exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OX Guard 2.10.3 Cross Site Scripting / Server-Side Request Forgery

OX Guard 2.10.3 Cross Site Scripting / Server-Side Request Forgery
Posted Jun 12, 2020
Authored by Martin Heiland

OX Guard version 2.10.3 suffers from server-side request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2020-9426, CVE-2020-9427
SHA-256 | 893145b9db604b7ed2accebb80ae3b758c5c402c2edddeae5cf393b911b11fb3

OX Guard 2.10.3 Cross Site Scripting / Server-Side Request Forgery

Change Mirror Download
Product: OX Guard
Vendor: OX Software GmbH



Internal reference: GUARD-179
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-04
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9426
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Comments within forged malicious public-keys could contain HTML and Javascript that was not properly sanitized before displaying at Guard settings. Through autocrypt and other mechanisms such keys could get imported without noticing their malicious content.

Risk:
Users can trigger API calls that invoke local URLs, if a host can be accessed a different error will be returned compared to unavailable hosts. This can be used to discover an internal network topology and services.

Steps to reproduce:
1. Create a PGP keypair
2. Use HTML and JS as part of the public keys comment section
3. Distribute this key through mail attachments, autocrypt or HKP

Solution:
We improved our sanitizing and ensure that external content such as comments are handled safely.



---



Internal reference: GUARD-182
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-11
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9427
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
HKP/HKPS key discovery mechanisms are based on DNS service records. Those are probed to look up unknown public-keys but were insufficiently checked for sensitive resource locations.

Risk:
In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration this can be used to determine if a specific port at a internal system is open or not, leading to basic network discovery capabilities for the attacker.

Steps to reproduce:
1. Setup a malicious domain with HKP/HKPS service records, point them to a malicious HKP responder
2. At the malicious HKP responder, issue HTTP redirects targetting internal hosts like 127.0.0.1

Solution:
We now run HKP responses through existing blacklist mechanisms to avoid accessing internal network resources.



---



Internal reference: GUARD-183
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 2.10.3
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.2-rev9, 2.10.3-rev4
Vendor notification: 2020-02-11
Solution date: 2020-03-06
Public disclosure: 2020-06-12
CVE reference: CVE-2020-9427
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
WKS/Webkey services discovery mechanisms are based on DNS service records. Those are probed to look up unknown public-keys but were insufficiently checked for sensitive resource locations.

Risk:
In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration this can be used to determine if a specific port at a internal system is open or not, leading to basic network discovery capabilities for the attacker. Mind that this attack gets mitigated when using DNSSEC, but depending on configuration this might get bypassed or not used.

Steps to reproduce:
1. Setup a malicious domain with WKS/Webkey service records, point them to a malicious WKS responder
2. At the malicious WKS responder, issue HTTP redirects targetting internal hosts like 127.0.0.1

Solution:
We now run WKS responses through existing blacklist mechanisms to avoid accessing internal network resources.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close