Exploit the possiblities

Tenda / D-Link / TP-Link DHCP Cross Site Scripting

Tenda / D-Link / TP-Link DHCP Cross Site Scripting
Posted Nov 28, 2016
Authored by Lawrence Amer | Site vulnerability-lab.com

Tenda, D-Link, and TP-Link routers suffer from a DHCP-related cross site scripting vulnerability.

tags | exploit, xss
MD5 | 35203611e6c87286765993d433525561

Tenda / D-Link / TP-Link DHCP Cross Site Scripting

Change Mirror Download
Document Title:
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Abstract Advisory Information:
The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.

Vulnerability Disclosure Timeline:
2016-11-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Exploitation Technique:

Severity Level:

Technical Details & Description:
Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged account to inject malicious script codes
on the application-side to manipulate the router dhcp hostnames.

Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying
the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side
on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the
web gui are affected by the security vulnerability. Remote attackers can for example make special crafted
malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.

The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect
to malicious sources and persistent manipulation of affected or connected web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] DHCP Client List
[+] DHCP settings

Vulnerable Parameter(s):
[+] Hostnames

Proof of Concept (PoC):
Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manaul steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes within the context
7. Successful reproduce of the vulnerability!

The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload.
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.

PoC: Exploit
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold)
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer "
echo -n $BLUE"[~] type XSS Payload here :"
read -e xss
echo $xss > /etc/hostname

Video: https://www.youtube.com/watch?v=HUM5myJWbvc

Solution - Fix & Patch:
The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
Restrict the input and disallow the usage of special chars to prevent the injection point.
Parse as well the hostnames output location in the active dhcp clients list.

Security Risk:
The security risk of the persistent xss web vulnerability in the router web-application is estimate as medium. (CVSS 3.5)

Credits & Authors:
Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/

SERVICE: www.vulnerability-lab.com


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By