[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Nov 2016 12:14:52 +0100

Document Title:
===============
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1990


Release Date:
=============
2016-11-28


Vulnerability Laboratory ID (VL-ID):
====================================
1990


Common Vulnerability Scoring System:
====================================
3.5


Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a persistent xss 
vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem 
Routers web-application.


Vulnerability Disclosure Timeline:
==================================
2016-11-28:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Persistent cross site scripting vulnerability has been discovered in Tenda 
1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged account to 
inject malicious script codes 
on the application-side to manipulate the router dhcp hostnames. 

Attackers are able to inject malicious code into the current list of DHCP 
clients on view, by modifying 
the DHCP hostname into valid xss payload. The execution of vulnerability occurs 
on the application-side 
on view events. Due to our investigation, we discovered that all models with 
the firmware v1.x on the 
web gui are affected by the security vulnerability. Remote attackers can for 
example make special crafted 
malicious pages with POST method requests to manipulate the dhcp hostname 
listing and client view.

The security risk of the issue is estimated as medium with a cvss (common 
vulnerability scoring system) count of 3.5. 
Exploitation of the vulnerability requires no privilege web-application user 
account and only low user interaction. 
Successful exploitation of the vulnerability results in phishing attacks, 
session hijacking, persistent external redirect 
to malicious sources and persistent manipulation of affected or connected web 
module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] DHCP Client List 
[+] DHCP settings

Vulnerable Parameter(s):
[+] Hostnames


Proof of Concept (PoC):
=======================
Persistent vulnerability can be exploited by remote attackers with low 
privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.


Manaul steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes 
within the context
7. Successful reproduce of the vulnerability!

The following code is a bash script working on supported Linux OS to change the 
name of DHCP hostnames to a xss payload. 
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.

PoC: Exploit
#!/bin/bash
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold) 
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer " 
echo -n $BLUE"[~] type XSS Payload here :"
read -e xss 
echo $xss > /etc/hostname
echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"


Video: https://www.youtube.com/watch?v=HUM5myJWbvc


Solution - Fix & Patch:
=======================
The xss vulnerability can be patched by a secure parse of the hostnames client 
parameters.
Restrict the input and disallow the usage of special chars to prevent the 
injection point.
Parse as well the hostnames output location in the active dhcp clients list.


Security Risk:
==============
The security risk of the persistent xss web vulnerability in the router 
web-application is estimate as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Lawrence Amer 
(https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, 
resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website is 
trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or edit our material contact (admin@) to get a ask permission.

                                    Copyright © 2016 | Vulnerability Laboratory 
- [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
  - From: Simon Waters (Surevine)

Prev by Date: [FD] Burden TMA v2.1.1 - (Task) Persistent Web Vulnerability
Next by Date: [FD] Apple iOS 10.1 - Multiple Access Permission Vulnerabilities
Previous by thread: [FD] Burden TMA v2.1.1 - (Task) Persistent Web Vulnerability
Next by thread: Re: [FD] Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
Index(es):
- Date
- Thread