Vendor: R7000
By: Vincent Yiu
CVSS: 8.8 (HIGH)
CWE: 79 (XSS)
Product Name: R7000
Affected Version From: V1.0.7.2_1.1.93
Affected Version To: Latest to date
Patch Exists: Yes
Related CWE: N/A
CPE: h:netgear:r7000
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2016

Netgear R7000 – XSS via DHCP hostname

A user who can send DHCP requests to the router, over either a VPN or a wireless connection, can supply a DHCP hostname (option 12) containing script tags that is rendered unescaped in the router's admin panel, triggering stored XSS. An attacker could connect to an open or guest Wi-Fi hotspot, inject the payload as a hostname, and steal the administrator's authentication cookie when the administrator views the connected-devices page.

Mitigation:

Netgear has released a patch to fix this vulnerability.

Exploit-DB raw data:

# Exploit Title: Netgear R7000 - XSS via DHCP hostname
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date
 
-Vulnerability
A user who has access to send DHCP via either a VPN or wireless connection can serve a hostname with script tags to trigger XSS.

Could potentially be used to connect to an open or guest WiFi hotspot and inject stored XSS into the admin panel and steal the cookie for authentication.

Log in at http://RouterIP/start.htm

Then visit the "view who's connected" page.
 
-Proof Of Concept
Set in /etc/dhcp/dhclient.conf:

send host-name "<script>alert('xss')</script>";
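The following is an added example, not part of the original advisory or of Netgear's firmware. It covers both the description above and the dhclient PoC: it builds a DHCP DISCOVER carrying the PoC payload in option 12 (the same bytes dhclient emits for `send host-name`), parses the option back out the way a router-side DHCP server would, and then contrasts the unsafe rendering pattern (hostname concatenated straight into the attached-devices page) with the checks a fixed firmware should apply: RFC 1123 hostname validation at the point the lease is stored, plus HTML escaping at the point it is displayed. The packet layout, the MAC address and the `<td>` rendering are constructed for illustration and are not taken from the R7000.

```python
"""Added example: DHCP option 12 hostname as a stored-XSS vector, and the
router-side checks that close it. Not code from the advisory or from Netgear."""
import html
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME = 12      # RFC 2132 "Host Name" option
OPT_MSG_TYPE = 53
OPT_END = 255

# Payload from the advisory's dhclient.conf PoC.
XSS_HOSTNAME = "<script>alert('xss')</script>"


def build_dhcp_discover(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Return a minimal BOOTP/DHCP DISCOVER whose option 12 carries `hostname`.
    Only the fields a server needs to reach the option area are populated."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,          # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac + b"\0" * 10,        # chaddr is 16 bytes
        b"\0" * 64, b"\0" * 128, # sname, file
    )
    name = hostname.encode("utf-8")
    if len(name) > 255:
        raise ValueError("hostname option longer than 255 bytes")
    options = (
        MAGIC_COOKIE
        + bytes([OPT_MSG_TYPE, 1, 1])                 # DHCPDISCOVER
        + bytes([OPT_HOSTNAME, len(name)]) + name     # client-controlled hostname
        + bytes([OPT_END])
    )
    return fixed + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Parse the TLV option area into {code: raw_bytes}, rejecting truncation."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# RFC 1123 single-label hostname: letters, digits, hyphens; no leading/trailing
# hyphen; 1-63 octets. Anything the PoC payload contains ('<', '>', '(', quotes) fails.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_is_valid(name: str) -> bool:
    return bool(HOSTNAME_RE.match(name))


def render_attached_device_vulnerable(hostname: str) -> str:
    """The unsafe pattern the advisory describes: raw hostname in the HTML."""
    return "<td>" + hostname + "</td>"


def render_attached_device_fixed(hostname: str) -> str:
    """Defence in depth: refuse to store an illegal hostname, and escape
    whatever is rendered regardless of where it came from."""
    if not hostname_is_valid(hostname):
        hostname = "unknown"
    return "<td>" + html.escape(hostname, quote=True) + "</td>"


def demo() -> dict:
    """End to end: client packet -> server parse -> both renderings."""
    pkt = build_dhcp_discover(bytes.fromhex("001122334455"), XSS_HOSTNAME)  # constructed MAC
    hostname = parse_dhcp_options(pkt)[OPT_HOSTNAME].decode("utf-8", errors="replace")
    return {
        "hostname": hostname,
        "vulnerable": render_attached_device_vulnerable(hostname),
        "fixed": render_attached_device_fixed(hostname),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation regex is deliberately strict (single label, no dots or underscores); real clients sometimes send FQDNs or underscores in option 12, so a production check would extend the allowed set, but it must never admit the HTML-significant characters, and the escaping step should stay in place even when validation exists, since the same hostname may also reach the page from other sources such as static DHCP reservations.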