Tag: Matt Mathur

  • CVE-2022-35739: PRTG Network Monitor Cascading Style Sheets (CSS) Injection

    I’m Matt Mathur, lead penetration tester here at Raxis. I recently discovered a cascading style sheet (CSS) injection vulnerability in PRTG Network Monitor.

    Summary

    PRTG Network Monitor does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary CSS is inserted into the style tag, loading malicious content. Because PRTG Network Monitor prevents double-quote (") characters and modern browsers disable JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability.

    Proof of Concept

    The vulnerability lies in a device’s properties and how they are verified and displayed within PRTG Network Monitor. When editing or creating a device, the device’s icon value is not verified to be one of the icon selections, and any text can be inserted in its place, as shown here:

    [Figure: CSS Injection Payload]

    When the device’s icon is then loaded in any subsequent pages (e.g., the Devices page), the content is loaded unescaped inside of the style tag, as shown below:

    [Figure: Payload Insertion Point]

    This allows malicious users to insert (almost) any CSS they want in place of the icon. A malicious user can cause an HTTP request to an arbitrary domain/IP address by setting a background-image property in the payload, as shown here:

    [Figure: Payload Execution Causing HTTP Request to Controlled Server]

    The impact of this vulnerability is less severe because modern browsers prevent JavaScript in style tags and PRTG Network Monitor prevents double-quote (") characters in the payload. These steps prevent this vulnerability from being escalated into a Cross-Site Scripting vulnerability.
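
    The two checks whose absence is described above (validating the icon against the offered selections on save, and escaping it before it is written into the style tag), plus a review of already stored values, as an added example that is not PRTG's or Raxis's code. The icon names, the device record shape and all function names are assumptions made for illustration.

```python
import re

# Assumption: the icon files the edit form offers (constructed names).
ALLOWED_ICONS = frozenset({"server.png", "switch.png", "router.png"})

# Characters and keywords an icon file name never needs but a CSS
# declaration (for example a background-image with url(...)) does.
CSS_TOKENS = re.compile(r"[;{}()\\<>:'\"]|/\*|url|@import", re.I)


def validate_icon(submitted: str) -> str:
    """On save: accept only an exact match with an offered icon."""
    if submitted not in ALLOWED_ICONS:
        raise ValueError("icon is not one of the offered selections")
    return submitted


def css_escape(value: str) -> str:
    """On render: hex-escape every non-alphanumeric character so stored
    text cannot end the value it is written into inside the style tag."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else f"\\{ord(ch):x} "
        for ch in value
    )


def audit_devices(devices):
    """Review stored values: return (id, icon, css_tokens) for every
    device whose icon is not on the allowlist."""
    findings = []
    for dev in devices:
        icon = dev["icon"]
        if icon not in ALLOWED_ICONS:
            tokens = sorted({m.group(0).lower() for m in CSS_TOKENS.finditer(icon)})
            findings.append((dev["id"], icon, tokens))
    return findings


# Constructed sample records (hypothetical export of device settings).
SAMPLE_DEVICES = [
    {"id": 1001, "icon": "server.png"},
    {"id": 1002, "icon": "x.png;background-image:url(https://example.invalid/p)"},
    {"id": 1003, "icon": "custom_rack.png"},
]

if __name__ == "__main__":
    for dev_id, icon, tokens in audit_devices(SAMPLE_DEVICES):
        print(dev_id, repr(icon), "css tokens:", tokens or "none")
```

    A finding with an empty token list is an unexpected but harmless-looking value; one that lists CSS tokens is the case worth reviewing first.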

    Affected Versions

    Raxis discovered this vulnerability on PRTG Network Monitor version 22.2.77.2204.

    Remediation

    A fix for CVE-2022-35739 has not been released. When a fix is released, upgrade to the newest version to fully remediate the vulnerability. In the meantime, Raxis recommends keeping a small list of users who can edit devices to limit the impact of the vulnerability. CVE-2022-35739 has minimal damage potential and is difficult to execute, and thus does not warrant additional protections while waiting for a remediation.

    Disclosure Timeline
    • July 7, 2022 – Vulnerability reported to Paessler Technologies.
    • July 8, 2022 – Paessler Technologies begins investigating vulnerability.
    • July 14, 2022 – CVE-2022-35739 assigned to this vulnerability.
    • August 8, 2022 – Outreach to Paessler Technologies without response.
    • October 4, 2022 – Second outreach to Paessler Technologies without response.
    • October 7, 2022 – Third outreach to Paessler Technologies without response.
    • October 21, 2022 – Original blog post detailing CVE-2022-35739 released.
  • Meet the Team: Matt Mathur, Lead Penetration Tester

    Hi, I’m Matt Mathur. A few days ago, I did an interview with Jim, our marketing guru. The idea is to introduce you to Raxis through the eyes of our team, how we found our way to this profession, and to help you understand what drives our passion for penetration testing. Read on to learn more about my personal story, and if you’re interested in joining our team, check out our careers page and see if you might be a good fit.

    Jim: Tell me a little about your background. How long have you been with Raxis?

    Matt: I grew up on Long Island in New York and got my B.S. in Computer Science from Northeastern University in Boston. I now live in Philadelphia with my fiancée Natasha, who’s finishing up medical school. I joined the Raxis team last November after working on building some automated attack tools to assist in cybersecurity testing and training.

    Jim: How did you come to focus on cybersecurity?

    Matt: Well, I had some experience as a software engineer, in malware research and other security research before turning towards offensive security. I liked all those things, but the idea of offensive security – of using our hacking ability to help companies become more secure is really what excites me.

    Jim: Helping people seems to be a theme in your career and in your personal life. Is that right?

    Matt: Yeah, I think that’s really what led me to cybersecurity in the first place, helping people protect their users and important data. Outside of that, I try to volunteer at organizations such as Black Girls Hack and Women’s Society of Cyberjutsu to help empower people to succeed in cybersecurity. I’m also just inspired by Natasha, who is helping people every day.

    Jim: How does working on the Raxis team fit into that mix?

    [Photo: Matt’s homemade macarons]

    Matt: When we help companies remediate vulnerabilities, we’re helping them secure their users, data, and company. The team is passionate about this, and about helping other security researchers by sharing knowledge with the community.

    Jim: Help our readers and me understand what you mean by that.

    Matt: The Raxis team is fully remote, and we’re constantly updating each other on the newest attacks, tools, and vulnerabilities. On top of that, we’re encouraged to publish our findings, tools, and techniques to help others in the community remediate them too.

    Jim: Do you have an example?

    Matt: Sure, I recently published a Metasploit Module based on a new vulnerability I discovered in Microsoft’s Remote Desktop Web Access application. This module helps people detect the vulnerability, and Raxis not only gave me the time to work on this, but also actively encouraged it. The team celebrates these things, and the same is true for team members who earn new certifications, find creative ways to breach a customer’s network, or develop other tools.

    Jim: You’ve talked about a lot of advantages to being part of the Raxis team. What’s your favorite part of the job?

    Matt: Outside of being able to use offensive security to help people, I like being challenged while learning new things. Outside Raxis, I like to play strategic games like MtG, go hiking and biking, and improve my cooking and baking. These are varied, but it’s nice to get outside my cybersecurity headspace.

    With that said, my favorite part about the job is that it’s an ongoing challenge. We work with clients in various industries with vastly different networks, applications, and security postures. Even very similar companies can have entirely different tech stacks, so there’s constantly room to learn.