CVE-2022-21238
A cross-site scripting (XSS) vulnerability exists in the info.jsp functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can send an HTTP request to trigger this vulnerability.
InHand Networks InRouter302 V3.5.4
InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html
5.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The InRouter302 is an industrial LTE router. It features remote management functionality and several security protection mechanisms, such as VPN technologies, firewall functionality, authorization management and several other features.
The InRouter302's web server allows the user to choose between two languages, Chinese and English. The selected language influences the web interface, among other things. To do so the device uses two JavaScript files, one for each language.
To dynamically load the value based on the language, the web server uses the resmsg_set function:
void resmsg_set(char* resource_name)
{
webcgi_set("_resmsg",resource_name);
return;
}
Several APIs of the web server follow the same pattern: 1) call the resmsg_set function, which sets the _resmsg CGI variable; 2) parse and include the info.jsp web page. The info.jsp web page follows:
<% pagehead(infomsg.info) %> [1]
<body>
<form>
<p>
<script type='text/javascript'>
<% resmsg() %> [2]
document.write(eval(resmsg)); [3]
</script>
</p>
<script type='text/javascript'>
document.write("<input type='button' value='" + ui.bk + "' onclick='history.go(-1)' style='font:12px sans-serif;width:80px;margin-left:10px'>");
</script>
</form>
</body>
</html>
The notation between <% and %> is used by the web server to dynamically resolve some information. For instance, at [1] the web server loads the resources required for the web page, among which is the language resource. At [2], <% resmsg() %> is substituted with the string \nresmsg='<_resmsg>';\n, where <_resmsg> has as its value the first parameter provided to the resmsg_set function. Then, at [3], resmsg is passed to the eval function.
The problem is that access to info.jsp is not restricted, and requesting /info.jsp?_resmsg=<X> will load the info.jsp web page and eval the <X> value. This can be exploited by an attacker performing XSS attacks.
By sending the following HTTP request:
GET /info.jsp?_resmsg=document.cookie HTTP/1.1
Host: 192.168.2.1
Cookie: web_session=5ab46261
The web server's reply would be:
[...]
<p>
<script type='text/javascript'>
resmsg='document.cookie';
document.write(eval(resmsg));
</script>
</p>
[...]
When this response is rendered by a browser, it evaluates document.cookie and writes the result into the HTML DOM.
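As an added illustration (not InHand's firmware code), the following JavaScript places the rendering pattern described above beside a hardened variant that resolves the resource name on the server and never reaches eval(); the resource table and the textContent sink are assumptions made for the example.

```javascript
// Added example (not InHand firmware code): the page-generation pattern
// described above, beside a hardened variant that never reaches eval().

// Allow only dotted identifiers such as "infomsg.saved".
const RESOURCE_NAME = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Constructed stand-in for the per-language resource file (infomsg.*, ui.*).
const LANG_RESOURCES = {
  infomsg: { info: "Information", saved: "Settings saved." },
  ui: { bk: "Back" },
};

// Vulnerable pattern from the advisory: the _resmsg value is spliced into a
// script block unescaped and then handed to eval() in the browser.
function renderVulnerable(resmsgParam) {
  return "<script type='text/javascript'>\nresmsg='" + resmsgParam +
         "';\ndocument.write(eval(resmsg));\n</script>";
}

// Hardened: resolve the resource name on the server with an allow-list
// regex and own-property lookups (no prototype walk); null if unknown.
function resolveResource(name) {
  if (typeof name !== "string" || !RESOURCE_NAME.test(name)) return null;
  let node = LANG_RESOURCES;
  for (const part of name.split(".")) {
    if (typeof node !== "object" || node === null ||
        !Object.prototype.hasOwnProperty.call(node, part)) return null;
    node = node[part];
  }
  return typeof node === "string" ? node : null;
}

// Encode a string for a <script> context: JSON quoting, plus escaping of
// '<' (defeats </script> and <!--) and the line separators JSON leaves raw.
function scriptStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The resolved text becomes a JS string literal and lands in textContent.
function renderHardened(resmsgParam) {
  const text = resolveResource(resmsgParam);
  if (text === null) return null; // unknown key: caller answers HTTP 400
  return "<p id='msg'></p>\n<script type='text/javascript'>\n" +
         "document.getElementById('msg').textContent=" +
         scriptStringLiteral(text) + ";\n</script>";
}
```

With the hardened renderer the request from the advisory (`_resmsg=document.cookie`) fails the lookup and produces no script at all, while a legitimate key such as `infomsg.saved` still renders its localized text.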
The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf
2022-03-02 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release
Discovered by Francesco Benvenuto of Cisco Talos.