Full Disclosure mailing list archives
Stored XSS in Viprinet VPN Hub Router
From: Denis Kolegov <d.n.kolegov () gmail com>
Date: Fri, 19 Oct 2018 12:22:04 +0700
SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router. Overview: Input validation and output escaping mechanisms are missing for CLI interface. Stored XSS is possible. By exploiting that vulnerability an attacker can obtain sensitive information (e.g., private key) or modify a remote router’s SSL certificate fingerprint employed in VPN tunneling. Vulnerability Description: There are two management interfaces in the Viprinet system. One of them is a CLI which is available via 127.0.0.1:5111. And the second one is a Web interface. There is an access control mechanism which allows to add an user and give him a privilege to write or read to some sections of the app (sections like: ADMINRIGHTS, QOSTEMPLATES, etc.). Steps to Reproduce: 1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES. 2. The user should have access to the CLI and Web Interface. 3. Add a new ITEM in the TRAFFICRULES section. 4. Using CLI, the added user with minimal privileges could set Name for created ITEM to <svg/onload=alert(ViprinetSessionId)> 5. If the root user logs in, an alert window with sessionID will be shown. It should be noted, that passing a session ID in URL as a mitigation technique (actively used by Viprinet) does not work here. The same report was sent to Viprinet in September 2018. Regards. SD-WAN New Hope Team. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Stored XSS in Viprinet VPN Hub Router Denis Kolegov (Oct 19)