bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/51237.txt
Exploit-DB d46ab98863 DB: 2023-04-06 
32 changes to exploits/shellcodes/ghdb

Answerdev 1.0.3 - Account Takeover

D-Link DIR-846 - Remote Command Execution (RCE) vulnerability

Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure

SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

ERPNext 12.29 - Cross-Site Scripting (XSS)

Liferay Portal 6.2.5 - Insecure Permissions

GNU screen v4.9.0 - Privilege Escalation

Apache Tomcat 10.1 - Denial Of Service

PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

BTCPay Server v1.7.4 - HTML Injection.

Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)

Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

ImageMagick 7.1.0-49 - DoS

bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

Control Web Panel 7 (CWP7) v0.9.8.1147 -  Remote Code Execution (RCE)

Froxlor 2.0.3 Stable - Remote Code Execution (RCE)

ImageMagick 7.1.0-49 - Arbitrary File Read

itech TrainSmart r1044 - SQL injection

Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)

PhotoShow 3.0 - Remote Code Execution

projectSend r1605 - Remote Code Exectution RCE

Responsive FileManager 9.9.5 - Remote Code Execution (RCE)

zstore 6.6.0 - Cross-Site Scripting (XSS)

Binwalk v2.3.2 - Remote Command Execution (RCE)

XWorm Trojan 2.1 - Null Pointer Derefernce DoS

Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)

Linux/x86_64 - bash Shellcode with xor encoding
2023-04-06 00:16:31 +00:00

189 lines
No EOL
7.2 KiB
Text
Raw Blame History

Exploit Title: Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other versions
Fixed Versions: 10.2.17, 11.2.6, 12.0.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002
Advisory Status: published
CVE: CVE-2023-0214
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214
Introduction
============
"Skyhigh Security Secure Web Gateway (SWG) is the intelligent,
cloud-native web security solution that connects and secures your
workforce from malicious websites and cloud apps—from anywhere, any
application, and any device."
(from the vendor's homepage)
More Details
============
The Secure Web Gateway's (SWG) block page, which is displayed when a
request or response is blocked by a rule, can contain static files such
as images, stylesheets or JavaScript code. These files are embedded
using special URL paths. Consider the following excerpt of a block page:
------------------------------------------------------------------------
<html>
<!-- FileName: index.html
Language: [en]
-->
<!--Head-->
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>McAfee Web Gateway - Notification</title>
<script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
<link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" />
</head>
------------------------------------------------------------------------
Static content is loaded from URL paths prefixed with
"/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this
prefix are intercepted and directly handled by the SWG no matter on
which domain they are accessed. While the prefix can be configured in
the SWG, attackers can also obtain it using another currently
undisclosed vulnerability.
By reverse engineering the file "libSsos.so" and analysing JavaScript
code, it was possible to derive the API of the "Ssos" plugin's
"SetLoginToken" action. Through the following call using the
command-line HTTP client curl, the behaviour of the plugin was further
analysed:
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'
HTTP/1.0 200 OK
P3P: p
Connection: Keep-Alive
Set-Cookie: MwgSso=v; Path=/; Max-Age=240;
Content-Type: application/javascript
Content-Length: 2
X-Frame-Options: deny
c;
------------------------------------------------------------------------
The response embeds the values of the three URL parameters "v", "c" and
"p". The value for "p" is embedded as value of the "P3P" header, the
value of "c" as the response body and the value of "v" as the value
of the cookie "MwgSso".
It is also possible to include newline or carriage return characters in
the parameter value which are not encoded in the output. Consequently,
if the value of the parameter "p" contains a line break, arbitrary
headers can be injected. If two line breaks follow, an arbitrary body
can be injected. If a suitable "Content-Length" header is injected, the
remaining headers and body of the original response will be ignored by
the browser. This means that apart from the initial "P3P" header, an
arbitrary response can be generated. For example, a page containing
JavaScript code could be returned, resulting in a cross-site scripting
attack.
Consequently, attackers can construct URL paths that can be appended to
any domain and cause an arbitrary response to be returned if the URL is
accessed through the SWG. This could be exploited by distributing such
URLs or even by offering a website which performs an automatic redirect
to any other website using such a URL. As a result, the SWG exposes its
users to self-induced cross-site scripting vulnerabilities in any
website.
Proof of Concept
================
In the following request, the "p" parameter is used to inject suitable
"Content-Type" and "Content-Length" headers, as well as an arbitrary
HTML response body.
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'
HTTP/1.0 200 OK
P3P: p
Content-Type: text/html
Content-Length: 27
<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------
As mentioned above, the HTTP response body could also include JavaScript
code designed to interact with the domain specified in the URL resulting
in a cross-site scripting vulnerability.
Workaround
==========
None.
Fix
===
According to the vendor, the vulnerability is mitigated in versions
10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not
verified by RedTeam Pentesting GmbH. The vendor's security bulletin can
be found at the following URL:
https://kcm.trellix.com/corporate/index?page=content&id=SB10393
Security Risk
=============
The vulnerability could be used to perform cross-site scripting attacks
against users of the SWG in context of any domain. Attackers only need
to convince users to open a prepared URL or visit an attacker's website
that could perform an automatic redirect to an exploit URL. This exposes
any website visited through the SWG to the various risks and
consequences of a cross-site scripting vulnerability such as account
takeover. As a result, this vulnerability poses a high risk.
Timeline
========
2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and
12.0.1.
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Reference in a new issue View git blame Copy permalink