Stored XSS in Viprinet VPN Hub Router

[Denis Kolegov <d.n.kolegov () gmail com>]

SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.

Overview:
Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote router’s SSL certificate fingerprint employed in VPN tunneling.

Vulnerability Description:
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via 127.0.0.1:5111. And the second one is a Web
interface.
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections
like: ADMINRIGHTS, QOSTEMPLATES, etc.).

Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to  <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.

It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.

The same report was sent to Viprinet in September 2018.

Regards.
SD-WAN New Hope Team.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/