Endian UTM Firewall Cross-Site Request Forgery and HTML Injection Vulnerability

Release date: 2012-03-01
Updated on:

Affected Systems:
Endian Endian Firewall Community 2.x
Endian UTM Software Appliance 2.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52263

Endian Firewall provides open-source GNU/Linux releases for routing/Firewall and unified Threat Management.

Endian UTM Software Appliance and Endian Firewall Community have multiple vulnerabilities in implementation. They are input to gi-bin/proxyconfig through the "PROXY_PORT", "VISIBLE_HOSTNAME", and "ADMIN_MAIL_ADDRESS" parameters. when cgi is not properly filtered, HTML and script code can be executed in the affected site user's browser.

<* Source: Benjamin Kunz Mejri
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Benjamin Kunz Mejri () provides the following test methods:

Proof of Concept:
========================
The vulnerabilities can be exploited by remote attackers with high required user inter action or local low privileged user accounts.
For demonstration or reproduce...

1.1
Example Code Review: Input Validation Vulnerabilities (Persistent Inject)

Server: demo.endian.com/
Path:/cgi-bin/
File: proxyconfig. cgi

<Div id = "page-content-box"> <div id = "notification-view" class = "spinner" style = "display: none"> </div>
<Div id = "module-content">
<Script type = "text/javascript">
$ (Document). ready (function (){
/* Enable visualization of service configurations */
Display_configurications (["squid", "dansguardian", "havp", "sarg"], {"startMessage": "Proxy settings are being
Applied. Please hold... "," updateContent ":". service-switch-form "," type ":" observe "," endMessage ":" Proxy settings have been
Applied successfully. "," interval ":" 500 "});
})
</Script>
<Div class = "error-fancy" style = "width: 504px;">
<Div class = "content">
<Table cellpadding = "0" cellspacing = "0" border = "0">
<Tr>

<Td class = "sign" valign = "middle"> </td>
<Td class = "text" valign = "middle"> ">" <iframe src = http://vulnerability-lab.com width = 600 height = 600> @ aollamer.de"
At "Email used for notification (cache admin)" is not valid! (Or? @ Rem0ve) <br/> </td>
</Tr>
</Table>
</Div>

Reference (s ):
Https://www.example.com/cgi-bin/proxyconfig.cgi
Https://www.example.com/cgi-bin/hosts.cgi
Https://www.example.com/cgi-bin/dhcp.cgi

 

1.2
Example Code Review: Cross Site Request Forgery Vulnerabilities (Non-Persistent)

Server: demo.endian.com/
Path:/cgi-bin/
File: hotspot-changepw.cgi or changepw. cgi

<Form action = "/cgi-bin/changepw. cgi" method = "post">
<Div class = "section first multi-column">
<Input type = 'siden' name = 'Action _ root' value = 'save'/>
<Div class = "title">

<Div class = "fields-row">
<Span class = "multi-field">
<Label id = "username_field" for = "username"> Password * </label>

<Input type = "password" name = "ROOT_PASSWORD1" SIZE = "5"/> </span>

... Or

<Form enctype = 'multipart/form-data' method = 'post' action = '/cgi-bin/hotspot-changepw.cgi'>
<Input type = 'did' name = 'Action _ hot spot 'value = 'save'/>
<Table width = '000000'>

<Tr>
<Td width = '000000' class = 'base'> Password: </td>
<Td width = '000000'> <input type = 'Password' name = 'hot spot _ PASSWORD1 '/> </td>
<Td width = '000000' class = 'base'> Again: </td>
<Td width = '000000'> <input type = 'Password' name = 'hot spot _ PASSWORD2 '/> </td>
<Td width = '000000'> <input class = 'submitbutton 'type = 'submit' name = 'submit 'value = 'save'/> </td>
</Tr>
</Table>
</Form>

References:
Https://www.example.com/cgi-bin/changepw.cgi
Https://www.example.com/cgi-bin/hotspot-changepw.cgi
Http://www.bkjia.com

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Endian
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.endian.com