ID
VAR-E-201612-0124
TITLE
Netgear R7000 - XSS via. DHCP hostname
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | netgear | model: | r7000 | scope: | - | version: | - | Trust: 0.6 |
EXPLOIT
# Exploit Title:
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date
-Vulnerability
An user who has access to send DHCP via either VPN or Wireless connection can serve a host name with script tags to trigger XSS.
Could be potentially used to connect to open or guest WIFI hotspot and inject stored XSS into admin panel and steal cookie for authentication.
http://RouterIP/start.htm
Then visit the "view who's connected" page.
-Proof Of Concept
Set /etc/dhcp/dhclient.conf
send host-name "<script>alert('xss')</script>";
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
XSS via. DHCP hostname
Trust: 0.6
EXTERNAL IDS
| db: | EDBNET | id: | 89501 | Trust: 0.6 |
REFERENCES
| url: | https://www.intelligentexploit.com | Trust: 0.6 |
SOURCES
| db: | EDBNET | id: | 89501 |
LAST UPDATE DATE
2022-07-27T09:37:39.531000+00:00
SOURCES RELEASE DATE
| db: | EDBNET | id: | 89501 | date: | 2016-12-12T00:00:00 |