inject own malicious commands as name by usage of the software client, to compromise the enabled http server web frontend. The validation of the MyName input is insecure handled and the output location of the web frontend does not sanitize the transmitted context. The security risk of the cross site web vulnerability is estimated as medium with a cvss count of 3.8. Exploitation of the issue requires a privileged application user account and only low user interaction. Successful exploitation of the application-side vulnerability results in persistent phishing, persistent external redirects and persistent manipulation affected or connected module context. Vulnerable Module(s): [+] Options Vulnerable Input(s): [+] MyName Affected Module(s): [+] HTTP-Server (Web Frontend) Proof of Concept (PoC): ======================= The xss vulnerability can be exploited by authenticated remote attackers with low user interaction. For security demonstration or to reproduce the issue follow the provided information or steps below. Manual steps to reproduce ... 1. Download and install the software client with http server 2. Start the software and open the options tab 3. Inject to the MyName value your malicious test script code 4. Click the "Change" button to save the settings 5. Open the tab HTTP Server and click the checkbox to enable 6. The code executes on open of the main directory and as well in http server exception handling 7. Successful reproduce of the persistent cross site vulnerability! Note: Each user can connect to the HTTP server of other users via user list or chat. An attacker can manipulate his own service and wait until the server is active and a user accesses his enabled HTTP server. PoC: Exploitation HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]>

HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]>

TEST/


Solution - Fix & Patch: ======================= 1. The cross site scripting vulnerability can be patched by a parse of the content inside of the myname input field. 2. Restrict the input and disallow the usage of special chars to prevent cross site scripting or other validation bugs. 3. Parse in the http-server the output locations were the myname value is being displayed during sharing. The sz software developer team resolved the vulnerability 2018-12-12 and discovered the version 7.9 as stable release. Public Patched v7.9: http://www.the-sz.com/common/get.php?product=netchat Security Risk: ============== The security risk of the persistent cross site scripting web vulnerability in the netchat software is estimated as medium. The risk impact is as well medium because of users are able to access with one click the web-server of an attacker by enable. Credits & Authors: ================== Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™