Korenix Jetport Web manager Persistent XSS

@bertinjoseb
Mar 12, 2019


The JetPort 5601 series is a smart one-port RS-232/422/485 to Ethernet serial device server. It includes the JetPort 5601 and 5601f. JetPort 5601 is a one-port RS232/422/485 to Redundant Ethernet solution. It's the first serial device server with redundant dual Ethernet ports; the ports can auto-recover in less than 200 ms. JetPort 5601f is a one-port RS232/422/485 to Fiber Ethernet solution. The 5601f-m supports one multi-mode fiber port and the 5601f-s supports one single-mode fiber port. A JetPort serial device server connects the serial port of devices such as card readers, measurement devices, or data acquisition terminals over Ethernet, just as if they were locally attached. It eliminates the single-host and transmission-distance limitations of traditional serial communications by creating access for multiple hosts over Ethernet. The compact size and various mounting options add installation flexibility.

Korenix JetPort serial device servers provide a perfect solution to manage serial devices via Ethernet in flexible ways, such as TCP server, TCP client, UDP, or Windows Real/Virtual COM. JetPort creates a transparent gateway from serial communication to Ethernet. If the control program uses a standard network API, you can choose TCP or UDP as the communication protocol. If the control program uses a COM port, you can install the Windows driver to add Real/Virtual COM ports.

You can find the JetPort web manager in production, connected to the internet without authentication and with the default configuration.

https://www.zoomeye.org/searchResult?q=%22jetport%22%20%2B%22web%22

There is a telnet port, SSH access and a web server. The point here is that in many ICS communication devices the web server is often full of vulnerabilities, and this is another example of how easy it is to inject persistent JavaScript code into the device web application. This is a really common issue in all ICS devices, probably because there are no basic security procedures, or probably because security hasn’t been taken seriously at the development stage.

So, if you play around with the web application, there are some string values that can be modified. Let’s see if I can inject special characters.

In “Port Configuration” there is an option to modify the port alias name. What if we try to inject JavaScript code in there?

It seems to work as expected; nothing complicated at this point. The value of our injection is going to be stored persistently, that’s cool. The problem here is that the web application does not properly sanitize its input, which makes special-character injection easy to spot and carry out.

Our payload would be: "><script>alert(1)</script>

Click on submit. Now our payload is going to be stored and executed in the browser each time someone opens the web application and visits the port configuration setup.

Payload executed successfully.
I had to close the sentence with "> in order to add our JavaScript piece of code correctly.
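
The defence against this class of bug is to encode the stored alias for the HTML attribute context when the page is rendered, and to restrict what can be stored in the first place. The following is an added example, not code from the original post or from the Korenix firmware; the form-field template and the alias allow-list are assumptions, and the payload is the one quoted above:

```python
import html
import re
from html.parser import HTMLParser

# Assumed stand-in for the port-configuration form field; the firmware's real
# template is not shown in the post.
FIELD_TEMPLATE = '<input type="text" name="alias" value="{value}">'
# Hypothetical allow-list policy for a port alias.
ALIAS_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,32}")
PAYLOAD = '"><script>alert(1)</script>'  # the payload quoted in the post


def render_unsafe(alias: str) -> str:
    """Vulnerable pattern: stored value placed into the attribute as-is."""
    return FIELD_TEMPLATE.format(value=alias)


def render_safe(alias: str) -> str:
    """Hardened pattern: encode for the HTML attribute context on output."""
    return FIELD_TEMPLATE.format(value=html.escape(alias, quote=True))


def validate_alias(alias: str) -> bool:
    """Input-side check applied before the value is stored."""
    return ALIAS_RE.fullmatch(alias) is not None


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered: str) -> list[str]:
    """Elements a browser-like parser sees in the rendered field."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        print(render.__name__, tags_in(render(PAYLOAD)))
    print("alias accepted:", validate_alias(PAYLOAD), validate_alias("PLC line 3"))
```

With the unescaped template the parser sees a second element after the input field; with output encoding the whole alias stays inside the value attribute.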

There are several problems, situations, conditions, directions, decisions and issues underlying each problem found in modern ICS devices. They offer you availability, remote monitoring and accessibility, but the lack of security is clear in every new finding.

The END
