exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EasyIO 30P Authentication Bypass / Cross Site Scripting

EasyIO 30P Authentication Bypass / Cross Site Scripting
Posted Apr 9, 2019
Authored by Daniel Ricardo dos Santos

EasyIO 30P versions prior to 2.0.5.27 suffer from authentication bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, bypass
advisories | CVE-2018-15819, CVE-2018-15820
SHA-256 | 7d20be37df45b54832b76feed39a817af6960fb2dbf94b5d91e826fd70dfbbee

EasyIO 30P Authentication Bypass / Cross Site Scripting

Change Mirror Download
INFORMATION

Product: EasyIO 30P (http://www.easyio.com)
Affected versions: < 2.0.5.27 (tested on version 2.0.5.16)
CVE IDs: CVE-2018-15820 (Stored XSS) and CVE-2018-15819 (Authentication bypass)
Remote-exploit: yes

TIMELINE

Vendor notification: 3rd August, 2018
Vendor acknowledgment: 22nd August, 2018
Patch available: 8th October, 2018
Public disclosure: 7th April, 2019

INTRODUCTION

The EasyIO-30P controllers are rugged, network centric, multi-protocols Input
/ Output controllers to accommodate general and specific applications, featuring
Bacnet IP, Bacnet Ethernet, Bacnet MSTP, Modbus Serial (RS485) and Modbus TCP/IP
protocols. It also has a built-in web server for easy configuration.
(Description from: https://www.easyio.eu/products/bms-controllers/easyio-30p-bms-controller/)

The two vulnerabilities described below affect the web application that runs in
the controllers and that is used to manage them.

VULNERABILITIES DESCRIPTION

The XSS vulnerability (CVE-2018-15820) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).

Stored XSS PoC (show alert dialog):
POST http://<device_address>/EASYIO30P-<session_token>/dev.htm
GDN=...'onMouseOver='alert(1);&GDG=Group&GDL=Location

The authentication bypass vulnerability (CVE-2018-15819) allows an attacker to
execute privileged requests in the vulnerable application without possessing
valid credentials, by manipulating the session token sent in a request. Any
string of the same size as a valid token is accepted. The attacker can use this
vulnerability to steal the credential information of application users,
including plaintext passwords (see the proof-of-concept below).

Authentication bypass PoC (access the file containing plaintext passwords):
http://<device_address>/EASYIO30P-123456789012345678901234567890123456789012345678/webuser.js

SOLUTION

Update to version 2.0.5.27
WARNING - CONFIDENTIAL INFORMATION:
________________________________
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.


Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close