TALOS-2022-1469

InHand Networks InRouter302 info.jsp cross-site scripting (XSS) vulnerability

2022-05-10 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 4.3 Medium, vector AV:N/AC:M/Au:N/C:N/I:P/A:N
  Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE

CVSS3: 6.1 Medium, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: NONE

EPSS: 0.005 Low (percentile 76.1%)

Summary

A cross-site scripting (XSS) vulnerability exists in the info.jsp functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

InHand Networks InRouter302 V3.5.4

Product URLs

InRouter302 - <https://www.inhandnetworks.com/products/inrouter300.html>

CVSSv3 Score

5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Details

The InRouter302 is an industrial LTE router. It features remote management functionality and several security protection mechanisms, such as VPN technologies, firewall functionality, authorization management and other features.

The InRouter302's web server allows the user to choose between two languages, Chinese and English. The language affects the web interface, among other things. To support this, the device uses two JavaScript files, one per language. To load values dynamically according to the selected language, the web server uses the resmsg_set function:

void resmsg_set(char* resource_name)
{
  // store the resource name in the _resmsg CGI variable for the page to read
  webcgi_set("_resmsg", resource_name);
  return;
}

Several of the web server's APIs follow this pattern: 1) call resmsg_set, which sets the _resmsg CGI variable; 2) parse and include the info.jsp web page. The info.jsp page is shown below:

<% pagehead(infomsg.info) %>                                          [1]
<body>
    <form>
        <p>
        <script type='text/javascript'>
        <% resmsg() %>                                                [2]
        document.write(eval(resmsg));                                 [3]
        </script>
        </p>
        <script type='text/javascript'>
        document.write("<input type='button' value='" + ui.bk + "' onclick='history.go(-1)' style='font:12px sans-serif;width:80px;margin-left:10px'>");
        </script>
    </form>
</body>
</html>

Text between <% and %> is resolved dynamically by the web server. For instance, at [1] the web server loads the resources required for the web page, among them the language resource. At [2], <% resmsg() %> is replaced with the string \nresmsg='<_resmsg>';\n, where <_resmsg> is the value of the first parameter passed to resmsg_set. At [3], resmsg is then passed to an eval function.

The problem is that access to info.jsp is not restricted: requesting /info.jsp?_resmsg=<X> loads the info.jsp page and evaluates the <X> value. An attacker can exploit this to perform XSS attacks.
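As an added illustration (not code from the advisory or from InHand), the Python model below contrasts the rendering the advisory describes, where the _resmsg value is copied into a script block and handed to eval, with a hardened rendering that resolves the resource name on the server against a fixed table and emits the localized text only as a JSON-encoded literal assigned to textContent. The resource table, the resource names and the render_* functions are assumptions made for this example.

```python
import json
import re

# Constructed stand-in for the device's per-language resource files (the real
# InRouter302 resource names and strings are not known here; these are assumptions).
RESOURCES = {
    "en": {"infomsg.info": "Information", "infomsg.saved": "Settings saved"},
    "zh": {"infomsg.info": "信息", "infomsg.saved": "设置已保存"},
}

# Shape of a legitimate resource name: a dotted identifier such as infomsg.info.
RESOURCE_NAME = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")


class InvalidResource(ValueError):
    """Raised when _resmsg is not a known resource name."""


def render_vulnerable(resmsg: str) -> str:
    """Model of the info.jsp fragment the advisory shows: whatever arrives in
    _resmsg is written into a <script> block and evaluated by the browser."""
    return (
        "<script type='text/javascript'>\n"
        f"resmsg='{resmsg}';\n"
        "document.write(eval(resmsg));\n"
        "</script>"
    )


def render_hardened(resmsg: str, lang: str = "en") -> str:
    """Resolve the resource on the server and emit only a string literal.

    The request may still name any resource it likes, but the value never
    reaches eval(): the name is validated, looked up in a fixed table, and the
    resulting text is placed into the page as data via textContent.
    """
    if not RESOURCE_NAME.fullmatch(resmsg):
        raise InvalidResource(f"malformed resource name: {resmsg!r}")
    table = RESOURCES.get(lang)
    if table is None or resmsg not in table:
        # A syntactically valid name such as document.cookie is rejected here:
        # the format check alone would let it through.
        raise InvalidResource(f"unknown resource name: {resmsg!r}")
    # json.dumps yields a valid JS string literal; ensure_ascii (the default)
    # escapes non-ASCII text, and replacing '<' keeps the literal from ever
    # closing the surrounding <script> element.
    literal = json.dumps(table[resmsg]).replace("<", "\\u003c")
    return (
        "<p id='resmsg'></p>\n"
        "<script type='text/javascript'>\n"
        f"document.getElementById('resmsg').textContent = {literal};\n"
        "</script>"
    )


if __name__ == "__main__":
    print(render_vulnerable("document.cookie"))  # request text ends up inside eval()
    print(render_hardened("infomsg.saved"))      # fixed literal, no eval()
```

The point of the two-step check in render_hardened is that a format rule is not enough: document.cookie is a perfectly well-formed dotted identifier, so only the lookup against the table of resources the server actually owns rejects it.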

Exploit Proof of Concept

By sending the following HTTP request:

GET /info.jsp?_resmsg=document.cookie HTTP/1.1
Host: 192.168.2.1
Cookie: web_session=5ab46261

The web server reply would be:

[...]
    <p>
    <script type='text/javascript'>
    resmsg='document.cookie';
    document.write(eval(resmsg));
    </script>
    </p>
[...]

When a browser renders this response, it evaluates document.cookie and writes the result into the HTML DOM.
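The request in the proof of concept leaves a recognisable trace in the web server's access log. As an added example that is not part of the advisory, the Python below scans constructed Apache-style log lines for requests to /info.jsp whose _resmsg parameter is not one of the resource names the device's own pages are expected to pass; the KNOWN_RESOURCES allowlist and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Resource names info.jsp is legitimately asked to display. This allowlist is an
# assumption: the real set is whatever names the device's own pages pass to resmsg_set.
KNOWN_RESOURCES = {"infomsg.info", "infomsg.saved", "infomsg.reboot"}

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: the second mirrors the advisory's proof-of-concept
# request, the fourth carries the same value percent-encoded.
SAMPLE_LOG = [
    '192.168.2.20 - - [10/May/2022:09:12:01 +0000] "GET /info.jsp?_resmsg=infomsg.saved HTTP/1.1" 200 412',
    '192.168.2.50 - - [10/May/2022:09:12:07 +0000] "GET /info.jsp?_resmsg=document.cookie HTTP/1.1" 200 431',
    '192.168.2.20 - - [10/May/2022:09:12:09 +0000] "GET /index.jsp HTTP/1.1" 200 3120',
    '10.0.0.7 - - [10/May/2022:09:13:44 +0000] "GET /info.jsp?_resmsg=document%2Ecookie HTTP/1.1" 200 431',
    'garbage line that does not parse',
]


def resmsg_values(target: str) -> list:
    """Return every decoded _resmsg value in a request target, or [] if the
    request is not for /info.jsp."""
    url = urlsplit(target)
    if url.path != "/info.jsp":
        return []
    # parse_qs percent-decodes, so document%2Ecookie and document.cookie compare equal.
    return parse_qs(url.query, keep_blank_values=True).get("_resmsg", [])


def flag_unexpected_resmsg(lines) -> list:
    """Return (client, timestamp, value) for info.jsp requests whose _resmsg is
    not a known resource name. Allowlisting the expected names avoids having to
    enumerate script payloads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        for value in resmsg_values(m["target"]):
            if value not in KNOWN_RESOURCES:
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for client, ts, value in flag_unexpected_resmsg(SAMPLE_LOG):
        print(f"{ts} {client} requested /info.jsp with unexpected _resmsg={value!r}")
```

Matching on the decoded value rather than the raw query string is what makes the percent-encoded variant land in the same bucket as the plain one; a rule that greps the raw log for the literal string would miss it.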

Vendor Response

The vendor has updated their website and uploaded the latest firmware on it.
https://inhandnetworks.com/product-security-advisories.html
https://www.inhandnetworks.com/products/inrouter300.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

Timeline

2022-03-02 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release
