CVE-2023-35793 PoC — Cassia Networks Access Controller Cross-Site Request Forgery Vulnerability

Source
Associated Vulnerability
Title: Cassia Networks Access Controller Cross-Site Request Forgery Vulnerability (CVE-2023-35793)
Description: Cassia Networks Access Controller is an application from the US company Cassia Networks that provides a powerful IoT network management solution. Cassia Networks Access Controller version 2.1.1.2303271039 contains a security vulnerability that stems from a cross-site request forgery (CSRF) flaw in the WebSSH functionality.
Description
Repository contains description for CVE-2023-35793
Readme
# CVE-2023-35793-CSRF-On-Web-SSH
This repository contains the description of CVE-2023-35793, discovered by the Dodge Industrial team for the Dodge OPTIFY platform.
___  
CVE ID: CVE-2023-35793  
Vendor: Cassia Networks  
Product: Access Controller  
Version: Cassia-AC-2.1.1.2303271039  
___
Vulnerability: Cross Site Request Forgery (CSRF)  
Affected: web ssh, gateways  
Description: WebSSH functionality can be initiated via CSRF.  
Status: Confirmed by vendor, Fixed  
Version Patched: Cassia-AC-2.1.1.2308181707
____
#### Details
Cassia uses WebSSH2 by billchurch to initiate SSH sessions from the AC to gateways. WebSSH2 is a web SSH client built on ssh2, socket.io, xterm.js and express:
a bare-bones HTML5 web-based terminal emulator and SSH client that uses SSH2 as a client on a host to proxy a WebSocket/Socket.io connection to an SSH2 server.

When a user is logged into the AC, the session is tracked with the _ac:ssid_ cookie, which is set with SameSite=Strict. 

![](img/0.png)

To initiate a web SSH session with a gateway, the user's browser sends a GET request carrying the gateway MAC address and the (reverse SSH) port number; no CSRF token is used.
```
http://<ac-ip>/ap/remote/<mac-addr>?ssh_port=9999
```

![](img/1.png)
![](img/11.png)

An attacker may trick the user by sending them a link. 
Opening it triggers SSH session establishment on the user's behalf (it further turns out that a read-only user is sufficient).

____
#### Exploitation

An attacker may trick an already authenticated user into clicking a link delivered in a Teams chat or email, which results in a connection being established to the device the attacker specified.

1) The admin user is doing some activities on the AC:
![](img/2.png)

2) The attacker, knowing the admin's email, sends a socially engineered message (or posts it in an ITSM ticket) embedding the URL. The admin may then click the link, whereupon their browser
starts the session (note that the session is persistent: even when the user closes the browser, the session keeps running):
![](img/3.png)

3) The session starts, as there is no CSRF token or other protection in use!
The AC sends a request to the gateway with the provided MAC address to establish a reverse SSH connection
to the AC; the attacker may use local port forwarding (used in the solution) to remotely
brute-force SSH access (easy when default passwords are in use).
![](img/4.png)
![](img/5.png)

#### Remediation
- Patch to the highest version available from [Cassia Networks](https://www.cassianetworks.com/)
File Snapshot

```
[4.0K] /data/pocs/c5caf883aeabad5c5fe4f9044d01f757bd4ef2ec
├── [4.0K] img
│   ├── [ 94K] 0.png
│   ├── [133K] 11.png
│   ├── [ 23K] 1.png
│   ├── [129K] 2.png
│   ├── [ 50K] 3.png
│   ├── [ 31K] 4.png
│   └── [ 42K] 5.png
└── [2.2K] README.md

1 directory, 8 files
```