RAD SecFlow-1v SF_0290_2.3.01.26 – Persistent Cross-Site Scripting

• Exploit Database
• 29 阅读

• 作者： Jonatan Schor
  日期： 2020-09-14
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/48807/

• # Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
  # Date: 2020-08-31
  # Exploit Author: Jonatan Schor and Uriel Yochpaz
  # Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
  # Version: SecFlow-1v os-image SF_0290_2.3.01.26
  # Tested on: RAD SecFlow-1v
  # CVE : N/A
  
  A Stored-XSS vulnerability was found in multiple pages in the web-based
  management interface of RAD SecFlow-1v.
  An attacker could exploit this vulnerability by uploading a malicious file
  as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
  the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
  These files content is presented to users while executing malicious stored
  JavaScript code.
  This could be exploited in conjunction with CVE-2020-13259
  
  # Proof of Concept
  Upload a file containing the following JS code:
  <img src=x onerror=alert(1)>
  Refresh the page and observe the malicious JS code execute every time you
  browse the compromised page.
  
  # Full Account Takeover
  As mentioned above, this exploit could be used in conjunction with
  CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
  to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
  For further information and full PoC:
  https://github.com/UrielYochpaz/CVE-2020-13259
  
  # Timeline
  May 19th, 2020 - Vulnerability exposed.
  May 19th, 2020 – Vulnerability reported to RAD.
  May 21th, 2020 – Vulnerability reported to MITRE.
  May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
  May 22th, 2020 – Contacted RAD for further details and cooperation.
  Aug 25th, 2020 – RAD patched the vulnerability.