Details of VAR-201310-0247

ID

VAR-201310-0247

CVE

CVE-2013-3962

TITLE

plural Grandstream Product cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-004458

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models before firmware 1.0.4.44, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. Unknown cross-site scripting vulnerabilities existed in multiple IP Cameras from Grandstream. Grandstream is an IP phone, network video surveillance solution vendor. The telnet service in multiple Grandstream products uses a built-in account that allows remote attackers to use this account to gain unauthorized access to factory reset or upgrade firmware. The affected products are as follows: GXV3500GXV3501GXV3504GXV3601GXV3601HD/LLGXV3611HD/LLGXV3615W/PGXV3615WP_HDGXV3651FHDGXV3662HD. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Grandstream GXV3501 and others are network camera products of American Grandstream Networks (Grandstream) company. =============================================================================== GRANDSTREAM ==================================================================== =============================================================================== 1.Advisory Information Title: Grandstream Series Vulnerabilities Date Published: 12/06/2013 Date of last updated: 12/06/2013 2.Vulnerability Description The following vulnerability has been found in these devices: -CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443) -CVE-2013-3962. Cross Site Scripting(CWE-79) -CVE-2013-3963. -CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963. It\x92s possible others models are affected but they were not checked. 4.PoC 4.1.Backdoor in Telnet Protocol CVE-2013-3542, Backdoor in Telnet Protocol You should connect via telnet protocol to any camera affected (it's open by default). After all you should be introduce the magic string \x93 !#/ \x94 as Username and as Password. You will get the admin panel setting menu. If you type "help", the following commands are shown: ======================================================= help, quit, status, restart, restore, upgrade, tty_test ======================================================= @@@ restore (Reset settings to factory default) The attacker can take the device control, so it's make this devices very vulnerables. 4.2.Cross Site Scripting (XSS) CVE-2013-3962, Cross Site Scripting non-persistent. _____________________________________________________________________________ http://xx.xx.xx.xx/<script>alert(123)</script> _____________________________________________________________________________ 4.3.Cross Site Request Forgery (CSRF) CVE-2013-3963, CSRF via GET method. These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters. You should introduce the following URL to replicate the attack. _____________________________________________________________________________ http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0 _____________________________________________________________________________ 5.Credits -CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jon\xe1s Ropero Castillo. 6.Report Timeline -2013-05-31: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542. -2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability. -2013-06-11: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities

Trust: 3.15

sources: NVD: CVE-2013-3962 // JVNDB: JVNDB-2013-004458 // CNVD: CNVD-2013-13693 // CNVD: CNVD-2013-08565 // BID: 60531 // VULHUB: VHN-63964 // PACKETSTORM: 122004

IOT TAXONOMY

category:	['Network device']	sub_category:	-	Trust: 1.2
category:	['camera device']	sub_category:	camera	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2013-13693 // CNVD: CNVD-2013-08565

AFFECTED PRODUCTS

vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.16	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.3.9	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.42	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.27	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.7	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.38	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.6	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.39	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.2.3	Trust: 1.6
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.11	Trust: 1.6
vendor:	grandstream	model:	gxv3500	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3615wp hd	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3662hd	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3651fhd	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3615w/p	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3611hd/ll	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3601hd/ll	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3601	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3504	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv3501	scope:	-	version:	-	Trust: 1.4
vendor:	grandstream	model:	gxv device	scope:	lte	version:	1.0.4.43	Trust: 1.0
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.37	Trust: 1.0
vendor:	grandstream	model:	gxv device	scope:	eq	version:	1.0.4.34	Trust: 1.0
vendor:	grandstream	model:	gxv3651fhd	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3501	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3611hd\/ll	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3615wp hd	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3615w\/p	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3662hd	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3500	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3504	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3601	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv3601hd\/ll	scope:	eq	version:	-	Trust: 1.0
vendor:	grandstream	model:	gxv	scope:	lt	version:	1.0.4.44	Trust: 0.8
vendor:	grandstream	model:	gxv device	scope:	lte	version:	<=1.0.4.43	Trust: 0.6
vendor:	grandstream	model:	gxv3501 gxv3504 ip video encoders	scope:	eq	version:	/	Trust: 0.6
vendor:	grandstream	model:	gxv3500 ip video encoder/decoder	scope:	-	version:	-	Trust: 0.6
vendor:	grandstream	model:	gxv series ip cameras	scope:	-	version:	-	Trust: 0.6
vendor:	grandstream	model:	gxv3662hd	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3651fhd	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3615wp hd	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3615w/p	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3611hd/ll	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3601hd/ll	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3601	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3504	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3501	scope:	eq	version:	0	Trust: 0.3
vendor:	grandstream	model:	gxv3500	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2013-13693 // CNVD: CNVD-2013-08565 // BID: 60531 // JVNDB: JVNDB-2013-004458 // CNNVD: CNNVD-201306-257 // NVD: CVE-2013-3962

