Monday, January 20, 2020

[SMC Networks] Stored Cross-Site Scripting (Authenticated) in SMC D3G0804W Router (CVE-2020-7249)

SMC Networks is an American-based company, founded in 1972. The company develops network interface cards (NICs), stackable dual-speed hubs and Ethernet switches, and is now venturing into the world of IoT.

The SMC Networks D3G0804W Router is described as:

"A multimedia Gateway that delivers video, and data for applications such as Home Security and Automation, and IPTV distribution. The Gateway is a versatile and robust all-in-one solutions that make it ideal for homes and businesses to connect their local-area network (LAN) to the Internet."
--SMC Networks D3G0804W user manual.

To access this device, the default credentials are admin:password

Looking at Shodan, I found that there are about 18670 devices, and most are from Bolivia.

Doing some research, I discovered that in the Wifi Network Configuration section of the device, you can configure the name of the wireless signal, or SSID. Here I tested a simple "<svg/onload=alert('XSS')>" payload in the SSID and then saved the configuration.

After clicking the "Save Settings" button and then "Aceptar", I was redirected to the list of available WiFi networks, and the previously injected payload was executed automatically.

The tested model of the device was D3G0804W-35.2.5-LAT_GA
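
The mitigation for the behaviour described above, as an added example that is not from the original post or from SMC firmware: the stored SSID is HTML-encoded when the network list is rendered. The function names and row markup are assumptions, and the sample SSIDs are constructed apart from the payload quoted in the post.

```javascript
"use strict";
// Added example with hypothetical names; this is not SMC firmware code.

// Encode the five characters that can change the HTML parsing context.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input check: 802.11 limits an SSID to 32 octets. Control characters are
// rejected too. Note that '<' and '>' are legal in an SSID, so this check
// alone cannot stop markup from being stored.
function validateSsid(ssid) {
  if (typeof ssid !== "string") return false;
  const octets = new TextEncoder().encode(ssid).length;
  if (octets < 1 || octets > 32) return false;
  return !/[\u0000-\u001f\u007f]/.test(ssid);
}

// "Before": assumed model of the page behaviour, where the stored SSID is
// concatenated into the network list markup unchanged.
function renderNetworkRowUnsafe(ssid) {
  return "<tr><td>" + ssid + "</td></tr>";
}

// "After": same row, with the SSID encoded at output time.
function renderNetworkRowSafe(ssid) {
  return "<tr><td>" + escapeHtml(ssid) + "</td></tr>";
}

// Constructed sample: one ordinary SSID plus the payload quoted in the post.
const storedSsids = ["HomeNet", "<svg/onload=alert('XSS')>"];

function renderList(renderRow) {
  return storedSsids.map(renderRow).join("\n");
}

console.log("unsafe:\n" + renderList(renderNetworkRowUnsafe));
console.log("safe:\n" + renderList(renderNetworkRowSafe));
```

The quoted payload is 25 octets, so it passes the length check; the output encoding is what keeps it from being parsed as an element.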


