
Stored Cross Site Scripting via SSH Delete Key in OpenWRT LuCI Console.

High
abbcdec published GHSA-7vqh-2r8q-rjg2 Mar 24, 2023

Package

sshkeys.js (OpenWRT LuCI)

Affected versions

OpenWrt 22.03.3

Patched versions

None

Description

Impact

Because the keys are stored in the authorized_keys file, the injected JavaScript is executed every time the SSH keys page is loaded and the key is deleted. An attacker can perform further malicious actions using this JavaScript execution.

Patches

openwrt/luci@588381e
openwrt/luci@aa7938d
openwrt/luci@0186d7e

Proof of Concept

  1. Log in to the LuCI console using credentials.
  2. Go to System -> Administration -> SSH Keys.
  3. Add the payload below in the comment part of the public SSH key.

image

  4. Once the key is saved, click the delete button. The application asks for confirmation of the key deletion and shows the content of the key.

  5. Here the input is not handled properly, due to which JavaScript code can be executed.

Exact code line where the issue occurs: https://github.com/openwrt/luci/blob/f470452c4a1c478caf1bbbc19568c523e203e8dc/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js#L207
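
The unescaped rendering described in steps 4 and 5, next to an encoded form and an audit check for stored keys, as an added example that is not LuCI's code or its patch. The helper names (`confirmMarkupUnsafe`, `confirmMarkupSafe`, `findSuspiciousKeys`) and the sample keys are hypothetical and constructed for illustration; the parser assumes key lines without an options prefix.

```javascript
// Added illustration; not taken from LuCI. Helper names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Split one authorized_keys line into key type, base64 blob and comment.
// Assumption: no leading options field (e.g. no 'command="..."' prefix).
function parseKeyLine(line) {
  const m = /^(\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$/.exec(line.trim());
  return m ? { type: m[1], blob: m[2], comment: m[3] || '' } : null;
}

// Weak pattern: stored key text is placed into dialog markup as-is,
// so a comment containing tags is parsed as HTML by the browser.
function confirmMarkupUnsafe(line) {
  return '<pre>' + line + '</pre>';
}

// Hardened pattern: the key is encoded and can only render as text.
function confirmMarkupSafe(line) {
  return '<pre>' + escapeHtml(line) + '</pre>';
}

// Audit helper: return stored keys whose comment contains angle brackets.
function findSuspiciousKeys(fileText) {
  return fileText.split('\n')
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map(parseKeyLine)
    .filter((k) => k && /[<>]/.test(k.comment));
}

// Constructed sample file: the key blobs are not real keys.
const SAMPLE_KEYS = [
  '# constructed sample',
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyA admin@laptop',
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyB <b>markup</b>',
].join('\n');

for (const key of findSuspiciousKeys(SAMPLE_KEYS)) {
  console.log('review before display:', key.type, key.comment);
  console.log('safe dialog body:', confirmMarkupSafe(key.comment));
}
```

In a DOM-based UI, the equivalent of `confirmMarkupSafe` is inserting the key as a text node (for example via `textContent`) rather than as HTML.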


Workarounds

It is recommended to pull the patched LuCI version from the main branch to mitigate this vulnerability.

Severity

High 7.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE ID

CVE-2023-24182

Weaknesses

Credits