exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Netis-WF2419 Cross Site Request Forgery

Netis-WF2419 Cross Site Request Forgery
Posted Jan 28, 2018
Authored by Sajibe Kanti

Netis-WF2419 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 6313ad8b216f8f105926c36e32be0fe6d548167e3d020d1c809948b4e8ce2ec7

Netis-WF2419 Cross Site Request Forgery

Change Mirror Download
# Exploit Title: Netis-WF2419 Router Cross-Site Request Forgery (CSRF)
# Date: 28/01/2018
# Exploit Author: Sajibe Kanti
# Author Contact: https://twitter.com/@sajibekantibd
# Vendor Homepage: http://www.netis-systems.com/
# Version: Netis-WF2419, V2.2.36123
# Tested on: Windows 10
#Technical Details & Description:

A cross site request forgery web vulnerability has been discovered in the
official Netis-WF2419 Router.

The vulnerability allows remote attackers to manipulate client-side
web-application to browser requests to compromise the reouter
by execution of system specific functions without session protection.

A remote attacker is able to delete Address Reservation List settings of
Netis Router with a cross site request forgery html script code.

The vulnerability can be exploited by loading embedded html code in a site
or page. The issue can also be exploited by attackers to external redirect
an user account
to malicious webpages.
The issue requires medium user interaction in case of exploitation. The
request method to execute is GET and the attack vector is located on the
client-side of the router firmware.

Exploitation of the cross site request forgery web vulnerability requires
no privilege web application user account and medium or high user
interaction.
Successful exploitation results in client-side account theft by client-side
phishing, client-side external redirects and non-persistent manipulation of
application functions that are in use.

The vulnerability can be exploited by remote attackers without privilege
application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.

#Manual steps to reproduce the vulnerability :

1. Logging Your Netis Router
1. Now inject or use the html code
2. When the user of the router opens the html code in site or other type of
redirection. Router Address Reservation List will be erased!
4. Successful reproduce of the cross site request forgery vulnerability!

#PoC: Exploitcode :

<html>
<body>
<form action="http://192.168.10.2/cgi-bin-igd/netcore_set.cgi"
method="POST">
<input type="hidden" name="mode_name" value="netcore_set" />
<input type="hidden" name="reserve_address_set" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Note: By loading this html code All Address Reservation List will be erased
and the router becomes finally misconfigured!


--
Thanks
Sajibe Kanti
Independent Web Security Researcher <https://twitter.com/Sajibekantibd>
Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    66 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close