what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

BeyondTrust Remote Support 6.0 Cross Site Scripting

BeyondTrust Remote Support 6.0 Cross Site Scripting
Posted Jan 3, 2022
Authored by Malcrove

BeyondTrust Remote Support versions 6.0 and below suffer from a cross site scripting vulnerability.

tags | exploit, remote, xss
advisories | CVE-2021-31589
SHA-256 | c974011f5f45022352dcdbc5bd9c817581fc98bdbc3b7b45a41e107214bb693a

BeyondTrust Remote Support 6.0 Cross Site Scripting

Change Mirror Download
# Exploit Title: BeyondTrust Remote Support - Reflected Cross-Site Scripting (XSS)  (Unauthenticated)
# Google Dork: intext:"BeyondTrust" "Redistribution Prohibited"
# Date: 30/12/2021
# Exploit Author: Malcrove
# Vendor Homepage: https://www.beyondtrust.com/
# Version: v6.0 and earlier versions
# CVE: CVE-2021-31589

Summary:

Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.


Vulnerability Details:

Affected Endpoint: /appliance/login
Affected Parameter: login[password]
Request Method: GET or POST


Proof of concept (POC):

By navigating to the below link from a modern web browser, alert(document.domain) Javascript method would be fired in the same context of Beyondtrust Remote Support domain.

http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password


Mitigation:

A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version.

- Time-Line:

April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust)
April 8, 2021: Recevied an initial reply from the vendor
Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1
Dec 30, 2021: The Responsible public disclosure


- Credits
Ahmed Aboul-Ela (Malcrove)



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close