
List:       full-disclosure
Subject:    [FD] Vulnerabilities in Callisto 821+R3 ADSL Router
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2015-09-28 20:56:17
Message-ID: 004f01d0fa30$2e744390$9b7a6fd5 () pc

Hello list!

In 2011 I wrote 22 advisories about vulnerabilities in the Callisto 821+ ADSL 
Router (http://seclists.org/fulldisclosure/2011/Aug/1). Because the vendor 
ignored all my letters in 2011 and my subsequent public disclosure of the 
vulnerabilities, and new devices are vulnerable as well, in August I 
disclosed vulnerabilities in the Callisto 821+R3 ADSL Router.

These are Brute Force and Cross-Site Request Forgery vulnerabilities. There 
are also many other vulnerabilities (in the control panel).

SecurityVulns ID: 11700.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: Callisto 821+R3, Firmware Version: ZXDSL 
831IIV7.5.1a_E09_UA. This model with other firmware, and other Callisto 
models, must also be vulnerable.

----------
Details:
----------

Similar Predictable Resource Location, BF and CSRF vulnerabilities, as in 
Callisto 821+ and other network devices of this and other vendors. The 
control panel of the router is located at the default path with the default 
login and password. This allows local users (who have access to the PC or 
via LAN) and also remote users via the Internet (via CSRF vulnerabilities or 
if remote access is enabled) to get access to the control panel and change 
the modem's settings. This will also come in handy for conducting a remote 
login attack.

Brute Force (WASC-11):

The login form at http://192.168.1.1 has no protection against Brute Force 
attacks. This allows the password to be picked (if it was changed from the 
default), both in a local attack and in an attack via the Internet (if 
remote access is enabled).

Cross-Site Request Forgery (WASC-09):

The lack of protection against Brute Force (such as a captcha) also makes it 
possible to conduct CSRF attacks, which I wrote about in the article 
Attacks on unprotected login forms 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). 
It allows remote login to be conducted, which will come in handy when 
conducting attacks on different CSRF and XSS vulnerabilities in the control 
panel.


Note that a CSRF attack on the html-form for remote login is possible only 
when the settings of the ADSL router have not been changed, because after 
changes Basic Authentication is used instead of the html-form for 
authentication. Then it is necessary to use the method of CSRF attack on 
Basic Authentication, where the remote login occurs without showing a dialog 
window.

Callisto 821+R3 CSRF.html

<img src="http://admin:admin@192.168.1.1">

<img src="http://admin:admin@host">

I mentioned these vulnerabilities on my site 
(http://websecurity.com.ua/7916/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
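
A defender-side check for the pattern shown in the CSRF.html snippets above, added here as an example and not part of the original message: it scans HTML (for instance a page captured by a proxy or mail gateway) for auto-loading URLs that embed credentials and flags those aimed at private addresses. The function names and the sample page are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose URL a browser may fetch while rendering or submitting a page.
URL_ATTRS = {"src", "href", "action", "data", "poster"}

def is_internal(host):
    """True for literal private, loopback or link-local IP addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; classifying it would need DNS resolution
    return ip.is_private or ip.is_loopback or ip.is_link_local

class CredentialUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL, nothing to classify
            if parts.scheme not in ("http", "https") or parts.username is None:
                continue
            host = parts.hostname or ""
            # The password is deliberately not recorded in the finding.
            self.findings.append({"tag": tag, "attr": name, "host": host,
                                  "user": parts.username,
                                  "internal": is_internal(host)})

def scan_html(html):
    finder = CredentialUrlFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: one benign image plus the two forms from the advisory.
SAMPLE = """<html><body>
<img src="/static/logo.png">
<img src="http://admin:admin@192.168.1.1">
<img src="http://admin:admin@host">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Findings with `internal` set to true are the high-signal case: a page that makes the browser authenticate to a device on the local network.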