Security Issues on Samsung Syncthru Web Service

Researching the platform, I, Edward Amaral, a security researcher from Stone Payments, found some security issues in Samsung's printing application, Syncthru Web Service.

Edward Amaral Toledano
stolabs
Jul 30, 2018


Hello guys!

The issues are:

- Multiple unauthenticated stored and reflected cross-site scripting (XSS) issues

- Multiple unauthenticated cross-site request forgery (CSRF) issues

It's important to note that all tests were conducted unauthenticated, and I intend to continue the research with credentials next week.

Multiple Cross-Site Scripting Issues

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

The cross-site scripting issues affect many variables passed as GET parameters; as an example, see the following screenshots:

XSS Evidence

Not only the ruiFw_pid parameter is vulnerable to XSS: all three parameters shown are, and several more parameters throughout the application are vulnerable as well.

It's important to know that this kind of XSS, reachable without authentication, is very dangerous, as it can lead to session hijacking and eventually to leakage of important information.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF was found on every POST request sent to the application.

A malicious user could forge a "Print emails sent" request and send it to an admin, who would then unknowingly execute it.

An example of code to do this would be:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<!-- Same fields the legitimate "Print emails sent" form submits; the endpoint accepts them without any anti-CSRF token -->
<form action="http://IP/sws.application/printinformation/printReportSetupView.sws" method="POST">
<input type="hidden" name="f&#95;reportName" value="Email&#95;Sent" />
<input type="hidden" name="f&#95;submit&#95;type" value="apply" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
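To make the fix for both issues concrete, here is an added example (my own illustration, not Samsung's code) of the two server-side checks that would have blocked the XSS on ruiFw_pid and the forged "Print emails sent" POST above: HTML-encoding the reflected parameter, and rejecting state-changing POSTs that lack a same-origin Origin/Referer header or a valid anti-CSRF token. The request dict shape, the csrf_token form field, the session secret and the host name are assumptions for the illustration.

```python
import hmac
import hashlib
import html
from urllib.parse import urlsplit

# Assumed per-session secret and device host name (placeholders for this example).
SESSION_SECRET = b"constructed-session-secret"
TRUSTED_HOST = "printer.example.internal"

def csrf_token(session_secret: bytes) -> str:
    """Synchronizer token derived from the session secret (stable per session)."""
    return hmac.new(session_secret, b"csrf", hashlib.sha256).hexdigest()

def is_forged(request: dict) -> bool:
    """True if a POST fails the same-origin check or lacks a valid csrf_token."""
    if request["method"] != "POST":
        return False
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Origin/Referer must name this device; a form on an attacker's page sends theirs.
    origin = headers.get("origin") or headers.get("referer")
    if origin is None or urlsplit(origin).hostname != TRUSTED_HOST:
        return True
    # The form must carry the session token; the PoC form above cannot know it.
    token = request["form"].get("csrf_token", "")
    return not hmac.compare_digest(token, csrf_token(SESSION_SECRET))

def render_pid(ruiFw_pid: str) -> str:
    """Reflect the GET parameter HTML-encoded instead of verbatim."""
    return '<span id="pid">' + html.escape(ruiFw_pid, quote=True) + "</span>"

# Constructed: the POST the PoC form above produces when submitted from an attacker's page.
POC_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example", "Host": TRUSTED_HOST},
    "form": {"f_reportName": "Email_Sent", "f_submit_type": "apply"},
}

# Constructed: the same action submitted from the device's own UI with its token.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://" + TRUSTED_HOST, "Host": TRUSTED_HOST},
    "form": {"f_reportName": "Email_Sent", "f_submit_type": "apply",
             "csrf_token": csrf_token(SESSION_SECRET)},
}

if __name__ == "__main__":
    print("PoC rejected:", is_forged(POC_REQUEST))          # True
    print("legit accepted:", not is_forged(LEGIT_REQUEST))  # True
    print(render_pid('"><script>alert(1)</script>'))        # encoded, no live tag
```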

CVEs related to this article:

CVE-2018-14904

CVE-2018-14908
