Mercury MR816v2 Router Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Mercury MR816v2 router, specifically in the firmware version 081C3114 4.8.7 Build 110427 Rel 36550n. This vulnerability allows remote attackers on the local area network to inject JavaScript into the router's management interface by submitting a malicious hostname. The injected script is stored and executed later in the context of an administrator's browser, such as after a DHCP release and renewal event triggers the interface to display the stored hostname. The issue arises because the management interface employs weak authentication and fails to properly safeguard session information, enabling the exfiltration of admin session data and the execution of administrative actions.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts persist across reboots and DHCP events, executing automatically when the admin interface is accessed. This vulnerability can be exploited by any device on the local network, including guest devices or compromised hosts. Successful exploitation allows for the theft of admin credentials or session information, facilitating a full administrative takeover of the router. Additionally, this vulnerability could be chained with other weaknesses, such as weak authentication or default credentials, to amplify its impact.

Reproduction

To reproduce this vulnerability, a LAN client must send a DHCP request with a crafted hostname that includes a JavaScript payload. This can be done by changing the client's hostname to include a script injection and then forcing a DHCP renewal. Once the router receives the malicious hostname, it stores it without proper sanitization. When the admin interface is accessed, the injected script executes in the context of the administrator's browser.