Discovery of a reflected XSS vulnerability in ARP Guard software (CVE-2023-39575)

Pentest Team @greenhats.com
Jun 21, 2023

Introduction
We recently carried out an internal security assessment for a customer. During this engagement we found a vulnerability in the ARP Guard software: a manipulated URL parameter lets an attacker inject HTML or JavaScript into the application's login page, without any prior authentication. This article gives a technical description of the vulnerability and its potential impact.

Technical Description
The reflected Cross-Site Scripting (XSS) vulnerability in ARP Guard is caused by missing input validation and output encoding: the value of a specific URL parameter is written back into the page as-is, so an attacker can inject markup that is executed in the victim's browser and use it for malicious actions or information theft. In our case the impact is increased by the cookie named "S", which is not marked HttpOnly and can therefore be read from JavaScript (document.cookie) and exfiltrated through the XSS. Whether this cookie is actually used for authentication was not tested.
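A quick check for the cookie flags discussed above, as an added example that is not part of the original write-up and not ARP Guard's code. The Set-Cookie lines are constructed for the example; the cookie name "S" comes from the write-up, and parseSetCookie, auditCookie and auditSetCookieHeaders are hypothetical helper names.

```javascript
// Added example, not ARP Guard's code: audit Set-Cookie headers for the flags
// that limit what a reflected XSS can do with a cookie. The header lines are
// constructed for this example; of the real ARP Guard cookie "S" only the
// missing HttpOnly flag is known from the write-up.

const SAMPLE_SET_COOKIE = [
  "S=0123456789abcdef; Path=/",                                  // constructed: as observed, no flags
  "lang=en; Path=/; Max-Age=31536000",                           // constructed: not a session cookie
  "S=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax",  // constructed: hardened form
];

// Splits one Set-Cookie value into the cookie name and its attributes.
// Attribute names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = {};
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    flags[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, flags };
}

// Returns the findings for one cookie. Only cookies whose names are in
// sessionNames are judged. HttpOnly is the flag that matters for the XSS
// described above (it keeps document.cookie from returning the value); the
// other two are general hygiene rather than an XSS defence.
function auditCookie(line, sessionNames = ["S"]) {
  const { name, flags } = parseSetCookie(line);
  const findings = [];
  if (!sessionNames.includes(name)) return { name, findings };
  if (!("httponly" in flags)) findings.push("missing HttpOnly: readable via document.cookie, stealable through XSS");
  if (!("secure" in flags)) findings.push("missing Secure: also sent over plain HTTP");
  if (!("samesite" in flags)) findings.push("missing SameSite: no explicit cross-site policy");
  return { name, findings };
}

// Audits a list of Set-Cookie values and keeps only the cookies with findings.
function auditSetCookieHeaders(lines, sessionNames = ["S"]) {
  return lines.map((l) => auditCookie(l, sessionNames)).filter((r) => r.findings.length > 0);
}

for (const r of auditSetCookieHeaders(SAMPLE_SET_COOKIE)) {
  console.log(`${r.name}: ${r.findings.join("; ")}`);
}
```

Feed it the Set-Cookie values from a real login response (one array element per header) and pass the names of the cookies you consider session material; everything else is ignored so that harmless preference cookies do not drown the report.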

We identified a vulnerable URL parameter, url_str, which is apparently used to perform a relative redirect after successful authentication. Its value is reflected unencoded into a hidden input field on the login page, so a crafted value can break out of the attribute and add attributes of the attacker's choosing to that element.

[Figure: typical GET request on the login page]
[Figure: the string is injected into the hidden field, directly after the type declaration]
[Figure: the parameter name is injectable as well; the example shows the parameter name url_str changed to test']

Hidden inputs are an interesting case for XSS exploitation. They are form elements that are not displayed on the page but still carry values that are submitted with the form. XSS payloads usually target reflections that end up somewhere visible or script-bearing; when the reflection is confined to the attribute list of a hidden input, the element can neither be seen nor clicked, so the usual event handlers never fire on their own and the immediate impact is limited. PortSwigger has published a good article on this topic: https://portswigger.net/research/xss-in-hidden-input-fields

Because the injection point sits directly after the type declaration, the type of the field cannot be changed with this attack: when an element carries the same attribute twice, browsers keep the first occurrence and ignore the rest, so an injected type after the existing type="hidden" has no effect. However, we can abuse the accesskey attribute to demonstrate a working attack chain: an accesskey assigned to the hidden input lets the visitor activate it from the keyboard, which fires an injected onclick handler. The impact remains limited, because the victim has to press the key combination before the injected JavaScript runs.

Using the following simple payload, we were able to exploit the bug in the ARP Guard version that was current at the time of testing.

https://REDACTED/login/?url_str=/management/admin/index%27%20onclick=%22alert(document.cookie)%22%20accesskey=%22C%22

After pressing the access key combination (Ctrl+Alt+C in our test; the modifier keys depend on browser and operating system, for example Alt+key or Alt+Shift+key in Windows and Linux browsers and Ctrl+Option+key on macOS), the payload is executed in the context of the visitor.
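How the url_str reflection turns into an attribute injection, and how attribute-context encoding closes it, as an added example that is not part of the original write-up and not ARP Guard's code. The template is a stand-in for the real login page (only the screenshots show the real markup), the payload is the one from the URL above, and renderHiddenFieldVulnerable, renderHiddenFieldSafe, encodeHtmlAttribute, attributeNames and injectedAttributes are hypothetical helper names.

```javascript
// Added example, not ARP Guard's code: how the url_str reflection turns into an
// attribute injection, and how attribute-context encoding stops it. The
// template is a stand-in for the real login page (only the screenshots in the
// write-up show the real markup); all function names are hypothetical.

// The payload from the write-up, URL-decoded into the value the server sees.
const PAYLOAD = decodeURIComponent(
  "/management/admin/index%27%20onclick=%22alert(document.cookie)%22%20accesskey=%22C%22"
);

// Vulnerable rendering: the parameter is concatenated into a single-quoted
// value attribute. The quote in the payload closes the attribute and the rest
// of the string is parsed as further attributes of the same <input>.
function renderHiddenFieldVulnerable(urlStr) {
  return `<input type='hidden' name='url_str' value='${urlStr}'>`;
}

// Attribute-context encoding: replace every character that has meaning inside
// an HTML attribute value. Encoding both quote styles keeps this correct no
// matter which quoting the template uses.
function encodeHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, encoded value.
function renderHiddenFieldSafe(urlStr) {
  return `<input type='hidden' name='url_str' value='${encodeHtmlAttribute(urlStr)}'>`;
}

// Tokenises the attribute list of a single <input ...> tag roughly the way a
// browser does and returns the attribute names in document order. A stray
// trailing quote shows up as a bogus attribute name, which is also how the
// HTML parser treats it. Deliberately small: one tag, quoted or unquoted values.
function attributeNames(tag) {
  const inner = tag.replace(/^<input\s*/i, "").replace(/\s*>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes the template did not put there: anything in this list came from
// the URL parameter.
const TEMPLATE_ATTRIBUTES = new Set(["type", "name", "value"]);
function injectedAttributes(tag) {
  return attributeNames(tag).filter((n) => !TEMPLATE_ATTRIBUTES.has(n));
}

// In both renderings the first attribute is still type='hidden'; browsers keep
// the first occurrence of a duplicated attribute, which is why the injection
// cannot turn the field visible and has to fall back on accesskey.
const vulnerable = renderHiddenFieldVulnerable(PAYLOAD);
const hardened = renderHiddenFieldSafe(PAYLOAD);
console.log("vulnerable:", vulnerable);
console.log("  injected attributes:", injectedAttributes(vulnerable).join(" "));
console.log("hardened:  ", hardened);
console.log("  injected attributes:", injectedAttributes(hardened).join(" ") || "(none)");
```

The vulnerable rendering yields onclick and accesskey as extra attributes on the hidden input, which is exactly the element the Ctrl+Alt+C chain above relies on; the hardened rendering keeps the whole payload inside the value attribute, so the login page still redirects to whatever url_str said but nothing new is parsed. The encoder is the minimal attribute-context escape; a real fix would additionally validate url_str as a relative path before using it for a redirect.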

Conclusion

The discovery of a reflected XSS vulnerability in ARP Guard highlights the importance of thorough security testing and ongoing awareness. At evait security / greenhats, we remain committed to helping organizations identify and mitigate such vulnerabilities and improve their overall security posture. By staying proactive and implementing the recommended fixes, organizations can strengthen their defenses against potential attacks, protect their sensitive data, and maintain the trust of their users.

Mitigation

If you are using this software, make sure it is updated to the latest version, or at least 4.0.4-1, to protect your environment from this vulnerability. Since the cookie named "S" was observed without the HttpOnly flag, also check the flags on the cookies your instance sets after the update: a cookie that JavaScript can read turns any future XSS into cookie theft.

Timeline

20.06.2023 — Bug discovery and internal review

21.06.2023 — Vendor informed via E-Mail about this bug and providing additional information

10.07.2023 — Reminder via E-Mail (vendor has not yet responded)

11.07.2023 — Initial response from the vendor

25.07.2023 — Initial CVE request (Mitre)

04.08.2023 — Vendor deployed a fix in version 4.0.4-1; online instances will need two more weeks to receive it

28.08.2023 — Mitre reserved CVE-2023-39575 for this vulnerability

10.09.2023 — Reminder via E-Mail (no response from vendor since 04.08.2023)

14.09.2023 — Still no response from vendor; informed them about the upcoming public disclosure, as a fixed version is available

18.09.2023 — Publicly disclose, notify Mitre team, wait for CVE to become public

20.09.2023 — Public disclosure of the CVE

Author: FLX | https://github.com/FLX-0x00


evait security GmbH (aka the pentest team of greenhats): full-time white-hat hacking / pentesting company that always stays on the bleeding edge - https://www.greenhats.com