Zenario 9.7 (9.7.61188) : Malicious File Upload (XSS in PDF)

GrimTheRipper
4 min readAug 23, 2024


Description:

# An issue was discovered in Zenario 9.7 (9.7.61188)

# We discovered a vulnerability that allows authenticated admin users to upload PDF files containing malicious code (Stored Cross-Site Scripting) to the target system. If the PDF file is then opened through the website, it triggers a Cross-Site Scripting (XSS) attack.

Affected Component:

http://[ip]/zenario-probusiness-9.7/organizer.php?fromCID=1&fromCType=html#zenario__library/panels/documents~.zenario_document_upload~tupload_document~k{}

Payload:

%PDF-1.7
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (app.alert('xss test'))
>> trailer <</Root 1 0 R>>

Proof of Concept:

First, log in to the target application as admin.

http://[ip]/zenario-probusiness-9.7/index.php
Log in to the page as admin.

Select “Go to Organizer” and click “Continue”.

Continue to organizer console.

Select the “Library” menu.

Console menu.

Select “Hierarchical documents”.

Library menu.

Then select “Upload documents” to upload the PDF file to the target.

Document upload page.

Then follow these steps.

  1. Click “Upload…” and select the file to upload to the target.
  2. Select “Public” to create the document as public.
  3. Click “Save” to save the document to the target.
Document upload function page.

The malicious PDF file was uploaded to the target successfully.

Document file upload (.pdf) on the target.

Then follow these steps.

  1. Click the “Modules” menu.
  2. Select the “Modules” sub-menu.
Modules menu and all sub-menus.

Then check that the “Document Container” module has the status “Running”.

*If the “Document Container” module is found to be “Uninitialised”, select the “Document Container” module and click “Start module”.

Document Container module is running.

Then select icon to “View this module’s plugins”.

View this module’s plugins icon.

Select the “+Create a plugin” button to create a new plugin.

Create new plugin page.

Then follow these steps.

  1. Enter a plugin name.
  2. Click “Select…” and choose the PDF file to add to the plugin.
  3. Select the malicious PDF file (xss-on-pdf.pdf) that was uploaded in the previous step.
  4. Click “Choose”.
  5. Tick “Show a View button”.
  6. Click “Save” to create the new plugin.
Create plugin name and select file.
Choose file to add to plugin.
Show a View button on the web page and save the plugin.

The new plugin was created successfully.

PDF Document Container plugin.

Then select icon “Back to Home Page”.

Back to Home Page icon.

Then select the “Tools” menu to edit the web page.

Tools menu on home page.

Choose the eye icon to show empty slots on the web page.

Hide mobile & empty slots icon.

Then look for an empty slot on the web page and follow these steps.

  1. Choose the slot inspector icon.
  2. Select the “Insert a plugin…” menu.
Add or edit plugin menu.

Click “Make a draft”.

Pop-up draft editing.

Then select the plugin from the “Document Container” module.

Select plugin.

Select the plugin as follows.

  1. Choose the “PDF Document Container” plugin.
  2. Click “Insert plugin”.
Insert plugin.

After the plugin is inserted successfully, the PDF file and a View button appear on the web page.

PDF file shown on the web page.

Then click the “Publish” button to publish the new content on the web application.

Example of the new content on the web application.

Then follow these steps.

  1. Select “Publish”.
  2. Click “Publish”.
Publish console.

Finally, the malicious PDF file appears on the target web application; click the “View” button to open the PDF file.

Malicious PDF file (xss-on-pdf.pdf) on the target.

The XSS payload runs immediately.

Payload executed on the target.
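As an added defensive example (not part of the original write-up or of Zenario): an upload-gate check that flags PDFs carrying the active-content names the payload above relies on (/OpenAction, /JavaScript, /JS), plus /AA, and expands PDF #xx name escapes before matching so a differently spelled name is not missed. The sample PDFs are constructed inline; the /AA name and all function names are my own additions.

```python
import re

# PDF name tokens that carry script or auto-run behaviour. The write-up's payload
# uses /OpenAction, /JavaScript and /JS; /AA (additional actions) is another
# well-known carrier of the same behaviour, added here as a known fact.
ACTIVE_CONTENT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# A name must end at a PDF delimiter, so /JS does not match e.g. /JSName.
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"
_NAME_PATTERNS = [re.compile(re.escape(n) + _DELIM) for n in ACTIVE_CONTENT_NAMES]

# PDF name objects may spell characters as #xx (e.g. /J#61vaScript), so a plain
# byte match on the raw upload is not enough: expand the escapes first.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_pdf_names(data: bytes) -> bytes:
    """Expand #xx escapes so name keywords compare in their plain spelling.
    This touches the whole file, streams included; for an upload gate that
    only errs towards flagging, which is the safe direction."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_active_content(data: bytes) -> list[str]:
    """Return the sorted active-content names present in a PDF byte blob."""
    normalised = normalise_pdf_names(data)
    hits = {n.decode() for n, p in zip(ACTIVE_CONTENT_NAMES, _NAME_PATTERNS)
            if p.search(normalised)}
    return sorted(hits)


def upload_verdict(data: bytes) -> tuple[bool, list[str]]:
    """Accept for inline serving only a real PDF with no active content.
    Returns (allowed, reasons)."""
    if not data.startswith(b"%PDF-"):
        return False, ["not a PDF: missing %PDF- header"]
    hits = find_active_content(data)
    return (not hits), hits


# Constructed sample inputs. PAYLOAD_PDF is the minimal PDF from the write-up.
PAYLOAD_PDF = (b"%PDF-1.7\n1 0 obj\n<</Pages 1 0 R /OpenAction 2 0 R>>\n2 0 obj\n"
               b"<</S /JavaScript /JS (app.alert('xss test'))\n>> trailer <</Root 1 0 R>>")
# The same structure with two names spelled through #xx escapes (constructed).
OBFUSCATED_PDF = PAYLOAD_PDF.replace(b"/OpenAction", b"/Open#41ction").replace(
    b"/JavaScript", b"/J#61vaScript")
# A minimal PDF with an empty page tree and no actions at all (constructed).
BENIGN_PDF = (b"%PDF-1.7\n1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n2 0 obj\n"
              b"<</Type /Pages /Kids [] /Count 0>>\nendobj\ntrailer <</Root 1 0 R>>")
```

Rejecting at upload is one layer; serving user-uploaded PDFs with Content-Disposition: attachment or from a separate origin removes the script's access to the application's session whatever the file contains.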

Author:

Grim The Ripper Team by SOSECURE Thailand.
