28/11/2024 · 2 min read
Two XSS vulnerabilities were discovered within the DeviceMaster web interface that can be trivially exploited. These could be used to conduct social engineering attacks, reboot the DeviceMaster, send web requests to other devices in the network, or potentially lock the device up.
A vulnerability within the port.asp endpoint of the DeviceMaster web interface allows for arbitrary inputs to be reflected onto the webpage via the p variable.
A simple alert box:
http://192.168.1.20/port.asp?p=12<script>alert(1)</script>
Reboot the device by sending a GET request to the resetUnit endpoint:
http://192.168.1.20/port.asp?p=12<script>fetch('http://192.168.1.20/goforms/resetUnit')</script>
Upgrade to the latest firmware — see vendor publication for details.
The JS payload can be placed in the filename parameter sent to the load_config_form endpoint. The XMP tag must first be escaped, then restarted at the end of the payload.
When the system log page loads, the code executes — because the filename is written into the system log, injecting the payload.
filename="</xmp>PAYLOAD<xmp>"
Upgrade to the latest firmware — see vendor publication for details.
If exploited, the payload can be cleared by clearing the system log.
As demonstrated, the above vulnerabilities could be used to force the device to reboot, causing system downtime. There is also potential to use them to set a random password on the device, which may require a factory reset to re-enable access — although this was not tested.
These exploits could also be used to communicate with other devices on the network, giving an attacker a foothold to probe further.
These vulnerabilities were basic and trivial to exploit. These types of attacks should not be overlooked or assumed to be mitigated when testing against OT devices.