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3962
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-3962
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-13693
value:	MEDIUM
Trust: 0.6
CNVD:	CNVD-2013-08565
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201306-257
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-63964
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-3962
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-13693
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2013-08565
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-63964
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2013-13693 // CNVD: CNVD-2013-08565 // VULHUB: VHN-63964 // JVNDB: JVNDB-2013-004458 // CNNVD: CNNVD-201306-257 // NVD: CVE-2013-3962

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-63964 // JVNDB: JVNDB-2013-004458 // NVD: CVE-2013-3962

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-257

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201306-257

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004458

PATCH

title:

Firmware Release Notes

url:

http://www.grandstream.com/firmware/BETATEST/GXV35xx_GXV36xx_H/Release_Note_GXV35xx_GXV36xx_H1.0.4.44.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2013-004458

EXTERNAL IDS

db:	NVD	id:	CVE-2013-3962	Trust: 3.6
db:	BID	id:	60531	Trust: 1.6
db:	JVNDB	id:	JVNDB-2013-004458	Trust: 0.8
db:	PACKETSTORM	id:	122004	Trust: 0.7
db:	CNNVD	id:	CNNVD-201306-257	Trust: 0.7
db:	CNVD	id:	CNVD-2013-13693	Trust: 0.6
db:	SECUNIA	id:	53763	Trust: 0.6
db:	CNVD	id:	CNVD-2013-08565	Trust: 0.6
db:	FULLDISC	id:	20130612 SECURITY ANALYSIS OF IP VIDEO SURVEILLANCE CAMERAS	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULHUB	id:	VHN-63964	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2013-13693 // CNVD: CNVD-2013-08565 // VULHUB: VHN-63964 // BID: 60531 // JVNDB: JVNDB-2013-004458 // PACKETSTORM: 122004 // CNNVD: CNNVD-201306-257 // NVD: CVE-2013-3962

REFERENCES

url:	http://seclists.org/fulldisclosure/2013/jun/84	Trust: 2.8
url:	http://www.grandstream.com/firmware/betatest/gxv35xx_gxv36xx_h/release_note_gxv35xx_gxv36xx_h1.0.4.44.pdf	Trust: 2.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3962	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3962	Trust: 0.8
url:	http://www.secunia.com/advisories/53763/	Trust: 0.6
url:	http://packetstormsecurity.com/files/122004/grandstream-backdoor-cross-site-request-forgery-cross-site-scripting.html	Trust: 0.6
url:	http://www.securityfocus.com/bid/60531	Trust: 0.6
url:	http://www.grandstream.com/index.php/products/ip-video-surveillance	Trust: 0.3
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-3963	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-3542	Trust: 0.1
url:	http://xx.xx.xx.xx/<script>alert(123)</script>	Trust: 0.1
url:	http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-3962	Trust: 0.1

CREDITS

Jons Ropero Castillo.

Trust: 0.6

sources: CNNVD: CNNVD-201306-257

SOURCES

db:	OTHER	id:	-
db:	CNVD	id:	CNVD-2013-13693
db:	CNVD	id:	CNVD-2013-08565
db:	VULHUB	id:	VHN-63964
db:	BID	id:	60531
db:	JVNDB	id:	JVNDB-2013-004458
db:	PACKETSTORM	id:	122004
db:	CNNVD	id:	CNNVD-201306-257
db:	NVD	id:	CVE-2013-3962

LAST UPDATE DATE

2025-01-30T22:08:44.849000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-13693	date:	2013-10-14T00:00:00
db:	CNVD	id:	CNVD-2013-08565	date:	2013-07-03T00:00:00
db:	VULHUB	id:	VHN-63964	date:	2013-10-02T00:00:00
db:	BID	id:	60531	date:	2013-06-12T00:00:00
db:	JVNDB	id:	JVNDB-2013-004458	date:	2013-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201306-257	date:	2013-10-16T00:00:00
db:	NVD	id:	CVE-2013-3962	date:	2024-11-21T01:54:37.900

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-13693	date:	2013-10-14T00:00:00
db:	CNVD	id:	CNVD-2013-08565	date:	2013-07-02T00:00:00
db:	VULHUB	id:	VHN-63964	date:	2013-10-01T00:00:00
db:	BID	id:	60531	date:	2013-06-12T00:00:00
db:	JVNDB	id:	JVNDB-2013-004458	date:	2013-10-04T00:00:00
db:	PACKETSTORM	id:	122004	date:	2013-06-13T06:12:41
db:	CNNVD	id:	CNNVD-201306-257	date:	2013-06-18T00:00:00
db:	NVD	id:	CVE-2013-3962	date:	2013-10-01T19:55:09.427