One Article Review

Home - The article:
Source RedTeam PL
Identifier 1798890
Publication date 2019-09-05 19:27:02 (viewed: 2020-07-09 15:05:43)
Title CVE-2019-10677 Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID
Text With the recent software update of DASAN Zhone Solutions (DZS) routers, the company pushed fixes for multiple vulnerabilities I found in it [https://redteam.pl/poc/dasan-zhone-znid-gpon-2426a-eu.html, https://www.exploit-db.com/exploits/47351]. The vulnerabilities got registered under CVE-2019-10677 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10677]. Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID allows a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters. This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on the 3.0 branch), release 3.1.349 and earlier (on the 3.1 branch), release 3.2.087 and earlier (on the 3.2 branch), release 4.1.253 and earlier (on the 4.1 branch), release 5.0.019 and earlier (on the 5.0 branch).

You can find a short description of these issues and proof-of-concept code below.

There is a limit on the number of characters passed from the user into variables in the application; when we pass 50*A and 50*B in the vulnerable GET parameters: http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=
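The reflection pattern the article describes (a GET parameter copied into a JavaScript variable with only a length cap, no escaping) as an added example that is not the author's proof-of-concept nor the router firmware: a constructed Python model of the vulnerable handler beside a hardened form, with a regression check a defender can keep in a test suite. The parameter name wl_wsc_reg comes from the article; the JS variable name, the 50-character cap as a constant and the handler layout are assumptions.

```python
import json
from urllib.parse import parse_qs

# Constructed model of the bug class in the article: the router handler copies a
# GET parameter into a JavaScript variable, capped at 50 characters (the limit
# the article mentions) but never escaped. The parameter name wl_wsc_reg comes
# from the article; the JS variable name and the exact cap value are assumptions.
MAX_LEN = 50
PARAM, JS_VAR = "wl_wsc_reg", "wscReg"


def js_string_literal(value: str) -> str:
    """Emit a JS string literal that can neither end the string nor the <script>.
    json.dumps escapes quotes and backslashes; the extra replacements cover the
    sequences JSON leaves alone but the HTML and JS parsers treat specially."""
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_script(query: str, escape: bool) -> str:
    """Build the inline <script> for a query string. escape=False reproduces the
    vulnerable reflection pattern; escape=True is the hardened form."""
    params = parse_qs(query, keep_blank_values=True)
    value = params.get(PARAM, [""])[0][:MAX_LEN]        # length cap only
    literal = js_string_literal(value) if escape else f'"{value}"'
    return f"<script>var {JS_VAR} = {literal};</script>"


def render_vulnerable(query: str) -> str:
    return render_script(query, escape=False)


def render_hardened(query: str) -> str:
    return render_script(query, escape=True)


def literal_is_intact(script_html: str) -> bool:
    """Regression check for the fix: the reflected value must still be exactly
    one JS string literal, i.e. the statement reads "..."; with no unescaped
    quote inside, and the script element must not be closed early."""
    stmt = script_html.split(f"var {JS_VAR} = ", 1)[1].split("</script>", 1)[0]
    if not (stmt.startswith('"') and stmt.endswith('";')):
        return False
    inner, i = stmt[1:-2], 0
    while i < len(inner):
        if inner[i] == "\\":
            i += 2          # escaped character, skip it
        elif inner[i] == '"':
            return False    # unescaped quote: the string was terminated early
        else:
            i += 1
    return True
```

The same check fails on the vulnerable renderer for any value containing a quote or a closing script tag, which is the property a fix for this bug class has to restore.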
Sent Yes
Tags Vulnerability
The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.