lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201002141154.o1EBsdIX029468@www3.securityfocus.com>
Date: Sun, 14 Feb 2010 04:54:39 -0700
From: ivan.markovic@...sec.rs
To: bugtraq@...urityfocus.com
Subject: Huawei HG510 CSRF, Auth Bypass, DoS

Hello,


Huawei HG510 is a device offered by the Serbian telecom operator, to provide ADSL Internet connection.
Administration of settings on this device is allowed only from local LAN network but not only from
private IP address (eg 192.168.1.1) then You can access with public IP address (only from local LAN again).

There is no CSRF protection so we can create malicious web pages and create some CSRF attacks.
Is user is logged on his device we can change passwords or some another settings.

POC:

http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD


When I testing this I found one strange behavior with /rebootinfo.cgi (reboot device script).
Normaly for all this CSRF user must be logged into device web interface but if we request: 
http://PUBLIC_IP_OF_USER/rebootinfo.cgi, basic authentication is bypassed and device
is rebooted.

So we have CSRF + Authentication Bypass that lead to DoS of end user.

If someone have any questions about this please contact me.


Best regards,
Ivan Markovic

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