Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape and Client-Side Remote Code Execution Vulnerability

Vulnerability

A vulnerability in SicuroWeb, the web management interface of Beghelli Sicuro24, allows arbitrary JavaScript to execute in an operator's browser session. The root cause is AngularJS template injection combined with a known sandbox escape in AngularJS 1.5.2, the version embedded in the application. Successful exploitation enables session hijacking, DOM manipulation, and persistent compromise of the browser. Because the interface is served over unencrypted HTTP, a network-adjacent attacker in a Man-in-the-Middle (MITM) position can inject the required payload into responses on their way to the victim's browser.

Impact

Exploitation of this vulnerability leads to unauthorized execution of JavaScript in the context of the affected user's browser session. This allows for manipulation of the Document Object Model (DOM), hijacking of user sessions, and execution of persistent malicious scripts that survive browser restarts.

Reproduction

The vulnerability can be reproduced by intercepting HTTP traffic to the SicuroWeb application with a tool such as mitmproxy and inserting an AngularJS template injection payload into the HTML responses. Because the application evaluates the injected template expression, the payload escapes the AngularJS sandbox and executes arbitrary JavaScript. Once the script has run, the absence of a Content Security Policy (CSP) lets it persist across browser sessions.

Remediation

No patch is currently available. Recommended mitigations: upgrade AngularJS to version 1.6 or later; deploy a restrictive Content Security Policy; enforce HTTPS with HSTS; sanitize template rendering so that user input is never evaluated as an AngularJS expression; and segment the network so that access to management interfaces is restricted.
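The following is an added example, not code from the advisory or from Beghelli, showing how a defender can verify the transport and header controls listed above against a management interface. It parses a Content-Security-Policy value, checks it and Strict-Transport-Security for the weaknesses that matter here (plaintext HTTP, missing or short HSTS, no script-src, 'unsafe-eval', 'unsafe-inline' or a wildcard source), and flags strings that carry AngularJS interpolation markers before they reach a compiled template. The header sets and sample strings are constructed for illustration; the threshold of one year for HSTS max-age is the common recommendation and is an assumption of this example.

```javascript
// Added example: audit HTTP response headers and untrusted strings for the
// controls recommended in the advisory. Not part of SicuroWeb; sample
// values below are constructed.

// Parse a CSP header value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return a list of findings for one response. `headers` uses lower-cased
// header names; `scheme` is "http" or "https".
function auditHeaders(headers, scheme) {
  const findings = [];
  const ONE_YEAR = 31536000; // assumed minimum HSTS max-age, in seconds

  if (scheme !== "https") {
    findings.push("served over plaintext HTTP: an on-path attacker can rewrite responses");
  }

  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security header");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("HSTS max-age shorter than one year");
  }

  const csp = headers["content-security-policy"];
  if (!csp) {
    findings.push("missing Content-Security-Policy header");
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d["script-src"] || d["default-src"];
    if (!scriptSrc) {
      findings.push("CSP has neither script-src nor default-src");
    } else {
      // AngularJS 1.x can run without eval in its CSP-compatible mode, so
      // 'unsafe-eval' should not be needed to keep the interface working.
      if (scriptSrc.includes("'unsafe-eval'")) findings.push("CSP script-src allows 'unsafe-eval'");
      if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
      if (scriptSrc.includes("*")) findings.push("CSP script-src allows any origin");
    }
  }
  return findings;
}

// Server-side input check: untrusted text that will end up inside an
// AngularJS-compiled template must not carry interpolation markers.
function containsInterpolationMarkers(text) {
  return /\{\{|\}\}/.test(text);
}

// Constructed samples: the weak posture described in the advisory and a
// hardened one.
const WEAK = { scheme: "http", headers: { "content-type": "text/html" } };
const HARDENED = {
  scheme: "https",
  headers: {
    "content-type": "text/html",
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "content-security-policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", auditHeaders(WEAK.headers, WEAK.scheme));
  console.log("hardened:", auditHeaders(HARDENED.headers, HARDENED.scheme));
}
```

The header audit only confirms that the browser-side controls are in place; the interpolation-marker check is a backstop, not a substitute for rendering untrusted values through data binding (ng-bind or equivalent) rather than compiling them as template source.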

Added: Apr 22, 2026, 7:21 PM
Updated: Apr 22, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.6
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.