{"id":47612,"date":"2022-09-26T15:02:37","date_gmt":"2022-09-26T13:02:37","guid":{"rendered":"https:\/\/cyberant.com\/cve-2016-7941-xss-in-netgear-prosafe-switches\/"},"modified":"2023-04-12T15:56:57","modified_gmt":"2023-04-12T13:56:57","slug":"cve-2016-7941-xss-in-netgear-prosafe-switches","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/cve-2016-7941-xss-in-netgear-prosafe-switches\/","title":{"rendered":"CVE-2016-7941 &#8211; XSS in Netgear ProSAFE switches"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8iryfan-c77db7f41860d1dea60797cd0ba71a3f\">\n#top .av_textblock_section.av-l8iryfan-c77db7f41860d1dea60797cd0ba71a3f .avia_textblock{\nfont-size:40px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8iryfan-c77db7f41860d1dea60797cd0ba71a3f '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1 class=\"h2 entry-title\">CVE-2016-7941 \u2013 XSS in Netgear ProSAFE switches<\/h1>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-rrjicy-7f33f389ff824fa2c027849fc14fac2e\">\n#top .hr.hr-invisible.av-rrjicy-7f33f389ff824fa2c027849fc14fac2e{\nheight:30px;\n}\n<\/style>\n<div  class='hr av-rrjicy-7f33f389ff824fa2c027849fc14fac2e hr-invisible  avia-builder-el-1  el_after_av_textblock  el_before_av_textblock '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8iryqan-8b0a1161170294e42d883fbef6e92d95\">\n#top .av_textblock_section.av-l8iryqan-8b0a1161170294e42d883fbef6e92d95 .avia_textblock{\nfont-size:16px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8iryqan-8b0a1161170294e42d883fbef6e92d95 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock' 
 itemprop=\"text\" ><p>A few years ago, one of our researchers discovered an unauthenticated stored XSS vulnerability in the Netgear ProSAFE Gigabit Smart Managed Switches. Although this was quite some time ago, we still felt it was worth writing up.<\/p>\n<h2>The vulnerability<\/h2>\n<p>At a security training, the instructor brought her personal Netgear GS108T switch from home and asked us to dive into it. She was curious how safe this ProSAFE device was. This led to the discovery of a new vulnerability.<\/p>\n<p>The Netgear devices have two interfaces through which administrators can modify the settings of the device: the web interface and SNMP. The latter is not protected by default, although protection can be configured.<\/p>\n<p>XSS is always a concern in web interfaces, so Netgear made some effort to filter bad input in the web interface. However, they only did input validation, not output encoding, and that validation is only present in the web interface. Any value that is modified via SNMP is therefore an opening for XSS. Since not all parameters were accessible or usable via SNMP, the only system variables that could be accessed and modified and would result in an XSS were system name, system location, and system contact.<\/p>\n<h2>Exploiting via SNMP<\/h2>\n<p>In the web interface, the value is placed in a text box. To break out of this, we use the following payload: <code>hi\" onclick=alert(\"xss\") x=\"<\/code>.<br \/>\nFirst, we enumerate the injection points. For this we use snmpwalk (our target is at 192.168.1.30):<br \/>\n<code>snmpwalk -mALL -v2c -c public 192.168.1.30<\/code>. With this we find out that the key iso.3.6.1.2.1.1.5.0 is related to the system name. 
With that information we can change it using snmpset: <code>snmpset -v 2c -c private 192.168.1.30 iso.3.6.1.2.1.1.5.0 s 'hi\" onclick=alert(\"xss\") x=\"'<\/code><\/p>\n<p>Now, log in to the Netgear web interface (in this case http:\/\/192.168.1.30). Click on the system name field (it has the value \u201chi\u201d). You will see an alert box saying \u201cxss\u201d.<\/p>\n<h2>Affected devices and response<\/h2>\n<p>After discovery, we contacted Netgear about the issue. Beforehand, we had registered a CVE number for this issue (CVE-2016-7941). After 2 weeks, we received an initial response with the request to fill in an Excel document. After submitting that, we got a confirmation that the document had been received and that they would reach out to us soon. Then it went silent&#8230;<\/p>\n<p>After a few months, we decided to Google for the CVE. In the meantime, Netgear had patched the issue and created a <a href=\"https:\/\/kb.netgear.com\/000036745\/Security-Advisory-for-CVE-2016-7941-PSV-2016-0150\" target=\"_blank\" rel=\"noopener\">Security Advisory<\/a> for it. From this advisory we learned that the following devices were affected:<\/p>\n<ul>\n<li>GS724Tv3 and GS716Tv2 with firmware version 5.4.2.25 or earlier<\/li>\n<li>GS510TP with firmware version 5.4.2.25 or earlier<\/li>\n<li>GS108Tv2 and GS110TP with firmware version 5.4.2.25 or earlier<\/li>\n<li>GS748Tv4 with firmware version 5.4.2.25 or earlier<\/li>\n<\/ul>\n<p>To this day, we are still waiting for a response from Netgear. 
In the meantime, we installed the new firmware, recommended by the advisory.<\/p>\n<div class=\"text-center\">\n<div class=\"post-thumbnail\"><picture><source srcset=\"https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-1024x628.jpeg.webp 1024w, https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-300x184.jpeg.webp 300w, https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-768x471.jpeg.webp 768w, https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-1536x942.jpeg.webp 1536w, https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-2048x1256.jpeg.webp 2048w, https:\/\/cyberant.com\/wp-content\/webp-express\/webp-images\/doc-root\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-413x253.jpeg.webp 413w\" type=\"image\/webp\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><img decoding=\"async\" class=\"attachment-large size-large wp-post-image webpexpress-processed\" src=\"https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-1024x628.jpeg\" sizes=\"(max-width: 640px) 100vw, 640px\" srcset=\"https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-1024x628.jpeg 1024w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-300x184.jpeg 300w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-768x471.jpeg 768w, 
https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-1536x942.jpeg 1536w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-2048x1256.jpeg 2048w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/06\/Netgear_ProSafe_8_Port_Gigabit_Switch_GS108_open-413x253.jpeg 413w\" alt=\"\" width=\"640\" height=\"393\" \/><\/picture><\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":11,"featured_media":47613,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[195,216],"tags":[182,183,197,191,185,201,192,188],"class_list":["post-47612","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacken","category-knowledge-base","tag-cyber-security-en","tag-cyberaanval-en","tag-cybercriminelen-en","tag-etisch-hacker-en","tag-hacker-en","tag-netgear-prosafe-switches-en","tag-owasp-en","tag-vulnerability-management-en"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=47612"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47612\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media\/47613"}],"wp:attachment":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=47612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/
en\/wp-json\/wp\/v2\/categories?post=47612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=47612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}