Ecessa ShieldLink SL175EHQ 10.7.4 CSRF Add Superuser Exploit
Title: Ecessa ShieldLink SL175EHQ 10.7.4 CSRF Add Superuser Exploit
Advisory ID: ZSL-2018-5476
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 24.06.2018
10.6.9
10.7.4
10.6.5.2
10.5.4
10.2.24
9.2.24
[21.05.2018] Contact with the vendor.
[23.06.2018] No response from the vendor.
[24.06.2018] Public security advisory released.
[2] https://packetstormsecurity.com/files/148304
[3] https://cxsecurity.com/issue/WLB-2018060287
[4] https://www.exploit-db.com/exploits/44938/
[11.07.2018] - Added reference [1], [2], [3] and [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2018-5476
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 24.06.2018
Summary
Ecessa's ShieldLink 60, 175, 600,1200 & 4000 are advanced, yet highly affordable secure WAN Optimization Controllers that incorporate all of the ISP/WAN link.Description
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.Vendor
Ecessa Corporation - https://www.ecessa.comAffected Version
10.7.410.6.9
10.7.4
10.6.5.2
10.5.4
10.2.24
9.2.24
Tested On
lighttpd/1.4.35Vendor Status
[21.05.2018] Vulnerability discovered.[21.05.2018] Contact with the vendor.
[23.06.2018] No response from the vendor.
[24.06.2018] Public security advisory released.
PoC
ecessa_shieldlink_csrf.htmlCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/145437[2] https://packetstormsecurity.com/files/148304
[3] https://cxsecurity.com/issue/WLB-2018060287
[4] https://www.exploit-db.com/exploits/44938/
Changelog
[24.06.2018] - Initial release[11.07.2018] - Added reference [1], [2], [3] and [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk