Title: Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection
Advisory ID: ZSL-2019-5503
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 05.01.2019

Summary

The Leica GR10 is the next generation GNSS reference station receiver that combines the latest state-of-the-art technologies with a streamlined 'plug and play' workflow. Designed for a wide variety of GNSS reference station applications, the Leica GR10 offers new levels of simplicity, reliability and performance.

Description

The application suffers from a stored XSS vulnerability. The issue is triggered via unrestricted file upload while restoring a config file allowing the attacker to upload an html or javascript file that will be stored in /settings/poc.html. This can be exploited to execute arbitrary HTML and JS code in a user's browser session in context of an affected site.

Vendor

Leica Geosystems AG - https://www.leica-geosystems.com

Affected Version

4.30.063
4.20.232
4.11.606
3.22.1818
3.10.1633
2.62.782
1.00.395

Tested On

BarracudaServer.com (WindowsCE)

Vendor Status

N/A

PoC

leica_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php
[2] https://www.exploit-db.com/exploits/46091
[3] https://packetstormsecurity.com/files/151041
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/155274

Changelog

[05.01.2019] - Initial release
[14.01.2019] - Added reference [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk