Zero Science Lab » Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit

Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit

Title: Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit
Advisory ID: ZSL-2019-5522
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.05.2019

Summary

Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.

Description

The application suffers from an authenticated stored XSS via GET request. The issue is triggered when input passed via the GET parameter 'server' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Vendor

BTicino S.p.A. - https://www.bticino.com

Affected Version

Hardware Platform: F454
Firmware version: 1.0.51
Driver Manager version: 1.1.14

Tested On

Apache/2.2.14 (Unix)
OpenSSL/1.0.0d
PHP/5.1.6

Vendor Status

[30.04.2019] Vulnerability discovered.
[01.05.2019] Vendor contacted.
[01.05.2019] Vendor responds, employee from BTicino will contact us.
[14.05.2019] No reply from the vendor.
[15.05.2019] Public security advisory released.

PoC

legrand_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/46850
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/161093
[3] https://packetstormsecurity.com/files/152941

Changelog

[15.05.2019] - Initial release
[17.05.2019] - Added reference [2] and [3]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk