Discovery of a reflective XSS vulnerability in ARP Guard software (CVE-2023–39575)

Pentest Team @greenhats.com
3 min readJun 21, 2023

--

Introduction
We recently executed an internal security assessment for a customer. During this engagement we discovered a vulnerability in the ARP Guard software. This vulnerability allowed us to inject HTML or JavaScript code into the application’s pages using a manipulated URL parameter, even without prior authentication. In this article, we provide a detailed technical description of the vulnerability and its potential impact.

Technical Description
The Reflective Cross-Site Scripting (XSS) vulnerability in ARP Guard is due to inadequate input validation and sanitization mechanisms. By manipulating a specific URL parameter, an attacker can inject arbitrary code that is executed within the victim’s browser, often leading to malicious actions or information theft. In our case, we were able to exploit the fact that the cookie named “S” is not marked as html only and can be stolen by abusing XSS. It has not been tested whether the parameter is used for authentication purposes.

We identified a vulnerable URL parameter “url_str” that was likely used to perform relative redirects after successful authentication. Insufficient input validation on the server side allowed us to inject malicious scripts into a hidden input field via this parameter.

Typical GET request on the login page
Typical GET request on the login page
The string is injected into the hidden field after the type declaration
It is also worth noting that the parameter name is injectible as well — here an example of changing the url_str to test’

In the context of exploiting XSS vulnerabilities, hidden HTML inputs present an interesting challenge. Hidden inputs are elements within an HTML form that are not displayed on the web page, but still contain values that can be used when the form is submitted. While XSS attacks primarily rely on injecting malicious code into visible fields, hidden inputs can also be potential targets for exploitation but the immediate impact of an XSS attack is limited in this case. A great article on this topic is provided by Portswigger: https://portswigger.net/research/xss-in-hidden-input-fields

Because the injection point is positioned right after the field type declaration, it is impossible to change the type of the field using this attack. However, we can abuse the accesskey method to demonstrate a successful attack chain. But the impact is very limited because the user has to press a key combination to execute the injected js code.

Using the following simple payload, we are able to exploit the bug in the latest version of ARP Guard.

https://REDACTED/login/?url_str=/management/admin/index%27%20onclick=%22alert(document.cookie)%22%20accesskey=%22C%22

After pressing CTRL+ALT+C the payload will be executed in the context of the visitor

Conclusion

The discovery of a Reflective XSS vulnerability in ARP Guard software highlights the importance of tough security testing and ongoing awareness. At evait security / greenhats, we remain committed to helping organizations identify and mitigate such vulnerabilities to improve their overall security structure. By remaining proactive and implementing the recommended fixes, organizations can strengthen their defenses against potential attacks, protect their sensitive data, and maintain the trust of their users.

Mitigation

If you are using this software, please ensure that you have updated to the latest version, or at least 4.0.4–1, to protect your environment from this vulnerability.

Timeline

20.06.2023 — Bug discovery and internal review

21.06.2023 — Vendor informed via E-Mail about this bug and providing additional information

10.07.2023 — Reminder via E-Mail (vendor has not yet responded)

11.07.2023 — Initial response from the vendor

25.07.2023 — Initial CVE request (Mitre)

04.08.2023 — Vendor deployed a fix in version 4.0.4–1, online instances will need two more weeks to fix

28.08.2023 — Mitre reserved CVE-2023–39575 for this vulnerability

10.09.2023 — Reminder via E-Mail (no response from vendor since 04.08.2023)

14.09.2023 — Still no response from vendor; inform about upcoming public disclosure as fixed version is availabe

18.09.2023 — Publicly disclose, notify Mitre team, wait for CVE to become public

20.09.2023 — Publicly disclosure of CVE

Author: FLX | https://github.com/FLX-0x00

--

--

Pentest Team @greenhats.com

evait security GmbH (aka pentest team of greenhats): full time white hacking / pentesting company who always stays on bleeding edge - https://www.greenhats.com