[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Huawei HG510 CSRF, Auth Bypass, DoS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Huawei HG510 CSRF, Auth Bypass, DoS
From: ivan.markovic@xxxxxxxxx
Date: Sun, 14 Feb 2010 04:54:39 -0700

Hello,


Huawei HG510 is a device offered by the Serbian telecom operator, to provide 
ADSL Internet connection.
Administration of settings on this device is allowed only from local LAN 
network but not only from
private IP address (eg 192.168.1.1) then You can access with public IP address 
(only from local LAN again).

There is no CSRF protection so we can create malicious web pages and create 
some CSRF attacks.
Is user is logged on his device we can change passwords or some another 
settings.

POC:

http://PUBLIC_IP_OF_USER/password.cgi?sysPassword=BASE64_NEW_PASSWORD


When I testing this I found one strange behavior with /rebootinfo.cgi (reboot 
device script).
Normaly for all this CSRF user must be logged into device web interface but if 
we request: 
http://PUBLIC_IP_OF_USER/rebootinfo.cgi, basic authentication is bypassed and 
device
is rebooted.

So we have CSRF + Authentication Bypass that lead to DoS of end user.

If someone have any questions about this please contact me.


Best regards,
Ivan Markovic

Prev by Date: IE address bar characters into a small feature
Next by Date: Trusteer Rapport Security Circumvention
Previous by thread: IE address bar characters into a small feature
Next by thread: Trusteer Rapport Security Circumvention
Index(es):
- Date
- Thread