Viprinet VPN Hub Router Cross Site Scripting

2018-10-19T00:00:00
ID PACKETSTORM:149876
Type packetstorm
Reporter Denis Kolegov
Modified 2018-10-19T00:00:00

Description

                                        
                                            `SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.  
  
Overview:  
Input validation and output escaping mechanisms are missing for CLI  
interface. Stored XSS is possible. By exploiting that vulnerability an  
attacker can obtain sensitive information (e.g., private key) or modify a  
remote routeras SSL certificate fingerprint employed in VPN tunneling.  
  
Vulnerability Description:  
There are two management interfaces in the Viprinet system. One of them is  
a CLI which is available via 127.0.0.1:5111. And the second one is a Web  
interface.  
There is an access control mechanism which allows to add an user and give  
him a privilege to write or read to some sections of the app (sections  
like: ADMINRIGHTS, QOSTEMPLATES, etc.).  
  
Steps to Reproduce:  
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.  
2. The user should have access to the CLI and Web Interface.  
3. Add a new ITEM in the TRAFFICRULES section.  
4. Using CLI, the added user with minimal privileges could set Name for  
created ITEM to <svg/onload=alert(ViprinetSessionId)>  
5. If the root user logs in, an alert window with sessionID will be shown.  
  
It should be noted, that passing a session ID in URL as a mitigation  
technique (actively used by Viprinet) does not work here.  
  
The same report was sent to Viprinet in September 2018.  
  
Regards.  
SD-WAN New Hope Team.  
  
  
`