Document Title:
===============
NetChat v7.8 - Persistent Cross Site Scripting Vulnerability


Date:
=====
2018-12-17


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2171

Video: https://www.vulnerability-lab.com/get_content.php?id=2174

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20370

CVE-ID:
=====
CVE-2018-20370


VL-ID:
=====
2171


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Introduction:
=============
Chat with other local users. You can create a fixed user which can be located in another subnet.  This user can act as 
a gateway which connects both NetChat subnets together. A build-in HTTP server can be used to share pictures and 
other files. For users which are currently offline, the message can left on an FTP server.

(Copy of the Homepage: https://www.the-sz.com/products/netchat/ )


Abstract:
=========
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official SZ NetChat v7.8 software.


Report-Timeline:
================
2018-12-10: Researcher Notification & Coordination (Security Researcher)
2018-12-10: Vendor Notification (Product Developer Team)
2018-12-11: Vendor Response/Feedback (Product Developer Team)
2018-12-12: Vendor Fix/Patch (Product Developer Team)
2018-12-14: Security Acknowledgements (Product Developer Team)
2018-12-17: Public Disclosure (Vulnerability Laboratory)



Status:
========
Published


Affected Products:
==================
The SZ Development
Product: NetChat - Software Client (Windows) v7.8


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent cross site scripting vulnerability has been discovered in the official SZ NetChat v7.8 software.
The web vulnerability allows local attacker to inject own malicious commands to compromise the http-server.

The vulnerability is located in the `MyName` input field of the `Options` module. Local attackers are 
able to inject own malicious commands as name by usage of the software client, to compromise the enabled 
http server web frontend. The validation of the MyName input is insecure handled and the output location of 
the web frontend does not sanitize the transmitted context.

The security risk of the cross site web vulnerability is estimated as medium with a cvss count of 3.8.
Exploitation of the issue requires a privileged application user account and only low user interaction. 
Successful exploitation of the application-side vulnerability results in persistent phishing, persistent 
external redirects and persistent manipulation affected or connected module context.


Vulnerable Module(s):
[+] Options 

Vulnerable Input(s):
[+] MyName

Affected Module(s):
[+] HTTP-Server (Web Frontend)


Proof of Concept:
=================
The xss vulnerability can be exploited by authenticated remote attackers with low user interaction.
For security demonstration or to reproduce the issue follow the provided information or steps below.


Manual steps to reproduce ...
1. Download and install the software client with http server
2. Start the software and open the options tab
3. Inject to the MyName value your malicious test script code
4. Click the "Change" button to save the settings
5. Open the tab HTTP Server and click the checkbox to enable
6. The code executes on open of the main directory and as well in http server exception handling
7. Successful reproduce of the persistent cross site vulnerability!

Note: Each user can connect to the HTTP server of other users via user list or chat. An attacker can manipulate his 
own service and wait until the server is active and a user accesses his enabled HTTP server.


PoC: Exploitation
<html><head><title>HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></title></head><body bgcolor="#3399FF">
<h3 align="center"><font face="Verdana" color="#FFFFFF"><i>HTTP server from a "><[MALICIOUS PERSISTENT INJECTED SCRIPT CODE!]></i></font></h3>
<h5 align="center"><font face="Verdana" color="#FFFFFF"><i>TEST/</i></font></h5><br><br></body></html>


Solution:
=========
1. The cross site scripting vulnerability can be patched by a parse of the content inside of the myname input field.
2. Restrict the input and disallow the usage of special chars to prevent cross site scripting or other validation bugs.
3. Parse in the http-server the output locations were the myname value is being displayed during sharing.

The sz software developer team resolved the vulnerability 2018-12-12 and discovered the version 7.9 as stable release.

Public Patched v7.9: http://www.the-sz.com/common/get.php?product=netchat


Risk:
=====
The security risk of the persistent cross site scripting web vulnerability in the netchat software is estimated as medium.
The risk impact is as well medium because of users are able to access with one click the web-server of an attacker by enable.


Credits:
========
Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or 
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™