Introduction:
I found a script injection vulnerability in the login form language parameter of the ADB firmware being used in numerous VDSL devices sold by ADB and being used by numerous ISPs world-wide including the countries Austria, Israel, Italy, Slovakia, Argentina, Lithuania, Poland and Chile amongst others.
I informed ADB and A1 Telekom Austria about the vulnerability identified in 2017, allowing them to prepare a fix prior to informing the public. As it was confirmed by the two parties that fixes have been rolled out now to all customers in June 2018, I disclose the vulnerability. I have not tested the updates provided by the manufacturer/ISP and therefore can’t comment on their effectiveness.
CVE-2018-7633 - Script Injection in EpiCentro 7.3.2+ login form
Product: EpiCentro
Vendor: ADB Global
Tested Version: 7.3.2
CVE ID: 2018-7633
Severity: medium
Severity Rating: CVSS v3 Base Score: 5.4 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Impact: Execution of injected JavaScript
Locally Exploitable: No
Remotely Exploitable: Yes
Product Description:
EpiCentro is the firmware name of ADB’s (previously Pirelli) VDSL router/modem products used by many ISPs worldwide, including Telekom Austria A1, for providing their customers access to their infrastructure. Quote from the ADB website: "ADB’s home gateways are equipped with Epicentro®, ADB’s state-of-the-art software platform, which allows service providers to deploy software modules and applications over time via transparent TR-069 remote management, creating opportunities to provide function and service up-selling to the consumer on the same hardware device." See https://www.adbglobal.com/devices/broadband-gateways/
CVE Description:
The EpiCentro httpd (web server) provides web-based access to the configuration of the devices. The language parameter of its login form is susceptible to JavaScript injection: JavaScript injected by the attacker is executed in the browser.
Technical Details:
Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.
The JavaScript code injected and sent to the server is reflected in the response and executed in the client browser.
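The reflection described above and its server-side fix, as an added example that is not the firmware's code: a login handler that echoes the language value unchanged, next to one that allow-lists it and encodes it on output. The field name `Language`, the template, the language set and the attribute reflection context are assumptions made for illustration; the page does not show the actual request or response.

```python
import html
from urllib.parse import parse_qs

# Assumption: the set of UI languages; the firmware's real list is not on the page.
SUPPORTED_LANGUAGES = {"en", "de", "it"}
DEFAULT_LANGUAGE = "en"

# Hypothetical login page fragment: the value lands inside an HTML attribute.
TEMPLATE = (
    '<form action="/ui/login" method="post">'
    '<input type="hidden" name="Language" value="{lang}"></form>'
)


def extract_language(post_body: str) -> str:
    """Return the raw Language field of a urlencoded POST body ('' if absent)."""
    values = parse_qs(post_body, keep_blank_values=True).get("Language", [""])
    return values[0]


def render_reflecting(post_body: str) -> str:
    """'Before': the request value is copied into the page unchanged."""
    return TEMPLATE.format(lang=extract_language(post_body))


def select_language(raw: str) -> str:
    """Allow-list: anything that is not a known language code becomes the default."""
    candidate = raw.strip().lower()
    return candidate if candidate in SUPPORTED_LANGUAGES else DEFAULT_LANGUAGE


def render_hardened(post_body: str) -> str:
    """'After': allow-list first, then encode for the attribute context anyway."""
    lang = select_language(extract_language(post_body))
    return TEMPLATE.format(lang=html.escape(lang, quote=True))


# Constructed request bodies (not captured traffic).
BENIGN = "userName=admin&Language=de"
MARKUP = "userName=admin&Language=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for body in (BENIGN, MARKUP):
        print("reflecting:", render_reflecting(body))
        print("hardened:  ", render_hardened(body))
```

The allow-list alone closes this parameter; the output encoding is kept so that a later change to the language list cannot reopen the reflection.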
Issuing the following request:

Results in:

being returned.
In the browser this looks like the following

