An attacker could exploit this vulnerability to create an account with administrative privileges to the web server component of BMC IPMI software. Such account provides full acess to all IPMI feautures. It also allows exploitation of vulnerabilities that require authentication. Successful exploitation of this vulnerability provides an attacker with persistence, allowing malicious code to be executed until the victim takes remedial actions.
An attacker could exploit this vulnerability to create an account with administrative privileges to the web server component of BMC IPMI software. Such account provides full acess to all IPMI feautures. It also allows exploitation of vulnerabilities that require authentication. Successful exploitation of this vulnerability provides an attacker with persistence, allowing malicious code to be executed until the victim takes remedial actions.
man_ikvm_html5_bootstrap
webserver HTML page passes the value of lang
local storage item to the eval()
JavaScript function without any sanitization:
man_ikvm_html5_bootstrap:
var sel = WebUtil.readSetting("lang","en");
translator = jQuery('body').translate ({
lang: sel,
t: eval("kvmdict_" + sel)
});
As a result, arbitrary JavaScript code can be injected into webpages, which will be executed on behalf of the authenticated user.
The first step to exploit this vulnerability is to poison the user's lang
local storage item. This can be achieved using another vulnerability in the web server (with XSS, HTTP header injection, etc.), as well as through exploitation of other system components, for example, with a malware.
To create an administrator account with username user
and password fLbYsEHqhGYp9pgK
an attacker can poison the lang
local storage item of an authenticated user session with administrative privileges with the following payload:
en + fetch("/redfish/v1/AccountService/Accounts",{method:"POST",headers:{"X-Auth-Token":sessionStorage.getItem("_x_auth")},body:JSON.stringify({"UserName":"user","Password":"fLbYsEHqhGYp9pgK","RoleId":"Administrator","Enabled":true,"AccountTypes":["Redfish"]})})
This payload first obtains the user's valid token and then uses it to make a POST
request in order to create a user with administrative privileges and credentials defined by the attacker.
NOTE: The payload will be executed every time the victim visits vulnerable pages while the lang
local storage item value is poisoned, even after logging in again, making this attack persistent. To terminate the exploitation, additional steps are required to clear the element local storage value.
Ideally, user controlled inputs should not be passed to dangerous JavaScript functions such as eval()
. If it is not possible in such case, the lang
local storage item value must be checked against a whitelist of allowed values.
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
BINARLY team