# Exploit Title: Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change) # Exploit Author: absane # Blog: http://blog.noobroot.com # Discovery date: October 29th 2013 # Vendor Homepage: http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr # Tested on: Unicorn WB-3300NR v1.0 # Firmware Version: V5.07.18_ko_UIS02 *************** *Vulnerability* *************** The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities. Considering that by default the administrative pages do not require authentication, countless exploits exist. ****************** *Proof of Concept* ****************** 1) Factory Reset
2) Alter the DNS Settings 3) WPA Password Disclosure (possibility)(not proven) The following PoC code only demostrates that with CSRF and XSS, it might be possible to obtain the WPA password. However, I have been unable to do so without forcing the router to revert to factory defaults.