-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Paradox IP150 Internet Module Cross-Site Request Forgery #

Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery

## Vulnerability Overview ##

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to
Cross-Site Request Forgery (CSRF) attacks due to
a lack of countermeasures and the use of the HTTP method `GET` to introduce
changes in the system.

* **Identifier** : SBA-ADV-20240321-01
* **Type of Vulnerability** : Cross-Site Request Forgery (CSRF)
* **Software/Product Name** : [IP150 Internet Module](https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563)
* **Vendor** : [Paradox Security Systems (Bahamas) Ltd.](https://www.paradox.com/)
* **Affected Versions** : 1.40.00 (possibly others too)
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2024-5676
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
* **CVSS Base Score** : 6.8 (Medium)

## Vendor Description ##

> IP150
> Internet Module
> Supports SWAN Server
>
> Features
>
> * Controls and monitors a control panel through an IP network (LAN / WAN / Internet)
> * Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software
> * Two I/Os on board; controlled via the web interface, triggering an email
> * Sends notification and alarm system events via email
> * Arm / Disarm individual partitions via Insite GOLD app
> * Connects to Swan for easy installation (no port forwarding)
> * Enables Insite GOLD, or BabyWare to access your system through the Internet
> * Push notification to Insite GOLD app
> * HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)
> * Very low bandwidth consumption
> * Easy installation; built-in clip for mounting in a metal box
> * Supported language: English
> * Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075

Source: <https://www.paradox.com/Products/default.asp?PID=404>

## Impact ##

An attacker can coerce an administrator into clicking a link, which issues
an HTTP request that changes the state of the system.
The impact depends on the configuration, that is, on which downstream
component is controlled by the affected component.
As an example, the *IP150 Internet Module* might control an alarm unit.
In that case an attacker can deactivate the alarm by performing a CSRF attack.

## Vulnerability Description ##

The server cannot verify whether a request was sent intentionally. This
makes it possible for an attacker to trick a client into making
unintentional requests to the web server, which will be treated as
authentic requests. In combination with a social engineering attack,
this allows an attacker to perform server-side actions as the victim.

In addition, the functionality for activating and deactivating the alarm
systems is accessed via an HTTP `GET` request.
Changing the state of the server with `GET` is discouraged in the HTTP
standard, since `GET` is defined to be a *safe* method [1].
This makes the exploitation of the vulnerability easier, as an attacker
can craft a URL.
If the victim opens this URL, the CSRF attack is carried out and an action
is performed.

## Proof of Concept ##

For example, the following HTTP request disables the alarm in area `00`:

```http
GET /statuslive.html?area=00&value=d HTTP/1.1
Host: 192.0.2.1
```

It is vulnerable to CSRF, since it does not apply any CSRF countermeasures.
Therefore, it is possible to craft a URL that performs this action:

```text
http://192.0.2.1/statuslive.html?area=00&value=d
```

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

A generally valid solution against CSRF, which however requires server-side
state, is the implementation of an unpredictable token that is unique for
each session.
The OWASP project gives further recommendations [2] [3].

## Timeline ##

* `2024-02-09` Identified the vulnerability in version 1.40.00
* `2024-02-12` First contact with the system owner to acquire more information about the system configuration and version
* `2024-03-08` System owner provided all details on the affected system
* `2024-03-21` First attempt to contact vendor via support email
* `2024-04-03` Second attempt to contact vendor via web form and support email
* `2024-06-19` No reaction from vendor to all previous contact attempts
* `2024-06-19` SBA Research assigned CVE-2024-5676
* `2024-06-19` Public disclosure

## References ##

1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: <https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1>
2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>
3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: <https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html>

## Credits ##

* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))
* Fabian Funder ([SBA Research](https://www.sba-research.org/))
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmZyq50ACgkQ+7iGL1j3
dbIISw/8CO95qAHA1sNw43g7j202gLt4zyIRHAjowX1btaOb5SwEPKgZCMa+Trnz
fF/Ck5opN/Y8QvKE4C75TJVXVZBja4cTWeNa0bqXXNlvGsUB/9y5N2d7NTAN+CLc
ew61aTFrudgjHL1hHyhzj74vt0rb44vrBlhQ562jwmHDgkixrek7m5FqLAa4nVVf
yglBLbUlvi5MVCL1v3b1P5TTTBJfThRps5xhHpMpflyxsBWAdQZ+dZb000K+P5gf
jnmMYAcDhe1Peun/ui4dYfsNapha16gpZ9vjjq0gBh+Si8t+Ri6Gup3d6AJuWVCV
zcqjrYN+kwK0/I8e25MCpPNV3rIw16Gb+8HCeSKhVXEQalF1Gw+GVUsVua65hsoa
JMF2gGN9p89Wcn5HD7Az3pv0HmdjrTghXhyf6JzP+k1NJscPbLQ9Lo7ea7Y4CBTG
zkPoPEX3Ida05YxMgMesq60fXx9/Eq7vxIJtdnJSwjJVAhbEA+phkuX201ykK7WN
iWIJVBY2EEZUOt2xBy/PLu6Eh5Bm11vCWqi8KeCyZj7OUYVNIPFbh52W+PJ9B13B
1j0gf3TZF4nIO+ncvdKw3LQINkdj3G74VwKMFqLxSJQdzxDA0kDjWvZxst45n23J
6HUGL0ur4KDQCMpeyqqgB46qF1GGl+iqAGJW4lTITUJO62EqRlo=
=HcOX
-----END PGP SIGNATURE-----

Originally published on Packet Storm, 2024-06-24: https://packetstormsecurity.com/files/179182/SBA-ADV-20240321-01.txt