Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)
Dear Reader,
I was able to identify stored XSS in multiple web-based modules of the Ericsson BSCS iX R18 Billing & Rating platform.
Below are the details:
# Software description:
Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability.
As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT.
# Technical Details & Impact:
There are multiple web-based modules in BSCS iX, e.g. ADMX, MX (monitoring center), CX, etc. It was observed that ADMX and MX are vulnerable to stored XSS. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploitation of admins' browsers using the BeEF framework.
# POC
ADMX:
1. Once the user is logged in to the portal, visit “/ADMX/solutionUnitServlet?SuName=UserReferenceDataSU”; it will open Reference Data. If it shows an error, you can reach the page manually by clicking the "Security" tab and then the "Reference Data" tab.
2. Create a new “Access Rights Group”, enter anything as the name, and enter your XSS payload in the description.
3. Click Save and your stored XSS will be executed.
MX:
1. The MX Portal is used for monitoring the health/storage of all machines and for scheduling tasks.
2. The "Alert Dashboard" section is vulnerable to stored XSS.
3. Double-click on any alert on the dashboard, enter your XSS payload in the comment section, and click OK. Your XSS will be stored permanently, and even admins/super admins cannot remove the XSS.
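Both findings come down to stored free text (the ADMX description, the MX alert comment) reaching the page without output encoding. The following is an added example, not part of the original post and not Ericsson's code: it contrasts an unencoded render with an encoded one and adds an audit helper for records that are already stored. The record shape, field names and sample data are constructed for illustration.

```javascript
// Added example. Record shape, field names and sample data are constructed.

// The five characters that matter in HTML text and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored text is concatenated into markup as-is.
function renderRowUnsafe(record) {
  return `<tr><td>${record.name}</td><td>${record.description}</td></tr>`;
}

// Hardened pattern: every stored field is encoded at output time,
// so whatever was saved earlier is displayed as text, never parsed as markup.
function renderRowSafe(record) {
  return `<tr><td>${escapeHtml(record.name)}</td><td>${escapeHtml(record.description)}</td></tr>`;
}

// Audit helper: flag stored records whose free-text fields contain tags,
// inline event handlers or javascript: URLs, so they can be reviewed and
// cleaned at the database level when the UI offers no way to remove them.
const MARKUP_PATTERN = /<\/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspectRecords(records, fields) {
  return records
    .filter((r) => fields.some((f) => MARKUP_PATTERN.test(String(r[f] ?? ''))))
    .map((r) => r.id);
}

// Constructed sample rows standing in for "Access Rights Group" entries.
const sampleRecords = [
  { id: 1, name: 'Billing operators', description: 'Read-only access to invoices' },
  { id: 2, name: 'Test group', description: '<script>alert(1)</script>' },
  { id: 3, name: 'Ops', description: 'Threshold a < b & c > d' },
];

console.log(renderRowSafe(sampleRecords[1]));
console.log(findSuspectRecords(sampleRecords, ['name', 'description']));
```

Encoding at output is the fix; the audit helper is a heuristic for finding entries saved before the fix and is not a substitute for it.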
Update:
Two CVE IDs have been assigned to these two findings.
CVE-2020-29144
CVE-2020-29145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-29144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-29145
Thanks