Hello list,

Here are two CVEs I reported to Freebox, a French ISP:

- CVE-2014-9382 - CSRF in VPN user account creation
- CVE-2014-9405 - XSS

Vulnerable product: Freebox OS Web interface 3.0.2.

CVE-2014-9382 - CSRF in Freebox OS Web interface 3.0.2 allowing VPN user account creation
====================

Risk level: High

Freebox allows users to create VPN connections to their home network. In version 3.0.2, when a new user is created, the following JSON request is sent to http://mafreebox.free.fr/api/v3/vpn/user/:

{"login":"foo","password_set":false,"ip_reservation":"","password":"bar"}

This request is vulnerable to CSRF, which is easy to trigger. The following POC would create a new VPN account "ngocdh" / "1234=5678":
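What follows is an added example, not the POC from the post and not Freebox code: the server-side checks a JSON state-changing endpoint such as /api/v3/vpn/user/ can apply so that a submission the victim's browser was made to send from another site is rejected. The X-CSRF-Token header, the per-session token and the header dicts standing in for requests are assumptions for illustration.

```python
"""Server-side anti-CSRF checks for a JSON state-changing endpoint such as
the /api/v3/vpn/user/ user-creation call in the advisory.
Added example, not Freebox code. Requests are modelled as header dicts;
the X-CSRF-Token header and the per-session token are assumptions."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origin the web UI is served from; a same-origin XHR carries it as Origin.
ALLOWED_ORIGIN = "http://mafreebox.free.fr"


def make_csrf_token() -> str:
    """Per-session secret the UI echoes back in a custom header.
    A third-party page cannot read it, so it cannot forge the header."""
    return secrets.token_urlsafe(32)


def is_json_content_type(headers: Dict[str, str]) -> bool:
    """A plain HTML form can only send form-encoded or text/plain bodies; an
    application/json body from another origin would need CORS approval."""
    ctype = headers.get("Content-Type", "")
    return ctype.split(";", 1)[0].strip().lower() == "application/json"


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Accept only the UI's own origin, taken from Origin or, failing that,
    from Referer. Requests carrying neither header are rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def token_matches(headers: Dict[str, str], session_token: str) -> bool:
    """Constant-time comparison of the echoed token against the session's."""
    supplied = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def rejection_reason(headers: Dict[str, str], session_token: str) -> Optional[str]:
    """None when the request may proceed, else the name of the failed check."""
    if not is_json_content_type(headers):
        return "content-type"
    if not origin_allowed(headers):
        return "origin"
    if not token_matches(headers, session_token):
        return "token"
    return None


SESSION_TOKEN = make_csrf_token()

# Constructed headers of a legitimate XHR sent by the Freebox OS UI page.
LEGIT_HEADERS = {
    "Origin": ALLOWED_ORIGIN,
    "Content-Type": "application/json",
    "X-CSRF-Token": SESSION_TOKEN,
}

# Constructed headers of a submission a third-party page caused the victim's
# browser to send: the browser stamps that page as Origin, the body arrives
# as a form post, and the page has no way to read the session token.
CROSS_SITE_HEADERS = {
    "Origin": "http://third-party.example",
    "Content-Type": "text/plain",
}

if __name__ == "__main__":
    print("legit:", rejection_reason(LEGIT_HEADERS, SESSION_TOKEN))        # None
    print("forged:", rejection_reason(CROSS_SITE_HEADERS, SESSION_TOKEN))  # content-type
```

The three checks are layered on purpose: the content-type check alone stops a plain form post, the origin check catches a forged request that somehow carries a JSON body, and the session-bound token remains effective even if a browser strips Origin and Referer.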
CVE-2014-9405 - XSS in Freebox OS Web interface 3.0.2
====================

Risk level: Low

Two XSS instances with a low probability of exploitation were found in the following places:

- Download RSS
- Contacts

The following POC demonstrates the XSS in the "description" field of a Download RSS item:

From Huy Ngoc huyngocbk@gmail.com http://google.com Test by huyngoc]]> Wed, 19 Nov 2014 20:36:47 UTC http://google.com>

In order to exploit this XSS, the attacker must control an RSS feed to which a user has subscribed.

The following VCF file demonstrates an XSS exploitation POC; "alert(document.domain)" would be called after importing this VCF file from the web interface:

BEGIN:VCARD
VERSION:3.0
FN:DAU Huy Ngoc
N:;;;;
URL:
END:VCARD

In order to exploit this XSS, the attacker must trick a user into importing his malicious .vcf.

Timeline:

21/11/2014: XSS CVE-2014-9382 is reported to vendor
21/11/2014: vendor confirmed the vulnerability
02/12/2014: CSRF CVE-2014-9405 is reported to vendor
06/12/2014: a hot fix is released (http://dev.freebox.fr/blog/?p=1867)

Credit: DAU Huy Ngoc (@ngocdh)
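As an added example that is not part of the advisory and not Freebox code, the following shows output-side handling for the two sinks named above: the RSS item "description" is escaped before it is placed in the page, and a vCard URL is only rendered as a link when its scheme is on an allow list. The minimal vCard reader, the allow list and the test vectors (a feed description carrying markup, a vCard whose URL uses the javascript: scheme) are constructed for illustration.

```python
"""Output-side defences for the two XSS sinks in the advisory: the
"description" field of a Download RSS item and the URL field of an imported
vCard. Added example, not Freebox code; the feed description and the vCard
below are constructed test vectors."""
import html
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Schemes a contact link may use; anything else (javascript:, data:,
# vbscript:, ...) is dropped instead of being rendered as a clickable link.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_feed_description(text: str) -> str:
    """Escape untrusted feed text so it renders as literal characters,
    never as markup, whether or not the feed wrapped it in CDATA."""
    return html.escape(text, quote=True)


def safe_contact_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is allow-listed, otherwise None.
    Control characters are removed first because browsers ignore them when
    parsing a scheme, so a URL written as 'java\\tscript:' must not pass."""
    cleaned = _CONTROL_CHARS.sub("", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in SAFE_URL_SCHEMES:
        return None
    return cleaned


def parse_vcard(text: str) -> Dict[str, str]:
    """Minimal vCard 3.0 reader: unfolds continuation lines (CRLF followed by
    one space or tab) and maps each property name, parameters stripped, to
    its value. Enough for FN, N and URL; not a full parser."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props: Dict[str, str] = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        props[name.split(";", 1)[0].upper()] = value
    return props


def contact_to_html(vcard_text: str) -> str:
    """Render an imported contact: name always escaped, link only for a
    URL that survived the scheme check."""
    props = parse_vcard(vcard_text)
    name = html.escape(props.get("FN", ""), quote=True)
    url = safe_contact_url(props.get("URL", ""))
    if url is None:
        return f"<span>{name}</span>"
    return f'<a href="{html.escape(url, quote=True)}">{name}</a>'


# Constructed feed description carrying markup, as a hostile feed might.
FEED_DESCRIPTION = "Test by huyngoc <script>alert(document.domain)</script>"

# Constructed vCard whose URL property uses a scheme that must not be linked.
VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:Test User\r\n"
    "N:;;;;\r\n"
    "URL:javascript:alert(document.domain)\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    print(render_feed_description(FEED_DESCRIPTION))
    print(contact_to_html(VCARD))  # <span>Test User</span>
```

Escaping at the point of output, rather than trying to strip dangerous substrings from the feed, is what keeps the first case safe regardless of how the feed encodes its text; for the vCard, allow-listing the scheme is stricter than blocking `javascript:` by name, since it also rejects schemes the block list never thought of.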