
Multiple Cross Site Scripting in Netgear Router Version 1.0.0.24 #12

Open
cybersecurityworks opened this issue Jan 9, 2016 · 0 comments


Details

Product Vendor: Netgear

Bug Name: Cross Site Scripting in Netgear Router Version 1.0.0.24

Software: Netgear Router Firmware

Version: 1.0.0.24

Last Updated: 10-06-2015

Homepage: http://netgear.com/

Severity High

Vulnerable URL: http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593

Vulnerable Variable: getpage, var:page & var:menu

Parameter: GET

Status: Fixed

Exploitation Requires Authentication?: no

POC URL: https://www.youtube.com/watch?v=ITLg-uL68CU&index=7&list=PLrTr4Cobqhhw-72HKFFuwgBu6gXJSmeoT

Description

A Cross Site Scripting (XSS) vulnerability exists in Netgear Router Firmware Version 1.0.0.24. By exploiting a cross-site scripting vulnerability, an attacker can hijack a logged-in user's session by stealing cookies. This means the attacker can change the logged-in user's password and invalidate the victim's session while the attacker maintains access.

Proof of concept: (POC)

Inject the malicious JavaScript code "></scripT><scripT>alert(1)</scripT> into the getpage variable in the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 and view it in a browser; the injected script executes, demonstrating Cross Site Scripting (XSS).

Note: The var:page and var:menu variables can likewise be injected with a malicious JavaScript payload and used as a vehicle for further attack.

Issue 1:

The GET request parameter getpage variable in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).

[Screenshot] Figure 1: XSS payload injected into the getpage variable is echoed back in the response for the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593

[Screenshot] Figure 2: XSS payload is reflected in the browser

Issue 2:

The GET request parameter var:page variable in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).

[Screenshot] Figure 3: XSS payload injected into the var:page variable is echoed back in the response for the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593

Issue 3:

The GET request parameter var:menu variable in the following URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to Cross Site Scripting (XSS).

[Screenshot] Figure 4: XSS payload injected into the var:menu variable is echoed back in the response for the URL http://router-ip/cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593
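The three issues above share one defect: a query parameter is written straight into the HTML response without encoding. The following is an added example, not code from the advisory or from Netgear, showing how a defender can spot such requests in web-server access logs for the /cgi-bin/webproc endpoint and what the correct reflection looks like. The log lines are constructed, and the Common Log Format layout is an assumption about how the router logs requests.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The three parameters the advisory reports as reflected into the page unescaped.
REFLECTED_PARAMS = {"getpage", "var:page", "var:menu"}
# Any of these reaching an HTML context unencoded breaks out of the intended markup.
HTML_META = re.compile(r'[<>"\']')
# Common Log Format (assumed): client ip, two dashes, [timestamp], "request line", ...
CLF = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def suspicious_params(request_line: str) -> list[str]:
    """Names of reflected parameters whose decoded value contains HTML metacharacters."""
    parts = request_line.split()  # e.g. ["GET", "/cgi-bin/webproc?...", "HTTP/1.1"]
    if len(parts) < 2:
        return []
    hits = []
    for name, values in parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).items():
        # parse_qs already URL-decoded once; decode twice more to catch double encoding
        if name in REFLECTED_PARAMS and any(HTML_META.search(unquote(unquote(v))) for v in values):
            hits.append(name)
    return sorted(hits)

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client_ip, flagged_params) for each log line carrying a suspicious reflected value."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m and (flagged := suspicious_params(m.group(2))):
            findings.append((m.group(1), flagged))
    return findings

def safe_echo(value: str) -> str:
    """How the CGI should reflect a parameter: entity-encode it before writing it into HTML."""
    return html.escape(value, quote=True)

# Constructed sample lines (not real router logs): a normal request, the advisory's
# payload in getpage, and a double-URL-encoded tag in var:menu.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2015:10:00:00 +0000] "GET /cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced HTTP/1.1" 200 4521',
    '192.0.2.11 - - [28/Oct/2015:10:00:05 +0000] "GET /cgi-bin/webproc?getpage=%22%3E%3C/scripT%3E%3CscripT%3Ealert(1)%3C/scripT%3E&var:page=RST_status&var:menu=advanced HTTP/1.1" 200 4530',
    '192.0.2.12 - - [28/Oct/2015:10:00:09 +0000] "GET /cgi-bin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=%253Cimg%2520src%3Dx%253E HTTP/1.1" 200 4525',
]

if __name__ == "__main__":
    for ip, params in scan_log(SAMPLE_LOG):
        print(f"{ip}: possible XSS attempt via {', '.join(params)}")
```

The double decode matters because the router decodes the query before reflecting it, so a payload encoded twice would slip past a filter that decodes only once.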


Timeline

28/10/2015 - Discovered in Netgear Router Firmware Version 1.0.0.24
28/10/2015 - Reported to vendor through the support option, but no response
30/10/2015 - Reported to vendor through another support option available here, but again no response
03/11/2015 - Technical team finally started addressing the issue after many follow-ups by phone and mail
13/12/2015 - Vulnerability fixed and case closed
30/12/2015 - Netgear released updated version 1.0.0.32


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
