
EasyIO 30P Authentication Bypass / Cross Site Scripting

Date: 09 Apr 2019
Reported by: Daniel Ricardo dos Santos
Type: packetstorm
Source: packetstormsecurity.com

EasyIO 30P Authentication Bypass / Cross Site Scripting CVE-2018-15820 and CVE-2018-1581

`INFORMATION  
  
Product: EasyIO 30P (http://www.easyio.com)  
Affected versions: < 2.0.5.27 (tested on version 2.0.5.16)  
CVE IDs: CVE-2018-15820 (Stored XSS) and CVE-2018-15819 (Authentication bypass)  
Remote-exploit: yes  
  
TIMELINE  
  
Vendor notification: 3rd August, 2018  
Vendor acknowledgment: 22nd August, 2018  
Patch available: 8th October, 2018  
Public disclosure: 7th April, 2019  
  
INTRODUCTION  
  
The EasyIO-30P controllers are rugged, network centric, multi-protocols Input  
/ Output controllers to accommodate general and specific applications, featuring  
Bacnet IP, Bacnet Ethernet, Bacnet MSTP, Modbus Serial (RS485) and Modbus TCP/IP  
protocols. It also has a built-in web server for easy configuration.  
(Description from: https://www.easyio.eu/products/bms-controllers/easyio-30p-bms-controller/)  
  
The two vulnerabilities described below affect the web application that runs in  
the controllers and that is used to manage them.  
  
VULNERABILITIES DESCRIPTION  
  
The XSS vulnerability (CVE-2018-15820) allows an attacker to inject malicious  
scripts into the trusted web interface running on a vulnerable device. The  
scripts may be executed by the browser of an unsuspecting device administrator  
to access session tokens or other sensitive information, as well as to perform  
malicious actions on behalf of the user (e.g., internal network discovery and  
traffic tunneling using BeEF).  
  
Stored XSS PoC (show alert dialog):  
POST http://<device_address>/EASYIO30P-<session_token>/dev.htm  
GDN=...'onMouseOver='alert(1);&GDG=Group&GDL=Location  
  
The authentication bypass vulnerability (CVE-2018-15819) allows an attacker to  
execute privileged requests in the vulnerable application without possessing  
valid credentials, by manipulating the session token sent in a request. Any  
string of the same size as a valid token is accepted. The attacker can use this  
vulnerability to steal the credential information of application users,  
including plaintext passwords (see the proof-of-concept below).  
  
Authentication bypass PoC (access the file containing plaintext passwords):  
http://<device_address>/EASYIO30P-123456789012345678901234567890123456789012345678/webuser.js  
  
SOLUTION  
  
Update to version 2.0.5.27  
`
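
The authentication bypass above comes down to checking a token's size instead of whether the server ever issued it. As an added example (not code from the advisory or from the vendor's firmware), the Python below models that length-only check next to a server-side session store that rejects the PoC path. The 48-character token length is taken from the PoC URL; the names `weak_is_authorized` and `SessionStore` and the 15-minute lifetime are assumptions.

```python
import re
import secrets
import time

TOKEN_LEN = 48  # size of the token string in the advisory's PoC URL
PATH_RE = re.compile(r"^/EASYIO30P-([^/]+)/(.+)$")

# Constructed sample input: the path portion of the advisory's bypass PoC.
FORGED_PATH = "/EASYIO30P-" + "1234567890" * 4 + "12345678" + "/webuser.js"


def weak_is_authorized(path):
    """Model of the flaw as described: any token of the right size passes."""
    m = PATH_RE.match(path)
    return bool(m) and len(m.group(1)) == TOKEN_LEN


class SessionStore:
    """Hardened check: a token must have been issued here and still be live."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed session lifetime
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # token -> expiry time

    def issue(self):
        # 24 random bytes from the OS CSPRNG, rendered as 48 hex characters.
        token = secrets.token_hex(TOKEN_LEN // 2)
        self._sessions[token] = self._clock() + self._ttl
        return token

    def is_authorized(self, path):
        m = PATH_RE.match(path)
        if not m:
            return False
        token = m.group(1)
        expiry = self._sessions.get(token)
        if expiry is None:
            return False             # well-formed but never issued
        if self._clock() >= expiry:
            del self._sessions[token]  # drop expired sessions
            return False
        return True


if __name__ == "__main__":
    store = SessionStore()
    print("length-only check:", weak_is_authorized(FORGED_PATH))
    print("session store    :", store.is_authorized(FORGED_PATH))
```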
