60+ Vulnerabilities In 22 SOHO Routers

Posted May 29, 2015
Authored by Ivan Sanz de Castro, Alvaro Folgado Rueda, Jose Antonio Rodriguez Garcia

SOHO routers have been found vulnerable to privilege escalation, information disclosure, cross site request forgery, cross site scripting, authentication bypass, denial of service, and various other vulnerabilities.

tags | exploit, denial of service, vulnerability, xss, info disclosure, csrf
MD5 | 883b458f340bf4b144ed04e1de200778

Dear PacketStorm community,

We are a group of security researchers doing our IT Security Master's Thesis at Universidad
Europea de Madrid.

As part of the dissertation, we have discovered multiple vulnerabilities in the
following SOHO routers:

1. Observa Telecom AW4062
2. Comtrend WAP-5813n
3. Comtrend CT-5365
4. D-Link DSL-2750B
5. Belkin F5D7632-4
6. Sagem LiveBox Pro 2 SP
7. Amper Xavi 7968 and 7968+
8. Sagem Fast 1201
9. Linksys WRT54GL
10. Observa Telecom RTA01N
11. Observa Telecom Home Station BHS-RTA
12. Observa Telecom VH4032N
13. Huawei HG553
14. Huawei HG556a
15. Astoria ARV7510
16. Amper ASL-26555
17. Comtrend AR-5387un
18. Netgear CG3100D
19. Comtrend VG-8050
20. Zyxel P 660HW-B1A
21. Comtrend 536+
22. D-Link DIR-600


The vulnerabilities found are:
- Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20.
- Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19.
- Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20.
- Denial of Service (DoS) on #1, #5 and #10.
- Privilege Escalation on #1.
- Information Disclosure on #4 and #11.
- Backdoor on #10.
- Authentication bypass using SMB symlinks on #12.
- USB device authentication bypass on #12, #13, #14 and #15.
- Authentication bypass on #13 and #14.
- Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22.


CVEs have already been requested from MITRE and other CNAs (since MITRE is taking forever to
assign a CVE) and we are waiting for a response. OSVDB IDs have been assigned.

Vendors and manufacturers have already been notified.

All routers have been physically tested.


============================================================================================
Manufacturer: Observa Telecom
Model: AW4062
Tested firmwares: 1.3.5.18 and 1.4.2 (latest)
Comments: Common router that Spanish ISP Telefónica used to give away to its
ADSL customers, especially during 2012.
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple cross-site scripting (XSS) flaws were found in the
configuration menu of the router's web interface. They give an attacker
the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121211 (http://osvdb.org/show/osvdb/121211)

* PoC:
The flaw lies in several input fields that accept special characters and echo the
submitted value back into the web interface.

For example, there is a vulnerable input field in the Domain Blocking subdirectory. Used
legitimately, this field blocks traffic between the router and particular domains.
An injected script is stored (persistent XSS) in the Domain field of the Domain Block
Table and is executed each time the victim opens the Domain Blocking subdirectory.

The same vulnerability exists in input fields of other subdirectories such as
Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and
Advance/SNMP, among others.

The most effective attack is found in the Advance/SNMP subdirectory. By injecting the
script into the System Name field, the malicious code is executed each time someone
connects to the router, because that field is reflected on the home page.
--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery
(CSRF) attacks.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121210 (http://osvdb.org/show/osvdb/121210),
OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and
OSVDB-121214 (http://osvdb.org/show/osvdb/121214)

* PoC:
For example, if an attacker wants the victim to ping a certain IP address in order to
check whether the victim is already logged into the router, he sends the victim this URL:
http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88

It is also possible for an attacker to change the default router password by sending the
victim this URL:
http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22
The URL above forces the user with index 0 (this is always the user named 1234) to
change his default password from 1234 to 12345.

The following URL forces the victim's router to use the DNS servers of the attacker's
choosing:
http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=

Any action available in the web interface can be triggered through CSRF. This includes
opening ports, changing the DHCP and NTP servers, modifying the wireless access point,
enabling WPS, etc.
--------------------------------------------------------------------------------------------

---------------------------------- Privilege Escalation ----------------------------------
* Description: Any user without administrator rights is able to escalate
privileges by reading the router configuration file (config.xml), which
is readable by every user. This file stores every router configuration
parameter, including the credentials of all users, in plain text.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and
OSVDB-121285 (http://osvdb.org/show/osvdb/121285)

* PoC:
A user without administrator rights (i.e., the account named user) connects to the router
through FTP. This user is able to retrieve both /etc/passwd and config.xml.
The file config.xml stores every router configuration parameter in plain text,
including the credentials of all users, so any user can read the administrator password
and gain administrator privileges.

This is critical because few people know there is another account besides the
administrator one. They change only the administrator password and leave the default
user account with its default credentials (user:user), which can then escalate privileges.
--------------------------------------------------------------------------------------------

------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service
attack.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.

* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/goform/admin/formReboot
If a victim opens this URL, the router commits its configuration and reboots, a process
that takes 60 seconds.

There are many other ways for an attacker to cause a Denial of Service by exploiting the
Cross Site Request Forgery vulnerabilities:
a) Establish new firewall rules that block certain URLs, IPs or MACs. Even a global Deny
rule is possible, allowing traffic only from/to certain IPs/MACs.
b) Delete the configuration that allows the router to connect to the Internet Service
Provider.
c) Disable the wireless interface so that no device can connect over 802.11.
d) Etc.
============================================================================================


============================================================================================
Manufacturer: Comtrend
Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033)
Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one)
Comments: Common router that Spanish ISP Telefónica used to give away to
their FTTH customers from 2011 to 2014.
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router web interface are vulnerable to
cross-site scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)

* PoC:
Although most of the input fields do not allow special characters to be entered, there
are still some in which an XSS can be performed.

For example, the SSID field in the Wireless>Basic subdirectory allows script injection.
The script is executed, visibly, in the Wireless>Security and Wireless>MAC Filter
subdirectories.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router web interface allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)

* PoC:
Every input field is vulnerable to CSRF.
Whenever the administrator changes his password, his browser actually requests the URL:
/password.cgi?adminPassword=newpassword

An attacker may send the victim the following URL, so that the administrator password is
changed to 1234567890:
http://192.168.1.1/password.cgi?adminPassword=1234567890

If an attacker wants to change the DNS servers, he may use the following URL, which takes
effect once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service through the Universal Plug
and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)

* PoC:
The device supports the Universal Plug and Play (UPnP) protocol. UPnP has well-known
weaknesses, most notably the absence of any authentication, which attackers can exploit.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs a factory reset to work properly again) or to open critical ports, even for remote
hosts outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Comtrend
Model: CT-5365
Tested firmwares: A111-306TKF-C02_R16
Comments: Common router that Spanish ISP Telefónica used to give away to
their FTTH customers since 2012.
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router web interface are vulnerable to
cross-site scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)

* PoC:
Although most of the input fields do not allow special characters to be entered, there
are still some in which an XSS can be performed.

For example, the SSID field in the Wireless>Basic subdirectory allows script injection.
The script is executed, visibly, in the Wireless>Security and Wireless>MAC Filter
subdirectories.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router web interface allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-03-12. Waiting for assignment.
OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and
OSVDB-121217 (http://osvdb.org/show/osvdb/121217)

* PoC:
Every input field is vulnerable to CSRF.
Whenever the administrator changes his password, his browser actually requests the URL:
/password.cgi?sysPassword=newpassword
An attacker may send the victim the following URL, so that the administrator password is
changed to 1234567890:
http://192.168.1.1/password.cgi?sysPassword=1234567890

If an attacker wants to change the DNS servers, he may use the following URL, which takes
effect once the victim opens the link:
http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated cross-site scripting (XSS) allows an attacker to
inject malicious code into the router configuration web interface by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)

* PoC:
An external attacker is able to inject malicious code into the router web interface
without going through any login process.
This is achieved by sending a DHCP Request PDU that carries the malicious script in the
hostname parameter.

The malicious code is stored in the hostname field of the Connected Clients list
(Device Info -> DHCP).
Once the victim views this list, the script is executed.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service through the Universal Plug
and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)

* PoC:
The device supports the Universal Plug and Play (UPnP) protocol. UPnP has well-known
weaknesses, most notably the absence of any authentication, which attackers can exploit.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs a factory reset to work properly again) or to open critical ports, even for remote
hosts outside the LAN.
============================================================================================


============================================================================================
Manufacturer: D-Link
Model: DSL-2750B
Tested firmwares: EU_1.01
Comments:
--------------------------------------------------------------------------------------------

------------------ Information Disclosure (Insecure Object References) -------------------
* Description: An attacker is able to obtain critical information without being
logged in.
* Report status: Reported to MITRE on 2015-03-25. Waiting for assignment.
OSVDB-121219 (http://osvdb.org/show/osvdb/121219)

* PoC:
When the URL http://192.168.1.1/hidden_info.html is opened, the browser shows a large
number of parameters such as the SSID, Wi-Fi password, PIN code, etc. without requiring
any login.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service through the Universal Plug
and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. UPnP has
well-known weaknesses, most notably the absence of any authentication, which attackers can
exploit.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs a factory reset to work properly again) or to open critical ports, even for remote
hosts outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Belkin
Model: F5D7632-4
Tested firmwares: 6.01.04
Comments:
--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router web interface allow an external attacker to carry out
malicious actions.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.
Waiting for assignment.
OSVDB-121220 (http://osvdb.org/show/osvdb/121220)

* PoC:
Every input field is vulnerable to CSRF.
For example, if an attacker wants to change the DNS servers, he may use the following URL:
http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252&dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89

--------------------------------------------------------------------------------------------

------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service
attack.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.
Waiting for assignment.

* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout=""
This URL causes the router to reboot, interrupting every active connection and denying
service for about 20 seconds.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service through the Universal Plug
and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122389 (http://osvdb.org/show/osvdb/122389)

* PoC:
The device supports the Universal Plug and Play (UPnP) protocol. UPnP has well-known
weaknesses, most notably the absence of any authentication, which attackers can exploit.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs a factory reset to work properly again) or to open critical ports, even for remote
hosts outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Sagem
Model: LiveBox 2 Pro
Tested firmwares: FAST3yyy_671288
Comments: Common router that ISP Orange used to give away to their ADSL
customers.
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router web interface are vulnerable to
cross-site scripting (XSS) attacks, allowing an attacker to execute
malicious code, even if the victim is not logged into the router
configuration page.
* Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15.
Waiting for assignment.
OSVDB-121223 (http://osvdb.org/show/osvdb/121223)

* PoC:
Although most of the input fields do not allow special characters to be entered, there
are still some in which an XSS can be performed.

1. The SSID field in the “Configuración -> Equipos -> Personalizar”
(Configuration -> Devices -> Personalize) subdirectory allows script injection.
The script is executed, visibly, in the “Configuración -> Equipos -> Mostrar”
(Configuration -> Devices -> Show) subdirectory.

2. The SSID field in the “Configuración -> LiveBox -> Configuracion Wifi -> SSID-name”
(Configuration -> LiveBox -> Wi-Fi Configuration -> SSID-Name) subdirectory allows
script injection.
The script is executed, visibly, on the main login page, even if the user is not
logged in.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service through the Universal Plug
and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122387 (http://osvdb.org/show/osvdb/122387)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. UPnP has
well-known weaknesses, most notably the absence of any authentication, which attackers can
exploit.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or terminating any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs a factory reset to work properly again) or to open critical ports, even for remote
hosts outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Amper
Model: Xavi 7968 and Xavi 7968+
Tested firmwares: 3.01APT94 (latest one)
Comments: Common router that ISP Telefónica used to give away to their ADSL
customers from 2010 to 2013.
--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated cross-site scripting (XSS) allows an attacker to
inject malicious code into the router configuration web interface by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)

* PoC:
An external attacker is able to inject malicious code into the router web interface
without going through any login process.
This is achieved by sending a DHCP Request PDU that carries the malicious script in the
hostname parameter.

The malicious code is stored in the hostname field of the Connected Clients list
(/webconfig/status/dhcp_table.html).
Once the victim views this list, the script is executed.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration
through the Universal Plug and Play protocol supported by the device.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. UPnP has
well-known weaknesses, most notably the absence of any authentication, which attackers can
exploit.

The device supports multiple UPnP actions, such as changing the WPS configuration or
resetting the AP to default settings.
============================================================================================


============================================================================================
Manufacturer: Sagem
Model: Fast 1201
Tested firmwares: 3.01APT94 (latest one)
Comments: -
--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated cross-site scripting (XSS) allows an attacker to
inject malicious code into the router configuration web interface by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.
OSVDB-121222 (http://osvdb.org/show/osvdb/121222)

* PoC:
An external attacker is able to inject malicious code into the router web interface
without going through any login process.
This is achieved by sending a DHCP Request PDU that carries the malicious script in the
hostname parameter.

The malicious code is stored in the hostname field of the DHCP Leases list
(dhcpinfo.html).
Once the victim views this list, the script is executed.
============================================================================================


============================================================================================
Manufacturer: Linksys
Model: WRT54GL
Tested firmwares: 4.30.16 build 6
Comments: -
--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated cross-site scripting (XSS) allows an attacker to
inject malicious code into the router configuration web interface by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-04-15. Waiting for assignment.
OSVDB-121221 (http://osvdb.org/show/osvdb/121221)

* PoC:
An external attacker is able to inject malicious code into the router web interface
without going through any login process.
This is achieved by sending a DHCP Request PDU that carries the malicious script in the
hostname parameter.

The malicious code is stored in the hostname field of the Connected Clients list
(DHCPTable.asp). The list can be reached either directly through the URL or through the
Status -> Local Network -> DHCP Clients Table subdirectories.
Once the victim views this list, the script is executed.
============================================================================================


============================================================================================
Manufacturer: Observa Telecom
Model: RTA01N
Tested firmwares: RTK_V2.2.13
Comments: Common router that Spanish ISP Telefónica used to give away to their
ADSL/VDSL customers.
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Multiple cross-site scripting (XSS) flaws were found in the
configuration menu of the router's web interface. They give an attacker
the opportunity to execute malicious scripts.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and
OSVDB-121788 (http://osvdb.org/show/osvdb/121788)

* PoC:
The flaw lies in several input fields that accept special characters and echo the
submitted value back into the web interface.

For example, the Nombre del host (Hostname) input field in the Servicio -> DDNS
subdirectory (Service -> DDNS, /ddns.htm) is vulnerable.
There is another vulnerable input field in the Mantenimiento -> Contraseña
(Maintenance -> Password, /userconfig.htm) subdirectory.
After a user whose username contains the malicious script is created, the script is
stored in the User Accounts table and executes once the victim opens this subdirectory.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery
(CSRF) attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121786 (http://osvdb.org/show/osvdb/121786)

* PoC:
For example, if an attacker wants to change the DNS servers, he may use the following
URL, which takes effect once the victim opens the link:
http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios"

It is also possible for an attacker to change the default router administrator password
by sending the victim this URL:
http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send"
The URL above forces the administrator user (this is always the user named 1234) to
change his default password from 1234 to newpass.

--------------------------------------------------------------------------------------------

------------------------------------ Denial of Service -----------------------------------
* Description: An attacker is able to carry out an external Denial of Service
attack.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.

* PoC:
It is possible for an attacker to carry out a Denial of Service attack through CSRF:
http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send"

If a victim opens this URL, the router replies with an HTTP 200 OK status code and reboots.
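
The CSRF and CSRF-driven DoS PoCs above all share one root cause: a state-changing action is bound to a plain URL, and the router honours it as soon as the browser attaches the session cookie. The following model is an added example, not code from the advisory or from any vendor; Request, Router and the handler names are assumptions, and it contrasts the token-less GET handling with a hardened handler that requires POST, an Origin matching the router and a per-session CSRF token.

```python
"""Vulnerable versus CSRF-hardened handling of a router DNS form (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # LAN address used throughout the advisory


@dataclass
class Request:
    method: str
    url: str                                   # path and query as the browser sends it
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: str = ""                             # urlencoded form body for POST


def _dns_from(params: dict) -> list:
    return [params[k][0] for k in ("dns1", "dns2", "dns3") if params.get(k, [""])[0]]


class Router:
    def __init__(self):
        self.dns = ["192.168.1.1"]
        self.sessions = {}                     # session id -> CSRF token

    def login(self):
        """Issue a session cookie value and the token embedded in the config pages."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def vulnerable_form_dns(self, req: Request) -> int:
        """Any request carrying a valid session cookie rewrites the DNS servers,
        whatever the method or the page that triggered it. The browser attaches
        the cookie automatically, so a link opened by a logged-in victim succeeds."""
        if req.cookies.get("sid") not in self.sessions:
            return 403
        self.dns = _dns_from(parse_qs(urlsplit(req.url).query))
        return 200

    def hardened_form_dns(self, req: Request) -> int:
        """Three independent checks: state changes only via POST, the request
        must come from the router's own origin, and it must carry the session's
        CSRF token (compared in constant time)."""
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 403
        if req.method != "POST":
            return 405
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
            return 403
        form = parse_qs(req.body)
        token = form.get("csrf_token", [""])[0]
        if not hmac.compare_digest(token.encode(), self.sessions[sid].encode()):
            return 403
        self.dns = _dns_from(form)
        return 200


# Constructed requests: the PoC link as a victim's browser would send it, and the
# same change submitted from the router's own configuration page (192.0.2.53 is a
# documentation address standing in for a legitimate resolver).
def forged_get(sid: str) -> Request:
    return Request("GET", "/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3=",
                   headers={"Referer": "http://attacker.example/"}, cookies={"sid": sid})


def forged_post(sid: str) -> Request:
    return Request("POST", "/goform/formDNS", headers={"Origin": "http://attacker.example"},
                   cookies={"sid": sid}, body="dnsMode=dnsManual&dns1=37.252.96.88")


def legitimate_post(sid: str, token: str) -> Request:
    return Request("POST", "/goform/formDNS", headers={"Origin": ROUTER_ORIGIN},
                   cookies={"sid": sid},
                   body=f"dnsMode=dnsManual&dns1=192.0.2.53&csrf_token={token}")


def demo() -> dict:
    """Run every request against both handlers; returns the HTTP status codes."""
    r = Router()
    sid, token = r.login()
    return {
        "vulnerable_forged_get": r.vulnerable_form_dns(forged_get(sid)),
        "hardened_forged_get": r.hardened_form_dns(forged_get(sid)),
        "hardened_forged_post": r.hardened_form_dns(forged_post(sid)),
        "hardened_legitimate": r.hardened_form_dns(legitimate_post(sid, token)),
    }
```

The same three checks apply to the reboot, password and port-forwarding endpoints quoted in this advisory; the Origin check alone already defeats every URL-only PoC listed here.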

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated cross-site scripting (XSS) allows an attacker to
inject malicious code into the router configuration web interface by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121789 (http://osvdb.org/show/osvdb/121789)

* PoC:
An external attacker is able to inject malicious code into the router web interface
without going through any login process.
This is achieved by sending a DHCP Request PDU that carries the malicious script in the
hostname parameter.

The malicious code is stored in the DHCP Active Clients table (/dhcptbl.html).
Once the victim views this list, the script is executed.

--------------------------------------------------------------------------------------------

----------------------------------------- Backdoor ---------------------------------------
* Description: There is a second default administrator user that is hidden from the
legitimate router owner.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121785 (http://osvdb.org/show/osvdb/121785)

* PoC:
In addition to the well-known 1234 administrator user, there is another one named admin,
whose password is 7449airocon.

This superuser remains hidden (it only appears in the backup configuration XML file)
and is able to modify any configuration setting either through the web interface or
through telnet.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules,
carry out a persistent denial of service and obtain the WLAN
passwords, among other things, by using the supported Universal
Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)

* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
well-known weaknesses, such as the lack of any authentication process, which can be
exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connections (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even to remote
hosts that are outside the LAN.

It is also possible for an attacker to change the WPS configuration settings, reset the AP
to its default settings and obtain critical information, such as WLAN passwords.
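A LAN-side policy filter for the IGD control actions named above, as an added example that is not part of the original advisory: it refuses ForceTermination outright and accepts AddPortMapping only when the mapping leads back to the requesting host (the rule miniupnpd calls secure_mode). The SOAP bodies, addresses and mapping table are constructed test data.

```python
"""Added example (not from the advisory): a LAN-side policy filter for the
WANIPConnection control actions the advisory names (AddPortMapping,
ForceTermination). SOAP bodies, addresses and the mapping table are constructed."""
import xml.etree.ElementTree as ET

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Read-only queries plus self-service mapping. ForceTermination, RequestTermination,
# SetConnectionType and any vendor-specific action are refused outright.
ALLOWED_ACTIONS = {"GetExternalIPAddress", "GetStatusInfo",
                   "GetSpecificPortMappingEntry", "AddPortMapping", "DeletePortMapping"}
MAX_LEASE_SECONDS = 24 * 3600


def soap_body(action: str, **args) -> bytes:
    """Build a control-request body (constructed test data)."""
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_ENV[1:-1]}"><s:Body>'
            f'<u:{action} xmlns:u="{IGD_SERVICE}">{fields}</u:{action}>'
            f"</s:Body></s:Envelope>").encode()


def _strip_ns(tag: str) -> str:
    return tag.split("}", 1)[-1]


def parse_soap_action(body: bytes):
    """Return (action_name, {argument: value}); raise ValueError if malformed."""
    root = ET.fromstring(body)     # production code: cap the body size or use defusedxml
    body_el = root.find(SOAP_ENV + "Body")
    if body_el is None or len(body_el) != 1:
        raise ValueError("malformed SOAP envelope")
    action_el = body_el[0]
    args = {_strip_ns(c.tag): (c.text or "").strip() for c in action_el}
    return _strip_ns(action_el.tag), args


def evaluate_igd_request(iface: str, requester_ip: str, body: bytes, mappings: dict):
    """Decide whether to honour a control request.

    mappings is the live table {(external_port, protocol): internal_client}; it is
    updated in place when a change is accepted. Returns (allowed, reason).
    """
    if iface != "lan":
        return False, "UPnP control is only served on the LAN interface"
    try:
        action, args = parse_soap_action(body)
    except (ET.ParseError, ValueError) as exc:
        return False, f"unparseable request: {exc}"
    if action not in ALLOWED_ACTIONS:
        return False, f"action {action} is disabled"
    if action not in ("AddPortMapping", "DeletePortMapping"):
        return True, "read-only query"

    proto = args.get("NewProtocol", "").upper()
    ext_port = args.get("NewExternalPort", "")
    if proto not in ("TCP", "UDP") or not ext_port.isdigit():
        return False, "bad protocol or external port"
    key = (int(ext_port), proto)
    owner = mappings.get(key)

    if action == "DeletePortMapping":
        if owner != requester_ip:
            return False, "only the owner may delete a mapping"
        del mappings[key]
        return True, "mapping deleted"

    # AddPortMapping: the hole must lead back to the requester, never to the
    # gateway itself or to another LAN host.
    if args.get("NewInternalClient") != requester_ip:
        return False, "a client may only map ports to itself"
    if not 1024 <= key[0] <= 65535:
        return False, "privileged external ports are not mappable"
    lease = args.get("NewLeaseDuration", "")
    if not lease.isdigit() or not 0 < int(lease) <= MAX_LEASE_SECONDS:
        return False, "lease must be finite"      # no permanent holes that outlive the client
    if owner not in (None, requester_ip):
        return False, "port already mapped to another host"
    mappings[key] = requester_ip
    return True, "mapping added"
```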
============================================================================================


============================================================================================
Manufacturer: Observa Telecom
Model: Home Station BHS-RTA
Tested firmwares: v1.1.3
Comments: Common router that Spanish ISP Telefónica used to give away to their
ADSL/VDSL customers
--------------------------------------------------------------------------------------------

--------------------------------- Information Disclosure ---------------------------------
* Description: Observa Telecom Home Station BHS-RTA web interface allows an
external attacker to obtain critical information without any login
process.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121781 (http://osvdb.org/show/osvdb/121781),
OSVDB-121782 (http://osvdb.org/show/osvdb/121782),
OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and
OSVDB-121784 (http://osvdb.org/show/osvdb/121784)

* PoC:
Without requiring any login process, an external attacker is able to obtain critical
information such as the WLAN password and settings, the Internet configuration, a list of
connected clients, etc.

By accessing the following URL, the browser shows the WLAN configuration, including the passwords:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101

By accessing the following URL, the browser shows a list of connected clients, including
their IP and MAC addresses:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101

By accessing the following URL, the browser shows the Internet configuration parameters:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134

By accessing the following URL, the browser shows whether the administrator password has
been changed or is still the default one:
http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)

* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
well-known weaknesses, such as the lack of any authentication process, which can be
exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connections (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even to remote
hosts that are outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Observa Telecom
Model: VH4032N
Tested firmwares: VH4032N_V0.2.35
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121793 (http://osvdb.org/show/osvdb/121793)

* PoC:
The flaw lies in input fields that accept special characters and echo the submitted value
back into the web interface itself.

E.g., the SSID input field is vulnerable if the following code is written into it:
‘; </script><script>alert(1)</script><script>//
The malicious code will be executed throughout the whole web interface.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Every input field is vulnerable to Cross Site Request Forgery
(CSRF) attacks.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and
OSVDB-121792 (http://osvdb.org/show/osvdb/121792)

* PoC:
Although a token tied to the session ID exists, configuration settings can be modified
without it. Thus every input field is vulnerable to CSRF attacks.

E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass

If an attacker wants to change the FTP server configuration settings, such as the password
and whether remote FTP connections from the WAN are allowed, he may use the following link:
http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2
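The password-change handler in the two shapes this entry implies, as an added example that is not part of the original advisory: the reported behaviour (any request carrying usrPassword is honoured, GET included, the session token ignored) beside a hardened version that requires POST, a same-origin check and a token bound to the session. Request, Session and the function names are hypothetical; 192.168.0.1 is the router address used in the PoC URLs.

```python
"""Added example (not from the advisory): the password-change endpoint as the
advisory describes it, beside a hardened version. Request/Session shapes and
function names are hypothetical; the origin is the one in the PoC URLs."""
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.0.1"
MIN_PASSWORD_LEN = 8


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def change_password_vulnerable(req: Request, session: Session, config: dict) -> int:
    """Pattern the advisory reports: a logged-in browser that merely follows a
    link (GET, no token) changes the admin password. Returns an HTTP status."""
    if "usrPassword" in req.params:
        config["admin_password"] = req.params["usrPassword"]
        return 200
    return 400


def _same_origin(headers: dict) -> bool:
    """Origin (or Referer as a fallback) must be the router's own UI."""
    src = headers.get("Origin") or headers.get("Referer") or ""
    return src == ROUTER_ORIGIN or src.startswith(ROUTER_ORIGIN + "/")


def change_password_hardened(req: Request, session: Session, config: dict) -> int:
    """Same endpoint with the three checks the vulnerable version lacks."""
    if req.method != "POST":
        return 405                   # state changes never ride on a GET / link click
    if not _same_origin(req.headers):
        return 403                   # a third-party page tried to submit the form
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403                   # token missing or not the one issued to this session
    new = req.params.get("usrPassword", "")
    if len(new) < MIN_PASSWORD_LEN:
        return 400
    config["admin_password"] = new
    session.csrf_token = secrets.token_urlsafe(32)   # rotate after each use
    return 200
```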

--------------------------------------------------------------------------------------------

------------------------ Bypass Authentication using SMB Symlinks ------------------------
* Description: An external attacker, without requiring any login process, is able
to download the whole router kernel filesystem, including all the
configuration information and the user account information files,
by creating symbolic links through the router Samba server.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121790 (http://osvdb.org/show/osvdb/121790)

* PoC:
An unauthenticated attacker is able to download the whole router filesystem by connecting
to the Samba server.

There is a share (called storage) in which it is possible to create symbolic links to the
router filesystem and download the content. E.g., a symlink to / can be created, which
allows the attacker to freely view and download the entire filesystem.
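An smb.conf audit for the settings that let a client plant a symlink on a share like the storage share above and have the server follow it out of the share, as an added example that is not part of the original advisory. The two configurations are constructed; the router's own smb.conf is not on the page.

```python
"""Added example (not from the advisory): flag smb.conf shares where anonymous
clients can create symlinks and the server follows them out of the share.
Both configurations below are constructed, not taken from the router."""
import configparser

TRUE_WORDS = {"yes", "true", "1"}

RISKY_CONF = """
[global]
workgroup = WORKGROUP
unix extensions = yes

[storage]
path = /mnt/usb
guest ok = yes
writable = yes
wide links = yes
"""

HARDENED_CONF = """
[global]
workgroup = WORKGROUP
unix extensions = yes
wide links = no

[storage]
path = /mnt/usb
valid users = owner
writable = yes
follow symlinks = no
"""


def _flag(value, default: bool) -> bool:
    return default if value is None else value.strip().lower() in TRUE_WORDS


def _opt(share, glob, name):
    """Share-level value, else the [global] value, else None."""
    return share.get(name, glob.get(name))


def audit_smb_conf(text: str, unix_ext_disables_wide_links: bool = True) -> list:
    """Return [(share, finding)] for symlink-escape risks.

    unix_ext_disables_wide_links models Samba 3.4.6/3.5.1 and later, where
    'wide links' is forced off whenever 'unix extensions' is on. Many embedded
    builds predate that change, so pass False when auditing such a device.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    unix_ext = _flag(glob.get("unix extensions"), True)      # Samba default: yes
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        wide = _flag(_opt(s, glob, "wide links"), False)
        if unix_ext and unix_ext_disables_wide_links:
            wide = False
        follow = _flag(_opt(s, glob, "follow symlinks"), True)
        guest = _flag(_opt(s, glob, "guest ok"), False) or _flag(_opt(s, glob, "public"), False)
        writable = (_flag(_opt(s, glob, "writable"), False)
                    or _flag(_opt(s, glob, "writeable"), False)
                    or not _flag(_opt(s, glob, "read only"), True))
        if follow and wide:
            findings.append((share, "symlinks pointing outside the share are followed "
                                    "(set 'wide links = no' or 'follow symlinks = no')"))
        if guest and writable and unix_ext:
            findings.append((share, "anonymous clients can create symlinks through SMB1 unix "
                                    "extensions (require authentication or disable them)"))
    return findings
```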

--------------------------------------------------------------------------------------------

---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able
to view, modify, delete and upload new files to the USB storage
device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121794 (http://osvdb.org/show/osvdb/121794)

* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download, modify the content and upload new files, without requiring any login process.

In order to do so, the attacker only needs to access the router IP address on port 9000.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify the WPS configuration
by using the supported Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122386 (http://osvdb.org/show/osvdb/122386)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has well-known weaknesses, such as the lack of any authentication process, which
can be exploited by attackers.

The device supports multiple UPnP actions, such as changing the WPS configuration or
resetting the AP to default settings.
============================================================================================


============================================================================================
Manufacturer: Huawei
Model: HG553
Tested firmwares: V100R001C03B043SP01
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------

---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able
to view, modify, delete and upload new files to the USB storage
device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)

* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download, modify the content and upload new files, without requiring any login process.

In order to do so, the attacker only needs to access the router IP address on port 9000.

--------------------------------------------------------------------------------------------

--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without requiring any login process, is able
to reset the router settings to the default ones and to cause a
permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)

* PoC:
Without requiring any login process, an attacker is able to cause a permanent denial of
service by repeatedly requesting the /rebootinfo.cgi URL.

The attacker is also able to force the router to reset to default configuration settings by
accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router
by using the default credentials.

In both attacks the router replies with an HTTP 400 status code, but the reboot or the
configuration reset is nevertheless executed.

--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code
injection.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)

* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.

E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has well-known weaknesses, such as the lack of any authentication process, which
can be exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connections (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even to remote
hosts that are outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Huawei
Model: HG556a
Tested firmwares: V100R001C10B077
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------

---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able
to view, modify, delete and upload new files to the USB storage
device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121778 (http://osvdb.org/show/osvdb/121778)

* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download, modify the content and upload new files, without requiring any login process.

In order to do so, the attacker only needs to access the router IP address on port 9000.

--------------------------------------------------------------------------------------------

--------------------------------- Bypass Authentication ----------------------------------
* Description: An external attacker, without requiring any login process, is able
to reset the router settings to the default ones and to cause a
permanent denial of service.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121779 (http://osvdb.org/show/osvdb/121779)

* PoC:
Without requiring any login process, an attacker is able to cause a permanent denial of
service by repeatedly requesting the /rebootinfo.cgi URL.

The attacker is also able to force the router to reset to default configuration settings by
accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router
by using the default credentials.

In both attacks the router asks for a username and password and returns an HTTP 401
(Unauthorized) status code, but after multiple requests are sent it replies with an HTTP 400
status code and executes the action.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121775 (http://osvdb.org/show/osvdb/121775)

* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.

E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm

--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121776 (http://osvdb.org/show/osvdb/121776)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code
injection.
The script execution can be clearly seen within different subdirectories such as
diagnostic.htm and config_wifi.htm.

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to
inject malicious code within the router configuration website by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121777 (http://osvdb.org/show/osvdb/121777)

* PoC:
An external attacker is able to inject malicious code within the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.

The malicious code will be stored within the Dispositivos Conectados (Connected Devices)
table.
Once the victim views this list, the script is executed.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122385 (http://osvdb.org/show/osvdb/122385)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has well-known weaknesses, such as the lack of any authentication process, which
can be exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connections (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even to remote
hosts that are outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Astoria
Model: ARV7510
Tested firmwares: 00.03.41
Comments: Common router that ISP Vodafone used to give away to their customers
--------------------------------------------------------------------------------------------

---------------------------- USB Device Bypass Authentication ----------------------------
* Description: An external attacker, without requiring any login process, is able
to view, modify, delete and upload new files to the USB storage
device connected to the router.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121773 (http://osvdb.org/show/osvdb/121773)

* PoC:
If a USB storage device is hooked up to the router, an external attacker is able to
download, modify the content and upload new files, without requiring any login process.

In order to do so, the attacker only needs to access the router IP address on port 9000.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and
OSVDB-121888 (http://osvdb.org/show/osvdb/121888)

* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.

E.g., if an attacker wants to change the administrator password, he may use the following
URL to do so once the victim opens the link:
http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1
============================================================================================


============================================================================================
Manufacturer: Amper
Model: ASL-26555
Tested firmwares: v2.0.0.37B_ES
Comments: Common router that Spanish ISP Telefónica used to give away to their
customers
--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and
OSVDB-121771 (http://osvdb.org/show/osvdb/121771)

* PoC:
Besides the main web configuration interface (port 80), there is a much more advanced one
on port 8000 in which every input field is vulnerable to CSRF.

E.g., if an attacker wants to change the DNS servers, he may use the following URL to do
so once the victim opens the link:
http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS

It is also possible for an attacker to change the default router administrator password by
sending the victim this URL: (URL is omitted due to size reasons)

--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121772 (http://osvdb.org/show/osvdb/121772)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)
subdirectory allows script code injection. The vulnerable input field is in the basic web
interface on port 80.

The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory,
into the advanced web interface on port 8000.

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to
inject malicious code within the router configuration website by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121224 (http://osvdb.org/show/osvdb/121224)

* PoC:
An external attacker is able to inject malicious code within the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.

The malicious code will be stored within the Connected Clients table (Setup->Local Network).
Once the victim views this list, the script is executed.

--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122388 (http://osvdb.org/show/osvdb/122388)

* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
well-known weaknesses, such as the lack of any authentication process, which can be
exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connections (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even to remote
hosts that are outside the LAN.
============================================================================================


============================================================================================
Manufacturer: Comtrend
Model: AR-5387un
Tested firmwares: A731-410JAZ-C04_R02
Comments: Common router that ISP Jazztel used to give away to their customers
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the Wireless->Basic subdirectory allows script code injection.

The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter
subdirectories.

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to
inject malicious code within the router configuration website by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)

* PoC:
An external attacker is able to inject malicious code within the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.

The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP).
Once the victim views this list, the script is executed.
============================================================================================


============================================================================================
Manufacturer: Netgear
Model: CG3100D
Tested firmwares: v1.05.05
Comments: Common router that ISP ONO used to give away to their customers
--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121795 (http://osvdb.org/show/osvdb/121795)

* PoC:
Every input field is vulnerable to CSRF.

An attacker may craft a malicious website that triggers a POST request to the victim’s
router. When the victim visits that site, the POST request is sent and the attack is
complete.

It is also possible for an attacker to reset the victim’s router to default settings by
using custom source code.

(Source codes have been omitted due to size reasons).

--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121780 (http://osvdb.org/show/osvdb/121780)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name)
subdirectory allows script code injection.

The script execution can be clearly seen within different subdirectories such as
Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del
router (Advanced->Router status).
============================================================================================


============================================================================================
Manufacturer: Comtrend
Model: VG-8050
Tested firmwares: SB01-S412TLF-C07_R03
Comments: Common router that Spanish ISP Telefonica used to give away to their
customers
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121218 (http://osvdb.org/show/osvdb/121218)

* PoC:
Despite the fact that most of the input fields do not allow special characters to be
written in, there are still some in which an XSS can be performed.

E.g., the SSID field within the Wireless->Basic subdirectory allows script code injection.

The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter
subdirectories.

--------------------------------------------------------------------------------------------

-------------------------- Unauthenticated Cross Site Scripting --------------------------
* Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to
inject malicious code within the router configuration website by
sending a DHCP Request PDU.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121215 (http://osvdb.org/show/osvdb/121215)

* PoC:
An external attacker is able to inject malicious code within the router website without
requiring any login process.
This is achieved by sending a DHCP Request PDU containing the malicious script within the
hostname parameter.

The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP).
Once the victim views this list, the script is executed.
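The defensive counterpart to the DHCP hostname issue, added here as an example and not part of the original advisory: a bounds-checked parser for the DHCP options field, an RFC 1123 hostname check that flags a hostname carrying HTML metacharacters, and a leases-table renderer that always HTML-escapes the client-supplied value before it reaches the page. The same output encoding is what closes the persistent XSS entries (SSID, Dynamic DNS hostname) above, since any stored configuration value must be escaped when rendered. Function names and the sample option bytes are constructed for this example.

```python
import html
import re
from typing import Dict, Optional

# RFC 1123 host label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
DHCP_OPT_HOSTNAME = 12  # option 12 carries the client-supplied hostname


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (bytes after the magic cookie) into {code: value}."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:        # pad option, no length byte
            i += 1
            continue
        if code == 255:      # end option
            break
        if i + 1 >= len(options):
            break            # length byte missing: stop instead of reading past the buffer
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            break            # value truncated
        opts[code] = value
        i += 2 + length
    return opts


def hostname_is_valid(name: str) -> bool:
    """True only for an RFC 1123 hostname; anything containing '<', '"' or '&' fails."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def render_lease_row(mac: str, ip: str, hostname_opt: Optional[bytes]) -> str:
    """Render one DHCP-leases row.  The hostname is validated (so it can be flagged) and
    always HTML-escaped on output, so script in option 12 is displayed as text, not run."""
    name = (hostname_opt or b"").decode("ascii", errors="replace")
    if not hostname_is_valid(name):
        name = "(rejected) " + name   # keep the value visible but clearly marked
    cells = (html.escape(mac), html.escape(ip), html.escape(name))
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells


# Constructed sample options: message type REQUEST (53=3) and a hostname embedding a tag.
SAMPLE_OPTIONS = bytes([53, 1, 3, DHCP_OPT_HOSTNAME, 8]) + b"<b>x</b>" + bytes([255])
```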
============================================================================================


============================================================================================
Manufacturer: Zyxel
Model: P 660HW-B1A
Tested firmwares: 3.10L.02
Comments: Common router that Spanish ISP Telefonica used to give away to their
customers
--------------------------------------------------------------------------------------------

----------------------------- Persistent Cross Site Scripting ----------------------------
* Description: Some input fields within the router website are vulnerable to
Cross-site Scripting (XSS) attacks, allowing an attacker to execute
malicious code.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121796 (http://osvdb.org/show/osvdb/121796)

* PoC:
Although most of the input fields reject special characters, there are still some in
which an XSS can be performed.

For example, the Hostname field within the Dynamic DNS subdirectory allows script code
injection.

--------------------------------------------------------------------------------------------

------------------------------- Cross Site Request Forgery -------------------------------
* Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within
the router website allow an external attacker to carry out actions
such as changing the administrator password.
* Report status: Reported to MITRE on 2015-05-07. Waiting for assignment.
OSVDB-121797 (http://osvdb.org/show/osvdb/121797)

* PoC:
Every input field is vulnerable to Cross Site Request Forgery attacks.

For example, if an attacker wants to change the administrator password, he may use the
following URL to do so once the victim opens the link:
http://192.168.1.1/password.cgi?sysPassword=newpassword
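What the password.cgi handler is missing, shown as an added example rather than code from the advisory or the vendor: a request gate that refuses state changes over GET, requires the Origin or Referer to match the router's own origin (taken from the URL above), and demands a per-session CSRF token. Any one of the three checks defeats the link-based attack; the function and header names are assumptions for this example.

```python
import hmac
import secrets
from typing import Dict, Mapping, Tuple
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # the router's own origin, from the advisory's URL


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint a per-session token; the admin form must send it back with every change."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def _same_origin(url: str, expected: str) -> bool:
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def authorize_change(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                     session: Mapping[str, str]) -> Tuple[bool, str]:
    """Gate a state-changing CGI such as password.cgi.

    Three independent checks: no changes via GET (so a plain link cannot change
    anything), the request must come from the router's own pages, and it must carry
    the session's CSRF token.  The reason string is meant for the router's log.
    """
    if method.upper() != "POST":
        return False, "state change via %s refused; POST required" % method.upper()
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or not _same_origin(origin, ROUTER_ORIGIN):
        return False, "missing or foreign Origin/Referer"
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "CSRF token missing or mismatched"
    return True, "ok"
```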
============================================================================================


============================================================================================
Manufacturer: Comtrend
Model: 536+
Tested firmwares: A101-220TLF-C35
Comments: Common router that Spanish ISP Telefonica used to give away to their
customers
--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122383 (http://osvdb.org/show/osvdb/122383)

* PoC:
The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has
many weaknesses, such as the lack of an authentication process, which can be exploited
by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
============================================================================================


============================================================================================
Manufacturer: D-Link
Model: DIR-600
Tested firmwares: PV6K3A8024009
Comments:
--------------------------------------------------------------------------------------------

-------------------------------- Universal Plug and Play ---------------------------------
* Description: An unauthenticated attacker is able to modify firewall rules and
carry out a persistent denial of service by using the supported
Universal Plug and Play protocol.
* Report status: Reported to MITRE on 2015-05-21. Waiting for assignment.
OSVDB-122384 (http://osvdb.org/show/osvdb/122384)

* PoC:
The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This
protocol has many weaknesses, such as the lack of an authentication process, which can
be exploited by attackers.

The device supports multiple UPnP actions, such as changing the firewall rules
(AddPortMapping) or the termination of any WAN connection (ForceTermination).

These actions allow an attacker to carry out a persistent denial of service (the router
needs to be factory reset to work properly again) or to open critical ports, even for
remote hosts which are not in the LAN.
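An added example, serving both UPnP entries above (Comtrend 536+ and D-Link DIR-600) and not taken from the advisory or either vendor's firmware: a parser for a WANIPConnection SOAP control request and the policy an IGD implementation should apply before acting on it. ForceTermination is refused outright, and AddPortMapping is accepted only when the mapping points at the LAN host that sent the request, which is exactly the "remote hosts which are not in the LAN" case the advisory describes. The LAN 192.168.1.0/24 and the helper names are assumptions for this example.

```python
import ipaddress
from typing import Dict, Tuple
import xml.etree.ElementTree as ET   # prefer defusedxml for untrusted input where available

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed LAN behind the router
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
DENIED = {"ForceTermination"}   # WAN-dropping action: never for an unauthenticated caller


def parse_soap_action(body: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (action name, {argument: value}) from a UPnP SOAP control request."""
    root = ET.fromstring(body)
    soap_body = root.find(SOAP_BODY)
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("no SOAP action in body")
    call = soap_body[0]
    strip = lambda tag: tag.rsplit("}", 1)[-1]     # drop the XML namespace
    return strip(call.tag), {strip(c.tag): (c.text or "").strip() for c in call}


def authorize(requester_ip: str, action: str, args: Dict[str, str]) -> Tuple[bool, str]:
    """Policy for IGD control: LAN callers only, no WAN termination, and a port mapping
    may only point at the host that asked for it, never at the router or a foreign address."""
    src = ipaddress.ip_address(requester_ip)
    if src not in LAN:
        return False, "control request from outside the LAN"
    if action in DENIED:
        return False, action + " is not permitted"
    if action == "AddPortMapping":
        try:
            client = ipaddress.ip_address(args.get("NewInternalClient", ""))
            ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
        except (KeyError, ValueError):
            return False, "malformed AddPortMapping arguments"
        if client != src or client == ROUTER_IP:
            return False, "mapping must target the requesting LAN host"
        if args.get("NewProtocol") not in ("TCP", "UDP") or min(ext, internal) < 1 or max(ext, internal) > 65535:
            return False, "bad protocol or port"
    return True, "allowed"


def soap_request(action: str, **args: str) -> bytes:
    """Build a constructed WANIPConnection control request (sample input for the tests)."""
    body = "".join("<%s>%s</%s>" % (k, v, k) for k, v in args.items())
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:%s xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">%s</u:%s>'
            '</s:Body></s:Envelope>' % (action, body, action)).encode()
```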
============================================================================================


We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master).

Greetings,
Jose Antonio Rodriguez Garcia
Alvaro Folgado Rueda
Ivan Sanz de Castro.
