Tenda / Dlink / Tplink TD-W8961ND - DHCP Cross-Site Scripting Vulnerability

Document Title:
===============
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability

 
Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.

 
 
Technical Details & Description:
================================
Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged account to inject malicious script codes 
on the application-side to manipulate the router dhcp hostnames. 
 
Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying 
the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side 
on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the 
web gui are affected by the security vulnerability. Remote attackers can for example make special crafted 
malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.
 
The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. 
Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction. 
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect 
to malicious sources and persistent manipulation of affected or connected web module context.
 
Request Method(s):
[+] POST
 
Vulnerable Module(s):
[+] DHCP Client List 
[+] DHCP settings
 
Vulnerable Parameter(s):
[+] Hostnames
 
 
Proof of Concept (PoC):
=======================
Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 
 
Manaul steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes within the context
7. Successful reproduce of the vulnerability!
 
The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload. 
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.
 
PoC: Exploit
#!/bin/bash
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold) 
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer " 
echo -n $BLUE"[~] type XSS Payload here :"
read -e xss 
echo $xss > /etc/hostname
echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"
 
 
Video: https://www.youtube.com/watch?v=HUM5myJWbvc
 
 
Solution - Fix & Patch:
=======================
The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
Restrict the input and disallow the usage of special chars to prevent the injection point.
Parse as well the hostnames output location in the active dhcp clients list.

#  0day.today [2018-01-01]  #