B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin

Title: B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin
Advisory ID: ZSL-2020-5589
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 19.09.2020
Summary
Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project.
Description
The application interface allows users to perform certain actions via HTTP requests without any validity checks on those requests. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site.
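The missing check the Description refers to, shown as an added example that is not part of this advisory or of the b-swiss code: a minimal Python model of an "add admin" handler, first as described (nothing beyond the session cookie is checked), then with an Origin check and a session-bound synchronizer token. The request and session dicts, the origin, the usernames and the helper names are all constructed for the demonstration.

```python
import hmac
import secrets

# Assumed origin of the admin interface (placeholder, not from the advisory).
SITE_ORIGIN = "https://signage.example"

def vulnerable_add_admin(request, session):
    """The pattern the advisory describes: any POST arriving with a logged-in
    session cookie is acted on, so a form auto-submitted by another site works."""
    if not session.get("user"):
        return False
    return request["method"] == "POST" and "username" in request["form"]

def issue_csrf_token(session):
    """Store a fresh random token server-side and return it for the form's
    hidden field; a page on another origin cannot read it."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def hardened_add_admin(request, session):
    """Same action with two independent checks: Origin header and session-bound token."""
    if not session.get("user") or request["method"] != "POST":
        return False
    # Browsers attach Origin to cross-site POSTs; anything but our own origin is rejected.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return "username" in request["form"]

def cross_site_request():
    """Constructed sample: a POST submitted by a page on another origin. The
    browser would add the victim's cookie, but no token is present."""
    return {"method": "POST",
            "headers": {"Origin": "https://other.example"},
            "form": {"username": "new_admin", "password": "constructed"}}

def same_site_request(token):
    """Constructed sample: the legitimate form submission from the app's own page."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"username": "new_admin", "password": "constructed",
                     "csrf_token": token}}
```

Either check alone blocks the cross-site submission; keeping both means a missing or stripped Origin header does not silently downgrade to the vulnerable behaviour.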
Vendor
B-Swiss SARL | b-tween Sarl - https://www.b-swiss.com
Affected Version
3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Tested On
Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vendor Status
[13.06.2020] Vulnerability discovered.
[15.07.2020] Vendor contacted. (webform)
[17.07.2020] No response from the vendor.
[18.07.2020] Vendor contacted. (email)
[21.07.2020] Vendor responds asking more details.
[21.07.2020] Sent overview to the vendor asking for secure channel.
[23.07.2020] No response from the vendor.
[24.07.2020] Asked vendor for comment/update/status.
[27.07.2020] Vendor asks more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Asked vendor for status update.
[30.07.2020] Vendor responds with questions.
[30.07.2020] Replied to the vendor.
[31.07.2020] Vendor looking into roadmap for the problems identified.
[03.08.2020] Replied to the vendor.
[05.08.2020] Vendor responds: if the reported vulnerabilities are applicable, they will create a patch for customers.
[06.08.2020] Asked vendor for patch milestone.
[06.08.2020] Vendor doesn't know.
[18.08.2020] Asked vendor for status update.
[18.09.2020] No response from the vendor.
[18.09.2020] Asked vendor for status update.
[18.09.2020] Vendor refuses to provide any further information.
[18.09.2020] Replied to the vendor, advisory release scheduled 19.09.2020.
[18.09.2020] Vendor working on fix, will inform us when issues have been solved.
[18.09.2020] Replied to the vendor.
[19.09.2020] Public security advisory released.
PoC
bswiss_csrf.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159231/
[2] https://www.exploit-db.com/exploits/48833
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/188579
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-22005
[5] https://nvd.nist.gov/vuln/detail/CVE-2020-22005
Changelog
[19.09.2020] - Initial release
[30.09.2020] - Added reference [1], [2] and [3]
[19.06.2021] - Added reference [4] and [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk