lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 19 Oct 2018 12:22:04 +0700
From: Denis Kolegov <d.n.kolegov@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS in Viprinet VPN Hub Router

SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.

Overview:
Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote router’s SSL certificate fingerprint employed in VPN tunneling.

Vulnerability Description:
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via 127.0.0.1:5111. And the second one is a Web
interface.
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections
like: ADMINRIGHTS, QOSTEMPLATES, etc.).

Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to  <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.

It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.

The same report was sent to Viprinet in September 2018.

Regards.
SD-WAN New Hope Team.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists