SecurityvulnsSECURITYVULNS:DOC:26661Multiple CSRF and XSS vulnerabilities in ADSL modem Callisto 821+
Hello 3APA3A!
I want to warn you about new
multiple security vulnerabilities
in ADSL modem Callisto 821+
(SI2000 Callisto821+ Router).
These are Cross-Site Request
Forgery and Cross-Site Scripting
vulnerabilities. In April I've
already drew attention of
Ukrtelecom's representative (and
this modem was bough at
Ukrtelecom) about multiple
vulnerabilities in this model of
Callisto modems (and other models
also could be affected).
These attacks should be
conducted on modem owner, which
is logged into control panel.
Taking into account that it's
unlikely to catch him in this
state, then it's possible to use
before-mentioned vulnerabilities
(http://websecurity.com.ua/5161/)
for conducting of remote login
(for logining him into control
panel). After that it's possible
to conduct CSRF or XSS attack.
CSRF (WASC-09):
In section LAN connection:
Ethernet routed
(http://192.168.1.1/configuration/lan_create_service.html?EmWeb_ns:vim:3=/configuration/lan_ether_routed.html)
it's possible to add connection.
In section LAN connection:
Ethernet bridged
(http://192.168.1.1/configuration/lan_create_service.html?EmWeb_ns:vim:3=/configuration/lan_ether_bridged.html)
it's possible to add connection.
In section LAN connections
(http://192.168.1.1/configuration/lan.html)
the functionality of editing and
deleting connections also must be
vulnerable to CSRF. But because
in my modem the functionality of
creating connections worked
incorrectly (it was not possible
to create them), then there was
no possibility to check it.
XSS (WASC-08):
There are many persistent XSS
vulnerabilities in
above-mentioned functionalities.
And also attacks via the names
of parameters (when XSS code is
setting in the name of
parameter), which I wrote about
earlier
(http://websecurity.com.ua/5277/).
In this case the code will be
executed immediately, and also at
visiting of pages
http://192.168.1.1/system/events.html
and
http://192.168.1.1/shared/event_log_selection.html.
In section LAN connection:
Ethernet routed
(http://192.168.1.1/configuration/lan_create_service.html?EmWeb_ns:vim:3=/configuration/lan_ether_routed.html)
there are persistent XSS
vulnerabilities in some text
fields and some hidden fields
(including XSS attacks via the
names of parameters).
In this case the code will be
executed immediately, and also at
visiting of pages
http://192.168.1.1/system/events.html
and
http://192.168.1.1/shared/event_log_selection.html.
And in case of some fields XSS
code will execute at page
http://192.168.1.1/configuration/lan.html.
In section LAN connection:
Ethernet bridged
(http://192.168.1.1/configuration/lan_create_service.html?EmWeb_ns:vim:3=/configuration/lan_ether_bridged.html)
there are persistent XSS
vulnerabilities in some text
fields and some hidden fields
(including XSS attacks via the
names of parameters).
In this case the code will be
executed immediately, and also at
visiting of pages
http://192.168.1.1/system/events.html
and
http://192.168.1.1/shared/event_log_selection.html.
And in case of some fields XSS
code will execute at page
http://192.168.1.1/configuration/lan.html.
Vulnerable is the next model:
SI2000 Callisto821+ Router: X7821
Annex A v1.0.0.0 / Argon 4x1 CSP
v1.0 (ISOS 9.0) [4.3.4-5.1]. This
model with other firmware and
also other models of Callisto
also must be vulnerable.
I mentioned about these
vulnerabilities at my site
(http://websecurity.com.ua/5281/).
Best wishes & regards,
MustLive
Administrator of Websecurity web
site
http://websecurity.com.ua