
Fifthplay S.A.M.I - Service And Management Interface Unauthenticated Stored XSS

High
Advisory ID
ZSL-2020-5561
Release Date
28 January 2020
Vendor
Affected Version
Platform: HAM V1.2, HAM V1.1, HAM V1.0, DINHAM 10W, Image Version: 2019.3-20190605144803, 2019.2_HP-20190808154634, 2018.4_HP-20181015152950, 2018.2-20180516100815, 2017.2_HP-20180213083050, 2013.4_HP-201309301203, AMP Version: 2019.2_HP, 2018.4_HP, 2017.2_HP, 2013.4_HP, R20.19.03, R20.18.02, Fix: 2017.2-HP4, 2018.4_HP3, 2018.5_HP7, 2019.2_HP3, 2019.3_HP1
Tested On
lighttpd/1.4.33, PHP/5.4.33, PHP/5.3.19
Summary

Fifthplay is a Belgian high-tech player and a subsidiary of Niko Group. We have specialised in enriching smart homes and buildings for almost 10 years, and in services that provide comfort and energy. Our gateway provides a modular approach to integrating old and new technologies, such as smart meters, optical meters, sockets and switches. Fifthplay is a trendsetter with regard to smart homes and buildings and one of the sector's most innovative companies.

Description

The application suffers from an unauthenticated stored XSS through a POST request. The issue is triggered when input passed via several parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The application interface also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a user visits a malicious web site.
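The two defects the description names, input echoed back into HTML without encoding and state-changing POSTs accepted without any request validation, map to two standard PHP-side fixes: context-aware output encoding and a per-session CSRF token checked with a constant-time compare. The following is an added example written for this advisory, not S.A.M.I code and not the vendor's fix; the `label` parameter, the `$_SESSION['user']` login marker and the temp-file store are assumptions.

```php
<?php
// Added example, not Fifthplay/S.A.M.I code. Parameter name 'label', the session
// layout and the storage file are assumptions made for illustration.
// Vulnerable pattern the advisory describes: a stored value echoed into HTML as-is,
//   echo "<td>" . $stored . "</td>";   // a <script> payload runs in every viewer's browser
// Hardened: encode for the HTML context at output time (ENT_QUOTES also covers
// single-quoted attributes).
function render_safe($label) {
    return "<td>" . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "</td>";
}
// CSRF: bind state-changing POSTs to a per-session secret that the form must echo back.
function csrf_token() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_valid($submitted) {
    if (empty($_SESSION['csrf']) || !is_string($submitted)) {
        return false;
    }
    if (function_exists('hash_equals')) {          // PHP >= 5.6
        return hash_equals($_SESSION['csrf'], $submitted);
    }
    // constant-time fallback for the PHP 5.3/5.4 builds listed under "Tested On"
    if (strlen($_SESSION['csrf']) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($submitted); $i++) {
        $diff |= ord($_SESSION['csrf'][$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}
// Handler: require a logged-in session and a valid token before storing anything.
session_start();
$store = sys_get_temp_dir() . '/sami_demo_label.txt';    // assumed storage for the demo
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = isset($_POST['csrf']) ? $_POST['csrf'] : null;
    if (empty($_SESSION['user']) || !csrf_valid($token)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    file_put_contents($store, isset($_POST['label']) ? $_POST['label'] : '');
}
$stored = is_file($store) ? file_get_contents($store) : '';
echo '<form method="post"><input type="hidden" name="csrf" value="' . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
   . '<input name="label"><button>Save</button></form>';
echo render_safe($stored);
```

Encoding is applied where the value is rendered, not where it is stored, so the same stored record stays safe in every page that displays it; the session check covers the "unauthenticated" part of the finding and the token the missing request validation.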

Proof of Concept
Disclosure Timeline
29.09.2019 Vulnerabilities discovered.
09.10.2019 Vendor contacted via web form.
09.10.2019 Vendor responds asking for more details.
09.10.2019 Sent details to the vendor.
13.10.2019 Vendor forwarded to SAMI developers.
13.10.2019 Replied to the vendor, asking for the firmware and informing about exposed Shodan devices.
17.10.2019 Vendor responds with confirmation of the issues, working on a fix.
18.10.2019 Replied to the vendor.
22.10.2019 Vendor estimated effort for fix to be 90 days. Will reply as soon as they have a version that resolves the issues.
22.10.2019 Replied to the vendor with agreement.
06.12.2019 Vendor has fixed the issues, provided fixed version for verification.
07.12.2019 ZSL verifies that the reported issues are fixed. Replied to the vendor.
11.12.2019 Vendor provides status update and next steps.
14.12.2019 Replied to the vendor.
17.12.2019 Vendor will postpone the firmware updates, release scheduled for January 2020.
23.12.2019 Replied to the vendor.
28.01.2020 Vendor releases firmware updates (Release 2019.3_HP2) that fix the discovered issues.
28.01.2020 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Joris!
References
Changelog
28.01.2020 Initial release
30.01.2020 Added references [2], [3] and [4]
04.02.2020 Added references [5] and [6]
24.04.2020 Added references [7] and [8]