155 lines
No EOL
6.3 KiB
Text
155 lines
No EOL
6.3 KiB
Text
Document Title:
|
|
===============
|
|
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
https://www.vulnerability-lab.com/get_content.php?id=1990
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2016-11-28
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1990
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
3.5
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2016-11-28: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
Medium
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
|
|
The vulnerability allows remote attackers and local privileged account to inject malicious script codes
|
|
on the application-side to manipulate the router dhcp hostnames.
|
|
|
|
Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying
|
|
the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side
|
|
on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the
|
|
web gui are affected by the security vulnerability. Remote attackers can for example make special crafted
|
|
malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.
|
|
|
|
The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
|
|
Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction.
|
|
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect
|
|
to malicious sources and persistent manipulation of affected or connected web module context.
|
|
|
|
Request Method(s):
|
|
[+] POST
|
|
|
|
Vulnerable Module(s):
|
|
[+] DHCP Client List
|
|
[+] DHCP settings
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] Hostnames
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
|
|
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
|
|
|
|
|
Manaul steps to reproduce the vulnerability ... (local)
|
|
1. Open the Router UI
|
|
2. Login as basic account
|
|
3. Open the DHCP List module via settings
|
|
4. Inject a payload to the hostnames input field
|
|
5. Save the input
|
|
6. Now the list becomes visible with all clients and the payload executes within the context
|
|
7. Successful reproduce of the vulnerability!
|
|
|
|
The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload.
|
|
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.
|
|
|
|
PoC: Exploit
|
|
#!/bin/bash
|
|
GREEN=$(tput setaf 2 && tput bold)
|
|
BLUE=$(tput setaf 6 && tput bold)
|
|
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
|
|
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer "
|
|
echo -n $BLUE"[~] type XSS Payload here :"
|
|
read -e xss
|
|
echo $xss > /etc/hostname
|
|
echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"
|
|
|
|
|
|
Video: https://www.youtube.com/watch?v=HUM5myJWbvc
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
|
|
Restrict the input and disallow the usage of special chars to prevent the injection point.
|
|
Parse as well the hostnames output location in the active dhcp clients list.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the persistent xss web vulnerability in the router web-application is estimate as medium. (CVSS 3.5)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
|
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
|
|
deface websites, hack into databases or trade with stolen data.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
|
|
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
|
|
|
|
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com |