List: full-disclosure
Subject: [FD] Cyberoam Central Console v02.03.1 - Multiple Persistent Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-04-25 10:09:30
Message-ID: 571DECDA.9080408 () vulnerability-lab ! com
Document Title:
===============
Cyberoam Central Console v02.03.1 - Multiple Persistent Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1721
Cyberoam Ticket ID: #1001314
Case ID: CCC-4208
Release Date:
=============
2016-04-18
Vulnerability Laboratory ID (VL-ID):
====================================
1721
Common Vulnerability Scoring System:
====================================
3.4
Product & Service Introduction:
===============================
The Cyberoam Central Console (CCC) appliances enable Enterprises and MSSPs to centrally manage Cyberoam network security appliances deployed across branch offices or customer offices. Providing flexibility of hardware and virtual platforms, CCC appliances simplify centralized security management, reduce administrative overhead and aid compliance reporting for distributed enterprises and MSSPs as required for their growing networks.
(Copy of the Vendor Homepage: http://www.cyberoam.com/ccc.html )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple application-side validation vulnerabilities in the official Cyberoam Central Console v02.03.1 appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2016-04-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sophos
Product: Cyberoam Central Console 02.03.1 - CCC15NM 30, CCC50NM 100, CCC100NM 200, CCC200NM 40
Sophos
Product: Cyberoam Central Console 02.03.1 Virtual CCC - CCCV15, CCCV50, CCCV100, CCCV200, CCCV
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official Cyberoam Central Console v02.03.1 appliance web-application. The security issue allows remote attackers to inject their own malicious script code on the application-side of the vulnerable service module.
The vulnerability is located in the `header` and `footer` input fields of the `Policy Configuration - System - configuration - Captive Portal - General Settings` module. Remote attackers and low privileged or restricted web-application user accounts are able to inject their own malicious script code into the main functionality code of the `Captive Portal` login page. The data of the POST method request in the body of the message text executes without secure encoding or a restriction on input in the web-application appliance. The persistent execution of the script code occurs in [Page Title, Login page Header, Login page Footer], which the appliance shows directly to users.
The security risk of the application-side cross site vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Policy Configuration - System - configuration - Captive Portal
Vulnerable File(s):
[+] WebClientPortalPreview.html
Vulnerable Inputs(s):
[+] Page Title
[+] Login page Header
[+] Login page footer
Vulnerable Parameter(s):
[+] header
[+] footer
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a low privileged application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1. Open the Cyberoam Central Console appliance web-application login page
2. Login to the appliance
3. Open the following module ... Policy Configuration > System > configuration > Captive Portal > General Settings
Note: The vulnerable inputs are Page Title, Login page Header and the Login page Footer
4. Now inject your script code payload into the regular input fields to test the validation procedure
PoC: Payload ... "><iframe src=http://vulnerability-lab.com onload=alert(document.cookie) <
5. After the injection open the following document to execute the payload with the application-side attack vector > [WebClientPortalPreview.html]
6. Successful reproduction of the application-side web vulnerability!
PoC: WebClientPortalPreview.html
<table cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td id="loginpagemessage" align="center" height="50px;" valign="middle">"><img src="X" onerror="alert("XSS");"></td></tr>
</tbody></table>
...
<table cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td id="loginpagefooter" align="center" height="50px;" valign="middle">"><img src="X" onerror="alert("XSS");"></td></tr>
</tbody></table>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable title, header and footer input fields. Restrict the input, disallow special characters, and escape the values for their output context. Also encode the output listing in the preview file (WebClientPortalPreview.html) of the web-application to prevent attacks.
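As an added illustration (not the vendor's code and not part of the original advisory), the following Python contrasts the unencoded rendering pattern with the output-encoded and input-restricted form the fix describes, using the table cell markup and the payload quoted in the PoC above. The template string, the function names and the plain-text character whitelist are assumptions made for the example.

```python
import html
import re

# Constructed stand-in for the captive-portal preview fragment quoted in the
# advisory (the <td id="loginpagemessage"> / <td id="loginpagefooter"> cells).
# This is not the vendor's template.
TEMPLATE = (
    '<table cellpadding="0" cellspacing="0" width="100%">'
    '<tbody><tr><td id="{cell_id}" align="center" height="50px;" valign="middle">'
    '{value}</td></tr></tbody></table>'
)

# Stored field value as it appears in the advisory's PoC output.
POC_VALUE = '"><img src="X" onerror="alert("XSS");">'


def render_unsafe(cell_id: str, value: str) -> str:
    """Vulnerable pattern: the stored header/footer value is interpolated verbatim."""
    return TEMPLATE.format(cell_id=cell_id, value=value)


def render_safe(cell_id: str, value: str) -> str:
    """Hardened pattern: HTML-encode for the element-content context
    (&, <, >, " and ') before interpolation, so markup in the value is inert."""
    return TEMPLATE.format(cell_id=cell_id, value=html.escape(value, quote=True))


# Input-side restriction from the advisory's fix (assumed whitelist): plain text only.
ALLOWED = re.compile(r"^[\w .,:;!?()'\-]{0,200}$")


def accept_input(value: str) -> bool:
    """Reject header/footer values containing anything outside the plain-text set."""
    return ALLOWED.fullmatch(value) is not None


_TAG = re.compile(r"<\s*(img|iframe|script)\b", re.IGNORECASE)


def injects_markup(rendered: str, cell_id: str) -> bool:
    """Detection helper: does the content of the named cell contain an extra tag?"""
    m = re.search(r'<td id="%s"[^>]*>(.*?)</td>' % re.escape(cell_id), rendered, re.DOTALL)
    inner = m.group(1) if m else ""
    return _TAG.search(inner) is not None


if __name__ == "__main__":
    for cid in ("loginpagemessage", "loginpagefooter"):
        print(cid, "unsafe injects tag:", injects_markup(render_unsafe(cid, POC_VALUE), cid))
        print(cid, "safe injects tag:  ", injects_markup(render_safe(cid, POC_VALUE), cid))
    print("input accepted:", accept_input(POC_VALUE))
```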
Security Risk:
==============
The security risk of the application-side input validation web vulnerabilities in the official Cyberoam Central Console application is estimated as medium. (CVSS 3.4)
Credits & Authors:
==================
Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/