37 lines
No EOL
1.6 KiB
Text
37 lines
No EOL
1.6 KiB
Text
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
|
||
# Date: 2020-08-31
|
||
# Exploit Author: Jonatan Schor and Uriel Yochpaz
|
||
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
|
||
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
|
||
# Tested on: RAD SecFlow-1v
|
||
# CVE : N/A
|
||
|
||
A Stored-XSS vulnerability was found in multiple pages in the web-based
|
||
management interface of RAD SecFlow-1v.
|
||
An attacker could exploit this vulnerability by uploading a malicious file
|
||
as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
|
||
the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
|
||
These files content is presented to users while executing malicious stored
|
||
JavaScript code.
|
||
This could be exploited in conjunction with CVE-2020-13259
|
||
|
||
# Proof of Concept
|
||
Upload a file containing the following JS code:
|
||
<img src=x onerror=alert(1)>
|
||
Refresh the page and observe the malicious JS code execute every time you
|
||
browse the compromised page.
|
||
|
||
# Full Account Takeover
|
||
As mentioned above, this exploit could be used in conjunction with
|
||
CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
|
||
to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
|
||
For further information and full PoC:
|
||
https://github.com/UrielYochpaz/CVE-2020-13259
|
||
|
||
# Timeline
|
||
May 19th, 2020 - Vulnerability exposed.
|
||
May 19th, 2020 – Vulnerability reported to RAD.
|
||
May 21th, 2020 – Vulnerability reported to MITRE.
|
||
May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
|
||
May 22th, 2020 – Contacted RAD for further details and cooperation.
|
||
Aug 25th, 2020 – RAD patched the vulnerability. |