BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF

Title: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF
Advisory ID: ZSL-2020-5595
Type: Local/Remote
Impact: Exposure of System Information
Risk: (3/5)
Release Date: 30.09.2020
Summary
BrightSign designs media players and provides free software and cloud networking solutions for the commercial digital signage market worldwide, serving all vertical segments of the marketplace.
Description
Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.
Vendor
BrightSign, LLC - https://www.brightsign.biz
Affected Version
Model: XT, XD, HD, LS
Firmware / OS version: <=8.2.26
Tested On
roNodeJS
Vendor Status
[01.08.2020] Vulnerability discovered.
[01.08.2020] Vendor contacted.
[16.09.2020] No response from the vendor.
[17.09.2020] Vendor contacted.
[29.09.2020] No response from the vendor.
[30.09.2020] Public security advisory released.
[21.10.2020] Vendor releases a statement regarding this issue.
PoC
brightsign_ssrf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159442/
[2] https://www.exploit-db.com/exploits/48843
[3] https://cxsecurity.com/issue/WLB-2020100005
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/189207
[5] https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
Changelog
[30.09.2020] - Initial release
[06.10.2020] - Added reference [1], [2], [3] and [4]
[26.10.2020] - Added vendor status and reference [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk