Analysis of Seven Vulnerabilities in the LiveZilla Live Chat Application

Posted by tzul at 2020-04-13

In June 2019, Fortinet's FortiGuard Labs found seven vulnerabilities in LiveZilla Live Chat and wrote the corresponding reports. LiveZilla is a software company whose customer base of more than 15,000 users includes a large number of Fortune 500 enterprises and top universities.

These vulnerabilities affect version 8.0.1.0 and earlier. At the time of writing, the issues have been fixed and the vendor has released patches for all of them. FortiGuard Labs appreciates the vendor's rapid response and timely fixes.

The vulnerabilities are detailed below.

Vulnerability details

1. FG-VD-19-082: LiveZilla Server before 8.0.1.1 is vulnerable to SQL injection in server.php through the p_ext_rse parameter

When auditing the source code file \livezilla\server.php, line 76 shows that server.php includes the file intern.php.

[Figure: \livezilla\server.php]

Looking at \livezilla\intern.php, we see that line 29 calls the Listen() method of the class OperatorRequest. This class is defined in \livezilla\_lib\objects.internal.inc.php.

[Figure: \livezilla\intern.php, OperatorRequest::Listen(), \livezilla\_lib\objects.internal.inc.php]

As the figure shows, Listen() then calls the Build() method of the same class at line 302:

[Figure: Build(), DBManager::RealEscape, \livezilla\_definitions\definitions.protocol.inc.php]

Two time-based test values for the p_ext_rse parameter confirm the injection: the first delays the response by five seconds because substr(123,1,1) matches 1, while the second returns immediately because it does not.

p_ext_rse=(select*from(select(if((substr(123,1,1) like 1),2,sleep(5))))a)

p_ext_rse=(select*from(select(if((substr(123,1,1) like 2),2,sleep(5))))a)

Figure 7 shows the patches provided by the vendor:

2. LiveZilla Server is vulnerable to XSS attack in mobile/index.php

When analyzing the source code file \livezilla\mobile\index.php at line 84, we found that the server reflects the value of $language into the response without sanitization, which leads to a cross-site scripting (XSS) vulnerability.

[Figure: \livezilla\mobile\index.php, $language]

Using a man-in-the-middle (MitM) position, or any browser extension that modifies request headers, an attacker can run JavaScript code in the user's browser.

[Figure: Man-in-the-Middle (MitM)]

Figure 10 shows the patch provided by the vendor:

3. FG-VD-19-084: LiveZilla Server is vulnerable to denial of service in knowledgebase.php

This denial of service was found in \livezilla\knowledgebase.php, lines 39 to 51:

[Figure: \livezilla\knowledgebase.php]

The conditional on line 39 checks whether the search-engine-friendly URL option is enabled. If it is, the code reads the GET parameter depth and runs a loop whose iteration count is taken directly from that attacker-controlled value. In other words, input such as "?depth=2200000" makes the loop run 2,200,000 times. As lines 46-47 in Figure 11 show, each iteration appends the string "../" to the $path variable, so the string grows until the process exhausts its memory (the memory overflow).

[Figure: "?depth=2200000", "../", $path]

Figure 12 shows the patch provided by the vendor:
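As an added illustration (this is not LiveZilla's code), the attacker-controlled loop bound described above is shown next to two bounded replacements. The function names, the $maxDepth ceiling and the assumption that the search-engine-friendly URLs nest extra path segments beneath the script are all mine; the vulnerable variant only mirrors the loop the text describes.

```php
<?php
// Added example, not LiveZilla's code: the attacker-controlled loop bound from
// knowledgebase.php as described above, next to two bounded replacements.

// VULNERABLE: the iteration count comes straight from the request, so
// ?depth=2200000 appends "../" 2.2 million times and $path grows without limit.
function relative_prefix_vulnerable(array $get): string
{
    $depth = isset($get['depth']) ? (int) $get['depth'] : 0;
    $path = '';
    for ($i = 0; $i < $depth; $i++) {
        $path .= '../';
    }
    return $path;
}

// HARDENED 1: validate the value and reject anything outside a small range.
// $maxDepth is an assumed ceiling; use the deepest URL nesting the site really has.
function relative_prefix_bounded(array $get, int $maxDepth = 8): string
{
    $raw = $get['depth'] ?? '0';
    $depth = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $maxDepth],
    ]);
    if ($depth === false) {
        return '';              // not an integer, or out of range: nothing to repeat
    }
    return str_repeat('../', $depth);
}

// HARDENED 2: do not read the depth from the client at all; derive it from how
// far below the script's directory the requested path sits (assumption: the
// "search engine friendly" URLs nest extra segments beneath $scriptPath).
function relative_prefix_derived(string $requestUri, string $scriptPath, int $maxDepth = 8): string
{
    $reqDir  = rtrim(dirname((string) parse_url($requestUri, PHP_URL_PATH)), '/') . '/';
    $baseDir = rtrim(dirname($scriptPath), '/') . '/';
    if (strpos($reqDir, $baseDir) !== 0) {
        return '';              // request is not under the script's directory
    }
    $extra = trim(substr($reqDir, strlen($baseDir)), '/');
    $depth = $extra === '' ? 0 : substr_count($extra, '/') + 1;
    return str_repeat('../', min($depth, $maxDepth));
}

// Demonstration with constructed inputs.
$hostile = ['depth' => '2200000'];
var_dump(relative_prefix_bounded($hostile));            // rejected: empty string
var_dump(relative_prefix_bounded(['depth' => '3']));    // three "../" segments
var_dump(relative_prefix_derived('/livezilla/knowledgebase/faq/general/item',
                                 '/livezilla/knowledgebase.php'));
```

The second replacement is the stronger one: a value the server can compute for itself should not be accepted from the client at all, and the clamp in the first replacement only limits the damage if the parameter really has to stay.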

4. LiveZilla Server is vulnerable to XSS attack in chat.php ticket creation

This is another XSS vulnerability, this time triggered from the guest live chat window: an attacker enters an XSS payload as a live chat message.

In the management panel, when the administrator creates a trouble ticket from that chat window, the chat content is rendered in a new chat-record pop-up window without sanitization, which leads to arbitrary JavaScript execution in the administrator's browser.

After verifying the vendor's patch, we realized that the fix in version 8.0.1.1 was incomplete. We informed the developers and provided them with an additional payload that bypassed the 8.0.1.1 patch, and they then provided a complete fix. Figure 15 shows the patch in vendor version 8.0.1.2:

5. LiveZilla Server is vulnerable to SQL injection in functions.internal.build.inc.php through the p_dt_s_d parameter

Another SQL injection vulnerability can be found at lines 596 to 605 of \livezilla\_lib\functions.internal.build.inc.php.

[Figure: p_dt_s_d]

Figures 17 and 18 show vendor supplied patches:
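Both injections, p_ext_rse in server.php (vulnerability 1) and p_dt_s_d here, share one lesson: the time-based test values shown under vulnerability 1 contain no quote characters, so an escaping routine that only neutralises quotes does nothing when the value is placed into SQL unquoted. The following added example (not LiveZilla's code) shows that failure mode and the prepared-statement pattern that removes it. It assumes DBManager::RealEscape behaves like mysqli_real_escape_string, assumes the parameter is meant to be an integer id, and uses a constructed table name; everything else is mine.

```php
<?php
// Added example, not LiveZilla's code. Demonstrates why an escaped but unquoted
// parameter (the p_ext_rse and p_dt_s_d injections above) is still injectable,
// and the typed, bound-parameter pattern that removes the problem.

// Stand-in for an escaping helper. Assumption: DBManager::RealEscape behaves like
// mysqli_real_escape_string, which escapes quotes, backslashes and a few control
// characters and nothing else.
function escape_like_real_escape(string $value): string
{
    return addcslashes($value, "\\'\"\0\n\r\x1a");
}

// VULNERABLE pattern: escaping is applied, but the value is concatenated into the
// SQL outside of quotes, so a value built only from parentheses, keywords and
// digits survives escaping untouched.
function build_query_vulnerable(string $p_ext_rse): string
{
    $escaped = escape_like_real_escape($p_ext_rse);
    return 'SELECT * FROM lz_example WHERE id = ' . $escaped;   // table name is constructed
}

// HARDENED step 1: decide what the parameter is allowed to be before it gets near
// any SQL. Assumption: it should be a non-negative integer id.
function parse_id_param(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// HARDENED step 2: bind the validated value as a typed parameter; it is never
// part of the SQL text, so escaping is no longer the thing keeping the query safe.
function fetch_by_id(mysqli $db, string $raw): ?array
{
    $id = parse_id_param($raw);
    if ($id === null) {
        return null;                // reject instead of trying to "clean" the value
    }
    $stmt = $db->prepare('SELECT * FROM lz_example WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration with the page's first time-based value (no database needed here).
$payload = '(select*from(select(if((substr(123,1,1) like 1),2,sleep(5))))a)';
echo build_query_vulnerable($payload), "\n";   // the sleep(5) is still in the query text
var_dump(parse_id_param($payload));            // NULL: rejected before any SQL is built
var_dump(parse_id_param('42'));                // int(42)
```

The order matters: validation decides whether the input is acceptable at all, and the prepared statement guarantees that even an accepted value cannot change the structure of the query. Escaping on its own only helps inside a quoted string literal.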

6. LiveZilla Server is vulnerable to XSS attack in ticket.php

Another XSS was found in \livezilla\ticket.php at line 109. Here the server substitutes the $subject placeholder with attacker-supplied content without proper sanitization.

[Figure: \livezilla\ticket.php, $subject]

Figure 21 shows the patch provided by the vendor:
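The three XSS findings (the reflected $language value in mobile/index.php, the stored chat text rendered in the ticket-creation pop-up of chat.php, and the $subject placeholder in ticket.php) are all the same defect: untrusted data written into a page without encoding for the context it lands in. The added example below is not LiveZilla's code; the function names, the template syntax and the assumption that $language originates from the Accept-Language header are mine. It shows an allowlist for the language value and context-specific encoding for HTML, JavaScript and placeholder substitution.

```php
<?php
// Added example, not LiveZilla's code. Covers the three XSS sinks described above:
// a reflected request value ($language in mobile/index.php), stored chat text
// rendered in an admin pop-up (chat.php ticket creation) and a placeholder
// substituted into a template ($subject in ticket.php). Function names are assumed.

// 1. A language code has a tiny legal alphabet: allowlist it instead of trying to
//    strip dangerous characters, and fall back to a default on anything odd.
//    Assumption: the value comes from the Accept-Language request header.
function language_from_header(?string $acceptLanguage, string $default = 'en'): string
{
    if ($acceptLanguage === null) {
        return $default;
    }
    $first = trim(explode(',', $acceptLanguage, 2)[0]);   // "de-DE,de;q=0.9" -> "de-DE"
    $first = explode(';', $first, 2)[0];                   // drop any ";q=" weight
    return preg_match('/^[a-z]{2,3}(-[A-Za-z]{2,4})?$/', $first) ? $first : $default;
}

// 2. Encode for the context the value lands in. The same string needs different
//    treatment in an HTML text node or attribute and inside a <script> block.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function e_js(string $s): string
{
    // JSON_HEX_TAG turns < and > into \u003C / \u003E, so the literal can never
    // close the surrounding <script> element; the other flags cover quotes and &.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

// 3. Placeholder substitution: encode each value at the moment it is substituted,
//    never by post-processing a template that already contains the data.
function render_template(string $template, array $values): string
{
    return preg_replace_callback('/\{\{(\w+)\}\}/', function (array $m) use ($values): string {
        return e_html($values[$m[1]] ?? '');
    }, $template);
}

// Demonstration with constructed input (not a real chat transcript).
$chatText       = 'Hello <b>there</b> & "welcome" \'s';
$ticketTemplate = '<h1>Ticket: {{subject}}</h1><p>From: {{name}}</p>';

echo language_from_header('de-DE,de;q=0.9'), "\n";   // de-DE
echo language_from_header('<x>'), "\n";              // en (allowlist fallback)
echo '<div lang="', e_html(language_from_header('fr')), '">', e_html($chatText), "</div>\n";
echo '<script>showPopup(', e_js($chatText), ");</script>\n";
echo render_template($ticketTemplate, ['subject' => $chatText, 'name' => 'Guest']), "\n";
```

Encoding at the output point is what makes a fix complete: a filter that removes particular tags or keywords on input is the kind of patch that, as with the 8.0.1.1 fix above, tends to be bypassed by a payload the filter author did not anticipate.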

7. LiveZilla Server is vulnerable to CSV injection attack in the export function

We also found a comma-separated values (CSV) injection in the source code file \livezilla\_lib\functions.internal.man.inc.php. At lines 736 to 744 in Figure 22, the server exports the data in CSV format without sanitization.

[Figure: \livezilla\_lib\functions.internal.man.inc.php]

Figure 23 shows the patch provided by the vendor:
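The risk in a CSV export is that a cell starting with a formula character is evaluated by the spreadsheet that opens the file. The added example below (not LiveZilla's code) shows an export routine that neutralises such cells while leaving genuine numbers alone; the function names, column names and sample rows are constructed.

```php
<?php
// Added example, not LiveZilla's code: a CSV export that neutralises spreadsheet
// formula injection, the defect described above for the export routine in
// functions.internal.man.inc.php. Function and column names are assumed.

// Spreadsheets treat a cell beginning with one of these characters as a formula
// when the file is opened. Tab and CR are included because some applications
// still evaluate "\t=..." and "\r=...".
const FORMULA_LEADERS = "=+-@\t\r";

function neutralise_csv_cell(string $value): string
{
    if ($value === '' || is_numeric($value)) {
        return $value;          // "-12.50" or "+3" is a legitimate number, leave it alone
    }
    if (strpos(FORMULA_LEADERS, $value[0]) !== false) {
        return "'" . $value;    // a leading apostrophe forces literal-text interpretation
    }
    return $value;
}

// Writes a header and rows to $stream as CSV. fputcsv handles quoting of commas,
// quotes and newlines; the formula guard runs on every cell first. Returns the row count.
function write_csv_safely($stream, array $header, array $rows): int
{
    fputcsv($stream, array_map('neutralise_csv_cell', $header));
    $written = 0;
    foreach ($rows as $row) {
        $cells = array_map('neutralise_csv_cell', array_map('strval', array_values($row)));
        fputcsv($stream, $cells);
        $written++;
    }
    return $written;
}

// Demonstration with constructed rows; the second "name" would be evaluated as a
// formula by a spreadsheet if it were exported verbatim.
$rows = [
    ['id' => 1, 'name' => 'Alice Example',     'balance' => '-12.50'],
    ['id' => 2, 'name' => '=SUM(1,2)',         'balance' => '3'],
    ['id' => 3, 'name' => '@user, "quoted"',   'balance' => '+0'],
];
$out = fopen('php://memory', 'w+');
write_csv_safely($out, ['id', 'name', 'balance'], $rows);
rewind($out);
echo stream_get_contents($out);
fclose($out);
```

The numeric exemption is the edge case worth noticing: a blanket rule that prefixes every cell starting with "-" or "+" would corrupt negative amounts in a financial export, so the guard only fires on values that are not already a plain number.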

Timeline

June 27, 2019: Fortinet confirmed the fixes for these vulnerabilities, except for FG-VD-19-085
July 1, 2019: LiveZilla confirmed that the fix for FG-VD-19-085 was incorrect; waiting for version 8.0.1.2
July 23, 2019: LiveZilla released 8.0.1.2 to patch the vulnerability; Fortinet confirmed the fix for FG-VD-19-085

Conclusion

In summary, FortiGuard Labs found multiple vulnerabilities in the LiveZilla live chat software, ranging from moderate to severe, and the root cause of all of them is the lack of basic input sanitization.

It is critical for LiveZilla Live Chat users to apply the hotfix provided by the vendor immediately, because some of these vulnerabilities (the SQL injections in particular) allow an attacker who exploits them successfully to extract confidential information from the database.

This article is reproduced from the Prophet (先知) community.