Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities

2016-07-26T00:00:00
ID ZSL-2016-5345
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-07-26T00:00:00

Description

Title: Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities
Advisory ID: ZSL-2016-5345
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.07.2016

Summary

The ICU 7000-2 is an optional component used when the client requires iris template data to be matched on the secure side of the door. When using ICU no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal operation can continue if the there is an interruption in communication with the host computer. In such circumstances, the ICU retains the records of portal activity, then automatically updates the host upon resumption of host communication. Every ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users.

Description

The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the 'HidChannelID' and 'HidVerForPHP' POST parameters in the 'SetSmarcardSettings.php' script. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Vendor

Iris ID, Inc. - <http://www.irisid.com>

Affected Version

ICU Software: 1.00.08
ICU OS: 1.3.8
ICU File system: 1.3.8
EIF Firmware [Channel 1]: 1.9
EIF Firmware [Channel 2]: 1.9
Iris TwoPi: 1.4.5

Tested On

GNU/Linux 3.0.51 (armv7l)
mylighttpd v1.0
PHP/5.5.13

Vendor Status

[06.05.2016] Vulnerability discovered.
[09.05.2016] Vendor contacted.
[12.06.2016] Vendor contacted again.
[26.07.2016] No response from the vendor.
[27.07.2016] Public security advisory released.

PoC

irisid_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40165/>
[2] <https://cxsecurity.com/issue/WLB-2016070203>
[3] <https://packetstormsecurity.com/files/138075>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/115504>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/115505>

Changelog

[26.07.2016] - Initial release
[27.07.2016] - Added reference [1], [2] and [3]
[29.07.2016] - Added reference [4] and [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;